A school became aware they had suffered a cyber incident after their IT team suggested much of their IT environment had been encrypted by threat actors with ransomware, with ransom notes left on the desktop backgrounds.
After confirming the potential severity, the school contacted their Cyber insurer and Hayes Parsons Insurance Brokers and between the parties an incident response and containment strategy was agreed. What happened next shows the true worth of having a quality Cyber product provided by an experienced Cyber insurer, and a broker who understands how the policy will respond and can provide guidance and reassurance to the school.
The following was provided by the insurer and their specialist consultants, with Hayes Parsons Insurance Brokers coordinating with the school.
- The school engaged with crisis communication and legal firms, to ensure relevant reports and communications were made to the ICO and the Charity Commission
- All parents were informed and kept updated as the incident progressed
- Further malware was blocked from being deployed and all suspicious behaviour monitored
- Domains and accounts were disabled and new ones created
- Vulnerability scans were undertaken along with ongoing monitoring of the dark web
Restoration and recovery
- New infrastructure and core domain were created along with the network and auxiliary services
- Back-ups were checked to establish if any data had been compromised, encrypted or deleted
- Lost data was identified and a plan put together for rebuild
- It was established how access was gained and what activity had been undertaken in the network
- Data exfiltration was assessed
Threat actor intelligence and engagement
- The threat actor’s profile was researched
- Potential engagement strategies were discussed
Strategy and reporting
- Key meetings were held between Hayes Parsons, the insurer, and their third-party specialists ensuring legal, regulatory and school concerns were considered throughout
This was a stressful period for the school, as they needed to minimise the impact on the education being delivered and needed to ensure management information was not compromised. The school commented, that yes, the reimbursement of costs to remedy the situation was welcome, but the project management and expertise of those involved in the claim was the key differentiator.
The claim itself spanned nearly 12 months with total claim costs exceeding £300,000. Remember to check your own policy limits and cover periods, as they can be less than noted here.