Case Studies — Real-World Losses
What cyber risk looks like when it hits
What happened
The insured discovered ransomware in its systems and disconnected its manufacturing plants within two hours as a precaution. Some systems were encrypted and operations paused. Despite having viable backups, production was disrupted for weeks. Threat actors later claimed exfiltration of files and threatened to publish them unless paid.
Business interruption losses exhausted the cyber tower limits. Insurers contributed toward the loss but operational disruption continued for several weeks.
What it cost
Boardroom lesson
Viable backups don’t prevent disruption if restoration takes weeks. Ransomware planning needs to focus on restoring business operations as much as recovering data.
A sophisticated hack led to the compromise of data belonging to millions of current and former customers. Attackers bypassed IT controls and exfiltrated sensitive data undetected until an employee spotted a suspicious query.
The insured faced class actions, regulatory investigations, and reputational fallout. Vendors were called in for forensics, IT security, credit monitoring, call center support, and public relations.
Detection delays multiply costs. Boards need to invest in detection and escalation as well as prevention.
Drives containing client data from a wealth management department were sold to outside vendors without proper data destruction.
The insured faced regulatory scrutiny, lawsuits, and the cost of providing credit monitoring to affected customers.
Basic governance failures can create complex losses. Boards need to treat vendor data handling as part of operational risk, not just compliance.
A vendor upgrade to a core platform caused system failure, forcing the client to revert to paper-based operations.
Even well-meaning changes can trigger costly outages. Vendor contracts should include incident support and clear notification triggers.
Services stopped for days, causing operational disruption and revenue loss.
A malware attack on a point-of-sale system exfiltrated payment data from shoppers.
The insured faced class action litigation and regulatory fines, and had to pay for customer monitoring, system remediation, and legal defense.
Even mid-sized incidents trigger cascading costs. Breach response plans need to integrate legal, operational, and reputational response.
Loss: $45M revenue loss after a critical SaaS provider went offline
What went wrong: Contracts lacked liability coverage, leaving most of the loss uninsured
How Willis FINEX helps: CyVRA vendor analytics, contract playbooks, and policy language aligning coverage to vendor-triggered outages
Loss: 26-day outage; $2.5M average daily lost income; $18M recovered from insurance
What went wrong: Delays in notification blocked recovery of a further $5M
How Willis FINEX helps: Ransomware tabletop simulations, pre-loss claims protocols, and rapid-notification workflows to trigger interim payments
Loss: $2.1M transfer after a convincing live video call from the “CEO”
What went wrong: The deepfake was only identified afterward; policies only partially responded, and regulators are reviewing governance failures
How Willis FINEX helps: AI-enabled fraud simulations, board oversight frameworks, and policy wording reviews for social engineering triggers beyond FTF