Allardyce Bower Consulting paid more than $14,000 for a cyber insurance policy that included ransom coverage, but when they needed it, the insurer refused to pay. Had the business made a grave error in security?
Over on SuspectFile, Marco A. De Felice writes:
Allardyce Bower Consulting (ABC) was the victim of a severe cyberattack attributed to the ransomware group Securotrop. The intrusion into the company’s systems reportedly began in late August 2025, with the encryption of servers on September 7, followed by the online release of a large volume of sensitive data.
ABC held a cyber insurance policy with Coalition, which covered ransomware attacks up to five million Canadian dollars.
The policy was technically activated when ABC notified Coalition of the attack, yet it was never fully implemented — most notably, the ransom demand was not paid.
It remains unclear whether Coalition also declined to cover related expenses such as legal or consulting support, but several indicators suggest a prudential stance by the insurer.
The inevitable question is: why?
Read more at SuspectFile about the incident and their thoughts on why Coalition may have declined to pay the ransom. Note: We are not encouraging victims or insurers to pay ransom, because that just encourages more crime. But why did they decline? Coalition has not explained.
One possibility SuspectFile discussed seems noteworthy. The policy includes a section called “DUTY TO COOPERATE.” It states (emphasis added by DataBreaches):
We will have the right to make any investigation we deem necessary, and you will cooperate with us in all investigations, respond to reasonable requests for information, and execute all papers and render all assistance as requested by us. You will do nothing that increases our exposure under this Policy. You will also cooperate with us and counsel in the defence of all claims and response to all events, and provide all information necessary for appropriate and effective representation.
With respect to Section II.J, RANSOMWARE AND CYBER EXTORTION, you must make every reasonable effort not to divulge the existence of this coverage, without first seeking our prior consent.
But as SuspectFile reported, that’s precisely what ABC had done. It stored a copy of its policy that Securotrop downloaded. It also reportedly told Securotrop in a phone call that their insurance would take over handling the incident.
But even if they had not mentioned the existence of insurance in a phone call, Securotrop had discovered the policy. In a chat with DataBreaches, SuspectFile reported that he had specifically asked Securotrop whether they had known about the policy and its limits before ABC mentioned anything about cyber insurance. Securotrop’s spokesperson replied, “We did, however, they [Coalition] would have no way to know that, especially with the price we set being so much lower than the limit.”
Although SuspectFile notes that ABC had passed a pre-coverage audit by Coalition to obtain the policy, it seems that after the policy was issued, ABC kept a copy of it on its server, promptly violating the “Duty to Cooperate” conditions.
Good Security Hygiene Includes Hiding the Existence of Cyber Insurance
As SuspectFile emphasizes, we don’t know why Coalition declined to pay the ransom, and they have not answered that site’s inquiries. But the issue of ransomware gangs looking for and finding cyber insurance policies on victims’ systems is not a new one. Other gangs have specifically looked for policies, and trained others to look for them, so that they can see the amount of coverage for a ransom payment. Conti, Hardbit, and Qilin have all actively sought and evaluated insurance policies. In 2022, for example, in covering an attack by Hive, DataBreaches reported:
On August 26, someone from Tift contacted Hive and asked what they wanted. To cut to the chase, the amount was $1,150,000.00. “We know that you have a cyber insurance policy with a limit of $6M. Our financial experts have estimated what losses you will incur in the event of a leak of your personal data,” Hive wrote.
The BlackCat gang also attempted to leverage cyberinsurance policies. As The Register reported in 2023:
The BlackCat ransomware group attempted to leverage a victim’s cyberinsurance policy during a December 2023 attack on the accounting software company Tipalti. The hackers learned through the company’s internal discussions that their insurance policy likely did not cover extortion, so they escalated their tactics.
Instead of just threatening Tipalti, BlackCat threatened to extort Tipalti’s clients directly, including Roblox and Twitch.
Once it became known in 2021 that Conti was looking for their victims’ policies, companies should have stopped storing their policies on their systems. Merely encrypting the policy, companion correspondence, or internal memos about the policy and coverage would still reveal the policy’s existence.
Unfortunately, too many companies continue to expose their policies and related records.
Ironically, criminals who try to exploit their knowledge of a victim’s cyber insurance policy by letting on that they know the victim has insurance may be shooting themselves in the financial foot. That is the case if the insurers then turn around and decline to pay because the insured failed to adequately prevent the attackers from discovering the existence of coverage.
Are You Still Exposing Your Policy and Coverage?
On August 28, Coalition published an article on its blog, “How Hackers Leverage Insurance Details in Ransomware Attacks.” Was the timing coincidental, or was it because its insured, ABC, had made that costly mistake?
While there is much we do not know about this particular incident, one thing seems clear: entities increase their own risk of losing coverage by not adequately protecting their insurance policy and correspondence concerning any policies.
Please read the post by Coalition and implement its good advice.
Cyber insurance policies should be stored in secure systems with strict access controls, like a safe deposit box for digital files.
From experience reviewing data tranches and negotiation logs, DataBreaches would also add reminders to secure not just the policy, but also all correspondence and internal memos about the policy or its coverage. And in the event of any cyberattack, remember NOT to communicate using internal channels such as email or messaging where the policy or its coverage might be mentioned. In the event of an attack, it is always best to assume the attackers are still in your system and can read your communications about incident response. Even if you properly store your policy and correspondence, discussing it during incident response could expose important information to the attackers.