How modern hacks turn into stolen money

A hack is rarely the event. The event is the wire that leaves your account six weeks later.

The boards I sit across from in 2026 still describe a breach the way the press release describes it. A name-brand SaaS vendor announces an incident. The CISO posts a LinkedIn statement. The stock dips four percent. The board reviews a quarterly cyber update. Everybody moves on. The money has not moved yet, so the breach feels abstract.

The money moves later. It moves through one of five chains, all of which are now well-documented in the 2026 incident record. The job of the policy is to sit on the chain where the loss actually shows up, not on the chain where the press release does.

The boards still describe a breach the way the press release describes it. The money moves six weeks later, through a chain nobody was insuring.

The five hack-to-money chains we see in 2026

Each of these chains has the same shape. A primary breach produces a data inventory. The data inventory moves into a secondary market. A buyer in that market converts the data into a financial action against a specific person or organization. The conversion takes weeks to months. The loss event is the conversion, not the breach.

Chain one: the BOLA leak into synthetic identity

The anchor case is Navia Benefit Solutions, the Renton-based benefits administrator. Between 22 December 2025 and 15 January 2026, an attacker pulled records via a Broken Object Level Authorization vulnerability in Navia's API. Not ransomware. Not phishing. An API access-control failure. The intruder simply enumerated record IDs that should have been protected and pulled the data via legitimate-looking API calls. Navia disclosed in February 2026. The Maine AG filing landed in March. HackerOne, downstream, was forced to issue its own employee-side notification in April.

The data taken was 2.7 million records of name, date of birth, Social Security number, phone number, email, and health-plan information. That is the gold-standard kit for synthetic-identity fraud. The conversion path is well known. The data sells on the secondary market inside 11 days. A synthetic identity is opened against the victim's credit file inside three months. The first credit account is granted inside six months. The first bank account is drained inside eighteen months. The loss arrives a year and a half after the breach, against a person who has no idea Navia was even their benefits administrator.

The policy implication is direct. By the time the wire is drained, Navia is two SEC cycles past the news cycle. The board that approved the Navia vendor relationship is the board now defending the class-action complaint. Director Shield is built for the gap between the breach disclosure and the eighteen-month-out financial event.

Chain two: the supply-chain OAuth attack

The anchor is the Scattered Lapsus$ Hunters Salesforce campaign that ran across 2026. Thirty-nine named tenants. Approximately one billion records. The chain: an attacker calls a Salesforce administrator at the target company, presents as IT support, walks them through linking a malicious OAuth application to the tenant's Salesforce instance, and then pulls the customer database through legitimate API tokens. No malware. No CVE. The exfiltration looks like normal application traffic.

The named victims include FedEx, Disney, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Air France-KLM, Adidas, IKEA. Each tenant disclosed its own portion under its own 8-K. The aggregated leak site, before the FBI shuttered it in November 2026, listed a consolidated ransom demand against Salesforce itself, which Salesforce refused.

The conversion path on this chain is fast for the named brands and slow for their customers. The named brands take an immediate financial-disclosure hit and a class-action wave. The brands' customers experience loyalty-point theft inside weeks (documented at Marriott and Air France-KLM by Bleeping Computer) and targeted phishing inside months. Every email-plus-purchase-history record in that one billion has been bought, sold, and weaponized into a phishing campaign somewhere by Q4 2026.

The policy implication is where the standard cyber form fails. A tenant's cyber policy covers the breach against the tenant. It does not cover the directors who approved the Salesforce vendor decision, the OAuth-app review process that failed, or the supply-chain liability that flows back upstream to the boards. Director Shield is the gap-fill on the personal-liability side; AgentShield Pro is the gap-fill on the OAuth-trusted-vendor-bypassed-our-controls side. Standard cyber sits in the middle and pays nothing on either edge.

Chain three: the ransomware double-dip

The anchor is Instructure / Canvas. Disclosed late April 2026. Login-portal defacement detected 7 May. Ransom deadline 12 May. Deal announced mid-May. ShinyHunters pulled 3.65 TB containing approximately 275 million records across nearly 9,000 organizations. Instructure paid an undisclosed ransom for shred logs. The US Government has since requested testimony.

The double-dip is the pattern. The board approves the ransom wire, on the theory that paying ends the incident. Then the board sits through twenty-four to thirty-six months of class-action discovery from students, parents, school districts, and state attorneys general whose records were in the exfiltrated set. The ransom doesn't end the loss. It moves the loss from the carrier's incident-response account to the board's D&O account.

The policy implication is that the ransom payment, the regulatory testimony, and the class-action defense are three different lines on the policy. Standard cyber covers the first. D&O covers the third, with a "regulatory action" exclusion broad enough to deny the second. Director Shield is the carve-in that converts that exclusion into named coverage for the testimony, the deposition, and the prep cost.

Chain four: the agentic-AI prompt injection

The anchor is Salesforce Agentforce ForcedLeak. CVSS 9.4. Disclosed July 2025, patched September 2025, weaponized through 2026. The chain does not require the attacker to write code. The attacker submits a Web-to-Lead form with a malicious prompt embedded in the lead body. When an Agentforce agent later processes the lead in its routine workflow, the injected instructions cause it to exfiltrate CRM data to an attacker-controlled domain. The exfiltration is enabled by an expired trusted-Salesforce domain that the attacker re-registered.

What makes this chain different from the prior four is that no human is in the loop at the point of compromise. The agent reads the form, decides what to do, and acts. There is no employee to phish, no credential to steal, no admin to vish. The attack surface is the prompt itself. The policy trigger that standard cyber relies on, "an external actor gained unauthorized access," does not cleanly apply, because the agent had authorized access; it was just instructed by a malicious party to misuse it.

The conversion path is the same as chain two. CRM records exfiltrated, secondary-market resale, targeted phishing inside months. The difference is the trigger. AgentShield Pro is the only US wholesale form we have seen that names the action, the agent's tool-call to the attacker domain, rather than the actor. The trigger fires on the action. The policy pays.

Chain five: the credential-theft consumer chain

The anchor is ADT. Two breaches in two months. The April 2026 incident: a ShinyHunters operator called an ADT employee, captured Okta SSO credentials over the phone, and used the session to pull ADT's Salesforce CRM. 5.5 million customer records. Names, phone numbers, addresses. Date of birth and last-four-Social on a small percentage.

The conversion path on a consumer-side credential leak is the SIM-swap-to-bank-account chain. Home address plus last-four-Social is sufficient to convince a US mobile carrier to port a number to an attacker-controlled SIM. Once the number is ported, every two-factor SMS code the bank sends arrives at the attacker. Bank account drain follows inside seventy-two hours. The ADT customer base skews toward homeowners with assets, which is exactly the population the criminal market values most.

PersonalGuard is built for the conversion event, not for the breach. The breach is ADT's problem. The wire out of the ADT customer's account is the family's problem. The concierge work that intercepts the wire while it is still recoverable (calling the receiving bank, escalating to IC3, freezing the funds before the attacker converts to crypto) is the only thing that meaningfully closes the loss.

What "standard" cyber insurance actually covers (and doesn't)

I have read forty-seven mid-market cyber proposals in the last twelve months across the wholesale markets that bind in the US and the EU. The pattern is consistent.

Page 47 of every one of them carries the same family of carve-outs. "Voluntary action by an insured" is excluded. "Regulatory action" is excluded with a sub-limit small enough to cover the kickoff meeting and nothing else. "Indirect or consequential loss" is excluded. "Loss arising from autonomous software" is excluded under an "Artificial Intelligence" header that defines AI broadly enough to capture any non-deterministic workflow run by a vendor of the insured.

The "voluntary action" exclusion is the one that bites the families and the directors on chains one and five. The board approved the vendor. The CFO approved the wire. The customer authorized the SMS reset. Each of those is, in the carrier's reading, a voluntary action that converts the loss from an insurable event to an uninsurable business decision. The carve-out is on page 47. The buyer reads pages one through ten.

The sixty-day proof window is the other quiet killer. Standard cyber forms require the insured to file proof of loss inside sixty days of discovery. On chain one, the actual financial event is eighteen months after discovery. Sixty days after the Navia notification is March 2026, when the bank account drain has not yet happened. The proof window closes before the loss occurs.

D&O is now where the real personal liability sits for directors of breached vendors and tenants. The 2026 class-action filings against the Salesforce-named brands are running through D&O, not cyber. The 2026 directors-and-officers filings against the Instructure school district boards are running through D&O, not cyber. The "regulatory action" sub-limits on standard D&O are not built for the testimony, deposition, and prep cycle that follows a ransom-paid breach. Director Shield is the carve-in we wrote to close that specific gap.

Where secure.syba.io changes the math

We built three products to sit on three different points of the chain. Each one is named for the loss vector it actually pays on.

The vendor-risk posture scan at secure.syba.io/app is the first artifact a buyer receives. The scan inventories every vendor with API access into the insured's environment, scores the OAuth-app exposure, flags the BOLA-class API endpoints on the inventory, and produces a board-ready document with the specific carve-outs that would deny a claim against each vendor. The scan is free. The output is what most boards have asked their CISO for and not received.

Director Shield is the personal-liability gap-fill for directors of breached vendors and tenants. It names the deposition, testimony, and class-action prep costs that standard D&O excludes via the "regulatory action" carve-out. The form is bindable through Jencap-Bind inside ninety seconds for accounts under EUR 5M revenue. Priced at EUR 2,500 per director per year, backed by the same $5M Chubb umbrella.

AgentShield Pro is the named-risk cyber form for the agentic-AI chain. It is the only US wholesale form I have read in 2026 that names the agent's action, not the agent's nature, inside the insuring clause rather than outside it. The four enumerated loss vectors are tool-call exfiltration, prompt-injection cascade, hallucinated authority, and workflow drift. The trigger is the action. The form is model-agnostic. Anthropic, OpenAI, in-house, all covered, provided the action is traceable to an enumerated scope.

The $5M Chubb umbrella sits behind all three. The umbrella is what makes the math work, because the chains above are long enough that the loss at the end of the chain is usually multiples of what the front-of-chain policy would pay.

The trigger is the action, not the actor. That is the entire form distilled.

The 4 things every CFO and CISO should do this week

1. Inventory every vendor with API access. Not every vendor. Every vendor with a token that can read your data. The Navia chain starts at a vendor most of the affected employers had not thought about in years. The Salesforce chain starts at an OAuth application most of the affected admins linked in a single click. The inventory is the first artifact any policy underwriter will ask for in 2026. Build it before the carrier does.
2. Run the posture scan at secure.syba.io/app. It scores your vendor exposure, your OAuth-app footprint, your BOLA-class endpoints, and your supply-chain blast radius in a single board-ready document. It takes fifteen minutes. If the scan flags something, you can act on it without us.
3. Pull your D&O policy and stress-test the "voluntary authorization" exclusion. Read page 47. Find the carve-out. Bring the language to your broker and ask: if a director of mine approves a vendor that gets breached, and the breach produces a class action against me personally, does this clause cover or deny? Get the answer in writing before the renewal.
4. Brief the board, on paper, before the next vendor audit cycle. The 8-K disclosures from the Salesforce-named brands are the playbook for what your board minutes will look like inside the next twelve months. The boards that prepared in writing before the breach are the boards that came out the other side. The boards that prepared in PowerPoint slides did not.

If you want to walk through whether Director Shield or AgentShield Pro fits your account, the bindable quote at secure.syba.io/app returns a coverage card in the browser inside ninety seconds. If you would rather talk through the chain analysis first, book a fifteen-minute call.

https://secure.syba.io/app

The money moves six weeks after the headline. The policy has to be on the chain by then.