Insurers to set aside funds for claims as systemic risk looks more likely
Many of us have already learned of the SUNBURST attack which is fast becoming the biggest hack for years and potentially, the largest penetration of Western governments to date.
The threat actors behind the attack gained access to numerous public and private organisations across the globe via trojanized updates to SolarWind’s Orion IT monitoring and management software. SolarWinds’ services are used by more than 300,000 customers across the globe, including military, Fortune 500 companies, government agencies, and educational facilities.
FireEye has published an analysis of what they have dubbed SUNBURST here.
Many cybersecurity organisations (starting stateside but probably soon followed by UK and others) are recommending that those businesses using SolarWinds, should initiate their cyber incident response process. This may lead to claims by those clients using SolarWinds if they discover some of the Indicators of Compromise.
Some years ago, we theorised with insurance partners that a systemic cyber risk would manifest itself in an attack which compromised a popular software vendor’s update process. In our scenario, we considered a Microsoft Windows Update. Whilst the news we discuss today is not that, this incident does demonstrate that an update process can be infiltrated and used to distribute malware (in this case a trojan).
This incident also exposes what we all-too-often see in our risk assessments of businesses software development. That is poor control over DevOps, a set of practices that combines software development and IT operations. SolarWinds appear to have allowed their update process to be hijacked. To prevent these types of attack, it is vital that software developers operate good security around software development, updates, signing, packaging, websites/distribution etc.
As with many cybersecurity alerts, there is always a degree of exaggeration of facts by vendors.
However, the impact of this attack to organisations on the books of many brokers and insurers would be significant. The results of the SolarWind’s hack will inevitably be reflected in the rise of claims by insured’s, and brokers and insurers alike will need to prepare. It may be time to reassess risk management, asking targeted questions of insureds; starting with whether they use SolarWinds, to ensure that steps taken to mitigate have been enacted.
Conversely, this attack is sophisticated and takes effort. It may be that threat actors will have limited the number of organisations targeted for this attack, because the processes they use to maintain a covert presence are resource-intensive. It is possible that they only had the capacity to manage a limited number of attacks at once and therefore are likely to have concentrated their efforts on government, intelligence and military targets and tier 1 suppliers to these organisations.
Nevertheless, the risk is still very real, and governmental and private organisations across the globe are now hurriedly disconnecting the affected SolarWinds products from their systems.