Author: Joey Sylvester
Beginning in 2020 and continuing through today, the cyber insurance industry has "hardened" more quickly than any other line of coverage. We have seen dramatically increased premiums and similar increases in deductibles and retentions; carriers carving back coverage in key areas such as extortion, introducing new exclusions for nation-state attacks and declining to offer coverage in certain industry verticals such as public entities and education; and many more adverse changes with which our insureds must now contend.
This hardening is primarily due to the evolving threat landscape, specifically 1) ransomware activity, 2) changing legal and regulatory issues, generally related to wrongful collection, and 3) widespread IT supply chain attacks.
Supply chain attacks such as those perpetrated on Blackbaud, Accellion, Microsoft Exchange servers and — most notably — SolarWinds, represent a unique challenge to the insurance industry and a key shift in attack vectors for threat actors around the world.
The story of the SolarWinds hack
SolarWinds Orion is an IT management platform that many governmental and private organizations use. Software vendors of all shapes and sizes generally provide periodic updates to their systems. Sometimes the update is a critical security patch for a newly discovered zero-day vulnerability, but most often we see general bug and security fixes.
Beginning in March 2020, SolarWinds released routine updates for their Orion platform. Unbeknownst to SolarWinds and their thousands of customers, hackers who are now believed to have been nation-state sponsored had compromised SolarWinds' build process, so that a backdoor (later named SUNBURST) was compiled into the update itself and shipped under SolarWinds' own code-signing certificate. That backdoor gave the attackers a foothold inside the networks of the many thousands of organizations using the Orion platform. All a client organization had to do to let the hackers in was download a legitimate update from a trusted vendor. Given the push by the insurance industry in particular to make sure patching cadence is quick, it's no surprise 18,000+ organizations installed the update quickly.
Those impacted included a significant number of federal agencies such as the Department of Homeland Security, the State Department and the Department of the Treasury. Impacted private companies included AT&T, Microsoft, Cisco and Deloitte.1
The SolarWinds hack has a fairly straightforward timeline. We now know that hackers gained access to SolarWinds' systems in late 2019. We don't know specifics on how the hackers got in, but the likely culprit would have been phishing or possibly exposed remote desktop protocol (RDP) ports. In late 2019, multi-factor authentication (MFA) was not the standard insurance requirement that it is today.
After gaining access, hackers lurked in the SolarWinds systems for some time, lying low while testing payloads and apparently doing a test run of their malware before deploying it into the Orion platform update, which was later released to the public in March 2020.
The timing is interesting, to say the least. I've always believed hackers may use opportunities to deploy attacks when our attention is focused elsewhere, such as during holidays or natural disasters. It's not hard to remember what we were focused on in March 2020. Ultimately, the dwell time on the attack is estimated to be over a year from when the breach first occurred to discovery in late 2020.
Insurance carriers respond to IT supply chain attacks
All of these hacks represent a key shift in target for threat actors across the world. From the hackers' standpoint, the logic seems clear: breach one system, and you've suddenly breached thousands of systems that use the platform you just compromised. The ability to compromise systems on this scale through one entry point represents a unique challenge not only to cybersecurity professionals, but also to my own industry, insurance. One hacking group can produce catastrophic losses for an insurance carrier and threaten its ability to uphold its contractual commitment to pay claims.
To use a simple analogy, consider the reason no single insurance company covers every individual home in a given area. In my hometown of New Orleans, if a Category 5 hurricane rolls through and destroys every home, that's a several-billion-dollar loss that cannot be absorbed by any one carrier. Carriers pay attention to their "aggregates" in each ZIP code. Once they determine they've insured too much value in a given area, they stop adding anything to their books from that area.
Could we see similar methods unfold for cyber insurance? If insurance carriers had a good way of determining how much "agg" they have in their portfolio for particular supply chain issues, we may start to see carriers pay closer attention to this. For example, too much aggregate for SolarWinds might represent a catastrophic risk to them.
March 2020 kicked off the hardening of the cyber insurance industry. Primarily driven by ransomware activity and the urgency to implement mitigating measures, rates started to tick up and a heightened scrutiny was placed on how organizations were protecting remote access protocols. Toward the end of 2020 and through all of 2021, supply chain attacks and ransomware activity led to cyber insurance being one of the most difficult lines of insurance coverage to place, combined with premium increases in the triple digits for every industry.
The most immediate consequences felt by, or driven by, the insurance industry were a great deal of IT forensics investigations and, later, changes to insurance policies. Most often, this change meant exclusions related to the SolarWinds Orion product (or Microsoft Exchange, or Accellion, Log4j, and so on). Carriers began asking, "Do you use SolarWinds Orion v2019.4?" and "Have you applied the latest patches to address the vulnerability?" and "Were you impacted by the SolarWinds Orion breach?"
The attack later led to other carriers crafting endorsements and exclusions addressing what they call "widespread events," which included higher deductibles, sub-limits (less coverage), a coinsurance percentage (the insured must pay a percentage of the overall claim) or some combination of the three.
This response is an example of how a carrier may take steps to limit their exposure to widespread issues, and ultimately protect their ability to remain financially stable. Imagine 18,000+ insureds — the number of organizations who downloaded the update — all filing a $1 million claim at once. That's $18 billion in losses the industry would rather not take on.
In a related change, some carriers have begun to release new endorsements excluding nation-state attacks of all kinds. This response is somewhat atypical: Carriers generally exclude war, but often policy wordings have carvebacks within that exclusion for cyber terrorism that, depending on the carrier, may include acts perpetrated on behalf of governments committed for religious, political or ideological reasons.
Recommendations for insured and insurers
Thankfully, we haven't seen a catastrophic impact from SolarWinds or other supply chain attacks. It has been reported that although an estimated 18,000 organizations installed the malicious update, only a small number of those organizations are so far believed to have been further compromised and to have possibly lost sensitive data.2 The motivation for the attack, and the likely explanation for the low amount of compromised data, has been deemed espionage rather than disruption or financial gain.3
IT supply chain attacks may not be new, but SolarWinds represents a prominent recent example of how hackers have increasingly adjusted their targets and methods to gain widespread access to data and systems. The consequences for our industry are complex. Widely used IT platforms have become targets for advanced persistent threat (APT) actors around the world, and that trend likely will continue.
Ultimately, while it's incumbent upon the companies providing the product to verify their offering isn't compromised, organizations using the products should continue to vet their IT supply chain vendors. Organizations should ask the tough questions they maybe haven't asked in the past and look to validate their security practices. A software bill of materials (SBOM) could be tremendously useful. Could an SBOM on the update itself, combined with a protracted patching cadence and testing period, have led to less take-up of a compromised update? Quite possibly, though with an important caveat: an SBOM lists the components that make up a product and their versions, which answers questions like "Do you ship an affected Log4j version?" It would not by itself have flagged SUNBURST, because that backdoor was compiled into SolarWinds' own Orion library and carried a valid SolarWinds signature rather than appearing as a third-party component. Verifying that a vendor's build pipeline is protected, and holding updates in a test ring before broad rollout, addresses the gap an SBOM leaves.
I would hope the insurance industry finds some common ground regarding patching cadence. I often find myself coaching my clients on underwriter expectations, and I've said more than a few times that carriers typically want to see critical patching within one or two days of release.
While that's not an untrue statement, clients are starting to push back on the advice. They want to test the update first, before pushing out to 100% of their endpoints. They want to make sure what they're implementing isn't going to adversely affect them. Generally I believe they are concerned about an update crashing their systems, leading to a system failure claim, but the point stands: If they're expected to verify their backups are free from malware regularly, they should be given the same leeway to verify that updates and patches from their vendors are suitably free from these sorts of issues as well.
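The kind of check an organization could run during that testing period, before an update goes to 100% of endpoints, is shown below as an added example. It is not code from the original article or from any vendor. It parses a CycloneDX-style SBOM shipped with a hypothetical update (the SBOM, the "ExampleMonitor" product name, and the "legacy-rpc" advisory are constructed for illustration) and compares each component against a watchlist of advisory version ranges; the log4j-core range is real, the rest are assumptions. The result is a go/no-go for the test ring.

```python
"""Pre-deployment gate: check a vendor update's SBOM against an advisory watchlist.

Added example, not from the original article or any vendor. The SBOM and the
"legacy-rpc" watchlist entry are constructed; real ones come from the vendor's
release package and from the advisories the organization tracks.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical "ExampleMonitor" update.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "ExampleMonitor", "version": "2020.2.1"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core",
     "name": "jackson-databind", "version": "2.12.3"},
    {"type": "library", "group": "org.example",
     "name": "legacy-rpc", "version": "1.0.0-beta2"}
  ]
}
"""

# Watchlist: component name -> list of (affected_below, note).
# log4j-core is a real range: CVE-2021-44228 (Log4Shell) was first fixed in
# 2.15.0, and later Log4j CVEs required 2.17.x. "legacy-rpc" is constructed.
WATCHLIST = {
    "log4j-core": [("2.15.0", "Log4Shell: upgrade before deployment")],
    "legacy-rpc": [("1.1.0", "constructed example advisory")],
}


def parse_version(v):
    """Turn '2.14.1' or '1.0.0-beta2' into a comparable tuple.

    Numeric parts are padded to three positions; a pre-release tag sorts
    below the final release with the same number (2.0-beta9 < 2.0).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)  # final release sorts after any pre-release
    return nums + pre


@dataclass
class Finding:
    name: str
    version: str
    affected_below: str
    note: str


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def check_sbom(sbom_json, watchlist=WATCHLIST):
    """Return a Finding for every component whose version falls under an advisory."""
    findings = []
    for name, version in load_components(sbom_json):
        for affected_below, note in watchlist.get(name, []):
            if parse_version(version) < parse_version(affected_below):
                findings.append(Finding(name, version, affected_below, note))
    return findings


def deployment_gate(sbom_json, watchlist=WATCHLIST):
    """Go/no-go for the test ring: block when any watchlisted component is affected."""
    findings = check_sbom(sbom_json, watchlist)
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    ok, findings = deployment_gate(SAMPLE_SBOM_JSON)
    print("deploy to test ring:", "yes" if ok else "BLOCKED")
    for f in findings:
        print(f"  {f.name} {f.version} < {f.affected_below}: {f.note}")
```

Run against the constructed SBOM, the gate blocks the update on two findings (the Log4j library and the constructed "legacy-rpc" component); swapping in a vendor's real SBOM and an organization's own advisory list is the only change needed. The product name and version in `metadata.component` are what a carrier's "Do you use Orion v2019.4?" question maps to, and can be checked the same way. The check answers only "what does this update contain"; whether those contents were built from the vendor's intended source is a separate question that the test ring and its monitoring have to answer.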
In summary, the SolarWinds attack and other supply chain breaches have become a broader topic than just the cybersecurity industry, given the geopolitical forces at work and the sheer number of organizations vulnerable due to the nature of the threat. We rely heavily on our supply chains to operate and need to find collaborative ways to protect them from APTs around the world. IT vendors, their clients and, yes, the insurance industry all have a key role to play in reducing this threat.