How large-scale cyber activity can impinge on insurability: Case spotlight on SolarWinds
The 2020 SolarWinds cyberattack was one of the largest and most sophisticated to date.
SolarWinds is a major U.S. software company providing management tools for network and infrastructure monitoring, with a client base of over 300,000 high-profile companies. These include many Fortune 500 companies, universities and government departments such as the U.S. Department of Homeland Security and U.S. Treasury Department.
The SolarWinds cyberattack was the work of a highly skilled actor. The perpetrators incorporated malware into a specific layer of SolarWinds software, enabling them to gain access to some of the SolarWinds customers that used the software. It appears that this infiltration was motivated by espionage.
On 9 June 2021, The Geneva Association held a cyber expert forum, co-organised with Allianz, to take a deep dive into the SolarWinds cyber intrusion. The event was open exclusively to the insurance companies of Geneva Association members.
Keynote speech: SolarWinds: Lessons learned
Stuart McKenzie, Senior Vice President of Mandiant, FireEye.
Stuart McKenzie, Senior Vice President of Mandiant (FireEye), openly discussed the SolarWinds event and challenges that arose for FireEye (a client of SolarWinds) while investigating the intrusion into their own systems, e.g.:
- Helping those affected by the attack with countermeasures
- Deciphering whether FireEye had done anything wrong (and how to improve their own security to prevent future intrusions)
- Deciding what information to disclose to the public and when.
On the last point, FireEye decided that transparency was best – the SolarWinds intrusion could provide many valuable lessons to others.
Indeed, the SolarWinds event was one of the first times that technical details about an intrusion and its sophistication were divulged publicly. Similarly sophisticated attacks have occurred, but information on the techniques employed has often remained confidential.
Identifying the different types of attackers has resulted in a better understanding of the cyber landscape. Highly skilled attacks are generally high cost and high risk for the perpetrators, so the targets are likely to be high-value organisations or government departments.
Panel Discussion: How large-scale cyber events can help shape the cyber insurance offering
(Top) Matt Prevost, Senior Vice President, Cyber Product Line Manager, Chubb; Siegfried Rasthofer, Senior Cyber Security Expert, Munich Re; Catharina Richter, Global Head, Cyber Center of Competence, Allianz. (Bottom) Stuart McKenzie, Senior Vice President of Mandiant, FireEye; Jad Ariss, Managing Director, The Geneva Association.
Participants discussed how to manage media hype around cyber events and ensure the information provided to the insurance industry – on the characteristics of the event and corresponding losses – is accurate. This will better enable the industry to assess their appetite to cover similar future events and help improve projections of future losses, both economic and insured, using realistic disaster scenarios. Information about the interconnectivity of insurance policies covering cyber risks within a portfolio and the potential for accumulation losses, of particular relevance for the industry, can guide future decisions concerning capital requirements and risk appetite and inform the underwriting process.
Working more closely with technical experts will be key in addressing software supply chain events, particularly in the areas of cyber underwriting and claims. Because victims often trust their software supply chain vendors, they may become complacent in believing their security is fully taken care of. Instead, insurance customers and society at large should increase their awareness of the risks and possible safeguarding measures, with an emphasis on more actively monitoring one’s own systems. Insurers should continue to take an active educational role in providing guidance on cybersecurity and measures to reduce risks. However, reaching a point where there are no vulnerabilities is unlikely; mitigation and containment of cyber events will be key.
Although many organisations prioritise protection against cyber threats, cost, functionality and internal negotiations may be obstacles to purchasing the optimal security products. Furthermore, there will never be a single cyber safeguarding measure that is universally applicable across all companies, due to the complexities of internal cyber infrastructures within a company. As a starting point for enhanced cyber protection, software providers should ensure all of their customers meet a minimum standard of cybersecurity. Although this would not be a panacea for cyber protection, it would create a good baseline for setting higher standards.
The insurance industry should also focus on removing monetary incentives for carrying out cyberattacks. It will first need to analyse how cyber criminals make money and seek to regulate the use of digital currency – the most common method of payment to cyber criminals. Effectively regulating digital currency to enable authorities to follow money trails and identify cyber perpetrators may, for example, disincentivise ransomware attackers. In future, the insurance industry may engage with regulators on the potential suitability of regulation for digital currency.