This article was co-authored by Oli Brew and William Altman.
Much has been written in the cyber security press in the days since Austin-based network management company SolarWinds disclosed that a software update had been compromised with malware.
CyberCube has been focusing on takeaways for our insurance industry clients. We share a few of the highlights here, mindful that the situation continues to develop. Our thoughts are based on the information available to date.
Up to 18,000 companies from around the world may have been compromised in this attack. However, one of the biggest takeaways for insurers is that (as of December 21, 2020) this attack does not appear to be motivated by an intent to destroy critical data or machines. The attackers were more likely to have been interested in gathering national security-related intelligence from strategic targets.
Given the attack is motivated by espionage, the potential loss accumulation for this event is far lower than if the attack was destructive in nature. In this regard, the SolarWinds attack differs from NotPetya - one of the most destructive cyber attacks in history. Nevertheless, it should now be abundantly clear to insurance industry stakeholders that cyber attacks with the scope of NotPetya or SolarWinds (and the potential for catastrophic losses) are possible.
How bad could this attack have been if it were destructive? To begin to answer that question we can look at the CyberCube Enterprise Intelligence Layer, which contains data on millions of companies and technological single points of failure (SPOF). Observing this database, we can see (alongside government entities) the world’s biggest private companies using SolarWinds products.
When considering the potential for loss accumulation, it is worth taking note of SolarWinds customers that are SPOFs themselves, which further underscores the potential for cascading losses from destructive software supply chain attacks.
These companies are the cloud, they are inside critical infrastructure and industrial operations, and others are in healthcare and software supply chains – potentially making their customers vulnerable.
The situation is dynamic and will likely change as new information emerges. Here are some of the other key takeaways so far:
The SolarWinds attack is ongoing and the financial impact of the attack is not yet known. It is possible that fewer than 500 companies will have had data stolen due to this attack. Not every organization that discovers indicators of compromise will be a target, but their networks will have to be forensically investigated. Loss categories could include, in order of likelihood: breach investigation and response costs, business interruption, legal costs, and reputational damage.
Notwithstanding the fact that the attack appears to be conducted by an entity with implicit or even the explicit support of the Russian government, the attack by most perspectives and benchmarks falls below the threshold of a definition of cyber war. Therefore cyber war exclusions by insurers are unlikely to be able to be invoked.
It is conceivable that this could trigger an escalation of cyber aggression by different nation-states and embolden attackers. One serious scenario for consideration is the potential result in tit-for-tat responses and there could be significant economic implications of this.
It is clear that this is a rapidly-moving situation but, given that up to 18,000 companies could have been impacted, this clearly demonstrates the potential for accumulation of cyber risks within insurance portfolios. To help our customers manage these risks we offer a number of data and analytics products and services. For example, CyberCube’s Portfolio Manager leverages multiple scenario classes to help model the risks of software supply chain attacks like SolarWinds.