The Big One

As the risk of a ‘systemic cyber event’ grows, cyber insurance is getting harder to come by—and CFOs are focusing in on cybersecurity: ‘Were another SolarWinds-type attack to occur, many companies may not be covered for the losses.’

A ransomware attack locking up a company’s data is bad news, given the potential for a significant interruption in ongoing business. Far worse is the possibility of a ransomware attack against a cloud services provider providing access to the company’s data. Not only is the business of the company itself disrupted, but if its suppliers, partners, vendors, law firm and audit firm are customers of the same provider, the miseries compound.

This doomsday scenario, in which a single cyberattack laterally impacts the ongoing business of tens of thousands of companies, is called a systemic cyber event. The potential outcome of such an attack became clear in 2020, when IT management software provider SolarWinds was hacked, allegedly by Russia-backed hackers. The attack exposed 18,000 SolarWinds customers to data breaches. Fortunately, slightly more than 100 were compromised. For those, cyber insurance helped defray the remediation expenses and the loss of business income.

Today is a different story. “Having absorbed massive ransomware losses in recent years, major cyber insurers have tightened up their coverage language,” said Johnny Botros, CFO at Resilience, a privately held provider of cyber insurance founded by experts within the U.S. military and intelligence communities. “Were another SolarWinds-type attack to occur, many companies may not be covered for the losses.”  

He’s referring in part to the decision by one of the world’s largest cyber insurers, London-based Lloyd’s Market Association, to exclude coverage for state-sponsored cyberattacks. Other major cyber insurers like Chubb and Beazley have taken similar actions to reduce their exposure to a systemic cyberattack.

The industry’s response is not surprising, given record-high ransomware claim frequency and severity. Industrywide loss ratios (claim costs divided by earned premiums) increased from 43 percent in 2016 to 65.4 percent in 2021, despite direct premiums that catapulted more than 92 percent from 2020 to 2021, according to the latest statistics from ratings agency S&P Global.

“From the CFO perspective, you now need to be thinking not only about your own company’s cyber risks, but the even more imposing downstream effects caused by a systemic attack simultaneously penetrating the networks of your suppliers, partners, customers and other business stakeholders,” said Botros. “If the attack is perpetrated by state-sponsored hackers, you may be uninsured for the loss in business income.”

The Net Widens

Several cyberattacks fit the definition of a systemic risk, including the SolarWinds data breach. Russia is alleged to have sponsored hackers to launch a so-called supply chain attack, a type of cyberattack focused on the weaker links in an organization’s supply chain. Approximately 18,000 customers of SolarWinds’s Orion software, from big technology companies like Microsoft and Cisco to big government agencies like the State Department and the Pentagon, downloaded the malware, subsequently dubbed Solorigate. The data of nine federal agencies and about 100 private sector companies was compromised, forcing the entities to take their systems offline and begin costly decontamination processes.

Another example of a systemic attack is predicated on the discovery of a heretofore unknown vulnerability in a widely used software product, known as a Zero-Day exploit. A case in point is Log4j, an open source logging utility that is embedded in hundreds of millions of computers. In November 2021, cybersecurity researchers in China detected a Zero-Day vulnerability in Log4j. The following month, Microsoft’s Defender Threat Intelligence unit stated that hackers had begun taking advantage of the vulnerability in planning to deploy ransomware. Customers were advised to scan their IT systems to detect the vulnerability and take remedial actions.

Apprised of the Zero-Day exploit, U.S. government cybersecurity officials took immediate action, issuing an emergency directive requiring all federal agencies to immediately patch the vulnerability. The Department of Homeland Security subsequently called Log4j “one of the most serious software vulnerabilities in history.”

Fortunately, the prompt response by government and industry contained the damage. In retrospect, had Chinese researchers not detected the software flaw, the malware could have infected millions of companies. This possibility is what keeps chief information security officers like Meg Anderson up at night.

“It’s an attack that doesn’t just impact us internally, since it can spread to shut down the suppliers and vendors we rely on for basic services like email and CRM (Customer Relationship Management) software,” said Anderson, vice president and CISO at Principal Financial Group, a publicly traded global financial management and insurance company, with $635 billion in assets under management. “It forces us to think about our resilience, what a lengthy outage can do to the business and how we can mitigate the impact.”

Insurance is Not a Panacea

Cyber insurance has been a key element in risk mitigation, giving companies the recourse to pass on the lion’s share of the costs of a network outage to an insurance carrier. This ability is now threatened. Over the past few months, major cyber insurers like Lloyd’s Market Association, Chubb and Beazley have reduced their exposure to losses produced by a systemic cyber incident that breaches the networks of tens of thousands of companies.

Beazley, for example, has crafted several “endorsements,” a separate amendment to its cyber insurance policy, including a revised war exclusion similar to the Lloyd’s exclusion for incidents caused by state-sponsored hackers. The endorsement effectively limits the availability of insurance protection in the event a cyberattack is deemed an act of war. The insurer also restricts insurance protection for an outage at a company’s cloud services provider that exceeds 72 hours.

Chubb has created a separate endorsement to absorb “widespread events” like an outage at a large cloud services provider that impacts “the operations of thousands or even millions of companies,” the endorsement states. To purchase the additional insurance protection, companies must pay an additional premium.

The actions by the insurers suggest the prospect of two separate cyber insurance markets in the future: One for more generic attacks against a company’s systems and network, and another for systemic cyberattacks. Insurance brokers said that the industry’s response is in line with the catastrophic potential for loss.

“A cascading cyber loss can affect a large portion of a single carrier’s book of business, due to the great number of insureds that may simultaneously suffer losses,” said John Farley, managing director, cyber practice, at the large insurance broker Gallagher. “Going forward, it’s possible that a company can be uninsured or underinsured for systemic risks, meaning the related financial losses will fall to the bottom line.”

Botros agreed. “When insurers insert exclusionary language in their policies, it means more of the financial costs of a loss-producing event must be borne by the policyholder,” he said.

Another factor in the industry’s response is skyrocketing demand for cyber insurance, fueled by the digital transformation of most every company’s business and operations. Some reports suggest that to address soaring demand, the supply of cyber insurance will need to grow 25 percent a year. The challenge is available reinsurance for cyber insurers to spread their risks. “The demand for reinsurance capital remains greater than available supply,” a report by insurance broker Marsh stated.

As a recourse, the U.S. Treasury Department has floated the possibility of creating a federal insurance backstop for systemic cyber risks similar to the government’s Terrorism Risk Insurance Program. TRIP calls for the private and public sectors to share potential losses arising from an act of terrorism on American soil. At present, the department is fielding responses to a request for information from the insurance industry.

An Effective Response

Against this backdrop, CFOs need to become more involved in their company’s cybersecurity and related risk management and insurance processes. “Cybersecurity has moved from an IT challenge to a business challenge, making it incumbent (that) the risk of a systemic cyberattack be near the top of the CFO’s agenda,” said Steve Gallucci, managing partner at Deloitte and leader of the audit and advisory firm’s global and U.S. CFO programs.

Many CFOs are already on top of the situation, following a contentious proposal by the Securities and Exchange Commission in 2022 requiring public companies to disclose their cybersecurity governance practices and expertise and report material cyber events within four business days. The SEC’s proposal is expected to be finalized next month.

In the meantime, CFOs need to ensure that the company’s information security team is collaborating with the risk management/insurance organization under the oversight of the finance department to model and quantify systemic cyber risks. Jarrod Sowell, legal counsel and chief reputation officer at Saatva, a privately held e-commerce company specializing in luxury mattresses, said that Saatva’s finance organization is a crucial ally in quantifying the risks of different types of cyber incidents. “By giving the risks a dollar value, we can contextualize the problem to strengthen our cybersecurity processes and insurance,” Sowell said.

This is not a task for the fainthearted, given the number of key business stakeholders that can be impacted by a systemic attack for significant periods of time. “If your finance & accounting cloud provider is down for one hour, that will have a different impact than if it is down for four weeks,” Botros explained.

Gallagher, Resilience and other insurance brokers and carriers have risk modeling tools that can assist with these needs, as do third-party cyber risk modeling firms like RMS, Reciprocity, Kovrr and Corax. Corax, for example, has an AI-enabled platform that models the cyber exposures of millions of interconnected companies worldwide. Other risk mitigation tactics include more extensive vetting of cloud providers’ security standards and frameworks (such as the ISO 27001 standard and the SOC 2 framework) and war gaming varied risk scenarios.

Daniel Soo, a principal in Cyber and Strategic Risk at Deloitte, said many clients are beginning to expand their war games to address systemic incidents. “They’ll simulate situations involving nefarious actors that attack a cloud provider and then play out what might happen, offering insights into how to react and recover,” said Soo. “It’s all about resilience. The thinking is that these attacks are inevitable and will proliferate.”

Anderson’s information security team conducts tabletop exercises that analyze different systemic threat scenarios, followed by modeling the respective business continuity risks. “For example, we’ll model the risk of a lengthy outage involving critical infrastructure like a large electric, gas or telecommunications utility in the geographic regions where we operate, as well as in places like India where we don’t have operations but use many resources,” she said. “We then engage in a very intentional discussion about the risk and what we’re willing to invest in mitigating it.”

Regarding risk mitigation, Sowell, a deputy judge advocate for the Army Reserve Cyber Protection Brigade (his previous work for the Army focused on cyber and signals intelligence), touted the value of endpoint detection and response, a cybersecurity technology that monitors endpoints for malicious cyber threats. Endpoints are physical devices like desktop computers, servers and mobile devices that connect to IT systems.  

“We’re using CrowdStrike Falcon Insight XDR, a cloud-based endpoint detection and response agent that we deploy on company equipment as it is issued to new users,” he said. “Our internal information technology team can then monitor and protect the geographically distributed endpoints that connect to our systems. It builds on the capabilities of antivirus software, including such critical features as intrusion detection, configurable firewalls and anti-malware software.”

Other interviewees also commended the use of XDR endpoint protection and response. “The solutions draw from AI and machine learning in looking for anomalous behaviors at different endpoints in the network, which are then quarantined to prevent spreading,” said Brian Diffin, chief technology officer in the tax & accounting division at publicly traded Wolters Kluwer, a global provider of software solutions and services. “Anti-virus software can’t catch Zero-Day exploits, but XDR can, marking a huge change in cybersecurity.”

Diffin further advised that companies pursue a so-called defense-in-depth approach, in which people, technology and operations are integrated to identify, monitor and respond to threat incidents.

Botros commented on the value of integrating information security and risk management/insurance in a separate department. “Given the potential financial cost of a systemic cyberattack, it no longer makes sense to have risk transfer sitting in the finance organization and cybersecurity residing under the CISO,” the CFO explained. “Having one functional department allows for more holistic assessments about the impact on the bottom line.

“You can never be 100 percent secure,” he added, “but you can always be more resilient—better prepared to prevent, respond and recover.”
