Insured Losses from SolarWinds Hack Mount, But Could Be Worse

The cost of breaches keeps going up at a rate faster than revenue growth for many companies.

Edward Gately, Senior News Editor

January 20, 2021


The insured losses due to the massive SolarWinds hack now total $90 million and climbing.

That’s according to BitSight and Kovrr’s joint analysis of the financial impact of the SolarWinds breach to the insurance industry.

The SolarWinds attack is a cyber catastrophe from a national security perspective, the companies said. However, insurers may have narrowly avoided a catastrophic financial incident to their businesses. That’s because the insured losses haven’t spiraled out of control.

The insured losses include incident response and forensic services for companies impacted by this incident and that have cyber insurance coverage.

While the number of SolarWinds victims may grow in the following months, BitSight and Kovrr don’t expect the direct insured costs to change significantly.

To find out more about the insured losses from the attack, we spoke with Samit Shah, BitSight’s director of insurance programs and partnerships.

Channel Futures: Could the insured losses from the SolarWinds hack have been higher? Why are we not likely to see that $90 million figure increase much?


Samit Shah: The $90 million figure could have been higher. However, some of the mitigating factors keeping it [from being] catastrophic were who it mainly affected and the impact/damage. While thousands of companies used the software across a wide variety of industries and geographies, it seemed, based on analysis on who was affected, that the focus was mainly federal government and several larger companies. The damage seemed to be more around espionage, and less around exposing personal records or causing business interruption. In the case of federal governments, they buy little to no coverage. And for larger organizations, while they [often] buy cyber insurance coverage, they tend to have high retention/deductibles.

The patch to the vulnerability was released quite quickly and publicly such that all affected organizations had a chance to quickly respond and limit the damage. [Hackers may] have laid other traps to gain access in the future. But the increased vigilance decreases the virality of the issue.

CF: What have we learned from the SolarWinds hack in terms of its impact on organizations and insured losses?

SS: The SolarWinds incident highlights the basic problem that organizations including federal entities such as the U.S. government face — reliance on a vast third-party supply chain, with limited visibility into the security posture of critical providers. Like many industries, a cyber hack has detrimental consequences. For the government, it’s not necessarily cyber insurance cost; instead, it’s the potential loss of intelligence and new costs with firewalling current networks, or, as some have suggested, rebuilding from square one.

CF: How could this hack have been much worse for the insurance market?

SS: [If the] threat actors were focused on exfiltrating data for the purposes of selling them or causing business interruption, then the situation could have been worse. They went in, found what they needed, took it, and went out trying to escape unnoticed so they could re-enter again in the future. Drawing attention doesn’t seem to have been their [modus operandi].

CF: Is the ongoing threat landscape worrisome for the cyber insurance market? If so, how?

SS: Insurers will likely be concerned that future supply chain incidents resembling SolarWinds may have widespread impact on their insured base.

CF: Is the SolarWinds hack likely prompting more organizations to obtain cyber insurance?

SS: This event, like all preceding well-known cyber events, should motivate organizations to take a harder look at their enterprise cybersecurity posture holistically, including vendor-driven exposure. Whether it is the board, senior management or the security team, cyber risk is very much an enterprise risk that needs to be managed through investment in security, balanced with risk transfer to insurance. The cost of breaches keeps going up at a rate faster than revenue growth for many companies. So I’m hopeful they will look to cyber insurance to transfer more of the exposure they cannot effectively manage down.

Hackers Bypassed MFA to Access Cloud Service Accounts

The Cybersecurity and Infrastructure Security Agency (CISA) says it’s aware of several recent successful cyberattacks against various organizations’ cloud services.

Threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victim’s cloud services configuration.

These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices. That allowed threat actors to conduct successful attacks.

Tim Wade is technical director of the CTO team at Vectra. He said managing IT hygiene and improving phishing awareness are important.


“But it’s critically important to acknowledge that perfection in both these cases is a fool’s errand,” he said. “And so CISA’s recommendation for a robust detection and response capability is spot on. Whether against known IT hygiene-related weaknesses, or unknown weaknesses, an organization’s ability to quickly zero in on an active risk and then take appropriate action to reduce the impact is the difference between a successful security operations team and an organization finding its name in a headline story on cyberattacks.”

A key takeaway of the last quarter must be “prevention will fail,” Wade said. And overreliance on prevention is a loser’s strategy. Organizations must successfully identify and disrupt attacks in real time; otherwise, the industry will continue to see successfully executed attacks.

Brendan O’Connor is CEO and co-founder at AppOmni.


“Phishing users for their passwords has been a problem for decades,” he said.

Two-step authentication is the best way to address this problem, O’Connor said. Attackers finding unintentionally exposed data is even more dangerous.

“You don’t need to steal a user’s password if a misconfiguration or exposed API grants the entire internet access to your sensitive data,” O’Connor said.

Cyber Insurance and Ransomware

Cyber insurance is a smart buy to provide coverage in the event of malware or data theft. But it doesn’t always cover ransomware.

That’s according to Jon Toor, Cloudian’s CMO. Ransomware attacks accounted for 41% of cyber insurance claims filed during the first half of 2020. Insurers want to make sure their clients are doing everything possible to prevent attacks to avoid expensive payouts.

In addition, many will charge higher premiums or even refuse to cover organizations that don’t have a strong strategy in place for protecting against ransomware.


“Cyber insurance can offset – partially or completely – the cost of ransomware payments, recovery costs and lost revenue,” Toor said. “However, it depends on the details of the policy’s coverage. In fact, ransomware attacks aren’t always covered, as a local government in Georgia discovered when its insurance carrier refused to reimburse the county for a $400,000 ransom payment.”

Even organizations that have strong cyber insurance should take steps to protect against ransomware attacks, he said. This includes having an immutable copy of their backup data.

“This data immutability protects the data from encryption by hackers, thus preserving a clean copy for fast data restore in the event of an attack,” Toor said. “This can eliminate the need to pay ransom and minimizes the disruption to business or operations.”

Organizations considering cyber insurance should look for these details:

  • Is a discount available if specific data storage requirements are met? Modern data protection costs little, but can save big on insurance premiums.

  • What are the coverage limitations? Specifically, will the policy cover ransom payments or other remediation costs even if the client is partially at fault? Hackers frequently trick victims into revealing information. Will this type of security lapse impact coverage?

  • Check that you are covered for the costs of a data breach, particularly if you have sensitive information such as financial or health care records. This coverage is often separate from cyber insurance.

  • What if a hacker attacks a key vendor or partner? Will that impact your business? If so, you may want to consider contingent business interruption coverage to cover such losses.

Insurance providers must fully inform organizations about their cyber insurance contract, Toor said.

“Organizations should also understand if/how reimbursement of ransomware payments and other associated costs are covered, as well as what defenses are required to get reimbursed,” he said.

Help with Recruiting Cybersecurity, IT Networking Pros

Cyber Institute for Battle Readiness (CIBR) Warriors has launched to help businesses find specialized cybersecurity and IT networking professionals.

The company works directly with businesses of all sizes and industries to assess their cybersecurity profile and services. It then recruits candidates for their security and connectivity needs.

An estimated 3.5 million cybersecurity jobs are expected to go unfilled this year, according to Cybersecurity Ventures. Therefore, CIBR Warriors is helping to fill this gap.

Scott Garfield is CIBR Warriors’ executive vice president.


“The shortage of talent is hindering a company’s ability to assess their security platforms for vulnerabilities and risks,” he said. “Many companies today lack the knowledge or infrastructure to conduct a thorough audit of the platforms and processes to make sure that they are cyber ready to safeguard their data and their clients’ data.”

CIBR Warriors has tens of thousands of candidates in its database and that number is growing daily, Garfield said.

“CIBR Warriors is in the recruiting business,” he said. “Every day our team of talent managers are connecting and building relationships with both active and passive candidates. In addition, our sister company, MyComputerCareer, has thousands of current and former students, many of whom have experience as well as the certifications that are in high demand.”

Since the onset of COVID-19, the FBI announced a 300% increase in reported cybercrimes. That stressed the need for cybersecurity professionals in nearly every business and industry, Garfield said.

“To say that a lot of companies need help is an understatement,” he said. “With our vast network of highly skilled talent and our 100-plus years of combined experience, CIBR Warriors is uniquely positioned to assist companies with all of their cybersecurity initiatives. Whether it is training, conducting audits or assisting with staff augmentation, CIBR Warriors is here to help.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
