It could be one of the most important cyber attacks to date. Russian hackers have compromised a number of US government agencies and dozens of private companies via a contaminated update to SolarWinds network monitoring software.
According to media reports, the Pentagon and the Department of Homeland Security may have suffered significant breaches.
While the attacks will hurt on multiple levels, cyber remains ultimately insurable, experts and insiders say. Nevertheless, the risk remains a challenge to hedge. Risk management approaches are ripe for improvement and coverage needs to be constantly adjusted to meet emerging threats, the experts add.
“Cyber risk is certainly still insurable. To suggest otherwise is to say that ownership risks are not insurable after a bad hurricane season,” said Meredith Schnur, Marsh's US and Canadian Cyber Brokerage leader. “The cyber insurance market continues to evolve and expand to meet the evolving nature of risk.”
Schnur noted that cyber coverage was adapting to a host of changes from the mid-2000s, from new federal and state privacy laws to credit card exposure and PCI risk.
“The market has solved it. Underwriters learned how to underwrite and price that risk,” she said. “We now experience the same with the spread of ransomware. Underwriters use outside suppliers to help ensure the control environment of their policyholders, which in turn will lead to better risk selection. Just as we have done for the past 20 years, we will ride the waves and work with insurers to create a sustainable cyber insurance market.”
Can handle risks
Catherine Mulligan, Global Head of Cyber for Aon's Reinsurance Solutions business, added that in 20 years, standalone cyber insurance has grown into a $7.5 billion industry that can respond to a wide variety of claims in an advanced way.
"The insurance industry has a long-standing commitment to addressing emerging risks, (and) technology is an essential fabric of society and business, so the insurance industry must continue to invest in risk management and risk transmission of the cyber threat," Mulligan remarked.
Mulligan said risk management and cyber coverage can only be successful if both are designed in collaboration with multiple parties.
“As with any complex risk, the solutions require collaboration between the public and private sectors, smart technology tools to support underwriting and pricing risks, and in-depth threat and claims data to support stable, long-term capability,” she added.
Oliver Brew, head of customer services at the cyber risk analysis InsurTech CyberCube, noted that the Russia/SolarWinds breaches appeared to be more political than purely corporate-focused.
“Many thousands of companies around the world, of all sizes and industries, purchase cyber insurance,” said Brew. “The breaches uncovered this week affect some US federal government agencies and potentially many private companies as well. At this stage, the motive seems to be espionage rather than financial, and it is not clear whether data has been destroyed or exfiltrated.”
Brew said insurers will continue to have the ability to handle cyber attacks as well as any other disaster situation.
"Insurers are financially stable and are preparing for potential disaster scenarios where multiple companies are affected by a single vulnerability (in this case a software update containing malware) or technology failure," he said.
While the types of losses caused by this latest malware attack are not yet fully known, there are measures companies can take to minimize damage and reduce their exposure, according to Brew.
"This includes installing the SolarWinds Hotfix update, as well as working with a forensics team to identify any evidence of compromise," Brew said. "By closely monitoring systems, the impact of this event can be minimized."
Room for improvement
Current cyber insurance works well in several ways and can evolve quickly, according to Mulligan.
“Cyber insurance can and will respond to a variety of first- and third-party risks, and the (re)insurers that stand out are the ones that have invested in special attention to space,” she said. “The insurance industry has responded to 20 years of evolving cyber threats. The products have transformed, technology has been introduced to support individual risk assessment and aggregation management, and the insurance industry has continued to provide insights into risk management and support to policyholders of all sizes.”
Yet there is always room for improvement. Mulligan noted that the U.S. government's Cyberspace Solarium Commission, for example, advocates deeper analysis to improve datasets.
"This would support the work underway in the private sector," Mulligan said, adding that public and private institutions should continue to talk about ways to improve. She pointed out that Aon is recommending a government study on the potential size of a cyber-terrorism event to help the industry build capacity.
Ultimately, cyber attacks will not disappear and will continue to evolve rapidly in their approach and scope.
Mulligan acknowledged this, but said risks can still be minimized.
"While perfect prevention is unlikely, awareness and consistent cyber hygiene will support a company's ability to respond to threats," she said.