
What cyber risk should most concern you? Your supply chain risk

By Benjamin Di Marco and Anthony Kumar | May 4, 2021

Cyber losses caused by third party platforms and managed service providers are a hot button issue across cyber risk management and insurance.

A recent Microsoft Exchange vulnerability garnered widespread media attention and showcased a growing problem in the cyber risk space: the extent to which malicious compromises originate in the third-party software and information technology (IT) service providers that organisations rely on.

Organisations that are looking to manage their risk profile and navigate the cyber insurance process (whether at renewal or on a new business quotation) are facing an increased level of scrutiny and questioning.

In recent months there have been many insurance notifications caused by supply chain cyber vulnerabilities. While the magnitude of these events, and the losses that may ensue as a result, are still unclear, what is certain is that they make underwriters, and anyone else concerned with cyber exposures, increasingly nervous.

Examples of recent supply chain cyber compromises

SolarWinds

SolarWinds is a large vendor of IT management software, selling to both the private and public sectors on a global scale. Relevant here is its Orion platform, which lets organisations centrally monitor their network devices and servers and, through its configuration management modules, push configuration changes out to those devices. That central, privileged position in the network is what made Orion such a valuable target.

In December 2020, SolarWinds disclosed that its Orion build process had been compromised and that an alleged state actor had inserted a backdoor (later named SUNBURST) into legitimately signed Orion updates. Any organisation that installed a trojanised update ran the backdoor on its Orion server. The code lay dormant for up to roughly two weeks before beaconing to attacker-controlled infrastructure, after which the attackers selected a subset of victims for hands-on intrusion and data theft. Around 18,000 customers downloaded the affected updates, although far fewer were actively exploited. To date, however, the losses attributed to the incident have been modest and the Australian government has maintained its stance that no Australian organisations have been affected.

Microsoft Exchange

In early March 2021, Microsoft released out-of-band patches and a statement confirming that on-premises Exchange Server was being actively exploited through several previously unknown (zero-day) vulnerabilities. In Australia it was estimated that thousands of businesses and government agencies were potentially impacted, including the Western Australian parliament, which confirmed that its email servers were affected by the compromise but concluded that no sensitive data was stolen in the attack.

On March 11, the Australian Cyber Security Centre published a technical advisory warning the public to immediately patch any Exchange servers that had been running before the compromise became known. It is believed that over 7,000 Exchange servers were exposed to the attack.

In April 2021 Microsoft released another patch to address further Exchange vulnerabilities, that were identified by the US National Security Agency. It is currently unclear whether these vulnerabilities were also maliciously exploited.

Accellion

Accellion provides secure file transfer solutions for enterprises. In December 2020 and January 2021, Accellion released a series of patches to address vulnerabilities in its File Transfer Appliance (FTA) software.

A statement by the company in February indicated that four zero-day vulnerabilities had been exploited by attackers. This was confirmed in a subsequent investigation report released by global cyber consulting firm Mandiant in March 2021, which also identified that the attackers had installed a custom web shell on compromised appliances to exfiltrate the data they held. Significant local organisations were impacted by the compromise, including the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, major consulting firms, infrastructure providers and professional services firms.

This event was highly preventable: Accellion had repeatedly emphasised that FTA was a legacy product approaching end of life and had encouraged organisations to migrate to its newer solution. Legacy software creates even greater supply chain cyber risk because a product that is no longer actively maintained receives security fixes slowly or not at all, so each newly discovered flaw remains exploitable for longer, and such products often predate modern secure development practices. The success that cyber criminals have had with legacy third-party software means these types of attacks will only become more common.

Risk and Insurance reaction and recommended strategy

Insurers globally have received large numbers of notifications from recent supply chain cyber events, causing them to reconsider how they approach underwriting cyber risks to account for this exposure. It appears their main concern is the potential for these events to create catastrophic aggregate losses.

While the data available to date from these cyber events suggests the losses have been modest, insurers remain concerned that their notifications could quickly turn into large losses from the supply chain compromises detailed above. Clients may have failed to patch promptly, and even a patched system is not necessarily clean: patching closes the vulnerability but does not remove web shells, added accounts or stolen credentials that an attacker planted before the patch was applied. Many organisations therefore face ongoing risk of data compromise and exfiltration unless they have also investigated for signs of earlier compromise.

Insurers are also asking specific questions about the extent to which organisations have deployed and remediated Orion or Microsoft Exchange solutions used in their business. Should a client fail to satisfactorily answer insurers’ questions, exclusions or limitations on claims after the renewal/inception date may be imposed. This would impact the overall coverage a client has for issues that consequently arise.

These events have occurred against a backdrop of many insurers trying to remediate their cyber liability books more generally due to the sustained losses from large scale data exfiltration and ransomware events. This is also driving contracting of capacity, increases in retentions, and intense scrutiny of an organisation’s network security practices and their incident response capabilities.

What you can do

Supply chain cyber risks will pose a significant threat to organisations, and these exposures must be carefully managed to protect ongoing business needs, operational objectives and an organisation’s stakeholders. Now more than ever it is critical that organisations partner with risk advisory firms who hold a deep understanding of cyber exposures and have the ability to support an organisation in developing their understanding of risk tolerances, mitigation strategies and the insurance solutions that will address their support needs.

Willis Towers Watson is uniquely placed to help our clients navigate these challenges and has unrivalled domestic and international expertise. Our team is ready to assist you, and early engagement with us will help your organisation enhance its cyber resilience and maximise the benefit of critical risk and insurance investments.

Authors

Cyber and Technology Risk Specialist – FINEX Australasia

Senior Associate | Cyber & Technology, FINEX Australasia

Anthony is a Senior Associate in our Cyber and Technology Risk Practice based in Melbourne. He manages large and complex cyber risks along with financial and executive risk placements for clients.
