SolarWinds breach: Unraveling insurance, risk implications

Some insurance industry watchers have argued recently that the rise of cyber insurance coverage is giving way to more targeted and sophisticated cyberattacks.

The insurance and risk management sectors may soon see whether that theory cuts the muster as the full impact of 2020′s SolarWinds cybersecurity breach begin to come into view.

SolarWinds, a software company based in Texas, was not a well-known company until recently. But now the firm may become infamous for being the conduit for one of the largest cybersecurity breaches in history.

According to seasoned journalist Brian Krebs, who now posts his work at KrebsOnSecurity.com: ”(T)he still-unfolding breach at network management software firm SolarWinds may have resulted in malicious code being pushed to nearly 18,000 customers.”

Unfortunately, around 18,000 SolarWinds customers are just now starting to realize the impact that SolarWinds is going to have on their organization.

Monica Minkel, vice president and executive risk enterprise leader, PC at Holmes Murphy, recently shared some thoughts about the breach and what companies can do to protect themselves. Her insights follow.

What happened at SolarWinds?

While details are still coming out, we seem to know that hackers, appearing to be Russian-sponsored, injected malware into the software update process at SolarWinds. This service, known as Remote Monitoring and Management (RMM), manages the health and automation of your IT infrastructure. RMM allows for updates to push out to users (just like those software updates you get on your phone).

Think of the RMM as the security guard of IT. A security guard needs keys to access all the offices and the building, and he knows where high-value items are located. RMM has predefined access to accounts and devices, and this allows them to monitor and update on demand. In this case, this ability to execute script was the equivalent of the security guard being the ringleader of the thieves. The hackers caused malware to be downloaded onto customer machines under the auspices of being a regular software update. No one saw it coming because it was an “inside job.”

Unsuspecting users may have included 425 or more of the Fortune 500 and multiple governmental agencies including the CDC and NSA. Hackers were cautious not to overplay their hand and carefully used their access to infiltrate high-value targets and access unknown amounts of information.

According to KrebsOnSecurity, the public acknowledgment of the SolarWinds breach came five days after cybersecurity firm Fire Eye announced the theft of security tools from their own breach that appears to be related. Emails appear to have been compromised along with a wide range of additional information. The hackers were likely inside for months and had a lot of time to quietly rifle through data, looking for the most valuable nuggets.

The impact of this cyber breach will be far-reaching, and it will take time to have a good sense of precisely what was compromised.

This supply chain hack through SolarWinds had multiple points of failure including the RMM, and very patient hackers who were careful not to alert to their presence.

What can you do to protect your company from a cyber breach?

How are companies supposed to protect themselves in an environment such as this? With enough time and enough motivation by criminals, ANY company can be compromised. So, what steps can you take to protect your organization?

Note: This is NOT an all-inclusive list and will not prevent every attack, but it does help.

First off, have proper insurance coverage. Having a cyber financial safety net for your firm is just as important as having property and workers’ compensation coverage.

You need a cyber policy — and a good one. Get quality coverage with adequate limits. The SolarWinds case tells us there are many things you cannot control about your IT environment. Have financial protection in place when all else fails.

In addition to proper insurance coverage, what else can you do?

Protect access points. Secure potential attack vectors with multifactor authentication and appropriate encryption. Be diligent about access management and remove user accounts that are not current or authorized.

What should you ask your IT vendors?

Your IT vendors have access to everything. Inquire about their security protocols and culture of updating to the most current approaches. Vendor contracts may severely limit their liability so be careful what you agree to.

Make sure there is proper financial backing of your vendor and that their insurance is sufficient (SolarWinds was not, and they even mentioned this in their 10k). A company with no money and no insurance will be no help when something goes wrong.

Ask about their annual third-party IT audit. If they don’t have one, this should be a red flag.

It is necessary to limit your data?

Most documents, emails, and records don’t need to be kept forever. Create and enforce a proper document retention policy (including electronic documentation). You don’t need to protect what you don’t have.

Is there other planning in place you should have?

You need a crisis management plan or disaster recovery plan. It needs to be comprehensive, reviewed by those who will implement and update regularly. Testing of backups and management of assets should be part of your plan. Notification to your insurance broker and cyber insurance carrier should also be part of your response plan should something happen.

Can an annual IT audit help address issues?

An IT audit from a third party can help identify items that need to be addressed. You want to be proactive in handling little things and known issues before they become problematic. These annual audits can help uncover items your team may have become complacent about or lacks proper budget or resources to address. IT audits can help you create an action plan and prioritize your various to achieve a more secure environment.

What other tips would you offer to protect against cyber breaches?

A few final recommendations:

Your commitment to security must go beyond your IT group. Executive leadership needs to be committed and promote messaging and a culture, from the top down, to protecting customer data, company data, employee data, and more.

Communication with your IT vendors should be a dialogue and a conversation, not a presentation. Know, understand, ask, and engage. Regular strategy discussions are important if your vendors are to understand the exposures of your organization. There needs to be political support internally (from leadership) for the policies, procedures, and security protocols that some would choose to ignore or circumvent.

Remember, cyberattacks and security issues represent significant threats to the long-term health of the company. When it comes to cyber risk, an ounce of prevention, is worth more than a pound of cure.

Related:

• Explosive cybercriminal activity in 2020 will persist in 2021
• 2020′s top 10 egregious password blunders
• Cyber insurance trends to look for in 2021
• Managing increasing interconnectivity’s impact on businesses