Insights

Ripple Events: Should You Report a Claim?

March 26, 2021

Cyber Liability

Ripple events are a single cybersecurity event that impacts a large number of downstream companies. In recent times, we have seen two significant ripple events involving SolarWinds and Microsoft Exchange Server vulnerabilities.

blue lock vector cyber

As these kind of attacks become more frequent, companies need to not only be proactive and have proper safeguards in place, but also report claims right away.

The Ripple Events

Texas-based SolarWinds developed the Orion software system, used by approximately 33,000 customers to manage IT resources. In early 2020, Russian cyber terrorists successfully hacked into the Orion system, planting a malicious code that was deployed to all SolarWinds customers in a software update.

The malicious code installed a backdoor to each of those customers’ operating systems, granting access to plant more malware and spy on customers and companies. Business Insider reported victims included “parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury.” Several large companies, including Microsoft, Cisco, Intel, and Deloitte, and some hospitals and universities fell victim to the hack.

In the Microsoft Exchange server attack, Chinese hackers targeted a vulnerability in the Exchange servers. Hackers were able to upload a “web shell” to thousands of servers, giving the hackers password-protected administrative access to any infected computer from any remote server. ZDNet reported on March 22, 2021, that thousands of daily attacks continue on companies that have yet to install the security patches.

Both the SolarWinds and Microsoft Exchange attacks originated from nation-state actors—in these cases, Russia and China—who have abundant resources, patience, and politically motivated interests in targeting companies that provide critical business services.

And, success begets success; once attackers see the impact that one of these ripple events has, it increases the likelihood that more attacks of similar nature will happen. It also inspires other bad actors to try different avenues or approaches.

The Ripple Effect

It’s not an exaggeration to say these broad-scale attacks are happening more frequently, with two examples of far-reaching security breaches in recent times. In both these attacks, the full extent and cost is still being tallied for both the initial targets and their customers who were also infected.

Some costs, such as the labor involved to detect and repair the breach can be calculated, while things like the cost of the reputational impact is more intangible and may not be known for several months or years.

I’ve talked before about the risk of these ripple events if you are that first drop of water causing the ripple–-specifically, how many professional service companies aggregate the cyber risk of all their clients.

What Should You Do If You Suspect a Ripple Event?

I’ve consulted with many clients impacted by these events about reporting them as claims to their cyber insurance carriers, despite no obvious financial impact from the events at the time. I do think it’s important to report the claims, and here are three reasons why.

Cover Investigation Costs

A cyber insurance policy will pay for any IT forensics investigation costs, such as the work that needs to be done to look for indicators of compromise after patching your system.

Protect Your Rights

Reporting the initial claim protects your rights under the policy if a future exploit or indicator of compromise is discovered that ties back to this vulnerability. You may not be feeling a financial impact now, but if the bad actors are using some currently unknown technique that causes you a financial loss down the line, by reporting the claim now, you’ll protect your rights to recover under the current policy period.

Get Recovery

You can expect underwriters will be asking about these types of vulnerabilities as part of the renewal process. If you are going to be judged by it in the underwriting process, you may as well have the benefit of collecting the insurance recovery available to you in the future.

Final Thoughts

So far, we haven’t seen companies exposed to these vulnerabilities be punished for reporting them as claims, provided there hasn’t been a financial loss incurred yet. We often find the opposite to be the case.

By reporting the claim, new underwriters not currently on your program may be more willing to offer a quote, since they can do so with confidence that they’re not going to be insuring a building already on fire.

For more insights like this, check out the Cyber Notebook or get more Cyber Dan insights by subscribing to our YouTube channel.

Cyber Dan Insights: Ripple Events and Cyber Attacks

ON-DEMAND WEBINARS

Property-Casualty 101: Cyber Liability

This is the fifth in an 8-part webinar series on a wide variety of P&C issues including property, general liability, auto liability, workers’ compensation, captives and risk financing, cyber liability, international and environmental liability.

WATCH NOW »

Related Blog Posts

Was this post helpful?

See all articles by Dan Burke

All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Dan Burke

Senior Vice President, National Cyber Practice Leader

Editor, Cyber Liability

As National Cyber Practice Leader, Dan drives the strategy to grow our cyber business, such as developing tools to help clients and prospects understand and quantify their cyber exposures, as well as thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal.

415.402.6514

LinkedIn

Dan Burke

Senior Vice President, National Cyber Practice Leader

Editor, Cyber Liability

As National Cyber Practice Leader, Dan drives the strategy to grow our cyber business, such as developing tools to help clients and prospects understand and quantify their cyber exposures, as well as thought leadership. He frequently speaks at industry conferences and has been quoted in various trade magazines and newsletters, including The Wall Street Journal.

415.402.6514

LinkedIn