A ripple event is a single cybersecurity event that impacts a large number of downstream companies. In recent times, we have seen two significant ripple events involving SolarWinds and Microsoft Exchange Server vulnerabilities.
As these kinds of attacks become more frequent, companies need to not only be proactive and have proper safeguards in place, but also report claims right away.
The Ripple Events
Texas-based SolarWinds developed the Orion software system, used by approximately 33,000 customers to manage IT resources. In early 2020, Russian cyber terrorists successfully hacked into the Orion system, planting malicious code that was deployed to all SolarWinds customers in a software update.
The malicious code installed a backdoor to each of those customers’ operating systems, granting access to plant more malware and spy on customers and companies. Business Insider reported victims included “parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury.” Several large companies, including Microsoft, Cisco, Intel, and Deloitte, and some hospitals and universities fell victim to the hack.
In the Microsoft Exchange server attack, Chinese hackers targeted a vulnerability in the Exchange servers. Hackers were able to upload a “web shell” to thousands of servers, giving the hackers password-protected administrative access to any infected computer from any remote server. ZDNet reported on March 22, 2021, that thousands of daily attacks continue on companies that have yet to install the security patches.
Both the SolarWinds and Microsoft Exchange attacks originated from nation-state actors—in these cases, Russia and China—who have abundant resources, patience, and politically motivated interests in targeting companies that provide critical business services.
And success begets success; once attackers see the impact that one of these ripple events has, the likelihood increases that more attacks of a similar nature will happen. It also inspires other bad actors to try different avenues or approaches.
The Ripple Effect
It’s not an exaggeration to say these broad-scale attacks are happening more frequently, with two examples of far-reaching security breaches in recent times. In both these attacks, the full extent and cost are still being tallied for both the initial targets and their customers who were also infected.
Some costs, such as the labor involved to detect and repair the breach, can be calculated, while things like the cost of the reputational impact are more intangible and may not be known for several months or years.
I’ve talked before about the risk of these ripple events if you are that first drop of water causing the ripple, specifically how many professional service companies aggregate the cyber risk of all their clients.
What Should You Do If You Suspect a Ripple Event?
I’ve consulted with many clients impacted by these events about reporting them as claims to their cyber insurance carriers, despite no obvious financial impact from the events at the time. I do think it’s important to report the claims, and here are three reasons why.
Cover Investigation Costs
A cyber insurance policy will pay for any IT forensics investigation costs, such as the work that needs to be done to look for indicators of compromise after patching your system.
Protect Your Rights
Reporting the initial claim protects your rights under the policy if a future exploit or indicator of compromise is discovered that ties back to this vulnerability. You may not be feeling a financial impact now, but if the bad actors are using some currently unknown technique that causes you a financial loss down the line, by reporting the claim now, you’ll protect your rights to recover under the current policy period.
You can expect underwriters will be asking about these types of vulnerabilities as part of the renewal process. If you are going to be judged by it in the underwriting process, you may as well have the benefit of collecting the insurance recovery available to you in the future.
So far, we haven’t seen companies exposed to these vulnerabilities be punished for reporting them as claims, provided there hasn’t been a financial loss incurred yet. We often find the opposite to be the case.
By reporting the claim, new underwriters not currently on your program may be more willing to offer a quote, since they can do so with confidence that they’re not going to be insuring a building already on fire.