It could go down as one of the most significant cyber attacks yet. Russian hackers breached a number of U.S. government agencies and dozens of private businesses through a tainted update downloaded for network-monitoring software made by SolarWinds.
Potentially significant breaches hit the Pentagon and the Department of Homeland Security, according to media reports.
While the attacks will hurt on multiple levels, cyber ultimately remains insurable, experts and insiders say. Still, the risk remains a challenge to cover. Risk management approaches are ripe for improvement and coverage must be adapted continually to accommodate emerging threats, the experts add.
"Cyber risk is definitely still insurable. To suggest otherwise is analogous to saying property risks are not insurable after a bad hurricane season," said Meredith Schnur, Marsh's U.S. & Canada Cyber Brokerage leader. "The cyber insurance market continues to evolve and expand to meet the changing nature of the risk."
Schnur noted that cyber coverage adapted to numerous changes from the mid-2000s onward, from new federal and state privacy laws to credit card exposure and PCI risk.
"The market worked it out. Underwriters learned how to underwrite and price for that risk," she said. "We are experiencing the same thing now with the proliferation of ransomware. Underwriters are using third-party vendors to assist in underwriting their insureds' control environment, which in turn will lead to better risk selection. Just like we have done for the past 20 years, we will ride the waves and work with the underwriters to create a sustainable market for cyber insurance."
Can Handle Risks
Catherine Mulligan, global head of Cyber for Aon's Reinsurance Solutions business, added that in 20 years, standalone cyber insurance has matured into a $7.5 billion sector that can respond to a variety of claims.
"The insurance industry has a longstanding commitment to addressing emerging risks, [and] technology is an essential fabric of society and business, so the insurance industry should continue to invest in risk management and risk transfer of the cyber peril," Mulligan said.
Mulligan said risk management and cyber coverage are successful only if both are designed with cooperation from multiple parties.
As with any complex risk, the solutions will require cooperation among the public and private sectors, technological tools to support underwriting and pricing risks, and data on threats and claims to support stable, long-term capacity, she added.
Oliver Brew, head of client services at cyber risk analytics InsurTech CyberCube, observed that the Russia/SolarWinds breaches appeared to be more political than aimed at businesses.
"Many thousands of companies around the world of all sizes and industries buy cyber insurance," Brew said. "The breaches highlighted...impact some U.S. federal governmental entities as well as potentially many private companies. At this stage, the motive appears to be espionage rather than financial, and it is not clear if any data has been destroyed or exfiltrated."
Brew said insurers continue to have the ability to address cyber attacks as well as any other disaster situation.
"Insurers are financially stable and prepare for potential disaster scenarios where multiple companies are impacted by a single vulnerability (in this case a software update that contained malware) or failure of technology," he said.
While the types of losses triggered by this latest malware attack aren't yet fully known, Brew said there are steps that can be taken to minimize damage and reduce exposure.
"This includes installing the Hotfix update released by SolarWinds, as well as work with a forensic team to identify any indicators of compromise," Brew said. "By vigilant monitoring of systems, the impact of this event can be minimized."
Room for Improvement
Cyber insurance currently functions well in a variety of ways and has the ability to evolve quickly, according to Mulligan.
"Cyber insurance can and does respond to a variety of first- and third-party exposures, and the (re)insurers that stand out are those who have invested in specialty attention to the space," she said. "The insurance industry has responded to 20 years of evolving cyber threats. The products have transformed, technology has been introduced to support individual risk assessment and aggregation management, and the insurance industry has continued to provide risk management insights and support to insureds of all sizes."
Still, there is always room for improvement. Mulligan noted the U.S. government's Cyberspace Solarium Commission, for example, is calling for deeper analysis to improve datasets.
"This would buttress work that is ongoing in the private sector," Mulligan said, adding that public and private institutes should continue conversing about ways to improve. She said Aon is recommending a government study about the potential scope of a cyber terrorism event in order to support the industry in building capacity. In the end, cyber attacks won't go away, and they continue to evolve quickly in their approach and scope. Mulligan acknowledged this, but said risks can still be minimized.
"While perfect prevention is unlikely, awareness and consistent cyber hygiene will support a company's ability to respond to threats," she said.