The SolarWinds breach is already one of the most significant cybersecurity incidents ever. And as with any unprecedented cyber event, this will have long-term effects on the way businesses and government consider their security programs. While many questions remain unanswered, the SolarWinds impact on the insurance sector has become clearer after an analysis we’ve completed with one of our partners. So, what should we expect the financial impact of SolarWinds on cyber insurers? And how can cyber insurers quantify a breach of this scale in the future?
Today, BitSight and Kovrr announced our new partnership and released a joint analysis of the financial impact of the SolarWinds hack to the insurance industry. We find that although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses. We estimate the insured losses to be $90,000,000, which includes incident response and forensic services for companies who were impacted by this incident and have cyber insurance coverage.
Quantifying the financial cost associated with the SolarWinds attack
Together, BitSight and Kovrr are able to produce the cost associated with the breach by breaking down the different elements into cost components. Based on the specific organization location, industry, and size, we are able to determine the cost of forensics, incident response, regulatory fines, addressing the incidents, and using public relations services to communicate information about the attack. This information is mostly derived from claims and other data sources of prior incidents.
We estimate the insured losses from the SolarWinds attack to be $90,000,000, which includes incident response and forensic services for companies who were impacted by this incident and have cyber insurance coverage.
While the number of SolarWinds victims from the attack may grow in the following months, we do not expect the direct insured costs to change significantly. We note that many of the organizations affected by this incident include Federal government agencies, who typically do not buy insurance for most risks, including cyber.
The BitSight-Kovrr analysis of SolarWinds
In order to come up with an estimation of insured costs associated with the SolarWinds attack, BitSight-Kovrr looked into multiple elements:
- What was the impact of the attack? (Sensitive data collected or stolen? Critical networks blocked? Business interruption? Etc.)
- Who was attacked? What does the business do? What is the scale of the business? How many sensitive records do they hold? How technologically dependent is the business?
- What are the necessary steps for the company to take in order to mitigate the attack and ensure it won’t reoccur?
In the specific case of SolarWinds, we now know the profile of the businesses being attacked and the number of businesses that were actively compromised by the threat actor. According to Microsoft:
- Although 18,000 companies may have been affected by the backdoor exploit of the Orion application, only approximately 40 companies were targeted by the nation state group and compromised. This should be considered the floor of companies compromised.
- 80% of the identified victims are located in the United States and the rest of 20% is spread over seven other countries including Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the UAE.
- The initial list of organizations hacked in this ongoing espionage campaign includes organizations from a wide range of industries, with 44% of them being information technology firms and 18% government agencies.
- BitSight’s analysis of the impacted organizations generally confirms these statistics.
While there are still some missing data pieces, we know that the initial phase of this attack has ended and we can begin to consider the factors that allow us to model the financial impact of the attack and come up with an accurate estimate of the insured costs associated with it.
It could have been much worse…
While the SolarWinds hack is proving to be a devastating cyber attack from a national security perspective, the attack did not evolve into a cyber catastrophe for the insurance market. Why?
We define a cyber catastrophe for insurance in the following manner:
- An infrequent cyber event that causes severe loss, injury, or property damage to a large population of cyber exposures.
- A cyber event that starts with a disruption in either a service provider or a technology, and unfolds by replicating this disruption wherever possible.
- An event resulting in an economic loss greater than $200 million.
In the SolarWinds attack, while a specific technology was targeted that has a significant customer, it appears the threat actor has avoided large scale exploitation of organizations. The threat actor mainly focused on maintaining access and collecting sensitive data. If, for example, the threat actor chose to disrupt the networks and use Solarwinds alongside other vectors to gain network access to cause business interruption or even destruction of networks, the impact of the event could have led to a catastrophe.
Insurers will likely be concerned that future supply chain incidents resembling SolarWinds may have widespread impact on their insured base. More robust modeling, working with insureds to help them better understand their third and fourth party risk, and adjustments to the way supply chain risk is underwritten may all be required for the insurance market moving forward.
About the BitSight-Kovrr partnership
BitSight and Kovrr are partnering to deliver the most comprehensive data-driven cyber risk financial quantification solution for the insurance market. Together, BitSight and Kovrr provide cyber insurers the tools required to more accurately and confidently make decisions about key areas of the cyber insurance business including underwriting, modeling, and portfolio management. For information about the BitSight-Kovrr Financial Quantification for Insurance Cyber Risk solution please visit https://www.bitsight.com/security-ratings-cyber-insurance.
