There are other types of systemic cyber risks aside from a major cloud outage.
There are other types of systemic cyber risks aside from a major cloud outage. Among them is a vulnerability in widely used software. In 2021, Chinese cyber-security researchers detected such a vulnerability in Log4j, an open-source logging utility residing within hundreds of millions of computer devices. U.S. government cyber-security officials subsequently issued an emergency directive requiring federal agencies to patch the vulnerability, calling Log4j “one of the most serious software vulnerabilities in history.”
In January 2022, Microsoft reported that attackers were taking advantage of the vulnerability to deploy ransomware. “Had the malware been exploited, it could have spread like COVID to cause catastrophic insured losses,” says Roman Itskovich, co-founder and chief risk officer at At-Bay.
Dan Frusciano, North America head of cyber underwriting at insurer Liberty Mutual, cited another type of systemic risk: “targeted malware that penetrates a SaaS [software as a service] provider’s network and expands out to multiple customers to cause a catastrophic loss. In some ways, given the many SaaS providers out there, this is more of a concern than a large cloud provider outage, as there are only a few of them.”
The SolarWinds software supply chain attack is emblematic of another type of systemic risk. Hackers used SolarWinds’ supply chain to infiltrate the networks of 20,000 companies and government agencies, including Microsoft, Cisco, Intel, the State Department and the Pentagon. The malware in the attack, known as Solorigate, is considered a game changer. As Chubb stated in a 2021 report, “Even as pervasive and costly as the Solorigate and Hafnium events were, they could have been much worse. It appears that the primary motive in each of these events was espionage, but if the intent had been to steal or destroy critical data or other information, the economic consequences could have easily multiplied.” The Hafnium incident was a series of attacks on Microsoft Exchange servers, allegedly by the Chinese state-sponsored threat group Hafnium, that is believed to have affected more than 21,000 organizations.
Solorigate appears to be a key factor in the decision by Chubb to develop a widespread event endorsement for systemic cyber incidents. Among the four widespread events covered in the endorsement is a “widespread software supply chain exploit.”
Storer’s colleague, Steve Pacheco, head of U.S. cyber and tech at Munich Re Specialty Insurance, says the threat of a systemic cyber event “keeps most cyber underwriters up at night. It’s the million dollar question.” He adds that a “systemic event doesn’t discriminate. Once it replicates, it can find its way across businesses in a broad spectrum of industry verticals.”
In response, major cyber insurers such as Chubb, Beazley, Crum & Forster and Lloyd’s have taken specific actions to reduce their exposure to systemic losses. For the most part, these actions involve coverage exclusions for war and state-backed cyber attacks, the inclusion of a sublimit confining losses from cyber cloud outages to a specified time period, and the development (by Chubb) of a cyber policy endorsement that defines widespread events and provides the customer clarity of coverage and transparency in pricing for systemic cyber events.
The actions are necessary to manage the unpredictability of systemic cyber risks and to maintain stable reinsurance capacity at a time of rapidly growing demand, driven in large part by the digital transformation of companies in all industry sectors.
