Client Alert

On December 14th, 2020, top U.S. government officials revealed a far-reaching hacking campaign that has been attributed to outside nation-state actors, potentially from Russia. Targets include the U.S. departments of Defense, Homeland Security, State, Treasury, Energy and Commerce. The cyberattack extended to the private sector and may impact several thousand organizations.

What we know about the cyberattack

Initial investigation indicates that the cyberattack was executed by exploiting a vulnerability in a software product provided by IT infrastructure company SolarWinds. Threat actors were able to embed malicious code into SolarWinds’ Orion software, which allowed the code to enter the networks of its users during routine updates of the software.

On December 17th, the Cybersecurity & Infrastructure Security Agency (“CISA”) issued an alert, “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.”

Key takeaways of the CISA alert 

  • This was an advanced, persistent threat that may have compromised networks of U.S. government agencies, critical infrastructure entities and private sector organizations as far back as March 20, 2020. 
  • The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
  • Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
  • Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.

Potential impacts to victim organizations

While it is unknown exactly how many organizations fell victim to the cyberattack, it appears that the scope of the attack is widening. It has been reported that up to 18,000 SolarWinds Orion customers downloaded updates containing the vulnerability that allowed hackers access to victim networks. In addition, Microsoft has indicated that over 40 of its global customers were targeted in the cyberattack, with a client base that spanned the U.S., Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.*

As of this writing it remains unclear whether or not hackers actually breached any of these networks. CISA has advised that due to the advanced nature of the cyberattack, hackers may have taken steps to erase digital evidence of an intrusion, posing challenges for IT forensic investigators.

Leveraging cyber insurance

Cyber insurance may provide assistance to organizations that believe they were victimized by the cyberattack. Many stand-alone cyber insurance policies provide access to crisis services, including breach coaches, IT forensics investigators, and several other breach response experts. Those with cyber insurance should be mindful of claim and/or incident reporting obligations, requirements to utilize pre-approved insurance panel vendors and issues that may impact evidence preservation and attorney-client privilege. 

Moving forward, insureds should expect greater underwriting scrutiny that extends the focus beyond their own data security controls. Insurance applications and renewal activity will likely involve a wider underwriting lens to include more questions pertaining to the network security of key vendors. We therefore suggest implementing a robust vendor management program aimed at managing cyber risk at the vendor level. 

Source
Smith, Brad. Microsoft. “A moment of reckoning: The need for a strong and global cybersecurity response.” Dec. 17, 2020.
Disclaimer
Gallagher provides insurance, risk management and consultation services for our clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general informational purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.
Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.
Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).