SolarWinds Hack Could Cost Cyber Insurance Firms $90 Million

‘Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,’ says BitSight’s Samit Shah.

Cyber insurance vendors are expected to spend $90 million on incident response and forensic services for clients who were compromised by the SolarWinds hackers.

“Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,” said Samit Shah, director of insurance programs and partnerships for Boston-based cyber risk vendor BitSight.

The Russian hackers behind the SolarWinds attack appear to have avoided large scale exploitation of victims, instead opting to maintain access and collect sensitive data, a joint analysis released Tuesday by BitSight and cyber risk modeling vendor Kovrr found. But if the SolarWinds hackers had been focused on interrupting business and destroying networks, the campaign could have been catastrophic for insurers.

[Related: SolarWinds To Pay Ex-CEO $312K To Assist With Investigations]

Additionally, many of the organizations affected by the SolarWinds hack are U.S. government departments. Federal agencies typically don’t buy insurance for most risks, including cyber, according to Shah. Therefore, even if the number of victims of the SolarWinds hack grows in the coming months, BitSight and Kovrr do not expect the direct insured costs to change significantly.

“While the SolarWinds breach is proving to be a devastating cyber attack from a national security perspective, the attack did not evolve into a cyber catastrophe for the insurance market,” Shah said.

BitSight and Kovrr define a cyber catastrophe for insurance as an event resulting in economic loss of greater than $200 million. Cyber catastrophes often start with a disruption to either a service provider or a technology, and then unfold by replicating this disruption wherever possible, according to Shah.

In order to come up with an estimate of insured costs for the SolarWinds attack, BitSight and Kovrr said they investigated the impact of the attack, the profile of the victim organizations, and the necessary steps for mitigation and remediation. In terms of victim profile, Shah said they focused on the scale of the business, the number of sensitive records held, and the technological dependence of the business.

BitSight and Kovrr are using Microsoft’s Dec. 17 finding that 40 of its customers were compromised through SolarWinds Orion as the floor for the number of organizations impacted. But a Jan. 2 New York Times report said it now appears that 250 federal agencies and businesses were actually affected.

Roughly 80 percent of Microsoft’s compromised customers are in the United States, with the remainder based out of Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates, President Brad Smith wrote in a Dec. 17 blog. BitSight found that two-thirds of Orion customers are headquartered in the United States, with 5 percent based in the U.K. and 4 percent based in Canada.

A decisive plurality – 44 percent – of the Microsoft customers compromised through SolarWinds are in the IT sector, while 18 percent are government agencies and another 18 percent are think tanks or NGOs. BitSight said it found that 27 percent of SolarWinds Orion clients are technology firms, 9 percent are in government or politics, 8 percent are in healthcare or wellness, and 8 percent are in education.

“While there are still some missing data pieces, we know that the initial phase of the attack has ended and we can begin to consider the factors that allow us to model the financial impact of the attack,” Shah said.

Going forward, BitSight and Kovrr said insurers will likely be concerned that supply chain incidents resembling SolarWinds could have a widespread impact on their client base. As a result, Shah said the insurance market might need to adjust how supply chain risk is underwritten in the future.