Insured Losses from SolarWinds Hack Mount, But Could Be Worse

The insured losses due to the massive SolarWinds hack now total $90 million and climbing.

That’s according to BitSight and Kovrr’s joint analysis of the financial impact of the SolarWinds breach to the insurance industry.

The SolarWinds attack is a cyber catastrophe from a national security perspective, the companies said. However, insurers may have narrowly avoided a catastrophic financial incident to their businesses. That’s because the insured losses haven’t spiraled out of control.

The insured losses include incident response and forensic services for companies impacted by this incident and that have cyber insurance coverage.

While the number of SolarWinds victims may grow in the following months, BitSight and Kovrr don’t expect the direct insured costs to change significantly.

To find out more about the insured losses from the attack, we spoke with Samit Shah, BitSight‘s director of insurance programs and partnerships.

Channel Futures: Could the insured losses from the SolarWinds hack been higher? Why are we not likely to see that $90 million figure increase much?

BitSight’s Samit Shah

Samit Shah: The $90 million figure could have been higher. However, some of the mitigating factors keeping it [from being] catastrophic were who it mainly affected and the impact/damage. While thousands of companies used the software across a wide variety of industries and geographies, it seemed, based on analysis on who was affected, that the focus was mainly federal government and several larger companies. The damage seemed to be more around espionage, and less around exposing personal records or causing business interruption. In the case of federal governments, they buy little to no coverage. And for larger organizations, while they [often] buy cyber insurance coverage, they tend to have high retention/deductibles.

The patch to the vulnerability was released quite quickly and publicly such that all affected organizations had a chance to quickly respond and limit the damage. [Hackers may] have laid other traps to gain access in the future. But the increased vigilance decreases the virality of the issue.

CF: What have we learned from the SolarWinds hack in terms of its impact on organizations and insured losses?

SS: The SolarWinds incident highlights the basic problem that organizations including federal entities such as the U.S. government face — reliance on a vast third-party supply chain, with limited visibility into the security posture of critical providers. Like many industries, a cyber hack has detrimental consequences. For the government, it’s not necessarily cyber insurance cost; instead, it’s the potential loss of intelligence and new costs with firewalling current networks, or, as some have suggested, rebuilding from square one.

CF: How could this hack have been much worse for the insurance market?

SS: [If the] threat actors were focused on exfiltrating data for the purposes of selling them or causing business interruption, then the situation could have been worse. They went in, found what they needed, took it, and went out trying to escape unnoticed so they could re-enter again in the future. Drawing attention doesn’t seem to have been their [modus operandi].

CF: Is the ongoing threat landscape worrisome for the cyber insurance market? If so, how?

SS: Insurers will likely be concerned that future supply chain incidents resembling SolarWinds may have widespread impact on their insured base.

CF: Is the SolarWinds hack likely prompting more organizations to obtain cyber insurance?

SS: This event, like all preceding well-known cyber events, should motivate organizations to take a harder look at their enterprise cybersecurity posture holistically, including vendor-driven exposure. Whether it is the board, senior management or the security team, cyber risk is very much an enterprise risk that needs to be managed through …