In March 2021, Microsoft announced that four previously unknown or ‘zero-day’ vulnerabilities in its Exchange Server software were being exploited by highly skilled and sophisticated hacking groups. Widespread exploitation of critical flaws in Exchange Server 2013, 2016, 2019, and possibly 2010 began at the end of February, forcing the technology behemoth to release critical software patches in early March. Over the past few months, the exploitation seen has ranged from email account compromises to domain controller compromises, data exfiltration, and the deployment of Black Kingdom ransomware.
The Microsoft zero-day vulnerability attacks are significant because of the ubiquitous nature of the risk and the enormous number of companies that use Exchange Servers for day-to-day business operations. Furthermore, a systemic cyber event of this nature would usually be considered a rarity, but much to the concern of cyber insurers, the Exchange Server zero-day attacks followed shortly after another catastrophic cyber incident – the SolarWinds attack.
In December 2020, it was revealed that tech giant SolarWinds, which serves around 300,000 customers worldwide, was breached by state-sponsored hackers who abused a vulnerability in an update for its popular IT management software. SolarWinds revealed that as many as 18,000 of its customers downloaded the compromised software update, which allowed the bad actors to spy on businesses and agencies for nearly nine months.
The potential for more systemic cyberattacks of this nature - or even the possibility that huge events like SolarWinds and the Microsoft zero-day attacks will become cyber’s “new normal” - is a “very frightening prospect,” according to Katharine Hall, Aon’s cyber solutions leader in Canada. As a result, cyber insurers have reacted quickly to these events by tightening up their underwriting guidelines, reducing capacity, increasing retentions, and even introducing things like coinsurance and sublimits for ransomware.
“While we won’t get a sense of the total loss from these events for a while yet, I can pinpoint specific dates when our larger insurers called us to say: ‘We’ve looked at [these events] and we don’t think we’ve adequately represented the risk in our books, so we’re going to make these significant changes.’ Events like SolarWinds and the Microsoft zero-day vulnerability attacks made the insurance industry really analyze their books to determine whether they were collecting enough technical information to truly understand their exposure. I think a lot of insurers felt that they weren’t,” said Hall.
These huge cyber events have also added urgency to the industry’s efforts to tackle the issue of “silent” non-affirmative cyber coverage, which refers to potential cyber-related losses stemming from traditional property and liability policies that were not specifically designed to cover cyber risk. Underwriters are taking hard internal looks at their books to ensure that they’re underwriting risks that they understand and that their policies were priced for.
“What we’ve found is that coverage is being stripped off all those other policies [crime, property, boiler and machinery policies] and focused on the cyber policy, and companies need to be able to articulate [the technical information] that insurers need in order to be comfortable writing the risk,” Hall told Insurance Business. “Events like SolarWinds have triggered responses from the insurance companies, and we won’t go back to how it was before. You used to be able to get a cyber insurance policy, and not have to answer one technical question. Not one! I think these events have woken the industry up to the level of detail and the level of diligence needed in order to properly understand and manage the risk.”