SolarWinds trojan hack could cost cyber insurers £66 million

A recent worldwide hacking incident – one that even managed to compromise government systems – will likely cost cyber insurers US$90 million (around £66 million) for incident response and forensic services, experts project.

Russian state-sponsored hackers are believed to be behind the cyberattack that exploited a vulnerability on the latest update of SolarWinds’ IT management software. As many as 18,000 SolarWinds customers – which include several US-based Fortune 500 companies and some agencies of the US and British governments – downloaded trojan malware hiding within the software update.

Experts say that the attack, while a national security nightmare, was fortunately not as disruptive to insurers.

“Although the SolarWinds attack is a cyber catastrophe from a national security perspective, insurers may have narrowly avoided a catastrophic financial incident to their businesses,” BitSight director of insurance programs and partnerships Samit Shah explained in a blog post.

A joint analysis by cyber risk vendor BitSight and cyber risk modeler Kovrr found that the hackers appear to have avoided large scale exploitation of victims. Instead, the perpetrators opted to maintain access to the compromised systems and collect sensitive data, the analysis found. Both cybersecurity vendors concluded that had the attackers focused on interrupting business and destroying networks, the incident would have been classified as a cyber catastrophe – an incident BitSight defines as a cyber event that results in economic losses greater than US$200 million.

Shah also noted that many of the organisations affected by the hack are US government departments, which typically do not purchase insurance for most risks, such as cyber. Both BitSight and Kovrr also do not expect the direct insured costs to change, even if the number of victims of the cyberattack increase in the coming months.

“While the SolarWinds breach is proving to be a devastating cyberattack from a national security perspective, the attack did not evolve into a cyber catastrophe for the insurance market,” said Shah.

Other key findings of the report include:

• While 18,000 companies were affected by the backdoor exploit, only about 40 of those companies were actually targeted by the cyber attackers.
• 80% of the identified victims are located in the US, and the remaining 20% are from seven other countries including Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the UAE.
• 44% of the initial list of organisations affected by the ongoing espionage campaign were from the information technology industry, and 18% were government agencies.