Rachlin: I am the EVP, Global Insurance Industry Leader at Capgemini, with a career-long focus on understanding and addressing the connections between risk and technology. I am teaching a course on this topic at the University of Chicago this spring.
Security: What does the SolarWinds attack mean for all organizations impacted?
Rachlin: The implications are both obvious and subtle. At the level of the obvious is the fact that organizations large and small are vulnerable to cyberattacks that they may only discover many months after they occur. This means that it is a virtual certainty that many organizations are suffering active and ongoing breaches of which they are completely unaware. More subtle, though, is the attack’s highlighting of the vulnerability of the technology supply chain – a vulnerability where even the most sophisticated organizations are almost defenseless. The attack will direct attention to this highly impactful attack vector and cause organizations to reconsider both the size and the structure of their technology ecosystem.
Security: In your opinion, is this hack potentially insurable? Why or why not?
Rachlin: The answer is very much yes and no. On its face, losses emerging from the attack would be covered under most cyber insurance policies. But there are some important caveats. First, most organizations have yet to assess and discover actual losses as a result of the attack. Without deeper understanding of what the hackers did and potentially stole, claims are likely to be few. You can, after all, only recover for losses you are aware of. Second is the issue of attribution. It appears that the attack was the act of a state-based actor. As such, the attack could – depending on subjective interpretation – trigger an “act of war” exclusion, which is part of many cyber insurance policies. To date, insurance companies – with a few exceptions related to broader property policies triggered by the NotPetya attack – have been reluctant to deny claims on this basis for fear that such denials would crush the market for cyber insurance. To the extent that attacks like SolarWinds become the norm, the insurance industry will be challenged to continue to provide coverage along the terms currently in force today.
Security: How can the industry handle cyberattacks such as the SolarWinds hack?
Rachlin: The SolarWinds attack teaches us, not for the first time, that there is a certain inevitability to being the victim of a cyberattack regardless of how well protected an organization might be. Increased investment and focus on cyber resilience – the ability to recover from an attack and to mitigate its impact – will be critical for industry going forward.
Security: What are some best practices when considering cyber insurance, especially to prepare for a massive breach?
Rachlin: Buyers should select an insurance company that can be an active partner in cyber resilience. More and more insurers are recognizing that their expertise in risk engineering and loss control is highly leverageable in the cyber arena. Also, policy language and coverage terms are more important than ever. Cyber insurance buyers should seek the broadest possible coverage, which includes strong protections in the event of intellectual property theft, business interruption, and in particular contingent business interruption, that is, losses resulting from the disruption of a key supplier or distributor whether or not the hack directly hit the insurance buyer. Given the widespread nature of breaches like SolarWinds, this form of coverage – which effectively spreads coverage across the entire supply chain – will be critical going forward.