The MOVEit Breach Underscores the Risk of Systemic Cyber Events


In late May, the developers of a widely used file sharing solution disclosed a critical security vulnerability. Cyber insurers would be wise to use this breach as a reason to revisit the issue of systemic cyber risk.

MOVEit Transfer allows organizations to store and share files internally, with partners, or broadly within groups. On May 31, 2023, MOVEit’s developer disclosed that a cyber threat actor had exploited a zero-day SQL injection vulnerability in MOVEit’s web application. After gaining access, the threat actor installed a webshell, which allowed privileges to be escalated, granted broad access to the victim’s system, and ultimately enabled the theft of significant data. The Russian ransomware group Cl0p has claimed responsibility. The attacks prompted the US Cybersecurity and Infrastructure Security Agency to designate the exploit as a critical vulnerability, tracked as CVE-2023-34362, and to advise organizations to shut down any MOVEit file transfers until a patch was installed.

How far the campaign reached has yet to be determined. While only a handful of victims have been identified so far, the number continues to grow. MOVEit advertises that its customer base spans "thousands of enterprises, including 1,700 software companies and 3.5 million developers." Some researchers estimate that the campaign began months ago, and the cybersecurity firm Kroll concluded that Cl0p likely tested the exploit as far back as 2021. One indication of the potential severity of the attack is Cl0p’s decision to diverge from the usual extortion practice of leaving a ransom demand note behind for each victim. Instead, Cl0p posted a notice on its leak site advising victims to contact the group. Cl0p may have taken this approach to lessen its own administrative burden because the volume of stolen data and the number of victims were enormous.

While it is still early days for understanding the reach of the MOVEit breach, valuable lessons already exist for the cyber insurance industry. For insurers, MOVEit represents another event in a continuum of attacks targeting the cyber supply chain. Insurers should recognize that combining the complexity of securing the supply chain with the unpredictability of zero-day exploits can quickly lead to systemic events and widespread losses. Ultimately, cyber risk is a product of 3 factors: threats, vulnerabilities, and impact. Mitigating cyber risk depends on the capacity to control one or more of these factors.

Threats are ongoing and persistent. Scores of groups like Cl0p sit nested in jurisdictions that shield them from law enforcement. While the Cl0p group did not deploy ransomware, and only demanded payment in exchange for not publishing stolen data, other groups could raise the stakes by encrypting data. Groups perpetrating cyber vandalism rather than seeking financial gain might simply wipe the data to bring about more destructive attacks. Incidents against the cyber supply chain, like MOVEit or the Kaseya campaign 2 years earlier, have the potential to cause widespread impact without meeting the criteria that trigger an exclusion.

Furthermore, as MOVEit demonstrated, vulnerabilities remain abundant throughout the cyber supply chain. In its remediation, MOVEit’s developers disclosed not only the zero-day developed by the Cl0p group, but also other zero-day vulnerabilities found during the investigation. Nothing guarantees that threat actors had not already found those weaknesses, or others yet to be discovered. At the same time, organizations are exposed not only through their own controls, but also broadly through the supply chain. Underwriting the cyber supply chain will remain a challenge because it requires not only knowing which controls are implemented, but also understanding the process used to confirm that controls are applied consistently throughout the layers of the organization.

With vulnerabilities and threats remaining high, forecasting impact will be crucial for cyber insurers. To date, the cyber insurance industry has demonstrated resilience to losses and should not be viewed as brittle. As detailed in a recent Guy Carpenter report, Through the Looking Glass, cyber insurance now collects more than USD 14 billion in global premium. That figure represents a near doubling of the US market in 3 years and even greater growth in many non-US markets. In a very brief period, the insurance industry adeptly appreciated and mitigated risk. Past performance should encourage fresh capital and innovation into this growing space.

Understanding the mechanics of widespread events will be key to growth. Continued data aggregation and refinement of loss models have already yielded scenarios that could serve as proxies for estimating the impact of events like MOVEit, albeit with varied circumstances and outcomes. For example, Guy Carpenter’s proprietary cyber realistic disaster scenario (RDS) model, GC CyberExplorer℠, includes a Kaseya What-If systemic ransomware scenario that reflects follow-on attacks made possible by backdoor access established during the initial vulnerability exploit. In addition, commercially available models also provide analysis of a mass-scale ransomware attack on an aggregation point in the digital supply chain.

Recognizing that not every cyber supply chain event should disrupt the market, events like MOVEit serve as teaching moments for the cyber insurance industry. By examining the tactics of cyber threat actors, markets can better forecast worst-case scenarios and inform their review of terms, pricing, and risk mitigation strategies. In tandem, the continued improvement of data quality and the evolution of cyber risk modeling will serve to drive market growth.