Specialty Podcast: Key Takeaways and Actions to Take Now Following the Recent MoveIt Vulnerability

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

David Finz (00:09):
Well, hello everyone and welcome to another edition of the Alliant Specialty Podcast. I'm David Finz, and with me today in this studio is CJ Dietzman, a senior vice president in our newly formed Alliant Cyber vertical. And we're here to talk about not just what we are seeing with respect to the MOVEit file transfer vulnerability, but more broadly what this means for managing cyber risk around software. CJ, with that, why don't you tell folks what's going on and what we're learning from this whole experience?

CJ Dietzman (00:42):
Sure thing. Thank you so much, David. And what an important topic with some key lessons, perspectives and some potential action items that we're strongly advising our clients to take right now. So, thrilled to be having this discussion. A couple of things, Progress MOVEit Software did indeed have a zero-day vulnerability identified wherein malicious actors were able to obtain unauthorized access potentially to data and to execute SQL statements and some other methods and techniques to potentially alter, delete or exfiltrate data from target organizations. So pretty bad. Now having said that, after identification there was a patch released, there were some hardening methods identified to Progress Software's credit, in my observation, once identified they took some prudent actions and got the message out there on how to remediate the vulnerability, how to mitigate it, and then some suggested actions for organizations to take who think they might have been subject to potential attacks.

So, in summary, I guess what I would say is organizations were either subject to this particular vulnerability or they weren't, either through third party or through fourth party were leveraging the MOVEit Transfer software. But there's actually a more important message out there, David, our clients should consider from a cybersecurity standpoint and a broader cyber risk standpoint. No doubt this was a critical vulnerability. It was a zero-day. If you watch the news wires, we can see this continues to unfold. There were some organizations that were compromised and some exposures, more will be revealed there. I think now is actually an opportune time for organizations to take a fresh look right now at all of their software IT tools and utilities that are available across their operating environment to do file and data transfers. Not only that, those software and tools, David, that the organization has deployed and is using itself.

But what about those tools and utilities and third parties that certain business partners and solution providers of our clients, what are they using that maybe the client currently has no visibility to? Our client organizations need to take this opportunity to ring fences around this potential exposure, to identify the tools, the software, the utilities, the communication mechanisms. In the era of the cloud, big data analytics, there's a lot for any organization or enterprise that's leveraging these tools and technologies; there are going to be utilities, interfaces, data transfers, connectivity. We need to make sure A, that we inventory that; B, that we assess it; C, that we mitigate any critical vulnerabilities, potential threats; D, that we have a governance process around it because I promise you this is not unfortunately going to be the last zero-day in file transfer software utilities like this.

And we can't just rely on third-party confidentiality agreements and NDAs and say, listen, we've got agreements in place with these vendors, they've got our best interest at heart. Well, they may. But we need to trust but verify. We need to apply good cybersecurity control and governance across our environment, including these file transfer utilities. Also, we have to consider what fourth parties might be doing. And in a nutshell, if an organization is leveraging an outsourced service provider for something like payroll, we may think of that particular third-party service provider in the context of the payroll business process. But if you think about for example, what apparently happened in some of these MOVEit compromises, if that payroll provider was also using a file transfer utility potential fourth party to our client, that utility and service, if it becomes compromised, could impact that third-party payroll provider, which ultimately could impact our client organization, could impact the enterprise.

It's early days, but that's what we've seen transpire with this MOVEit vulnerability and that's where some organizations unfortunately looks like they got compromised. So now is the time for organizations to inject their governance programs, their assessment and analysis programs to identify, assess, analyze and remediate these types of vulnerabilities; put some proactive measures in place to mitigate this type of issue. David, that's a bit on the security front, dare I say the technical front in consideration of these types of vulnerabilities with file transfer utilities and software. I really want to hear from you in terms of the cyber coverage, the cyber insurability, the claims aspect with something like this, what do you think?

David Finz (05:23):
CJ, that point you just made is spot on. As of today, the date of this recording, we are now beginning to see claims arise where it's not our client that was using this particular file transfer software, but rather one of their suppliers, one of their vendors. And as a result of that personal information of our clients' customers that was entrusted to this vendor has now been compromised. So, we're seeing exactly the scenario that you are describing here play out. I think that this is part of a broader picture that companies need to be looking at, how they manage both their internal usage of software, but also that of the vendors, the suppliers that they rely upon to do business. So, we can expect that underwriters are going to be asking questions much like they did with Log4j about a year and a half ago, right?

Do you use this tool? If so, have you patched? Oh, you don't use this tool. Okay, well what about your key vendors and suppliers? Now you may not have line of sight into that information to be able to answer it for all of the third parties that you conduct business with, right? But they're going to want to know what process that you have in place with these other entities. How do you share information? What is your due diligence around making sure that they're keeping your customer's data secure and what recourse do you have towards them? If there is an incident, because very often these service agreements have limitations of liability, or they prevent the insurer from subrogating against them. So, these are things that the underwriters are going to want to know about. From a policy wording standpoint, even prior to this incident, we had begun to see several insurers place limitations on coverage for neglected software or unpatched vulnerabilities.

It could take the form of a sub-limit or co-insurance and the effect of that could progressively increase as time goes on. So, it might be a situation where if there is a known exploit and you have not remediated within the first 30 days, there's a 0% co-insurance supplied, but if it's 31 to 60 days and you have an incident during that period, it might be 5% or 10% and so on. And it could increase to the point that it could really pose an impediment to a full recovery under the policy. So, the underwriters are going to be looking for insureds to be proactive about managing these things. They're going to ask about what steps you have in place to remediate, how do you keep track of critical vulnerabilities? How quickly do you apply patches when there is a vulnerability that might apply to one of your vendors, do you reach out and contact them?

Again, what recourse do you have? This really goes back to why our cyber vertical was formed and the importance of taking a holistic approach to this area of risk. Gone are the days of a simple two-page application. I think it's important for people to realize now that the underwriters have gotten a lot more savvy about assessing this exposure and they're going to want to see that our clients are being proactive and staying on top of these vulnerabilities, that they have good third-party vendor management in place and that they're able to get out in front of incidents like this. Unfortunately, as we've seen, even though this is a finite number of businesses that use this software tool, there have been some very big names impacted by it. Two national airlines, a provincial government in Canada, even the BBC. So, no organization is immune, however large or small. And I think it's just important for businesses to realize that this is an evolving threat, and they need to stay on top of it.

CJ Dietzman (09:12):
Well said David and listening to you speak there about the cyber insurance implications, how this has played out and is playing out the identification of this day zero vulnerability with MOVEit, the exploit, the attacks, the compromises, ultimately the breaches or the extortion matters that have arisen. The last thing to happen was actually the zero-day exploit to be identified. There were much earlier, dare I say, upstream breakdowns, whether it's a breakdown in vulnerability management, asset inventory, vendor governance, mitigating controls, configuration enhancement, controls that compensate for soft spots or weak spots, potential vulnerabilities and vendor software. I guess my point being, the last thing to happen is the compromise, but if we go upstream, there are probably three or four safety nets that organizationally, and nobody's perfect, but organizationally we should consider and we should put in place to at a minimum reduce the probability, magnitude and net exposure for something like MOVEit.

We can't eliminate it, but we can potentially reduce it. We can ring fences around it faster and hopefully have less pain, agony and suffering later up to and including all of the considerations that you mentioned. And I think you hit the nail on the head, David. This is why we formed the broader Alliant Cyber vertical because you and I partner together to serve clients, give them the best of the cyber insurance market and perspective, the best of cyber risk management practices, as well as the best of cybersecurity advice, recommendations and guidance. So exciting and important times.

David Finz (10:49):
The claims advocate pulls people out of the river, the risk consultant tries to figure out why they're falling in. So, we've got both ends covered, as you said, going upstream to try to get to these vulnerabilities and deal with them before they're exploited. So, with that, I think that about wraps it up for this episode. We want to thank everyone for joining us. Here at Alliant, we are all about helping our clients find the more rewarding way to manage risk. And if you'd like to learn more about our capabilities in this area, you can visit our website at www.alliant.com/cyber.