Monitoring your systems and addressing vulnerabilities may be essential to preserving insurance coverage
Insurers heavily scrutinise organisations' ability to prevent, anticipate and withstand cyber-attacks when deciding whether or not to offer cyber insurance. In line with this trend, insurers increasingly refuse or limit cover for incidents where known vulnerabilities in organisations' systems are exploited.
'Known-vulnerability clauses' in cyber insurance policies require vigilance in maintaining appropriate security arrangements and in closing areas of weakness to preserve insurance cover.
This Insight explains:
- what known vulnerabilities are;
- the approach commonly adopted by insurers in relation to known vulnerabilities; and
- what you can do to mitigate the risk of triggering these conditions in your cyber policy wording.
In general terms, a vulnerability is a flaw or weakness in a piece of software or hardware infrastructure that can be exploited to undermine the confidentiality, integrity or availability of affected components. If we break this down further:
- a zero-day vulnerability is a flaw or weakness in software or hardware that is not yet known to the vendor (or has not been made public) and for which no patch exists. The name reflects the fact that the vendor has had 'zero days' to respond and push out a fix to protect users; and
- a known vulnerability is a vulnerability that has been publicly reported, typically by being assigned a CVE identifier and, in many cases, accompanied by a vendor patch or fix.
Organisations should be alert to known vulnerabilities, particularly when using:
- open source software – code that is publicly accessible for anyone to see, modify and distribute, and which is frequently embedded in an organisation's own applications as a dependency;
- end-of-life/end-of-support software or hardware – products no longer supported by the vendor and no longer receiving security updates; or
- internet-facing software – systems exposed directly to the internet rather than reachable only from inside a secured corporate network.
When vulnerabilities are discovered, the software or hardware vendor will typically develop and release a 'patch' or firmware update to fix or help mitigate the issue. Before this occurs, threat actors can seek to exploit the vulnerability to obtain unauthorised access to systems. Exposure does not end when the patch ships: unpatched systems remain vulnerable, and the public release of a fix often signals to attackers exactly where the flaw lies.
The Common Vulnerabilities and Exposures (CVE) List is the market-leading register of known vulnerabilities. It is maintained by the MITRE Corporation, which operates the US National Cybersecurity Federally Funded Research and Development Centre, and each entry carries an identifier of the form CVE-YYYY-NNNN.1 The CVE List is often referenced within the cybersecurity community, and referred to in cyber insurance policy wordings.
The risks of failing to patch software or continuing to use end-of-life software or hardware are well known. They were flagged by the Five Eyes in their 2021 Joint Cyber Advisory Report,2 and more recently by the European Union.3 Notwithstanding this publicity, the dangers of known vulnerabilities continue to evolve. This includes threat actors seeking to leverage third-party vendors and technology to penetrate their ultimate target, leading to a surge in software supply chain attacks and the compromise of open source libraries and tools. For example:
On 30 January 2023, Fortra became aware of a vulnerability (CVE-2023-0669) affecting its managed file transfer software GoAnywhere MFT. A patch was made available by 7 February 2023.4 However, several companies have since disclosed that they experienced data breaches because the vulnerability was exploited before they applied the fix. The Clop ransomware group has claimed to have used the vulnerability to steal data from over 100 organisations that rely on the GoAnywhere tool.5
Exploitation of a vulnerability (CVE-2021-44228, commonly called Log4Shell) in the widely used Java-based open-source logging library Log4j led to 'more than 100 hacking attempts per minute',6 with the US Federal Trade Commission urging organisations to patch the vulnerability immediately or otherwise face legal action.7 Reportedly, some IT departments had still not patched their systems over a year later.8
Insurers have heightened their risk management expectations
As a precondition to writing or renewing cover or as a determinant in setting premiums, insurers increasingly require evidence of cyber hygiene and risk management. This includes a detailed examination of:
- organisations' cyber strategy, governance arrangements, IT security spend, the volume and type of data held, the security controls applied to protect information assets and reliance on shadow IT;
- third-party arrangements, cyber-awareness culture, testing regimes and details of any prior data breaches;
- the level of executive sponsorship of cyber security and resilience issues; and
- the extent of senior management's preparedness for a cyber-attack, including through real-time inspections of board-level tabletop scenarios.
Without this, some businesses will not be considered for cover.
Insurers are increasingly limiting or excluding certain losses from cover
Many market-standard cyber insurance wordings now limit the cover available for known vulnerabilities. These limitations generally apply where both of the following hold:
- before the first-known date of exploitation by a threat actor, either (a) the relevant software or hardware had been withdrawn, was no longer available, or had reached end-of-life or end-of-support status with the vendor, or (b) the vulnerability had been listed as a CVE and a patch or fix was available; and
- the policyholder took no remedial action for a specified period after that point (commonly 30 days).
Restrictions on cover can take a number of forms, including total exclusions or sub-limits of liability. Some policies take a more nuanced approach, with a sliding scale of tightening sub-limits and increasing co-insurance payments based on the number of days it took for the insured to address the relevant vulnerability (down to as little as 5–10% of the maximum available cover for extended delays).
Importantly, these conditions are not tied to the organisation having actual knowledge of the issue
Known-vulnerability restrictions will apply if the software or hardware was no longer supported, or the vulnerability could be patched, whether or not you were aware of those developments – placing responsibility firmly on the insured.
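The two limbs of the clause described above, the grace period and the sliding sub-limit scale can be written down as a check that runs over an asset inventory. The following is an added worked example written for this Insight; it is not an insurer's wording and not code from the original article. The sliding scale (full cover within 30 days, then 50%, 25% and 10%) and the asset records are constructed for illustration. The one real identifier is CVE-2023-0669, the GoAnywhere MFT vulnerability discussed earlier, with its 7 February 2023 patch date taken from the text above; the exploitation date of 20 March 2023 is assumed. Note what the check deliberately does not take as an input: whether anyone in the organisation knew about the CVE or the end-of-life date.

```python
"""Flag assets that would fall inside a 'known-vulnerability' clause.

Added worked example; not taken from the Insight or from any insurer's wording.
Clause logic as modelled here: cover is restricted when, before the first known
exploitation, (a) the product was end-of-life/end-of-support, or (b) a CVE with a
fix was published, and in either case the insured left it unaddressed beyond a
grace period.  SLIDING_SCALE and the sample estate are constructed illustrations.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sliding scale: (delay ceiling in days, fraction of limit retained).
# The first rung is the grace period; None means "any longer delay".
SLIDING_SCALE = [(30, 1.0), (60, 0.5), (90, 0.25), (None, 0.10)]
GRACE_DAYS = SLIDING_SCALE[0][0]


@dataclass
class Asset:
    name: str
    cve: Optional[str] = None             # CVE ID of a published vulnerability, if any
    patch_available: Optional[date] = None  # date the vendor fix became available
    patched_on: Optional[date] = None     # None means still unpatched
    end_of_life: Optional[date] = None    # vendor end-of-life/end-of-support date


@dataclass
class Finding:
    asset: str
    reason: str
    days_unaddressed: int
    cover_fraction: float


def cover_fraction(days_unaddressed: int) -> float:
    """Map days of inaction to the fraction of the policy limit still available."""
    for ceiling, fraction in SLIDING_SCALE:
        if ceiling is None or days_unaddressed <= ceiling:
            return fraction
    return SLIDING_SCALE[-1][1]


def evaluate(asset: Asset, exploited_on: date) -> Optional[Finding]:
    """Return a Finding if the clause bites for this asset, else None.

    Knowledge of the vulnerability inside the organisation is intentionally not
    an input: the clause turns on public facts (CVE listing, fix date, EOL date).
    """
    # Limb (a): end-of-life/end-of-support before the first known exploitation.
    if asset.end_of_life is not None and asset.end_of_life < exploited_on:
        days = (exploited_on - asset.end_of_life).days
        if days > GRACE_DAYS:
            return Finding(asset.name, f"end-of-life since {asset.end_of_life}",
                           days, cover_fraction(days))
    # Limb (b): listed CVE with a fix available that was not applied in time.
    if (asset.cve and asset.patch_available is not None
            and asset.patch_available < exploited_on):
        patched_before_attack = (asset.patched_on is not None
                                 and asset.patched_on <= exploited_on)
        if not patched_before_attack:
            days = (exploited_on - asset.patch_available).days
            if days > GRACE_DAYS:
                return Finding(asset.name,
                               f"{asset.cve} fix available since {asset.patch_available}",
                               days, cover_fraction(days))
    return None


def review_estate(assets: List[Asset], exploited_on: date) -> List[Finding]:
    """Run the clause check across an inventory, returning only the assets caught."""
    return [f for a in assets if (f := evaluate(a, exploited_on)) is not None]


# Constructed sample inventory.  Only the CVE ID and patch date of the first
# asset are real (GoAnywhere MFT, patch available 7 February 2023).
SAMPLE_ESTATE = [
    Asset("mft-gateway", cve="CVE-2023-0669", patch_available=date(2023, 2, 7)),
    Asset("hr-portal", cve="CVE-2023-0000", patch_available=date(2023, 3, 1),
          patched_on=date(2023, 3, 15)),                       # fixed before attack
    Asset("legacy-fileserver", end_of_life=date(2020, 1, 14)),  # unsupported OS
    Asset("edge-router", cve="CVE-2023-0001", patch_available=date(2023, 3, 10)),
]
ATTACK_DATE = date(2023, 3, 20)  # assumed first-known exploitation date


def demo() -> List[Finding]:
    return review_estate(SAMPLE_ESTATE, ATTACK_DATE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.asset}: {f.reason}; {f.days_unaddressed} days unaddressed; "
              f"{f.cover_fraction:.0%} of limit retained")
```

Against the constructed estate, `mft-gateway` is caught under limb (b) at 41 days (50% of limit retained) and `legacy-fileserver` under limb (a) at 10%, while `hr-portal` (patched before the attack) and `edge-router` (fix only 10 days old, inside the grace period) are not caught. Running the same check on the actual inventory each time a CVE is published, with the real clause's figures substituted for the constructed scale, gives a running view of where cover is eroding before any incident occurs.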
Conversely, even in policies without a known-vulnerabilities exclusion, cover could be at risk for matters known but not disclosed before renewal. This could occur where a known vulnerability exists in an insured's software or hardware, the insured is aware of it, and that fact is not disclosed to the insurer before the policy is entered into.
When dealing with known-vulnerability exclusions in your cyber insurance wording, your business could be caught out in two ways:
- before the vulnerability is exploited by a threat actor; or
- in many unfortunate cases – afterwards.
'The race against the clock': you discover, or are notified of, a vulnerability in your systems
The moment a vulnerability is discovered, businesses are open to attack. Fortunately, cyber wordings with known-vulnerabilities conditions generally allow a certain number of days from when a patch or fix becomes available before excluding or limiting cover. A key priority for policyholders is therefore implementing software and firmware updates quickly, and recording when the fix became available and when it was applied, since that timeline is what the clause turns on.
While it can be hard to prioritise insurance issues in times of crisis, policyholders should also consider their notification and disclosure requirements, even in the absence of a cyber-attack. This is especially the case in the lead up to policy renewal. Policyholders should consider whether they are required to disclose any actual or suspected failures in their security systems, or otherwise, whether to notify proactively – even in the absence of the vulnerability being exploited. This scenario raises complex strategic questions, best addressed on a case-by-case basis.
'Too late': you suffer a data breach exploiting a known vulnerability or end-of-life hardware
If you think a known vulnerability has been exploited, not all may be lost. Not all cyber insurance policies contain known-vulnerability conditions, and complex causation issues can arise as to whether a known vulnerability is what caused the loss.
Further, patching or improving your systems may also be crucial to prevent subsequent attacks exploiting the same vulnerability, for which cover may still be available if you act quickly.
Maintaining a clear view of the software and hardware your organisation relies on is not easy: the average software project has 203 dependencies and 'involves multiple off-the-shelf components, including third-party APIs, open source code and proprietary code'.9 Organisations also rely on a combination of direct and sub-licensing arrangements to procure their software and hardware.
It remains crucial to consider what organisational data each piece of software, hardware and interface can access. At a minimum, you should understand where the key risk areas are (including, for example, critical IT and OT, CRM or HR systems, and internal functions such as wage payment).
Don't assume that your cyber policy will cover the significant costs and liabilities that can arise from cyber incidents where your business has not adequately managed risks (including software or hardware vulnerabilities). Check the known vulnerability policy wording in your terms and consider what it will mean for your coverage position if you become aware of a vulnerability.
The reality of patch management is that, even when adopting best practice (including automated patch management tools), your business may still find itself scrambling to protect against a known vulnerability. One need only consider the long list of eminent organisations that raced to patch the Log4j vulnerability (including the likes of Apple, Amazon, Twitter, Tesla, Google, IBM and Cisco) to realise that anyone can find themselves in a zero-day scenario. This highlights the need for organisations to have usable cyber incident response, business continuity and disaster recovery plans. They should also regularly test their ability to respond to cyber incidents and other major disruptions through tabletop exercises conducted at all levels of the business.