
Microsoft Exchange Hack Highlights Broader Concerns

Practice Management

On March 2, 2021, Microsoft reported that it had observed targeted attacks exploiting four zero-day vulnerabilities in Microsoft Exchange Server to gain full access to all email on the victim's system. What should you be doing?

A recent Alert from Lockton's Global Cyber & Technology Practice notes that, in addition to reviewing and applying the Microsoft security updates, this kind of cyber attack may trigger coverage under any cyber insurance an organization has in place. Specifically, the alert notes that the costs to respond to the attack and to comply with any notification or other legal obligations flowing from the event should be covered.

Cyber policies typically give insureds the option to notify the insurer of circumstances that may lead to a loss covered by the policy. While it may be tempting for organizations running affected Exchange Server products to notify their cyber insurers right away, Lockton recommends doing so only if the organization discovers that the exploited vulnerabilities are present (that is, unpatched) on its systems. If the organization discovers that an attack is underway, it should report it to its cyber insurer immediately.

A good policy should also cover any cost incurred to restore or recreate any data that is damaged and any loss resulting from any interruption in the organization’s business caused by the attack. A cyber policy should also cover any legal liability the organization has to regulators and/or individuals whose private information may have been compromised.

Looking ahead, Lockton expects cyber insurance underwriters to begin asking questions about the existence of the vulnerabilities that made the Hafnium attacks possible (Hafnium being the threat actor Microsoft attributed the activity to), and considers it likely that insurers will decline to insure organizations that have not remediated those vulnerabilities.

Indeed, the Department of Labor is reportedly including questions about employers' written cybersecurity policies and procedures, and asking about cybersecurity attacks and the response(s) to them, as part of plan audits. Earlier this month the Government Accountability Office (GAO) called on the Department of Labor to set minimum standards for mitigating cybersecurity risks and to formally state whether it is a fiduciary's responsibility to mitigate those risks in defined contribution plans.