The rise of cyber risk accumulation events has highlighted the need for cyber insurers and reinsurers to understand single points of failure (SPoFs) within their customers’ digital supply chains, according to a new report published by the International Underwriting Association (IUA).

While companies are increasingly reliant on digital third-party support, supply chain perils have not received as much attention as other major cyber threats like war risks, said the white paper, which was jointly researched by the IUA and cyber risk analytics firm CyberCube.

“It is important for a company to have a thorough understanding of its external relationships so that it can factor them into a comprehensive risk management plan,” the report said.

In any digital supply chain, there are entities that provide specialty niche services, which could become an SPoF and disrupt large swaths of companies if they are hit with an outage, the report said.

“Most organizations rely on a complex array of external vendors, technologies and suppliers to achieve their business goals. But these relationships come with inherent risks,” commented Thomas Clayton, chair of the IUA’s Cyber Underwriting Group and head of Cyber at Zurich Insurance, in a statement accompanying the report.

“For insurers, there is an urgent need to pay close attention to single points of failure within digital supply chains. Often, theoretically independent supply chains of unrelated businesses can rely on a handful of leading specialist providers. An outage at one of these providers could disrupt large swaths of industry,” Clayton added.

SolarWinds Cyber Attack

The report said advanced and persistent threat actors will go to extreme lengths to achieve their objectives by exploiting weaknesses in software supply chains. The report cited several example of cyber attacks involving SPoF, including SolarWinds — a targeted software supply chain attack, revealed in December 2020, which had a worldwide impact. The hackers used compromised software updates to install backdoor access. One of the lessons learned from this hack is that supply chain attacks can have a large footprint, even with a small number of targeted victims, the report said.

When hackers target an SPoF, or use an SPoF to reach more victims, “the expected ‘footprint’ of the attack will also increase,” the report noted. “This increases the exposure to re/insurers, in a similar way to how the U.S. population moving to the coasts has increased exposure to hurricanes and earthquakes.”

“While SPoFs cannot be eliminated from re/insurers’ portfolios, understanding their concentration is critical to managing risk accumulations and minimizing cyber catastrophe losses across all coverage types. Reinsurers can also distinguish which cedents are better at managing cyber risk concentration,” the report continued.

The report went on to list the four categories of SPoF that carry the greatest potential for systemic losses for the cyber insurance industry “due to their ubiquity and the heavy reliance that businesses have on such technologies”:

Digital service providers (which include cloud infrastructure, cloud software and network services). The SPoF in this category is a provider of technology as a service, where companies outsource some or all of their security responsibility to the SPoF. These scenarios can commonly result in contingent business interruption (CBI) losses. If the SPoF is compromised, the SPoF will bear most of the costs of recovery.

Onsite software (which include operating systems and programming languages as well as operational technology). This broad category for SPoFs consists of applications and code that sit on-premises at a company. The company bears the primary responsibility for maintaining these systems and remediating them in an incident. These scenarios can commonly result in BI losses, but not CBI.

Money system. This SPoF facilitates the movement of money, which can include payroll systems, payment systems and financial transaction providers. These are attractive targets for financially motivated threat actors.

Data aggregators. This SPoF is an aggregator of protected information for other companies by virtue of its day-to-day business. Scenarios affecting these SPoFs tend to result in widespread privacy breaches.

Best Practice

In a discussion of due diligence and best practice, the report suggested that clients, who have a good idea of what their supply chains look like and can demonstrate good governance frameworks, will be more likely to obtain insurance than clients that cannot.

“Credit checks and financial viability analyses of suppliers and an understanding of the contribution of each vendor in the supply chain to a client’s own business will allow for proper operation and also enable clients to map their reliance on the vendor landscape as a whole,” the report said.

It is important to do a business impact analysis of the failure of any of those vendors and what that would look like in terms of cost, it said. This can highlight areas “to introduce mitigation strategies that will build resilience and redundancy measures.”

Ongoing monitoring is essential because “information provided to source cyber insurance represents a single point in time and is essentially an attestation that a component of an insured’s framework is compliant at a certain date — digital environments change, need maintenance, updating and patching,” the report cautioned.

“Snapshots of supply chain risk taken at a particular point in time do not consider how risks may evolve through a firm’s financial planning cycle; therefore ongoing oversight and governance are critical. This equally applies to the lifetime of any insurance contract that an organization may purchase to transfer some of the risk.”

The report went on to list 10 key underwriting considerations in supply chain risks:

• Has the organization developed a response/business continuity plan from a cyber peril exposure?

• Testing of the cyber supply chain.

• Has the organization conducted a review of their supply chain exposure to a cyber attack?

• Has the organization reviewed their suppliers’ business continuity plans/response to a cyber attack?

• Does the organization and its suppliers deliver cybersecurity awareness training to its employees?

• Identifying suppliers that use the same software (an accumulation of potential risk).

• Are control systems and/or manufacturing systems isolated from the external systems?

• Does the organization rely on one supplier to meet their needs, or are there alternative suppliers?

• Do contracts with suppliers include service-level agreements, and are there contingencies included where the supplier is unable to provide the service?

• How long would the interruption suffered by the supplier be — days, hours, weeks or months?

The report was jointly researched by the International Underwriting Association of London (IUA) and CyberCube. The IUA is
the representative body for international and wholesale insurance and reinsurance carriers operating in London. CyberCube is a San Francisco-based cyber risk analytics firm.

Source: International Underwriting Association and CyberCube