Reflections on the MOVEit cyber attack

Last May, the massive MOVEit cyber attack was discovered. To date, over 60 million individuals and more than 1,000 businesses have been impacted, leading to a surge of claim notices.

The total estimated early-stage cost has approached $10bn, with attacks and demands for ransom still ongoing and new victims emerging almost daily. The attack is an example of tech supply chain vulnerability. Many were affected by direct use of MOVEit, while others were exposed through a third-party file-transfer service.

High costs for victims

Impacted organisations face significant costs, starting with notifying individual victims and regulators. They must also disclose the breach in financial reporting. Then there are legal costs for defending against litigation and follow-on regulatory actions. In the US alone, more than 45 federal class actions have been filed against the software provider and direct or downstream users alleging failure to implement adequate security, provide timely notice of the breach, and more.

Early reporting is critical

It’s important to report actual or suspected security incidents to insurers immediately. This includes ransomware, compromised business email, and irregular network activity – even if the scope seems limited.

In addition to speeding up the claims process, early reporting gives policyholders access to expert guidance. Insurers have deep experience and relationships to help engage vendors and legal advisors, and discuss settlement offers. They also have vetted resources and negotiated rates that can provide expertise and savings. If third-party litigation results, insurers can also coordinate selection of panel legal counsel and determine if a separate firm, uninvolved in the breach response, is necessary.

Structuring a cyber defense

Cyber risk comprises threats, vulnerabilities, and impact. Mitigation depends on the ability to control one or more of these factors, with the following tactics:

  • Incorporate multi-layer infrastructure defenses
  • Assess security and monitor threats 24/7
  • Conduct regular vulnerability assessments and penetration tests
  • Assess the security practices and actively monitor the security posture of third-party vendors
  • Install updated software patches to help prevent attacks that exploit vulnerabilities
  • Consider updating the file transfer protocol to cleanse data from the STP site after transfer
  • Establish an incident response plan
  • Hold mandatory employee training sessions

Kristin McMahon, senior vice president, US specialty line claims and Canada, Liberty Mutual Insurance and Ironshore