[co-author: Ken Fishkin]
As reported by Bloomberg and other news outlets, a major cybersecurity intrusion attributed to Russian state hackers, known by the nicknames APT29 or Cozy Bear, has sent cybersecurity experts into emergency mode as they work to determine whether their clients have been impacted by this breach. The same group of hackers attacked the State Department and the White House email servers back in 2014. The attack appears to have originated with an intrusion into SolarWinds IT Orion Platform, which is utilized by many companies to manage their IT operations. Specifically, SolarWinds Orion software versions 2019.4 HF 5 through 2020.2.1, released between March and June 2020, are considered compromised, and companies are being strongly urged to take immediate action by following SolarWinds’ mitigations.
SolarWinds is currently estimating that as many as 18,000 entities, including companies and government agencies, have been impacted by the hack and may be facing known and unknown breaches and cyber intrusions. Now is the time for clients to reevaluate their data security systems as well as third-party risk management programs. For those clients using SolarWinds Orion software in particular, special attention should be paid to servers containing sensitive and confidential information, and companies should consider communications with counsel and clients regarding potential exposure and mitigation efforts.
Affected companies should also review their cyber insurance policies to assess potential coverage for this cybersecurity event. Those companies should pay careful attention to the cyber policies’ notice requirements and, if appropriate, promptly report the incident or any resulting claims. Cyber insurance policies provide an array of different types of coverages, but affected companies should initially focus on the following common coverages:
- Breach Response Costs. This coverage typically insures legal fees associated with understanding any notification obligations, computer forensic costs to investigate the scope of the breach, as well as costs for notification to affected individuals, credit/identity theft monitoring, call service centers, and crisis management.
- Data Restoration. Cyber policies usually cover costs to restore or replace lost or damaged data or software because of a cybersecurity incident.
- Privacy and Network Security Liability. This third-party coverage will usually provide defense cost and indemnity coverage for claims or lawsuits brought against the policyholder for the unauthorized theft or disclosure of sensitive data such as PII or confidential business information.
- Regulatory Fines and Penalties. When an insured is subject to a regulatory proceeding or investigation because of a data breach, cyber policies can cover civil fines or penalties payable to the government or regulator (so long as such amounts are insurable under applicable law).