Adding insult to a severely injured year, the waning days of 2020 saw a massive breach aimed at the U.S. government and other private businesses. Perhaps no entity experienced the greatest fallout than SolarWinds, an Austin-based company developing software that helps businesses manage their IT infrastructure.
Orion, network monitoring software developed by SolarWinds, became infected with malicious code which then infected approximately 18,000 SolarWinds customers. Several of the impacted companies include household names such as Intel, VMware, Deloitte, and Belkin.
Businesses of all sizes should revisit their cyber insurance policies in the aftermath of this widespread attack. While SolarWinds has the resources and sophistication to procure comprehensive Technology Errors & Omissions coverage (3rd party liability insurance covering their clients) and Cyber Liability coverage (1st party liability coverage protecting damage done directly to SolarWinds), it is important for all firms to understand how their own cyber coverage responds in the event a third party causes disruption to their systems.
Third party disruptions occur quite frequently; during the summer of 2019, ransomware targeted DDS Safe, a medical records backup solution used by hundreds of dental offices in the U.S. Through DDS Safe, hackers demanded ransom from these offices by deploying ransomware called REvil (Sodinokibi) and the software developers of DDS Safe elected to pay the hackers to obtain encryption keys for these dental offices. During that same summer, twenty-two municipalities in Texas were similarly hit with a ransomware attack via their outsourced IT services provider. Thankfully, no municipality paid the ransom because they either rebuilt their networks from scratch (which may have involved use of some taxpayer money) or accessed system backups.
In the case of the DDS Safe ransomware attack, many dental offices were down for days and could not treat patients, thereby forfeiting revenue. While DDS Safe’s cyber insurance policy paid for the encryption keys, an often overlooked impact of a cyber breach is the “indirect costs” involved. While operating a small business, every penny counts so missing days of revenue could threaten already razon thin margins. Thankfully, there is a solution.
Contingent Business Interruption
Contingent (or Dependent) Business Interruption provides coverage for a business in the event a third-party service provider, in many cases an outsourced IT service provider, experiences a breach or network outage which directly impacts that business. Many cyber insurance policies contain language including both a security failure, a failure caused by a cyber breach, and a system failure, an event caused by human error on the part of the third-party provider.
If the dental offices involved in the aforementioned DDS Safe ransomware attack had a robust cyber insurance policy containing contingent business interruption, they could file a claim to recoup some of the revenue lost during the period when their doors were closed. Sometimes, third-party software providers have business interruption coverage embedded in their Technology Errors & Omissions policy providing monetary relief for clients experiencing downtime due to a breach. Regardless, it is important for businesses to still carry contingent business interruption coverage to fill any gaps that may exist with the business interruption coverage provided by the software provider’s Technology Errors & Omissions policy.
By having contingent business interruption coverage, businesses can take the job of protecting their revenue streams into their own hands, rather than relying on the coverages provided by their third-party IT services provider.