Introduction
The relative quiet we had witnessed in the world of cyber risk during the first half of 2023 came to an abrupt halt at the end of May, when news of the MOVEit file transfer vulnerability first broke. By now, most information security professionals have a handle on their company’s exposure to this threat. However, less attention has been devoted to the impact that this exploit will have on the underwriting process for cyber insurance. Even if your organization does not purchase this insurance, the risk management tips in this article can help reduce the likelihood and severity of losses associated with this vulnerability.

What’s happening?
Progress Software Corporation (the parent company of the software developer) has reported that a vulnerability in MOVEit Transfer can be exploited to allow attackers to gain unauthorized access to data and to execute SQL statements that alter or delete data. All MOVEit Transfer versions are impacted by this vulnerability. Although only a limited number of organizations use this software, corporate clients of those users are receiving notices that their own customer data has been compromised, vastly multiplying the scope of this event.

What are the coverage implications?
The first order of business for organizations has been to secure traffic to their MOVEit Transfer environment. They should continue to monitor their network for indicators of compromise. The impact of this event goes beyond vulnerability management. After companies delete any unauthorized files and user accounts, reset their credentials and apply the appropriate patches, they will need to consider how this exploit will inform the questions that cyber insurance underwriters will be asking in the run-up to their annual renewal. Insurers are already seeing a spate of claims arising out of the MOVEit vulnerability, and their experience of paying these losses will no doubt factor into renewal discussions.
As we witnessed following the Log4j vulnerability in late 2021, we can expect that underwriters will be asking applicants whether they use MOVEit and will want to confirm that patches have been applied. They will also want to know what steps businesses have taken to address this risk with their service providers. It isn’t feasible for underwriters to take inventory of every vendor a given insured uses, but they are likely to inquire whether the applicant has identified any third parties possessing its customer data that have used MOVEit, either currently or previously. Insureds should verify with those service providers that appropriate remediation steps have been taken.

Additionally, now would be a good time to revisit the contractual language contained in the service agreement with the vendor. What limitations of liability are in place that could inhibit a recovery from the vendor if your organization incurs losses arising out of the vendor’s data breach? Does the service agreement confer “additional insured” status on your organization so that you are able to tender a claim directly to the vendor’s cyber or technology liability insurer? This could prove important if the vendor becomes insolvent due to multiple client claims being made against it. Lastly, does the agreement require you to waive subrogation on behalf of your own insurer? If so, you will need to check the terms of your own cyber insurance policy to see whether you are permitted to make such a waiver. Otherwise, you could be in breach of either the service agreement or your insurance policy, depending upon whether your insurer attempts to recoup from the vendor any losses it has paid out on your behalf. The MOVEit file transfer vulnerability is bound to have a lasting impact on the cyber insurance underwriting process.
Before news of this exploit came to light, several insurers had already begun adding endorsements to their policies which applied a sublimit or coinsurance to losses arising out of “known exploits” or “neglected software.” Other insurers may follow suit, either adopting broadly worded exclusionary language or limitations specifically tailored to this zero-day exploit. A proactive approach to risk mitigation and vendor management is essential to maintaining the insurability of your organization and reducing the risks associated with this latest addition to an already challenging threat landscape. This vulnerability also underscores the importance of working with an insurance broker who possesses expertise around cyber insurance coverage and understands the risks specific to your industry.