Another cyber-attack labelled ‘Microsoft Exchange Email hacks’ hits the news again! This attack has been concerningly described as ‘zero day’ attack. A zero-day attack means that the points of vulnerability were unknown before the attack therefore the cyber-attack occurs on the same day that the weakness is discovered in the software. Like so many things happening around the world at this point, the race is on to get on top of these attacks which are believed to be state sponsored and cultivated in China by the hacking group Hafnium. Chinese government denies any involvement. This method of attack has already been replicated and used to infiltrate companies and public bodies in more than 115 countries around the world. It is still early days, so many UK companies may still be unaware that their systems have been hacked. The European Banking Authority has reported that their system has been compromised and that there is a possibility that personal data has been exposed.
What happened?
Microsoft announced that the hacking group exploited four (4) zero-day vulnerabilities in the server’s system to enter the Microsoft Exchange Server which is used by large corporations and public bodies across the world. The calendar software of governments and data centres were also compromised. The hackers also sometimes used stolen passwords to gain unauthorized access to the system. The hackers would then take control of the server remotely and steal data from the network. The attack has affected thousands around the world.
Tom Burts, a VP at Microsoft described in a sequential order how the attack was carried out;
First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access.
Second, it would create what’s called a web shell to control the compromised server remotely.
Third, it would use that remote access – run from the U.S. based private servers to steal data from an organization’s network.[1]
What is not affected?
The identified vulnerabilities do not affect Exchange Online, Microsoft’s cloud-based email and calendar services that’s included in commercial Office 365 and Microsoft 365 subscriptions.
International Response
In response Microsoft issued a software update for its 2010, 2013, 2016 and 2019 versions of Exchange. The UK National Cybersecurity Centre, the US and the Norwegian governments are already issuing warnings and guidelines to businesses about the hacks.
But what does this mean for insurers?
This is an extra dent in the cyber security efforts of companies and public bodies yet another opportunity for a lesson to the insurance market of the potential global and high aggregate loss from just one attack. This incident is another illustration of how susceptible computer systems and servers are to cyber-attacks. Similarly, it is another indication to corporations and public bodies that foreign entities are working assiduously to identify and exploit vulnerabilities within their systems to achieve their motives, whatever they may be. So far, the impact is widespread, and victims include organisations such as infectious disease researchers, law firms, higher education institutions, defence contractors, NGOs. Cybersecurity group Huntress has reported many of their partners servers have been affected and they include small businesses for example small hotels, ice cream company, senior citizen communities, banks, local government and electricity companies[2].
In light of the recent business interruption decision from the Supreme Court, it will be interesting to see how many of these UK companies will present their claims to insurers and how insurers will respond to claims from assured whose businesses may have been interrupted by the Exchange Email hacks.
There will be gaps and exclusions in these Business Interruption policies which may not provide adequate protection against cyber risks so it is the assured with a cyber risk policy / insurance coverage who will be the most protected during and after these attacks.
Applicable cyber insurance clauses and possible response of insurers
Most cyber insurance policies cover data loss and business interruption as a result of a security breach so this will not be much of an issue for assureds with cyber insurance coverage. There are exclusions in most cyber insurance policies which may leave an assured vulnerable when hacking of this nature (Microsoft Exchange hack) occurs. Let us consider some of these exclusions and their potential impact further:
- First Party Loss
costs or expenses incurred by the insured to identify or remediate software program errors or vulnerabilities or update, replace, restore, assemble, reproduce, recollect or enhance data or computer systems to a level beyond that which existed prior to a security breach, system failure, dependent security breach, dependent system failure or extortion threat;
- Betterment
for repairing, replacing or restoring the Insured’s Computer System to a level beyond that which existed prior to any Claim or Loss;
The inclusion of this or any clause with similar wording means the assured may not be covered for the expenses and cost incurred to hire experts to identify or remediate vulnerabilities within their IT systems. Consequently, the assured will not be indemnified for the expenses or costs incurred to install the patches as recommended by Microsoft as these will be classified as updates or enhancement to the computer system beyond a level that which existed prior to the security breach.
- Infrastructure failure
We will not make any payment for any claim, loss or any other liability under this section directly or indirectly due to:
- Any failure or interruption of service provided by an internet service provider, telecommunications provider, utilities supplier or other infrastructure provider. However, this exclusion does not apply where you provide such services as part of your business.
OR
ii. failure or malfunction of satellites or of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured organization’s direct operational control.
OR
- Third party providers
- arising out of the failure of any third party provider including any utility, cloud, internet service provider or telecommunications provider, unless arising from a failure of the Insured to protect against unauthorised access to, unauthorised use of, or a denial of service attack or damage, destruction, alteration, corruption, copying, stealing or misuse by a Hacker of the Insured’s Computer system;
OR
ii. The Insurer shall not be liable to indemnify the Insured against any Loss arising as a result of the failure of a third party service provider or cloud provider unless they are hosting hardware or software that is owned by the Insured.
Could the relationship between Microsoft and its clients fall into the category of ‘other infrastructure provider’ to relieve the insurer of any liability to the assured? As software service providers of Microsoft 365 and Azure it will be no surprise to see claims being denied based on clauses with the same or similar wording. However, the assured may object to the insurer’s denial of the claim by the applying ejusdem generis rule in stating that ‘or other infrastructure provider’ should be limited to companies such as Virgin Media, British Gas or Welsh Water and not extend to software providers. According to Cambridge dictionary, infrastructure as it relates to IT means the ‘equipment, software, etc. that a computer system needs in order to operate and communicate with other computers.’ If this definition is accepted by the parties, the challenge for the insurer will be to establish that the Microsoft Exchange Server qualifies as a software needed for a computer system to operate and communicate with other computers. Rather, the function of the Microsoft exchange server is to aid with email storage and calendaring and is unrelated to other operational functions necessary to communicate with other computers.
Certainly ‘infrastructure or services that are not under the insured organization’s direct operational control’ will create less problems for the insurer to establish that the exclusion applies as this broad construction will exclude losses and expenses from incidents such as Microsoft Email Exchange Hack.
- Government intrusion
- which results, directly or indirectly, from access to, confiscation or destruction of the Insured’s Computer system by any government, governmental agency or sub-agency, public authority or any agents thereof;
Since the Microsoft Exchange Email are believed to be carried out by Hafnium which is a government backed group, it is reasonable to identify them as agents of the government of China. Therefore, assureds whose policies include a government intrusion exclusion may be denied coverage for their loss or expenses arising directly or indirectly from access to or destruction of the assured’s computer system by groups such as Hafnium.
Conclusion and the way forward
As aforementioned, it is early days and the real financial impact if any from these attacks are not yet known. However, what is certain is that hackers, whether state sponsored are not are using very sophisticated techniques to identify and exploit vulnerabilities within computer servers and networks. Therefore, companies and public bodies must continue to invest in employee training and take reasonable steps to manage and mitigate their losses from potential cyber-attacks which unfortunately will happen at one point. Among those decisions should be the purchase of cyber insurance policies that addresses the needs of the business with particular attention being placed on the exclusions clauses and ensuring that as an assured you are adequately protected against the cybersecurity risks to which you are most directly and indirectly prone .
While large corporations and government entities may have the requisite IT expertise to support them, the real concern remains for those small and medium sized businesses that do not have the resources for a complete check and cleaning of their systems. Therefore, larger corporations within the supply chain must offer their expertise to the small and medium sized businesses with which they trade to respond to this and other cyber security threats. Since Microsoft Exchange Online servers have not been affected, many small and medium sized businesses may begin to switch to using cloud-based email storage. However, this does not mean they will be immune from cyber-attacks.
Tokio Marine in their Cybersecurity Insurance Policy wording 0417 went as far as to include a list of reasonable steps that an insured should take to avoid / mitigate their loss and these along with government and industry guidelines should be a good starting point in your fight against cyber attacks and their debilitating impacts.
Reasonable steps to avoid Loss
The Insured shall protect its Computer system by:
a. having Virus protection software operating, correctly configured and regularly or automatically updated;
b. updating Computer systems with new protection patches issued by the original system or software manufacturer of supplier;
c. having a fire wall or similar configured device to control access to its Computer system;
d. encrypting and controlling the access to its Computer system and external devices including plug-in devices networked to its Computer system;
e. controlling unauthorised access to its Computer system by correctly configuring its wireless network;
f. changing all passwords on information and communication assets at least every 60 days and cancel any username, password or other security protection once an Employee’s employment has been terminated or after it knew or had reasonable grounds to suspect that it had become available to any unauthorised person;
g. taking regular back-up copies of any data, file or programme on its Computer system are taken and held in a secondary location;
h. having an operational system for logging and monitoring user activity on its Computer system;
i. remote wipe functionality is installed and enabled on all portable devices where such functionality is available
[1] Tom Burts, ‘New Nation – State Cyber attacks’ (02 March 2021) < https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/> accessed 14 March 2021.
[2] John Hammond, ‘Rapid Response: Mass Exploitation of On-Prem Exchange Servers’ (03 March 2021) < https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers?__hstc=1139630.77196394391fe1afb6fc8e7d1d6a8bc9.1615725167878.1615725167878.1615725167878.1&__hssc=1139630.5.1615725167882&__hsfp=3684379411&hsutk=77196394391fe1afb6fc8e7d1d6a8bc9&contentType=listing-page> accessed 14 March 2021.