Insurance Business Review, June 2024

this exploit will inform the questions that cyber insurance underwriters will be asking in the run-up to their annual renewal. Insurers are already seeing a spate of claims arising out of the MOVEit vulnerability, and their experience of paying these losses will no doubt factor into renewal discussions.

As we witnessed following the Log4j vulnerability in late 2021, we can expect that underwriters will be asking applicants whether they use MOVEit and will want to confirm that patches have been applied. They will also want to know what steps businesses have taken to address this risk with their service providers. It isn't feasible for underwriters to take inventory of every vendor a given insured uses, but they are likely to inquire whether the applicant has identified any third parties possessing its customer data that have used MOVEit, either currently or previously. Insureds should verify with those service providers that appropriate remediation steps have been taken.

Additionally, now would be a good time to revisit the contractual language contained in the service agreement with the vendor. What limitations of liability are in place that could inhibit a recovery from the vendor if your organization incurs losses arising out of the vendor's data breach? Does the service agreement confer "additional insured" status on your organization so that you are able to tender a claim directly to the vendor's cyber or technology liability insurer? This could prove important if the vendor becomes insolvent due to multiple client claims being made against them. Lastly, does the agreement require you to waive subrogation on behalf of your own insurer? If so, you will need to check the terms of your own cyber insurance policy to see whether you are permitted to make such a waiver.
Otherwise, you could be in breach of either the service agreement or your insurance policy, depending upon whether your insurer attempts to recoup from the vendor any losses it has paid out on your behalf.

The MOVEit file transfer vulnerability is bound to have a lasting impact on the cyber insurance underwriting process. Before news of this exploit came to light, several insurers had already begun adding endorsements to their policies which applied a sublimit or coinsurance to losses arising out of "known exploits" or "neglected software." Other insurers may follow suit, either adapting broadly-worded exclusionary language or limitations specifically tailored to this zero-day exploit. A proactive approach to risk mitigation and vendor management is essential to maintaining the insurability of your organization and reducing the risks associated with this latest addition to an already challenging threat landscape. This vulnerability also underscores the importance of working with an insurance broker who possesses expertise around cyber insurance coverage and understands the risks specific to your industry.