Cyber Case Study | SolarWinds Supply Chain Cyberattack

The Cyberattack On SolarWinds Digital Infrastructure

In the final month of 2020, it was revealed that foreign hackers had orchestrated a supply chain cyberattack throughout the past year in an effort to compromise several federal agencies and private organizations. The cybercriminals first infiltrated the digital infrastructure of SolarWinds—a Texas-based technology company—before using that infrastructure to gain access to sensitive data from a range of government departments and organizations via malware-ridden software updates. The incident ultimately exploited numerous SolarWinds customers and led to millions of dollars in total losses.

The attack has been dubbed one of the largest and most sophisticated cyber incidents in U.S. history, motivating many organizations to take a closer look at security risks stemming from their supply chains and software providers. In hindsight, there are various cybersecurity lessons that organizations can learn by reviewing the details of the SolarWinds incident.

Read on for everything your organization needs to know.

Reputational Damages

Considering SolarWinds maintained a trusted and respected reputation prior to the attack, the technology company received significant criticism from customers and the public for its cybersecurity shortcomings after the incident occurred. In particular, SolarWinds was scrutinized for failing to detect the cybercriminals’ initial activity within its network and remaining unaware that Orion had been injected with malware until FireEye’s eventual discovery months later.

Further, while the method hackers used to infiltrate SolarWinds’ network is unknown, it was soon discovered that a handful of the company’s employees possessed weak passwords leading up to the incident (one employee’s password was “solarwinds123”)—paving the way for additional security criticism. Amid this scrutiny, SolarWinds’ stock price fell by 40% the week following the incident.

Legal Ramifications

In January of 2021—one month after the details of the incident became public—disgruntled shareholders filed a class-action lawsuit against SolarWinds for its cybersecurity failures during the attack. Several months later, the SEC announced plans to investigate whether SolarWinds’ affected customers accurately estimated the impact of the incident within their financial records. As time goes on and additional damages come to light, it’s certainly possible that both SolarWinds and its customers could encounter more lawsuits and regulatory fines related to the incident.

Lessons Learned

There are several cybersecurity takeaways from the SolarWinds attack. Specifically, the incident emphasized these critical lessons:

Supply chain exposures shouldn’t be ignored. Above all, this attack showcased how critical it is for organizations to evaluate and address security concerns within their supply chains, including IT and software providers. Even if an organization follows proper cyber policies and procedures internally, a compromised supplier could still end up threatening its security and digital assets. Supply chain exposures can stem from various avenues—including vendors with access to organizational networks, third parties with inadequate data storage measures, and suppliers with poor overall cybersecurity practices.

While it’s not possible to totally eliminate supply chain risks, there are several steps organizations can take to help reduce these exposures and prevent costly attacks, such as:

• Incorporating cyber risk management into vendor contracts—This can include requiring vendors to obtain cyber insurance, having them issue timely notifications regarding cyber incidents, and establishing clear expectations regarding the destruction of data following the termination of contracts.
• Minimizing access that third parties have to organizational data—Once a vendor or supplier has been selected, it’s crucial to work with them to address any existing vulnerabilities and cybersecurity gaps. Moving forward, suppliers’ access to sensitive data should be restricted on an as-needed basis.
• Monitoring suppliers’ compliance with supply chain risk management procedures—This may entail adopting a “one strike and you’re out” policy with suppliers that experience cyber incidents or fail to meet applicable compliance guidelines.

Third Parties Must Prioritize Cybersecurity

As organizations begin to more closely evaluate their supply chain exposures, it’s increasingly vital for third-party vendors themselves to adopt effective cybersecurity measures. In particular, suppliers need to recognize that cybercriminals may target them in order to compromise their larger clients and take steps to prevent such incidents from occurring. After all, failing to do so could not only result in cybersecurity vulnerabilities but also contribute to reduced client trust and lost business. By upholding proper digital practices, third-party vendors can show their clients that they take security seriously, boost their overall reliability, and—in some cases—secure additional contracts.

Access controls can offer a strong defense. Although it’s unknown whether SolarWinds’ access control protocols or password blunders contributed to the incident, IT experts attest that bolstering these cybersecurity elements can play a major role in defending against hackers and subsequent attacks.

Valuable access control and password tactics include the following:

• Instructing employees to develop complicated and unique passwords for their accounts in addition to changing these passwords on a routine schedule.
• Implementing multifactor authentication measures that require employees to verify their identities in several ways (e.g., entering a password and answering a security question).
• Limiting employees’ digital access solely to the technology, networks, and data they need to perform their job responsibilities.
• Segmenting different workplace networks to prevent all networks from being compromised if a single employee’s credentials are exploited.

Effective Security And Threat Detection Software Is Critical

This incident emphasizes the importance of having appropriate security and threat detection software in place. This software can be used to better identify suspicious digital activity and reduce dwell time—which refers to how long it takes to detect cybercriminals’ presence after their initial network infiltration. Although this software may seem like an expensive investment, it’s well worth it to help continuously monitor security threats, catch perpetrators before it’s too late, and minimize the impacts of potentially devastating cyber incidents.

Necessary software to consider includes network monitoring systems, antivirus programs, endpoint detection products, and patch management tools. Also, it’s valuable to conduct routine penetration testing to determine whether this software possesses any security gaps or ongoing vulnerabilities. If such testing reveals any problems, these issues should be addressed immediately.

Midwest Insurance Group understands your organization and can help you with cyber security and threat detection software to meet your needs. Call us today at 262-646-5777 to learn more about the appropriate protection for your company against potential cyber attacks.

Liability Insurance To Protect Your Company

In today’s business climate of corporate transparency and accountability, an organization’s officers and directors face a myriad of employment-related exposures. Sarbanes-Oxley regulatory mandates and shareholder activism mean directors are more frequently at risk, translating to rising claims and escalating settlement costs.

In the wake of unprecedented corporate scandals in recent years, clearly, the trend of corporate accountability applies to large corporations. But privately held companies, including nonprofits, are not exempt from litigation arising out of the management decisions of their boards. They, too, are at risk.

Regardless of your company’s size, the legal cost to defend a director is substantial, as are the potential personal penalties. Due to the personal liability risk—which is not covered under a personal insurance policy—protecting boardroom talent can be a challenge. To help ensure both your officers’ and company’s well-being, a directors’ and officers’ liability insurance (D&O) policy is part of a comprehensive risk financing strategy.

D&O Fills the Coverage Gap

Unlike a commercial general liability policy that provides coverage for claims arising from property damage and bodily injury, a D&O policy specifically provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, neglect, or breach of duty.

For example, a manufacturer told one of its suppliers to increase inventory because they were expecting a large increase in production. As predicted, demand for the manufacturer’s product grew, but the manufacturer increased its inventory with another vendor. The original supplier successfully sued the manufacturer, alleging they suffered damages as a result of having relied on the manufacturer’s promise.

A D&O policy provides defense costs and indemnity coverage to the entity listed on the policy declarations, which may include the following:

  • Coverage for individual directors and officers
  • Reimbursement to the organization for a contractual obligation to indemnify directors and officers that serve on the board
  • Protection for the organization or entity itself

Indemnification provisions are typically included in the charter or bylaws of a corporation. While an important risk component, small to midsize privately held companies or nonprofit organizations often do not have the financial resources to fund the indemnity provisions, making the bylaws hollow. A D&O policy can provide an extra blanket of security in the event of a covered loss.

Coverage

A “fraud” exclusion is typically included in a D&O policy, which eliminates coverage for losses due to dishonest or fraudulent acts or omissions, or willful violations of any statute, rule or law.

D&O coverage can be tailored to your needs, but be aware that D&O carriers are not consistent with their policy forms. This fact, plus the complexity of D&O claims, requires the carrier to have market commitment and deep expertise, as well as the financial resources to handle potential claims.

There are also additional forms of coverage to protect directors and officers, including the following:

  • Entity coverage
  • Payment priority for insured persons
  • Severability of the insured as well as severability of the application
  • Coverage over time, meaning coverage responds to past, present, and future directors and officers
  • Pay on behalf clause
  • Duty to defend clause

In addition, some D&O policies can be endorsed to provide employment practices liability (EPL) coverage and/or fiduciary liability.

  • While EPL endorsements under a D&O policy broaden coverage, they often do not provide a duty to defend clause and are subject to a substantial deductible. Many EPL endorsements do not provide for a separate limit of liability in addition to the limit available under the D&O policy. If the D&O limit is reduced or exhausted by payment of an employment practices claim involving the wrongful conduct of an employee, a director’s or officer’s personal assets may be at risk.
  • Fiduciary liability provides coverage for liabilities arising out of ERISA, where fiduciaries are personally liable for losses to a benefit plan incurred because of alleged errors, omissions, or breach of their fiduciary duties.

Who can bring a D&O lawsuit? According to St. Paul Travelers, statistics show that shareholders and employees are the most likely groups to sue private companies. Other parties may include corporations against themselves, and a variety of third parties, such as competitors, creditors, and regulatory bodies.

Considerations for Nonprofits

According to the Nonprofit Risk Management Center, nonprofit organizations often report some difficulty in affording the cost of D&O insurance. To minimize the annual premium, they recommend choosing only those policy provisions considered most critical. For example, a volunteer-run nonprofit without paid staff may skip employment practices coverage until it hires staff. If affording a lump-sum premium is a concern, inquire about the availability of premium financing. To defray the cost of premiums, some nonprofit organizations consider charging board members a portion of the policy cost.

We’re Here to Help

Whether you’re a nonprofit, privately held, or a public company, it is likely that your business can benefit from a D&O policy. Since there is no such thing as a “standard” policy, a professional agent is invaluable when purchasing D&O coverage. Midwest Insurance Group understands your organization and can knowledgeably help design policy language to meet your needs. Call us today at 262-646-5777 to learn more about the appropriate protection for your company against potential directors’ and officers’ liability.

2022 Workers’ Compensation Insurance Market Outlook

Unlike other lines of coverage, the market for workers’ compensation insurance has remained stable across most states and industries, performing as an outlier by producing profitable underwriting results. According to the National Council on Compensation Insurance (NCCI), the private carrier combined ratio for workers’ compensation in 2020 was 87, up from 85 in 2019, marking the seventh consecutive year of underwriting profit.

Nevertheless, there are still trends that could pose concerns within the market for 2022—such as COVID-19 risks, widespread labor shortages, and a rise in mega claims. Looking ahead, we predict that workers’ compensation rates will remain stable, with some organizations experiencing rate decreases and others seeing minimal rate increases.

Developments and Trends to Watch

  • Wearable safety technology—In an effort to minimize employee injuries and subsequent workers’ compensation claims, many organizations have turned to wearable safety technology in recent years. These devices can help monitor employees’ behaviors on the job, alert them of hazardous situations and provide real-time safety instructions—thus promoting a safer work environment, mitigating injuries and lowering workers’ compensation costs. According to ABI Research, the wearable technology market is projected to reach $60 billion by the end of 2022.
  • Telemedicine offerings—Telemedicine, which allows employees to receive medical services virtually after they’ve been injured on the job, has continued to rise in popularity over the years. Especially amid the ongoing COVID-19 pandemic, telemedicine has become an increasingly attractive option for employees to receive medical services without physically visiting a doctor’s office or navigating limited clinic availability. In fact, 25 states either added or expanded telemedicine offerings for treating occupational injuries due to the pandemic, the Workers’ Compensation Research Institute reports. What’s more, a recent survey found that 83% of patients who currently use telemedicine plan to continue doing so even after the pandemic ends.
  • Qualified worker shortages—The U.S. Bureau of Labor Statistics confirmed there were more job openings available in 2021 than there have been in the last two decades. Due to these labor shortages, many employers have begun hiring a large number of inexperienced workers. Yet, this practice comes with workers’ compensation risks; employees with less than five years of experience contribute to 43% of workplace injuries, according to a recent survey conducted by the Golden Triangle Business Roundtable in Texas. This is likely because such workers often lack years of safety training and may be more willing to take unnecessary risks.
  • Mega claims—A mega claim is an exceptionally large claim, totaling $3 million or more incurred. In the scope of workers’ compensation, these claims typically stem from employees experiencing severe (and possibly permanent) injuries on the job. The NCCI reports that mega claims have reached a 12-year high—increasing in both frequency and severity.

2022 Price Prediction

Overall: -2% to +5%

Tips for Insurance Buyers

  • Enforce workplace health and safety measures to help protect your staff from COVID-19 exposure and limit the likelihood of related claims.
  • Implement safety and health programs to address common risks, especially when using a loss-sensitive workers’ compensation program.
  • Consider implementing various digital solutions—such as wearable safety technology and telemedicine—to help prevent and treat injuries within your workers’ compensation program.
  • Develop an effective return-to-work program that properly supports employees in the process of healing from a work-related illness or injury and resuming job duties following their recovery.

At Midwest Insurance Group we work hard to build trusted relationships with our customers. We strive to make you feel both comfortable with and confident in our abilities by acting as your consultant. We are an organization dedicated to our customers. We seek out the best companies that offer the appropriate coverages at a fair price. Call us today at 262-646-5777.

Quick Ways To Save On Your Insurance Costs

It seems like everything in your life is going up, up, up. But your insurance doesn’t have to follow suit. While we can’t control rates or the market as a whole, we can give you some sure-fire ways to keep those costs low through discounts and best practices.

Because let’s face it, we’re all looking for ways to cut costs right now.

That doesn’t mean we have to cut coverage, though, as that could leave you exposed if you have an accident.

Try the following tips before you tighten your insurance belt:

  • AutoPay — Everyone likes steady money. Insurance companies are no exception, and they give discounts for automatic monthly payments.
  • Payment in Full — Same principle as autopay, except this is an even better discount if you have the cash to pay the price of the policy in one payment in full.
  • Multi-Policy — This is the big one. Combine home and auto for the biggest discounts of all. If you’ve got both, switch them to one carrier and do your wallet a favor.

These simple little tricks can help you obtain 5, 10, even 15 percent off of your total policy premium.

Enjoy the savings, and best of luck in this wild economy!

Simple Cyber Security Tips To Protect You Online

If you’re reading this, you’re online. Nearly everyone is now, from kids with phones to grandmas looking at those kids on social media.

Unfortunately, if you’re online, you’re also vulnerable to cyber-attacks. Everything from email scams to ransomware attacks is possible if you aren’t careful.

Luckily, being careful is easier than ever. Planning ahead and making a few simple changes can have a huge impact on how likely you are to experience an attack.

To make sure you’re secure online, try the following:

  • Beef Up Those Passwords — Yes, it’s annoying to change them. But change them regularly, make them longer, and use different types of symbols and punctuation.
  • Build That Firewall — Use antivirus software on your devices. There are free options and paid options. Feeling techy? Use a VPN to be even safer.
  • Check Yourself — Not sure if you’re secure? Check your info at http://haveibeenpwned.com/ to see if you have been part of a data breach.

Having your information out there can be scary. Luckily, a few basic changes can make a huge difference in you surfing the web confidently.

Now, where are those cute kitten videos?

Insuring Your Business Against Cyber Liability

According to one study done by the US Small Business Administration, 88% of small business owners feel their business is vulnerable to a cyber attack.[1] These concerns may be well-founded: according to another study, 46% of all small businesses have at some point been the target of a ransomware attack.[2]

Business owners are required to protect their customers’ personal information. In all 50 states, Guam, Puerto Rico, The Virgin Islands, and the District of Columbia, businesses are required to notify individuals of security breaches involving personally identifiable information.[3]

As evidenced by news of large-scale data breaches, online hacking has become another form of risk that businesses now face every day. Like many risks, businesses can insure themselves against the financial damage a cyber-attack may inflict.

Cyber liability insurance may cover a range of risks, including:

  • Data Breach Management: Pays expenses related to the investigation, management, and remediation of an incident, including customer notification, credit check support, and associated legal costs and fines.
  • Media Liability: Covers third-party damages such as website vandalism and intellectual property rights infringement.
  • Extortion Liability: Reimburses for expenses associated with losses arising from a threat of extortion.
  • Network Security Liability: Covers costs connected with third-party damages due to a denial of access and theft of third-party information.

Cyber liability insurance is fairly new so expect a wide divergence of coverage and costs. It may be purchased separately or as a rider to your current business insurance policy. Be prepared to comparison shop to get a better understanding of coverage and costs.

Small business owners might also keep in mind that “an ounce of prevention is worth a pound of cure.” There are steps you can take to protect your business from becoming a cyber victim.

Consider these steps to protect your data.

  1. Maintain robust malware detection software and keep existing software updated.
  2. Train employees not to open links contained in emails from unknown senders. Research shows that 30% of security-related incidents are caused by internal actors.[4]
  3. Encrypt your important data, such as bank account information, customer credit card numbers, etc.
  4. Perform a security audit.

As obvious and simple as these precautions may sound, some businesses fall victim to cyber-attacks because of their failure to take them.

  1. SBA.gov, 2021
  2. StaySafeOnline.org, 2020
  3. National Conference of State Legislatures, 2020
  4. SmallBizTrends.com, 2020

For a free consultation with an experienced insurance expert, contact the Midwest Insurance Group here or call 262-646-5777.

Winter Months Are Upon Us Now

While the weather outside may not yet be frightful, the winter months are upon us. And for many of us, that means freezing weather.

Even if you want a snowy Christmas, certain risks arise when snow, ice, or freezing rain are present.

And if you think this doesn’t apply to you, keep in mind that Texas was the hardest hit state for winter weather claims earlier this year!

Luckily you can ward off the worst with a few simple tips:

  • Auto-snowmobile — Transform your car into a safe winter transport. Obtain snow tires or chains, make sure to regularly service your vehicle, and have an emergency kit in case you get stuck.
  • Heavy Snow — A surprisingly common claim is collapse due to the weight of ice and snow. MOST policies cover this but make sure roofs and porches are in good condition.
  • Back It Up — Power loss is common during big storms. Consider getting a backup generator or a backup heat source. Also, check your policy for Spoiled Food coverage if your refrigerator goes out.

You’ll be snug as a bug in a rug and cozy with confidence that you and your family are safe – no matter how the wind blows.