Cyber Risk Aggregation Case Study: SolarWinds
The SolarWinds attack has been an eye opening experience for many organizations as they scramble to fully understand the extent of the damage and exposure they face. As more information becomes available, analysis on the “target victims” continues to show interesting trends. Elements such as location, industry, and entity size are common qualitative factors taken into consideration when analyzing the impact and likelihood of cyber attacks. When these three elements are combined, companies can be described in a unified framework.
Kovrr developed CRIMZON™, an easy to use open framework to measure and understand catastrophic cyber risk exposure, for use in the insurance industry to monitor cyber risk across portfolios and monitor exposure trends. CRIMZON take into account location, industry, and entity size because analysis has shown a significant correlation between companies from the same location and industry having a higher tendency to use the same third-party service providers and technologies, leaving them exposed to corresponding cyber attacks. Additionally, analysis has demonstrated that entity size has a direct correlation to technologies used, cyber preparedness, security policies, cybersecurity spending, and level of sophistication of cyber attacks.
Following the SolarWinds Cyber Attack, we applied the CRIMZON framework to better understand the distribution of Orion Solarwinds (estimated installation base is approximately 33,000 clients). Kovrr used BitSight data and additional data sources to identify and build a list of companies using the technology. The next step was to use our enrichment technology to identify the location, industry (by Standard Industrial Classification - SIC) and size of each company. Then we grouped the companies by CRIMZON.
The results showed a clear accumulation of companies that belonged to specific CRIMZON, with criteria matching telecommunications and government entities in the United States and Europe. Specifically, the most popular zones included US_E_48_S [Companies located in the United States in the Transportation & Communication industry with a Small entity size] and US_I_82_S [Companies located in the United States in the Educational Services Industry with a Small entity size] - meaning companies that fit the above criteria were more likely to be affected by the attack.
Intuitively, concentrations of particular product use across a CRIMZON makes sense for products with large user bases, for example, Microsoft Office. However, SolarWinds Orion, is a niche product with a relatively low user base with clear aggregations in specific zones. While Solarwinds Orion is only one example, it is fair to assume that other technologies, although not widely used, could pose the same type of risk within a zone, meaning that other niche technologies are most likely to affect specific types of companies if exploited.
The distribution per CRIMZON shows that the US is the leading country for SolarWinds usage. The majority of companies (81%) reside in only 23 CRIMZON out of a total of 81 identified zones. From an insurance perspective, if their portfolio is diversified in its company make up based on the minimal elements [location, industry, company size], then their chance of suffering from the event and affecting the entire portfolio is reduced. This is one of the main pain points for insurers, and insights like these enable them to take more risk and expand their portfolio.