The Economic Costs of Cyber Risk

Chris Nolan / Annie Fixler

Executive Summary

The SolarWinds cyber breach was likely the largest in U.S. history, though its full breadth and impact remain unknown. As early as October 2019, Russian hackers penetrated the Texas firm’s software development environment so that when the company pushed patches to its customers, it inadvertently delivered Moscow’s malware as well. The hackers exfiltrated data from U.S. government agencies for more than a year before FireEye exposed the operation last December.

Removing the compromised software and implementing other remediation measures could take months or even years, and the costs to the U.S. government alone could reach hundreds of millions of dollars. Even so, from an economic perspective the breach was not as damaging as feared, because its primary purpose appears to have been espionage. The breach did not cause large-scale business disruptions like those caused by Russia’s NotPetya attack on Ukraine in 2017. That malware spread around the world, affecting tens of thousands of companies and costing some of them hundreds of millions of dollars.

The digital age has increased productivity and efficiency, but many firms are struggling to manage the downside risks that accompany it. Too many companies are prioritizing short-term growth and cost-cutting at the expense of cybersecurity. As the SolarWinds breach demonstrated, one company’s cyber risk can have cascading economic and national security implications.

Twenty years ago, after a wave of corporate scandals undermined public confidence in the securities market, Congress passed the Sarbanes-Oxley Act, requiring greater corporate financial disclosures. The law strengthened investor protections and confidence through better accounting standards, improved internal controls and disclosure by companies, and stronger external oversight. Poor cybersecurity is today’s systemic risk, and the potential impact is even greater. Unlike the accounting malpractice and financial scandals of the 1990s and early 2000s that prompted congressional intervention, a single company with deficient cybersecurity could inflict substantial harm on the U.S. government, company shareholders (including retirees dependent on pensions), the public, and critical national infrastructure.

The insurtech firm Intangic developed a digital-risk rating system that uses a combination of financial data and externally observable malicious network activity to price actuarial risk across over 6,000 public corporations, including projected economic and shareholder value losses stemming from breach events. This memo employs the Intangic model to analyze two hypothetical breach scenarios: one targeting a large managed service provider, and a second one targeting a regional utility. The results demonstrate how the deficiencies of a single company can yield economic losses that exceed those caused by major natural disasters.

Confronting and correcting the issue of poor cybersecurity practices will require legislative and policy remedies. This memo prescribes enhanced corporate disclosures related to risk controls, cyber breaches, and vulnerabilities to improve the quality of information available to regulators and investors. Market forces can then incentivize corporate stakeholders to improve their company’s resilience and security. The goal is to minimize the likelihood of cyber breaches on the scale of SolarWinds – or worse – in the future.

Chris Nolan is the qualitative research lead at Intangic, an insurtech firm that provides corporations with innovative solutions for rising intangible and digital asset risks. Annie Fixler is the deputy director of FDD’s Center on Cyber and Technology Innovation. She works on issues related to the national security implications of cyberattacks on economic targets; adversarial strategies and capabilities; and U.S. cyber resilience. Follow Annie on Twitter @afixler. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

Courtesy: FDD