Insured losses from the SolarWinds breach will likely come in around $90 million, according to estimates from a pair of security companies, who claim insurers may have dodged “a catastrophic financial incident.”
While newly minted partners BitSight and Kovrr expect the number of SolarWinds victims to grow in the upcoming months, direct insured costs should remain close to their estimate since many of the organizations hit – particularly federal agencies – do not carry insurance against cyber risks. Government agencies make up about 18 percent of the organizations hacked.
The duo based their estimate on key attributes of the impacted organizations: the industries they serve, their locations and size, and what kind of costs they likely would rack up for incident response, forensics, regulatory fines and public relations efforts.
The insurance market avoided a catastrophe, the analysts said, because the attackers, at least so far, didn’t engage in large-scale exploitation of the organizations hacked. But they expect that the attack will raise insurers’ concerns over future supply chain risks that could damage their insured base.
“More robust modeling, working with insureds to help them better understand their third and fourth party risk, and adjustments to the way supply chain risk is underwritten may all be required for the insurance market moving forward,” BitSight and Kovrr said in a report.