As if the cyber insurance market wasn’t difficult enough, a new development known as the Apache Log4j Vulnerability has surfaced and is causing quite a stir. While programmers and cyber security experts are racing to release patches to fix the issue, we wanted to make you aware of the situation as its huge ripple effect is being felt by insurance providers the world over.
Before we get too deep into the repercussions, however, let’s briefly discuss what the Apache Log4j Vulnerability is, why it’s so concerning, and what you can do today to keep your business protected.
WHAT IS THE APACHE LOG4J VULNERABILITY?
Log4j is a piece of Apache open-source software that allows developers to easily archive data and understand how their programs function. The idea is to help companies understand potential bugs or performance issues in their own software.
The vulnerability in question is a recently discovered exploitation that allows attackers to take over the computers and networks of any organization running the program. They can then execute arbitrary code on the system, which is obviously not ideal for any business.
WHY IS APACHE LOG4J SO CONCERNING?
The Log4j Vulnerability is incredibly concerning for two reasons:
- The biggest concern is just how widely used the software is. As a popular logging tool, Log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects across the software industry. This issue can also affect cloud service and network providers.
- The other major concern is how attackers can take advantage of the flaw. Cyber attackers are able to leverage the vulnerability to launch ransomware attacks or take remote control of affected systems, essentially shutting out businesses entirely.
WHAT STEPS CAN YOU TAKE TODAY TO PROTECT YOUR BUSINESS?
Like with any other [cyber security threat], there are proactive measures you can take to help protect your system.
- Scan for Log4j with open source tools to determine if it exists in your code, and if it does, whether it contains any vulnerabilities. Anchore, for instance, offers two such tools that allow you to quickly scan a large number of packaged dependency formats.
- Review Apache’s Log4j Security Vulnerabilities page for more information on how to apply the available patches right away. We recommend prioritizing your most critical, internet-facing systems and network servers first before moving on to other assets.
- Once all your code is mitigated, conduct a thorough security review to determine if your system remains compromised.
- Report any Log4j vulnerabilities to the CISA and FBI as soon as possible.
WHAT IMPACT DOES THIS VULNERABILITY HAVE ON THE CYBER INSURANCE MARKET?
There has been a lot of discussion in the cyber insurance market recently in response to the Apache Log4j issue, which has been described by many as a denial of service vulnerability. What this means is that some carriers are halting the quoting of new business or sub-limiting ransomware coverages. More often than not, we are seeing additional subjectivities added to quotes and binders, which will affect the overall availability of cyber insurance coverage for millions of businesses around the world.
The most significant concerns that carriers have pertain to the implementation of the following risk controls, as these will impact the viability of obtaining a cyber insurance quote and the terms that will be available to you:
- Multi-factor authentication on ALL remote access to your network
- Multi-factor authentication for accessing email through any non-corporate devices
- Multi-factor authentication on ALL local and remote access to privileged user accounts
- An offline/”air-gapped” immutable backup
- Next-generation anti-virus protection and endpoint detection & response (EDR) tools
WHAT CAN YOU EXPECT FROM THE CHRISTENSEN GROUP?
On top of the existing hurdles in the market, we can expect to address this concern soon with a number of our carriers. We are simply asking that you help us take a proactive approach in providing full submissions as soon as possible.
In addition, we want you to understand that there are going to be additional underwriting questions and requirements (these will vary from carrier to carrier), so please be patient as we continue to navigate this new terrain.