Spotlight on: Microsoft Exchange attack | Victorian Managed Insurance Authority

Swift action by Cyber Safety Unit mitigates risk for VPS

In March 2021, organisations worldwide went into panic mode when Microsoft announced that previously unknown vulnerabilities in its Exchange Server software were being exploited by hackers.

Microsoft released security patches to try and stop hackers from infiltrating business systems via the vulnerability, but even with the patches in place, organisations whose servers were compromised could still be at risk.

Malicious software (such as ransomware) used by hackers can lay dormant in systems for years before it’s triggered to into running a code and causing an attack.

Future-proof caught up with VMIA’s Jack Petrie as he returned from a secondment at the Department of Premier and Cabinet’s Cyber Safety Unit, a team of specialists brought together to help the Victorian Government build cyber safety.

We spoke to Jack about vulnerability management in the context of insuring cyber risk, and asked what organisations can do to help manage their exposure.

Jack, we’d like to break this down – can you start by explaining what a vulnerability is, and why it matters?

A vulnerability is a weakness in your server, device or system’s code that can give hackers a ‘way in’ to your IT infrastructure. If a hacker exploits this vulnerability, they may enter your IT infrastructure and cause harm to the organisation.

The type of harm caused can range from causing disruption, accessing confidential data to placing ransomware on your system and more.

Walk us through what happened: how did the Cyber Safety Unit respond when Microsoft discovered the Exchange issue?

With some of the state’s public organisations relying on Microsoft Exchange servers for service delivery, it was clear from the start that this was a critical risk for the Victorian Government.

The Cyber Incident Response Service moved quickly to help manage the problem, issuing alerts, responded to breaches and monitored the situation until servers were patched.

Being able to respond in a centralised and coordinated way put the Victorian Government in a strong position to reduce the risk of harm and in turn, any insurable losses – a practical example of how things should work in these sorts of situations.

Why do organisations need to be aware of this sort of vulnerability?

An organisation’s assets and operations can be seriously harmed if vulnerabilities (like what we saw with the Microsoft Exchange servers) aren’t appropriately managed.

We’ve seen the impact of this on the global insurance market during the past year. Across the board, insurers and reinsurers have observed a rise in claims associated with cyber attacks, which has led to significant losses – something that’s pushing premiums up and affecting insurers’ ability to cover this risk at all.

Even though there are challenges associated with the management of cyber risk, prevention is the best course of action. Investing in effective risk management and harm prevention strategies is crucial and more cost effective in the long run.

VMIA has observed an exponential increase in the cost to provide cyber insurance to the Victorian Government. Prioritising investment in cyber security and risk management practices may meet some of the challenges associated with these increasing costs.

What can organisations do to manage their risk?

It’s important to actively manage cyber risk on an ongoing basis. This is because cyber-risks and malicious actors (like hackers) are evolving constantly.

Commercial insurers and reinsurers are building on how they identify risk by scanning their clients’ IT systems to identify vulnerabilities.

Cyber vulnerabilities are often time sensitive so it’s critical to define processes so organisations are in a strong position to act if IT infrastructure is compromised or a vulnerability is identified.

It’s also important to embed a culture of cyber risk management across your organisation. From board level to junior staff, everyone has a responsibility to prevent cyber attacks. That includes committing to regular training for all employees, and specialist training for anyone managing cyber risks.

Finally, developing strong working relationships within and across departments and agencies, and with other government stakeholders that support cyber security activity is important. That is a central part of the work the Cyber Safety Unit has been doing with VMIA, and more broadly across the whole public sector.

How can VMIA help?

Our risk advisory teams can explain or answer questions about your insurance cover, premiums and claims, as well as areas where you may want to strengthen your risk management.

We can also help Victorian government organisations understand where your cyber risk management practices sit in relation to the rest of the public sector through our Cyber Maturity Benchmark tool.

We’ve also developed free Cyber Risk Foundations training, which your organisation can access.

We can connect you to subject matter experts within the Cyber Safety Unit.

Any final words?

As our lives continue to become digitised, vulnerabilities like the Microsoft Exchange server will continue to challenge us and expose the public sector to harm.

But we can support the management of this risk, and prevent harm with a culture of good cyber risk management alongside strong coordination between public sector organisations.

Jack Petrie is VMIA’s Portfolio Manager for Speciality Lines, including Cyber.

He’s a keen traveller, likes keeping fit and getting outdoors to cycle, run, scuba dive and more recently, he’s taken up sailing.