In 2022, most companies are upgrading the security of their various programs and devices on a regular basis. Major products such as Microsoft's, many cloud-based software-as-a-service systems and other large software packages are constantly updated with the latest patches for the vulnerabilities and malware that make headlines. However, many corporate systems are older, homegrown or significantly modified and are not often updated, or are no longer even supported by the original vendors or developers. This creates major problems for everyone involved, and especially for cyber insurers attempting to mitigate the risk of those they insure.
At one point or another, systems like Windows XP, Windows 7, iOS 10 and others were top-of-the-line operating systems. When companies first adopted the internet, they used whatever the latest or least expensive option was at the time. But as time and technology marched on, Microsoft and Apple stopped supporting these systems. Unfortunately, updating these out-of-date systems, now referred to as legacy systems, costs both time and money.
Legacy systems are, as the name says, a legacy of an internet and security landscape long past its intended service date. Among the key characteristics that define them:
- Legacy systems no longer receive support or maintenance, yet they cannot be replaced because they are essential to many organizations
- They are based on outdated technology and are therefore incompatible with current, more advanced solutions
- Such systems are no longer available for purchase, and rightly so. (1)
Perhaps the biggest issue with maintaining these legacy systems is the lack of security support. Without vendor patches, they are sitting ducks for attackers. Many of the risks facing systems today were not even considered when the original software was developed. Further, many of these developers may no longer be in business, or if they are, they only support their most recent edition of the software.
As an example, the NotPetya attack in 2017 was considered by many to be a wake-up call about legacy systems. NotPetya was a massive destructive attack that targeted a wide range of computers, particularly in Ukraine, but it spread to Germany, the Netherlands, France and elsewhere, hitting companies like Maersk, Mondelez and others. Inside a network it propagated using the EternalBlue SMB exploit, for which Microsoft had already published a patch (MS17-010) in March 2017, as well as with stolen administrator credentials, so unsupported and unpatched hosts were the first to fall. In the Maersk incident alone, 46,000 computers were shut down in minutes, paralyzing one of the world's largest shipping companies, and Maersk wasn't even the direct target; it was collateral damage from NotPetya's attack on Ukraine's infrastructure. (3)
The problem most companies face with their legacy systems is the cost, time and effort to re-engineer an entire company to operate on a new system. This process can take years for a major corporation, while the cyber risk evolves monthly. It is expensive to move from something like Windows XP to Windows 10 or 11. It isn't just the cost of the software; it may involve hardware, programming, service, resources and time. The potential cost of changing all the connected systems can be enormous, especially as technology has grown more complex.
Insurers have begun to take a stand, requiring insureds to update their systems to the most recent versions of the available software. Insurers today may not even underwrite a risk that is not running current software, and if they do, they will significantly restrict coverage. It is not a question of how much the upgrade will cost, but of whether the risk is insurable at all. Cyber insurance carriers now look at all the controls in place, the software being used and how current that software is in order to determine insurability. Underwriting requirements have increased significantly before a carrier will even consider offering terms. Some of the more significant items include:
- What version of software do you run for your operating and other systems?
- How often are systems updated?
- Does the insured use multifactor authentication (MFA), and where?
- Does the client use Endpoint Detection and Response (EDR) software, which product, and does it have quarantine capabilities?
- Are backups air-gapped?
These are a few of the major items used in underwriting, but the use of outdated software, and how often it is updated, is one of the cyber carrier's biggest concerns. For example, many legacy systems cannot support MFA at all. So even if such a system were patched, it still would not pass an underwriting test. The lack of current software and updates can put companies and their insurers at risk.
Legacy systems are a drain on resources, manpower and time. They are no longer updated to combat the latest cyber threats and are simply a big target for malicious actors. However, it is not the end of the world. Most companies are capable of identifying their cyber risk. We recommend that companies have their systems evaluated annually by an outside third party and implement changes to their security controls as appropriate.
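The underwriting questions above can be turned into a repeatable self-check against a host inventory. The script below is an added example written for this article, not code from the article's author or any insurer. It scores a constructed inventory against each question: operating systems past end of support (the dates are Microsoft's published end-of-extended-support dates), patch age, MFA, EDR with quarantine, and isolated backups. The 90-day patch-age limit, the severity levels, the field names and the sample hosts are assumptions; a real assessment would load the inventory from an asset database or endpoint-management export.

```python
"""Score a host inventory against common cyber-insurance underwriting questions.

Added example for this article (not the author's or any insurer's code).
Severity levels and the 90-day patch threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Vendor-published end of extended support. None = still supported.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
}


@dataclass
class Host:
    name: str
    os: str
    last_patched: Optional[date]      # None = no patch history available
    mfa_enabled: bool
    mfa_capable: bool = True          # legacy stacks often cannot do MFA at all
    edr_product: Optional[str] = None
    edr_can_quarantine: bool = False


@dataclass
class Finding:
    host: str
    severity: str                     # "blocking" | "major" | "minor"
    message: str


def os_support_status(os_name: str, as_of: date) -> str:
    """Return "eol", "supported" or "unknown" for an OS name on a given date."""
    if os_name not in OS_END_OF_SUPPORT:
        return "unknown"
    eol = OS_END_OF_SUPPORT[os_name]
    return "eol" if eol is not None and as_of > eol else "supported"


def assess_host(host: Host, as_of: date, max_patch_age_days: int = 90) -> list:
    """Apply the per-host underwriting questions and return a list of Findings."""
    findings = []
    status = os_support_status(host.os, as_of)
    if status == "eol":
        # Assumption: an unsupported OS is treated as an uninsurable (blocking) risk.
        findings.append(Finding(host.name, "blocking",
                                f"{host.os} is past end of support; no patches available"))
    elif status == "unknown":
        findings.append(Finding(host.name, "major", f"{host.os} not in support table"))
    if host.last_patched is None:
        findings.append(Finding(host.name, "major", "no patch history recorded"))
    else:
        age = (as_of - host.last_patched).days
        if age > max_patch_age_days:
            findings.append(Finding(host.name, "major",
                                    f"last patched {age} days ago (limit {max_patch_age_days})"))
    if not host.mfa_enabled:
        why = "platform cannot support MFA" if not host.mfa_capable else "MFA not enforced"
        findings.append(Finding(host.name, "major", why))
    if host.edr_product is None:
        findings.append(Finding(host.name, "major", "no EDR agent installed"))
    elif not host.edr_can_quarantine:
        findings.append(Finding(host.name, "minor",
                                f"EDR ({host.edr_product}) cannot quarantine"))
    return findings


def assess_fleet(hosts: list, backups_isolated: bool, as_of: date) -> dict:
    """Aggregate per-host findings plus the org-level backup question."""
    findings = [f for h in hosts for f in assess_host(h, as_of)]
    if not backups_isolated:
        findings.append(Finding("*", "major", "backups are not air-gapped or offline"))
    counts = {"blocking": 0, "major": 0, "minor": 0}
    for f in findings:
        counts[f.severity] += 1
    legacy = sorted({f.host for f in findings if f.severity == "blocking"})
    return {"insurable": counts["blocking"] == 0, "counts": counts,
            "legacy_hosts": legacy, "findings": findings}


# Constructed sample inventory (not real hosts).
SAMPLE_FLEET = [
    Host("plc-hmi-01", "Windows XP", date(2013, 11, 1), mfa_enabled=False, mfa_capable=False),
    Host("fileserver-legacy", "Windows Server 2008 R2", date(2020, 1, 14), mfa_enabled=True,
         edr_product="ExampleEDR", edr_can_quarantine=True),
    Host("wks-042", "Windows 10", date(2022, 5, 10), mfa_enabled=True,
         edr_product="ExampleEDR", edr_can_quarantine=True),
    Host("wks-077", "Windows 10", date(2022, 1, 3), mfa_enabled=True,
         edr_product="ExampleEDR", edr_can_quarantine=False),
]

if __name__ == "__main__":
    report = assess_fleet(SAMPLE_FLEET, backups_isolated=True, as_of=date(2022, 6, 1))
    print("insurable:", report["insurable"], report["counts"])
    for f in report["findings"]:
        print(f"[{f.severity:8}] {f.host}: {f.message}")
```

Run against the sample inventory as of 1 June 2022, the two end-of-life hosts are flagged as blocking regardless of their other controls, which mirrors the point above: a legacy platform that cannot be patched (or cannot do MFA) fails underwriting no matter how well the rest of the fleet is maintained.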