Microsoft Exchange Cyber Incident

March 12, 2021

Guidance for Our Clients Regarding the Microsoft Exchange Vulnerability

This is an update to inform you of a Microsoft security incident.

On March 2, 2021, Microsoft released emergency software updates to scan log files of their Exchange product for indicators of compromise. Server versions 2013 through 2019 were impacted, showing evidence of hackers actively siphoning email communications from internet-facing systems (i.e., Outlook Web Access) running Microsoft Exchange. Further, on March 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-02 and Alert AA21-062A addressing critical vulnerabilities in Microsoft Exchange products. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network.

Initial reports have indicated that a group of hackers based in China may be behind the active attack, affecting up to 60,000 organizations. Microsoft has also released guidance on their Microsoft Security Response Center blog to aid an organization in recognizing if they were impacted and taking remediation steps. Microsoft’s cloud-hosted email for business (i.e. Exchange Online) has reportedly not been impacted.

For the latest information from Microsoft regarding security updates, visit their security response center.

As clients that employ impacted Microsoft Exchange Servers continue to assess the extent of this incident, we suggest you consider these steps to best position your company for any claim made as a result:

  • If your organization has been impacted by the Microsoft Exchange incident or you are unsure, and you have a cyber insurance policy, you should notify your cyber insurance carrier promptly. Your INSPRO representative can assist. Cyber insurance typically covers costs for investigating and responding to cyber incidents, but carriers frequently require prior approval of incident investigation and response vendors – such as legal and forensics services – before reimbursing the cost. Early notice can avoid later disputes over what services are covered. Cyber insurance policies can also cover claims that are received subsequent to the policy period, if the carrier is put on notice during the policy period of the event that gave rise to the later claim.

Legal and forensic services, and other vendors related to incident response, need to be coordinated in conjunction with your cyber insurance carrier to preserve rights to the most coverage available.

  • Assess the terms of your contracts/agreements with critical service providers (including MSPs, MSSPs) who may have been impacted to understand their communication, remediation, response and indemnification requirements.


  • If your company has been impacted but you do not have a cyber insurance policy, please reach out to your INSPRO representative who can provide guidance and recommendations regarding resources to assist your full investigation and response.


  • If your organization has not been impacted, there is no need to notify your cyber insurance carrier.

MMA’s Cyber Center of Excellence team is available to you at any time to provide best-in-class answers, service, and solutions for cyber incident response and management, cyber coverage review or placement, and cyber risk management planning and optimization. Please contact your INSPRO representative for further guidance.