As the roughly 18,000 organizations, government agencies and educational institutions continue to recover from last year’s SolarWinds nation-state attack, one of the biggest takeaways from this event is that organizations need to be better educated on how to manage their third-party cyber-risks. Currently, the SolarWinds victims are experiencing the effects of what is known as a “supply chain” attack, which means that the attacker targeted a supplier (or “third-party”) of an organization instead of directly attacking their target(s). Supply chain attacks are becoming more prevalent because they are an effective way of distributing malware to a large group of targets.
While the current attacker’s sophisticated tactics impressed many security experts, this was not the first time we have witnessed this type of attack. The most notable supply chain attack, NotPetya, happened back in 2017, when hackers from Russia launched an attack on Ukraine by injecting malware into a tax software update, in an effort to destabilize the Ukrainian economy. While it is almost impossible to prevent a nation-state attack from occurring, there are proactive measures that can be implemented to reduce an organization’s cyber risks.
The Full Picture of Data Security
While technical data security is an integral aspect of a reasonable and legally-compliant data security plan, it should not be the sole focus of an organization’s efforts at this point. Government regulators, customer-clients and insurers have an equal measure of interest in ensuring that organizations are engaged in the complete practice of data security. Simple reliance on security tools will not be sufficient to weather charges of a lack of data security in the event of a data incident. To that end, all organizations should be concerned with ensuring that all their systems are prepared for the possibility of a software compromise.
Evaluating data collection and storage practices is a good starting point for assessing an organization’s data security. This includes knowing what sensitive or confidential data is stored, where it is stored, and for how long, as well as determining who has access to the data. From a damage mitigation perspective, evaluating client and vendor contracts is integral to this process. Organizations should be reviewing their contracts with clients and vendors with an eye towards the confidentiality clauses, security provisions, and indemnification provisions contained therein. Note that for some industry sectors, it is required to keep an organization’s board of directors informed of the state of data security as well.
Many organizations now elect to have cyber-insurance as a part of their basic coverage; however, not all coverage addresses the full spectrum of concerns when data security is at issue. Organizations should review their cyber-insurance policies to assess potential coverage for the SolarWinds cybersecurity event, and should ensure that they are maintaining the prerequisite conditions for coverage. Organizations should pay careful attention to their cyber policies’ notice requirements and, if appropriate, promptly report the incident and any resulting claims.
With the potential impact of this cyber event as-yet unknown, perhaps for months or years to come, maintaining good record-keeping regarding data security governance will serve to address both insurer and regulator concerns in the event of an incident. Throughout this process, however, organizations should carefully consider how to communicate with counsel, employees, and clients regarding data security, potential exposure and mitigation efforts. As a best practice, substantive communications should be vetted by counsel to ensure legal accuracy and conformity with practice.