“Securing the Supply Chain in the Age of SolarWinds”- 3 Things You Should Know

by | Feb 24, 2021

In case you missed it, Resilience Chief Underwriting Officer CJ Pruzinsky led a discussion on February 18, 2021 with a few of our panel partners about the 2020 SolarWinds event. Elgan Jones, Chief Information Officer at Kivu Consulting and Al Shaikili, Privacy & Data Security Practice Chair at Shook, Hardy & Bacon, joined Mike Convertino, Chief Security Officer at Resilience to share their insights into emerging cyber risks and their impact on the cyber insurance market.

Here are three takeaways from our discussion: 

1. SolarWinds highlights that any company in the supply chain is at risk — both upstream and downstream can be affected.

The large impact of this attack could have been devastating and could easily have been a Doomsday event had it not been detected. SolarWinds highlights the criticality of software programs and the need for regulation of both software and supply chain programs. Significant vulnerabilities exist for organizations of all sizes when it comes to supply chain management.

Supply chain attacks have been around for years. One of the first well-known attacks was Stuxnet in 2010. Stuxnet was a downstream attack, planted in a system developed by a third party used in the Iranian nuclear system. The SolarWinds attack targeted their victims upstream by injecting malicious software code into the software development process. 

2. Vulnerabilities are everywhere. Check to see all code goes through proper vetting.  

Bad actors infiltrate your system through an outside partner or provider and exploit a potentially serious software security weakness. Code injection and backdoors are easily hidden when software companies and open source projects do not have strong security protocols and processes. Here are a few things to consider when checking your software supply chain as new risks and threat vectors emerge every day:

  • Ensure that all software undergoes rigorous security throughout the software development lifecycle like penetration testing or peer reviews.
  • Investigate any anomalies in your ecosystem.
  • Don’t put off thorough risk assessments.

3. A company can protect itself from such attacks with proactive contractual considerations.

SolarWinds showed how much risk we take on through our third party partners and vendors. While there is no silver bullet when it comes to protection, there is ample opportunity to protect your organization. Here are a few things to consider when building relationships with partners and vendors:

  • Add an addendum to your contracts or alter your MSAs to require appropriate technical and administrative security controls.
  • Ask for the right to audit  whether they are compliant with your certifications.
  • Make sure vendors are required to provide you immediate notification of cyber incidents.
  • Make sure you know who will be communicating a cyber break to customers
  • Ensure compliance with data security and privacy laws applicable to your business.
  • Check to see if there are limited liability provisions in your contract that need to be addressed.

Interested in more information about SolarWinds? Download our SolarWinds Bulletin for more insight from our team and to receive an invite to our next event: https://www.resilienceinsurance.com/solarwinds 

Disclaimer: The information contained in the Webinars and related materials are not intended to constitute advice of any kind, the rendering of consulting, or other professional services. Registering for a Webinar only constitutes an agreement to attend, not a contract for consultancy or advice.