A wide-scale cyberattack revealed how easily an entity’s IT systems can be compromised by the vulnerabilities of an entity’s software vendors and other third parties...
As the SolarWinds breach made clear, one supply chain attack can wreak havoc on thousands of organizations. The wide-scale cyberattack also revealed how easily an entity’s IT systems can be compromised by the vulnerabilities of an entity’s software vendors and other third parties.
SolarWinds Cyber Attack
In 2020, a high-profile supply chain attack occurred against SolarWinds, a provider of network management software. The vendor was unknowingly hit with a malware attack and the breach resulted in the malicious code being inserted into a software update, which was then transmitted to 18,000 SolarWinds customers, including the U.S. Department of Defense, Department of Commerce, Microsoft, and Cisco. The code created a backdoor to the impacted entities’ information technology systems, which hackers then used to install additional malware that allowed them to spy on companies and government agencies. The hackers were undetected for months, with the breach first discovered by a cybersecurity firm that noticed its own system was compromised.
The SolarWinds Attack is the most high-profile and invasive IT software supply chain attack to date. It demonstrates how dangerous embedded malware inside a legitimate product can be. If left unchecked, it can allow hackers to access the networks of many organizations using one piece of code.
Managing Third-Party Cyber Risks
The SolarWinds attack, which has now been linked to Russian-backed hackers, resulted in numerous government investigations and hearings. Most recently, the New York State Department of Financial Services (NYDFS) released its report on the cyberattack.
The NYDS Report on the SolarWinds Supply Chain Attack summarizes the SolarWinds Attack, as well as the response by NYDFS-regulated companies. It also identifies four “key cybersecurity measures” that can reduce supply chain risk.
Overall, NYDFS found that companies under its oversight responded quickly. According to the report, 94 percent of the reporting companies removed the vulnerabilities from their IT systems within three days of the SolarWinds Attack’s announcement. However, NYDFS also found that some companies were not applying patches as regularly as needed to ensure timely remediation of high-risk cyber exposure.
Most importantly, the NYDFS identifies the following cybersecurity measures as critical practices when evaluating the risks posed by vendors and similar third parties (Third Party Service Providers):
Fully assess and address third party risk. Third Party Service Provider and other vendor risk management policies and procedures should include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors. Furthermore, contracts with critical vendors should include provisions requiring immediate notification (ideally to at least two persons in different roles at an organization) when a cyber event occurs that impacts — or potentially impacts — an organization’s Information Systems or any non-public information (NPI) that is maintained, processed, or accessed by the vendor.
Adopt a “zero trust” approach and implement multiple layers of security. Organizations should anticipate and prepare for breaches in the supply chain by incorporating supply chain risk analysis into their requisite risk assessments and risk management programs. To do this most effectively, organizations should adopt a “zero trust” mindset and assume that (1) any software installation and (2) any Third Party Service Provider could be compromised and used as an attack vector. Access should be limited “to only what is needed” and systems should be monitored “for anomalous or malicious activity.” Organizations should have layers of security and extra protection for sensitive information so that if one layer is compromised, other controls can detect or prevent an intrusion.
Promptly address vulnerabilities through patch deployment, testing, and validation. Organizations should have a vulnerability management program that prioritizes the organization’s patch testing, validation processes, and deployment — including which systems to patch and in what order they should be patched. Furthermore, an organization’s patch management strategy should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities.
Address supply chain compromise in incident response plans. An effective and tested incident response plan with detailed procedures and playbooks is crucial. Incident response plans should include the following, at a minimum, to address supply chain compromises or attacks: procedures to isolate affected systems; procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software; procedures to rebuild from backups created before the compromise; procedures to archive audit and system logs for forensic purposes; and procedures to update response plans based on lessons learned. Companies should also understand what assets reside in the environment — including their versions and configurations — and enable timely notifications when changes occur. The incident response playbook should include plans to respond to unauthorized changes.
As the NYDFS report notes, there is no silver bullet that will stop all supply chain attacks. Nonetheless, there are steps companies can take to reduce the risks posed by vendors and other third parties. We encourage all businesses to review their cyber security policies and procedures to ensure that include measures to mitigate third-party risk.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Are Your Vendors the Weak Link in Your Cybersecurity Defenses?
Author: Scarinci Hollenbeck, LLC
A wide-scale cyberattack revealed how easily an entity’s IT systems can be compromised by the vulnerabilities of an entity’s software vendors and other third parties...
As the SolarWinds breach made clear, one supply chain attack can wreak havoc on thousands of organizations. The wide-scale cyberattack also revealed how easily an entity’s IT systems can be compromised by the vulnerabilities of an entity’s software vendors and other third parties.
SolarWinds Cyber Attack
In 2020, a high-profile supply chain attack occurred against SolarWinds, a provider of network management software. The vendor was unknowingly hit with a malware attack and the breach resulted in the malicious code being inserted into a software update, which was then transmitted to 18,000 SolarWinds customers, including the U.S. Department of Defense, Department of Commerce, Microsoft, and Cisco. The code created a backdoor to the impacted entities’ information technology systems, which hackers then used to install additional malware that allowed them to spy on companies and government agencies. The hackers were undetected for months, with the breach first discovered by a cybersecurity firm that noticed its own system was compromised.
The SolarWinds Attack is the most high-profile and invasive IT software supply chain attack to date. It demonstrates how dangerous embedded malware inside a legitimate product can be. If left unchecked, it can allow hackers to access the networks of many organizations using one piece of code.
Managing Third-Party Cyber Risks
The SolarWinds attack, which has now been linked to Russian-backed hackers, resulted in numerous government investigations and hearings. Most recently, the New York State Department of Financial Services (NYDFS) released its report on the cyberattack.
The NYDS Report on the SolarWinds Supply Chain Attack summarizes the SolarWinds Attack, as well as the response by NYDFS-regulated companies. It also identifies four “key cybersecurity measures” that can reduce supply chain risk.
Overall, NYDFS found that companies under its oversight responded quickly. According to the report, 94 percent of the reporting companies removed the vulnerabilities from their IT systems within three days of the SolarWinds Attack’s announcement. However, NYDFS also found that some companies were not applying patches as regularly as needed to ensure timely remediation of high-risk cyber exposure.
Most importantly, the NYDFS identifies the following cybersecurity measures as critical practices when evaluating the risks posed by vendors and similar third parties (Third Party Service Providers):
Fully assess and address third party risk. Third Party Service Provider and other vendor risk management policies and procedures should include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors. Furthermore, contracts with critical vendors should include provisions requiring immediate notification (ideally to at least two persons in different roles at an organization) when a cyber event occurs that impacts — or potentially impacts — an organization’s Information Systems or any non-public information (NPI) that is maintained, processed, or accessed by the vendor.
Adopt a “zero trust” approach and implement multiple layers of security. Organizations should anticipate and prepare for breaches in the supply chain by incorporating supply chain risk analysis into their requisite risk assessments and risk management programs. To do this most effectively, organizations should adopt a “zero trust” mindset and assume that (1) any software installation and (2) any Third Party Service Provider could be compromised and used as an attack vector. Access should be limited “to only what is needed” and systems should be monitored “for anomalous or malicious activity.” Organizations should have layers of security and extra protection for sensitive information so that if one layer is compromised, other controls can detect or prevent an intrusion.
Promptly address vulnerabilities through patch deployment, testing, and validation. Organizations should have a vulnerability management program that prioritizes the organization’s patch testing, validation processes, and deployment — including which systems to patch and in what order they should be patched. Furthermore, an organization’s patch management strategy should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities.
Address supply chain compromise in incident response plans. An effective and tested incident response plan with detailed procedures and playbooks is crucial. Incident response plans should include the following, at a minimum, to address supply chain compromises or attacks: procedures to isolate affected systems; procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software; procedures to rebuild from backups created before the compromise; procedures to archive audit and system logs for forensic purposes; and procedures to update response plans based on lessons learned. Companies should also understand what assets reside in the environment — including their versions and configurations — and enable timely notifications when changes occur. The incident response playbook should include plans to respond to unauthorized changes.
As the NYDFS report notes, there is no silver bullet that will stop all supply chain attacks. Nonetheless, there are steps companies can take to reduce the risks posed by vendors and other third parties. We encourage all businesses to review their cyber security policies and procedures to ensure that include measures to mitigate third-party risk.
If you have questions, please contact us
If you have any questions or if you would like to discuss the matter further, please contact me, Maryam Meseha, or the Scarinci Hollenbeck attorney with whom you work, at 201-896-4100.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
