Companies are giving vendor management a fresh look in the wake of a massive supply chain attack, re-evaluating their security practices and contracts with third-party providers.
Suspected Russian hackers launched a malware campaign, publicly disclosed in December, that compromised SolarWinds Corp. software and claimed Fortune 500 companies and government agencies as victims.
The attack has incentivized companies’ legal departments to look at contracts with third-party vendors anew to make sure they’re adhering to industry security standards and that proper indemnification provisions—compensation for harm or loss in a breach—are in place.
“This incident will have us rethinking contracts,” said Brian Kint, a privacy and data security attorney at Cozen O’Connor in Philadelphia. “If contracts don’t already have risk-shifting in them, you’re going to see that more and more.”
The attack has also underscored the importance of companies practicing proper cyber hygiene to guard against data loss and exfiltration, and has caused them to reconsider who gets to access their data and how, attorneys and cybersecurity professionals say.
“Organizations are going to be upping their third-party management risk requirements even higher,” said Luke Tenery, a Chicago-based partner at StoneTurn, an advisory firm.
Vendor Due Diligence
Companies are looking into their contracts with third-party vendors to make sure there’s some sort of requirement to conduct security audits, said Al Chakravarty, co-chair of Snell & Wilmer LLP’s investigations, government enforcement, and white collar protection group in Denver.
Software contracts can include indemnification provisions that shift potential costs in the event of a breach from one party to another, and those may increase following a large-scale attack like the one on SolarWinds, he said.
“Typically indemnification standards have been either capped at however much money the contract was for or maybe a bit above that,” Chakravarty said. “That standard might change over time.”
Businesses and their in-house counsel should look at vendors’ incident history and ask them about their software patching process and the robustness of their security teams, Kint said.
Companies’ lawyers and information technology teams should ensure they have visibility into their contractors and subcontractors, said Joseph Moreno, general counsel and chief compliance officer at SAP National Security Services.
Obligating subcontractors to tell client companies when they’re partnering with a different provider, or asking for permission first, can help companies better vet suppliers and mitigate supply chain risks, he said.
“Make sure they adhere to the same security standards your contractor is adhering to,” Moreno said. “That’s a key thing that’s probably been overlooked by people in the past.”
Ultimately, though, software developers need to strengthen their own security practices, since companies can employ dozens of vendors for a variety of needs and it’s difficult to continuously examine and vet them all, said Linn Freedman, a privacy and security partner at Robinson & Cole LLP in Providence, R.I.
Ideally, a supply chain should be so secure that when a business purchases a software product from a third party, it’s confident that each company has adopted appropriate privacy and security measures, she said.
“If we have to worry about the component parts as well, I’m not sure how companies can evaluate that risk,” Freedman said. “The companies that are in the best position to evaluate their own software security and component parts are the software makers themselves.”
Businesses are leveraging the concept of least privilege to minimize damage in the event a hacker gains unauthorized access into a system, said Neil Daswani, co-director of Stanford University’s Advanced Security Certification Program.
By giving third-party providers only access to the data sets or networks that they need to do their job, companies can better contain the damage a bad actor is able to inflict in the event a provider is compromised, he said.
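The containment effect Daswani describes can be made concrete by comparing an over-broad vendor grant with a scoped one. The following is an added example written for this page, not code from the article or from any vendor; it models IAM-style policy documents and evaluates them with a minimal evaluator. The bucket names, the resource inventory and the evaluator itself are assumptions for the illustration: the evaluator implements only the Effect/Action/Resource core of the semantics (explicit Deny wins, otherwise a matching Allow permits, default deny) and ignores Condition blocks and identity/resource policy interplay.

```python
"""Least-privilege scoping for a third-party vendor's access, modelled as
IAM-style policy documents plus a minimal evaluator.

Added illustration for the article's least-privilege point; not code from
the article. Bucket names, vendor resources and the evaluator are assumed.
"""
from fnmatch import fnmatchcase

# Constructed inventory of what exists in the account; used to measure what
# a stolen vendor credential could reach under each policy.
RESOURCES = [
    "arn:aws:s3:::acme-vendor-exports/reports/2021-01.csv",
    "arn:aws:s3:::acme-vendor-exports/raw/customers.csv",
    "arn:aws:s3:::acme-hr-payroll/2020/payroll.xlsx",
    "arn:aws:s3:::acme-source-backups/monolith.tar.gz",
]

# Over-broad grant: the kind of access a vendor integration gets when it is
# set up in a hurry ("just give it S3").
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Scoped grant: read-only, one bucket, one prefix, plus an explicit Deny on
# the sensitive buckets so that an Allow added elsewhere later cannot
# silently widen the vendor's reach.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::acme-vendor-exports",
                "arn:aws:s3:::acme-vendor-exports/reports/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::acme-hr-payroll",
                "arn:aws:s3:::acme-hr-payroll/*",
                "arn:aws:s3:::acme-source-backups",
                "arn:aws:s3:::acme-source-backups/*",
            ],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    return any(fnmatchcase(target, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair against a policy document.

    Simplified semantics: an explicit Deny in any matching statement wins,
    otherwise a matching Allow permits, otherwise the default is deny.
    Condition blocks are not modelled.
    """
    decision = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def blast_radius(policy, action="s3:GetObject", resources=RESOURCES):
    """Resources a credential holding `policy` could reach with `action`."""
    return [r for r in resources if is_allowed(policy, action, r)]


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {blast_radius(policy)}")
```

Under the broad policy a compromised vendor credential reaches all four objects, including payroll and source backups; under the scoped policy it reaches only the one report prefix, and a write attempt fails because the action itself is not granted. The explicit Deny is the part most teams omit: without it, a later change elsewhere in the account can quietly reintroduce the broad reach.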
The supply chain attack was sophisticated, but the vast majority of breaches result from common threats such as phishing, malware, software vulnerabilities, third-party compromises, unencrypted data, and employee mistakes, Daswani said.
“If you focus on the common root causes, you can significantly minimize the probability that you’re going to get hacked or breached,” Daswani said.
And in the event that a company’s systems are breached, having less customer data or other nonessential sensitive information on hand can mitigate security and legal risks.
“Data minimization is a really great practical control,” said Troy Hunt, information security specialist and security adviser for NordVPN. “If you don’t have the data, you can’t lose it.”
In the wake of the attack, security professionals will be much more hands-on until they regain their footing on how they monitor their systems, Tenery said. Organizations are “spun up” doing due diligence despite being stretched thin by COVID-19 and work-from-home security concerns, he said.
“It’ll take time, but there are strategies like network segregation that will aid in limiting the impact of these types of attacks in the future,” Tenery said.
Moreno said the SolarWinds attack creates an opportunity for businesses to dig deep, including into their cybersecurity and information technology vendor relationships.
“It’s certainly a reminder that you’re only as strong as the weakest link in the supply chain,” he said.