I blogged a few weeks ago about the need to double down on vendor management processes in light of the SolarWinds hack. We’re posting memos in our “Cybersecurity” Practice Area with more detailed advice on what to do right now. For example, most companies should be evaluating whether they’ve been compromised and whether any legal or contractual notices are triggered. A Quarles & Brady memo outlines how your incident response plan can be deployed for this particular event:
Work with your IT team to determine whether your organization uses the Orion product and, if so, if the tainted software was downloaded and whether any steps have been taken to mitigate.
If the malware was downloaded, investigate any potential malware risks, including whether the hacker accessed your networks and whether any data has been accessed or acquired.
Consider engaging a forensics firm for the investigation. Whether you use internal or external resources, we recommend conducting the investigation under legal privilege.
If data was accessed or acquired, determine whether notices are required under notification laws or contracts.
Consider putting your cyber insurance carrier on notice as the costs may be covered under your policy.
Bear in mind that the threat actor may still have visibility into your network when engaging in incident response activities and planning and implementing a remediation plan.
Even if you don’t use Orion or did not put the update into production, determine whether any third parties that connect to your network or handle your data were impacted.
Stay on top of advisories from your vendors, government, and trusted advisors.
For companies in or servicing the banking industry, things are even more urgent due to new legal requirements that are arising out of this incident. An Eversheds Sutherland memo explains that the NY Department of Financial Services is requiring all financial institutions to immediately report whether they’ve been affected in any way — and this Sullivan & Cromwell memo says that the FDIC and other agencies have also proposed rules that would require banks to notify federal regulators of cyber incidents within 36 hours, and would require bank service providers to notify affected banks immediately.
-Liz Dunshee, TheCorporateCounsel.net January 5, 2021
Want to keep reading?
Great. Enter your email address and gain instant access to this article