I blogged a few weeks ago about the need to double down on vendor management processes in light of the SolarWinds hack. We’re posting memos in our “Cybersecurity” Practice Area with more detailed advice on what to do right now. For example, most companies should be evaluating whether they’ve been compromised and whether any legal or contractual notices are triggered. A Quarles & Brady memo outlines how your incident response plan can be deployed for this particular event:
- Work with your IT team to determine whether your organization uses the Orion product and, if so, if the tainted software was downloaded and whether any steps have been taken to mitigate.
- If the malware was downloaded, investigate any potential malware risks, including whether the hacker accessed your networks and whether any data has been accessed or acquired.
- Consider engaging a forensics firm for the investigation. Whether you use internal or external resources, we recommend conducting the investigation under legal privilege.
- If data was accessed or acquired, determine whether notices are required under notification laws or contracts.
- Consider putting your cyber insurance carrier on notice as the costs may be covered under your policy.
- Bear in mind, while carrying out incident response activities and while planning and implementing a remediation plan, that the threat actor may still have visibility into your network.
- Even if you don’t use Orion or did not put the update into production, determine whether any third parties that connect to your network or handle your data were impacted.
- Stay on top of advisories from your vendors, government, and trusted advisors.
For companies in or servicing the banking industry, things are even more urgent due to new legal requirements that are arising out of this incident. An Eversheds Sutherland memo explains that the NY Department of Financial Services is requiring all financial institutions to immediately report whether they’ve been affected in any way. A Sullivan & Cromwell memo adds that the FDIC and other agencies have proposed rules that would require banks to notify federal regulators of cyber incidents within 36 hours, and would require bank service providers to notify affected banks immediately.
- Liz Dunshee, TheCorporateCounsel.net, January 5, 2021