The SolarWinds supply chain breach continues to wreak havoc on Orion customers around the world, as they continue to identify and mitigate its risks. Recognizing the potentially damaging impact to companies’ operations, Prevalent released a free event and incident management assessment to its customers soon after the breach was first reported in December 2020. The goal of this survey was to enable our customers to gain much-needed visibility into the risks among their vendor communities so they can take the appropriate remediative actions.
What we learned from the results of the survey was both encouraging and revealing.
Scale and Impact of the SolarWinds Breach on Third Parties
Prevalent launched our free SolarWinds event and incident management assessment to vendors in our Third-Party Risk Networks. Analyzing the response data from these assessments shows both the scale and the impact of the breach. Among the Prevalent network vendor population, only a small percentage rated the impact of the breach as low to none.
- Scale of the breach: Overall, 16% of vendors in Prevalent’s Vendor Risk Networks had a version of Orion deployed that was compromised by attackers.
- Impact of the breach: 5% of assessed third parties admitted to being impacted by the SolarWinds breach. Of these, 34% considered the impact to their network, operations or security to be low, and no third parties reported an impact critical to service delivery.
Top 3 Vendor Risks From the SolarWinds Breach
More revealing, however, were the process outcomes: more than a third of impacted parties indicated that they lacked customer notification processes and incident management policies.
- Limited customer notifications: 40% of impacted parties did not have a formal process to notify their customers.
- Limited incident management policy: 37% of impacted parties had no documented incident management policy for responding to the SolarWinds breach.
- Mitigation progressing slowly: 16% of impacted parties were still actively implementing controls to mitigate the attack, while only 9% had not been able to fully implement mitigation against the SolarWinds attack.
Recommendations for Improving Third-Party Risk Management Response to Breaches Like SolarWinds
Response data from Prevalent’s free SolarWinds assessment clearly shows that far too many companies were wrong-footed by this breach, exposing internal process gaps around customer notification and incident management.
To address these risks, Prevalent recommends that organizations:
- Establish a customer communications plan as part of an overall incident response plan. This plan should be customizable and adaptable to your unique business requirements and include clear steps for notifying relevant parties – from customers and third parties to the public. Having such a plan in place – including triggers for activating it – would help your organization demonstrate to its key stakeholders that it is on top of the incident and is thoroughly investigating its impact.
- Build and enforce a business continuity plan that includes incident management and escalation guidelines. Crises come in many forms – from the ongoing pandemic to a breach like SolarWinds. So, having an adaptable business continuity and incident response plan in place shows that your organization is forward-thinking and planning for all contingencies.
- Implement advanced tiering and profiling to ensure that the most critical vendors are being assessed according to the risks that matter most to your business. Having a logical tiering structure will accelerate the discovery of at-risk vendors and the mitigation of risks.
- Unify periodic assessments with continuous monitoring to validate assessment findings and enable a near real-time view of vendor cybersecurity and reputational risks. Having this view gives you greater confidence to spot potential risks before they impact your business.
How Prevalent Can Help
If you are still determining the impact of the SolarWinds breach on your third parties, contact Prevalent today. Through our solution and certified partner community, we have helped organizations gain risk visibility on such events across thousands of vendors in as little as two weeks.