Have you been compromised by the SolarWinds Breach? Ncontracts is here to assure you

The SolarWinds hack has banks, credit unions, and other financial services companies asking one key question: Have we been compromised?

It's a good question.

As many as 18,000 customers downloaded the SolarWinds Orion software update that contained malicious code placed by hackers believed to be linked to Russian intelligence. Affected companies may have been infiltrated and surveilled by cybercriminals, exposing their networks and the data they contain.

As a leading provider of vendor and contract management services for the financial institution industry, Ncontracts has been busy notifying clients and discussing the issue of how to respond to the news of the SolarWinds breach and determine whether an institution is impacted.

Here is how we help our customers get the information they need:

1. Quickly alerting customers of the breach

On Monday, December 14, we sent alerts to every Ncontracts customer enrolled in our monitoring services that was monitoring SolarWinds as a third-party vendor. These actionable alerts let our customers know that their vendor was breached. They also detailed the steps customers should take to respond to the breach because knowing there is a problem is only half the battle — our customers also want us to tell them what to do about it. SolarWinds is also highlighted as a serious red flag in their Cyber Monitoring scores.

Ncontracts’ Cyber Monitoring service continuously collects and analyzes a broad range of highly relevant, but non-intrusive, cybersecurity signals and alerts for thousands of vendors with digital assets across the internet.

2. Making it easy to ask whether a vendor’s vendors were breached (aka fourth-party risk)

Before the breach, SolarWinds listed many of its customers on its website, including the Federal Reserve Bank, MasterCard, NCR, CitiFinancial, and Credit Suisse, among others. Financial institutions with vendor relationships with these and other SolarWinds customers are rightfully concerned that their data may have been exposed in connection with the breach.

Ncontracts’ account managers and support teams have been advising and assisting Vendor Services Clients in using Nvendor to assess the risk and seek assurance that vendors’ systems and data are safe. The questions to ask each vendor include:

  • Does your organization use the SolarWinds Orion product?
  • If no, does your organization use any other SolarWinds product(s)?
  • If you use SolarWinds Orion, has your organization’s network been compromised?
  • If you use SolarWinds Orion, what steps has your organization taken to ensure your network was not compromised?
  • If you use SolarWinds Orion, what has your organization done to mitigate vulnerabilities identified in the SolarWinds security advisory?
  • If you use SolarWinds Orion, are we (the financial institution) in any way at risk?
  • Do you have a formal statement we can have about this incident?

By using Nvendor, it’s easy for Ncontracts’ customers to identify which vendors have and haven’t provided the appropriate information.

3. Providing insights into notification of breach provisions in vendor contracts

Customers that use Ncontractsmanager with services benefit from Ncontracts’ team of legal experts summarizing key provisions of third-party contracts. Customers choose which categories to track, frequently electing to have us review provisions related to pricing and cybersecurity—including notification of breach provisions.

Customers that choose to track notification of breach provisions can quickly look up vendor expectations related to breaches like the SolarWinds hack, letting the institution know what it can expect when an incident occurs, if the vendor is living up to the agreement, and if it needs to negotiate stronger protections in future contracts.

4. Taking our own security seriously

Our customers deserve to know we have the right controls in place to secure data, maintain availability, protect processes, and ensure compliance and confidentiality. That’s why in 2020 Ncontracts once again completed a Statement on Standards for Attestation Engagements (SSAE) 18 audit. This rigorous accreditation demonstrates Ncontracts’ industry position as a trusted partner dedicated to adhering to the latest standards for security, compliance, and operational controls.

Further, Ncontracts does not use and has never used SolarWinds Orion, and we are unaffected by this recent event. Our Information Security and Technology Operations teams are constantly assessing new and evolving threats and taking steps to mitigate them.


How much time has your institution spent trying to determine the impact of the SolarWinds breach? If you’ve been preoccupied with wondering which of your vendors might be impacted, how to find out, and what it could mean for your institution, your vendor management program is missing essential tools. 

Breaches like the one impacting SolarWinds will continue to happen. Do you want each event to be a mad scramble for information, or would you benefit from having a partner that can help you figure out what you need to know and what you should do about it?

Ncontracts is here to give you the assurance you need. Let us show you how we can help.

Here is a list of important resources to help you understand what you can do:

Have you been thinking about how vendor cyber monitoring can help protect your financial institution?

Vendor cyber monitoring is a valuable tool, particularly when paired with a financial institution’s existing vendor management program.

Managing third-party vendor cyber risk touches every area of enterprise risk management from risk assessments and business continuity planning to vendor and contract management. These best practices will help you get a better handle on vendor cyber risk.

Are you wondering if your vendor management solution does everything it needs to?