As many as 18,000 customers downloaded the SolarWinds Orion software update that contained malicious code placed by hackers believed to be linked to Russian intelligence. Affected companies may have been infiltrated and surveilled by cybercriminals, exposing their networks and the data they contain.
As a leading provider of vendor and contract management services for the financial institution industry, Ncontracts has been busy notifying clients and discussing how to respond to the news of the SolarWinds breach and how to determine whether an institution is impacted.
On Monday, December 14, we sent alerts to every Ncontracts customer enrolled in our monitoring services that was monitoring SolarWinds as a third-party vendor. These actionable alerts let our customers know that their vendor was breached. They also detailed the steps customers should take to respond to the breach because knowing there is a problem is only half the battle — our customers also want us to tell them what to do about it. SolarWinds is also highlighted as a serious red flag in their Cyber Monitoring scores.
Ncontracts’ Cyber Monitoring service continuously collects and analyzes a broad range of highly relevant, but non-intrusive, cybersecurity signals and alerts for thousands of vendors with digital assets across the internet.
Before the breach, SolarWinds listed many of its customers on its website, including the Federal Reserve Bank, MasterCard, NCR, CitiFinancial, and Credit Suisse, among others. Financial institutions with vendor relationships with these and other SolarWinds customers are rightfully concerned that their data may have been exposed in connection with the breach.
Ncontracts’ account managers and support teams have been advising and assisting Vendor Services Clients in using Nvendor to assess the risk and seek assurance that vendors’ systems and data are safe. The questions to ask each vendor include:
Customers that use Ncontractsmanager with services benefit from Ncontracts’ team of legal experts summarizing key provisions of third-party contracts. Customers choose which categories to track, frequently electing to have us review provisions related to pricing and cybersecurity—including notification of breach provisions.
Customers that choose to track notification of breach provisions can quickly look up vendor expectations related to breaches like the SolarWinds hack, letting the institution know what it can expect when an incident occurs, whether the vendor is living up to the agreement, and whether it needs to negotiate stronger protections in future contracts.
Our customers deserve to know we have the right controls in place to secure data, maintain availability, protect processes, and ensure compliance and confidentiality. That’s why in 2020 Ncontracts once again completed a Statement on Standards for Attestation Engagements (SSAE) 18 audit. This rigorous accreditation demonstrates Ncontracts’ industry position as a trusted partner dedicated to adhering to the latest standards for security, compliance, and operational controls.
Further, Ncontracts does not use and has never used SolarWinds Orion, and we are unaffected by this recent event. Our Information Security and Technology Operations teams are constantly assessing new and evolving threats and taking steps to mitigate them.
How much time has your institution spent trying to determine the impact of the SolarWinds breach? If you’ve been preoccupied with wondering which of your vendors might be impacted, how to find out, and what it could mean for your institution, your vendor management program is missing essential tools.
Breaches like the one impacting SolarWinds will continue to happen. Do you want each event to be a mad scramble for information, or would you benefit from having a partner that can help you figure out what you need to know and what you should do about it?
Ncontracts is here to give you the assurance you need. Let us show you how we can help.