The massive data breach that compromised software vendor SolarWinds is far broader in scope than originally thought, federal investigators have found, with close to one-third of the victims not even running the SolarWinds Orion product that was initially considered the entry point for hackers.

This latest revelation further escalates the critical need for chief compliance officers to collaborate with their business counterparts to identify and mitigate potentially unknown threats lurking in the third-party cloud supply chain.

The Cybersecurity and Infrastructure Security Agency (CISA) said it has uncovered evidence of “initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors.” In an alert, CISA said it’s investigating incidents that exhibit adversary tactics, techniques, and procedures (TTPs), “including some where victims either do not leverage SolarWinds Orion, or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”

Hackers obtained initial access in some cases by guessing passwords and exploiting administrative credentials, including by gaining privileged access to Microsoft cloud software. “It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered,” CISA said.

This stunning revelation should rightfully scare any company because it means nation-state hackers—presumably linked to Russia—could have the keys to steal whatever sensitive data they want that’s stored in the cloud while evading defenses and detection. “This level of compromise is challenging to remediate and requires a rigorous multi-disciplinary effort to regain administrative control before recovering,” CISA said.

A matter of compliance

Although CISA has provided guidance on open-source tools that are available to private- and public-sector companies to detect potentially malicious activity, the damage has been done. It is at this point that a cyber-attack—no matter how massive or small—becomes a compliance problem.

With the SolarWinds hack, a key question on the minds of many companies is, “‘If SolarWinds is something our vendor uses, does this vulnerability become ours?’ I would say absolutely,” Sam Abadir, director of industry solutions at NAVEX Global, said during a recent webinar. The same answer applies to third parties that use Microsoft cloud software that may now be compromised.

From a regulatory compliance standpoint, data loss or exposure in the network opens a company up to potentially heavy fines resulting from violations of data privacy laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA). From an enforcement and brand perspective, the bottom line is this: Enforcement authorities, clients, customers, patients—nobody is going to care whether the data was exposed by a third party; they’re just going to care that it was exposed.

This is the time for chief compliance officers and chief risk officers to “step up their game” and leverage cyber-security best practice frameworks, Abadir said. Examples include the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management project, as well as NIST’s Cybersecurity Framework.

Such frameworks don’t just focus on patching security vulnerabilities. “They discuss the need for having purposeful processes in place,” Abadir said. “Your regulatory exposure is going to be significantly smaller if you have an auditable, proven framework and a process in place that you can manage.”

Third-party supply chain risk management

Ensuring compliance throughout the entire third-party supply chain should be part of that overall purposeful process—simple governance and risk management measures that many companies still seem to struggle with:

Start with an internal evaluation. Begin by taking an inventory of everything on your own network—not just physical assets, but software assets as well. “Knowing your environment is going to help you limit your exposure,” said Blake Gardner, a third-party risk manager at accounting, consulting, and technology firm Crowe, who also spoke on the webinar.

Relevant to the SolarWinds hack, obtain a list of potentially compromised SolarWinds Orion products. “Do a full evaluation of what you have in place,” Gardner said. “‘What was the last version update that we did? Do we have version control where we can go to a prior version? How can we contain [the breach] quickly?’”

Conduct a third-party evaluation. Do you know what third parties you have? Not all third parties should be treated equally from a risk management standpoint. Assess what the company considers to be its most confidential, most critical information. What are its crown jewels? Who is managing them? If those crown jewels are being managed outside the company, “you need to be talking to those third parties, asking them what has been impacted,” Abadir said. What technology do they have in place that may have been compromised?

Conduct an inherent risk assessment. An inherent risk assessment means asking very general questions of your third parties: “‘Do they have access to my network? Do they have access to my data? In what countries are they operating?’” Gardner said. You’re trying to gather as much information as possible to find out what risks the third party poses to the company, he said.

Perform due diligence from a network security and data privacy standpoint. Compliance and risk management teams should ensure the company is not only in compliance with relevant data privacy laws but also has an information security policy in place.

Ask the same of your third parties as well: whether they align to cyber-security best practice frameworks like those offered by NIST, or whether they have achieved ISO 27001 certification, an internationally recognized information security standard. Also ask to what extent they’re in compliance with regulatory frameworks like the GDPR and/or industry regulations, like HIPAA.

Also, don’t be afraid to leverage folks in the company who speak and collaborate with third parties on a regular basis. If they know the types of questions to ask, they can have those discussions in casual conversations, Gardner said. “It doesn’t need to be a formal audit.”

If at any point you’re not sure what questions to ask your third parties in performing an inherent risk or due diligence assessment, you should look in the mirror: “What questions would you ask of yourself? That’s always a great place to start,” Abadir said. “You should be asking those same things of your third party.”

For compliance officers, that may require approaching the IT team or other business units and asking them, “‘What would you ask?’” Abadir added. “This is a really great time to build bridges within your organization.”

Conduct cyber-attack fire drills. Are you doing proper incident response testing? Are you actively running drills? If a massive cyber-attack like this happened again, does everybody know their role? The same questions apply to your third parties.

Put it in a contract. From a compliance and legal standpoint, third-party supply chain risk can be mitigated, in part, by inserting strong language into contracts with third parties. This helps to ensure that those with nontransparent or nonexistent cyber-security practices, or those that simply refuse to agree to the company’s cyber-security policies and procedures, are weeded out.

“Be prepared to pay a little extra,” Abadir said. “It takes time and it takes resources, which means it costs money.” The reverse holds true as well: if you’re a vendor in the supply chain and someone is asking you about your security controls, they should expect to pay a premium. “Security is not free,” Abadir added.

It’s worth repeating that weeding out cyber-threats in the third-party supply chain is extremely complex, and remediation only grows more complex as hackers become more sophisticated. It takes time, patience, and resources, and it requires both a multi-disciplinary approach and a collaborative industry approach. But the pie-in-the-sky hope is that sharing best practices and collaborative techniques will one day put the public and private sectors one step ahead of the hackers, not the other way around.