It is no surprise that the SolarWinds cyberattack of December 2020 continues to be in the news on a daily basis. Why? First, it was likely a sophisticated nation-state attack. It likely affected upwards of 18,000 clients of SolarWinds. It definitely affected many United States Government agencies also. The attack was sneaky and continues to be very hard to find on affected networks. Most importantly, it happened in an area that many people had not previously considered a risk — a regular update on a critical vendor software package that many companies have installed, get regular updates on, and, when updates are issued, they just press the button to stay “install.”
This article is not about “who did what wrong” or “what nation-state commenced this attack.” There are enough of those articles around. What this article is really more about is, “if I am a Director, what should I be thinking about the SolarWinds attack?” Indeed as noted by former SEC Commissioner Luis Aguilar on cybersecurity:
Given the known risks posed by cyber-attacks, one would expect that corporate boards and senior management universally would be proactively taking steps to confront these cyber-risks. Yet, evidence suggests that there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks. Some have noted that Boards are not spending enough time or devoting sufficient corporate resources to addressing cybersecurity issues. According to one survey, Boards were not undertaking key oversight activities related to cyber-risks, such as reviewing annual budgets for privacy and IT security programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks. Even when Boards do pay attention to these risks, some have questioned the extent to which Boards rely too much on the very personnel who implement those measures. In light of these observations, Directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management. (Emphasis supplied).