SolarWinds cyberattack: lessons learned

The cyberattack on SolarWinds, a US information technology company, underscores the potential vulnerability of every organization and highlights the importance of having structures in place to respond quickly and start the remediation process.

Speaking during a recent Marsh webcast, SolarWinds CEO Sudhakar Ramakrishna highlighted the importance of the insurance industry rewarding transparency among organizations that are the subject of cyberattacks. The focus should be on prevention by proliferating best practices and providing forums for companies that experience an attack to share their experience.

The unique and sophisticated cyberattack saw the company start taking remedial actions even while investigations were still underway. A crucial step was involving SolarWinds’ cyber insurer and its brokers at Marsh immediately, said Jason Bliss, chief administrative officer and general counsel for SolarWinds. This enabled SolarWinds to understand the scope of additional services — beyond the coverage itself — that were available via the company’s cyber insurance policy.

During the webcast, Messrs. Ramakrishna and Bliss shared information about the unique attack, how it affected SolarWinds and its supply chain, and the actions the company took — and is still taking — to remediate and improve its security.

They also noted that cyber breaches will continue to happen. “If a nation-state attacker wants to compromise your network or assets, it’s going to be a matter of when — and not if,” Mr. Ramakrishna said. But companies can take action.

SolarWinds cyberattack: meeting the new cybersecurity bar

The timely sharing of information following a major cyberattack like the one on SolarWinds, a US information technology company, can be critical in helping other organizations prepare for similar threats.

Speaking during the second part of Marsh’s webcast series related to the cyberattack, SolarWinds chief information security officer Tim Brown noted that the targeted and sophisticated cyberattack the company experienced last year is not generally the type of attack organizations prepare for. “Now we need to prepare for more of these as a community.”

Part of the way forward should include the sharing of information and learnings that allow other organizations to address any uncovered vulnerabilities. But as Alex Stamos from the Krebs Stamos Group said, we’re missing the critical function of a central entity that collects and shares learnings from cyberattacks in the same way the National Transportation Safety Board investigates aeronautical incidents. Although organizations targeted by threat actors should not be blamed, their collaboration and transparency are critical to help others learn from their experience, especially considering the fast-evolving nature of cyber threats.

Organizations often focus predominantly on preventing an attack rather than looking across the risk spectrum, including recovery and restoration, noted Tom Reagan, Marsh’s Cyber Practice leader for the US and Canada. “If you want to move beyond prevention and start looking at resilience, you have to more actively and dynamically prepare to respond when something goes wrong.”

Considering the inevitability of breaches, Mr. Stamos said organizations should build “bend-but-not-break” defenses that focus on catching attackers early and being able to respond quickly.

Part of the response following a cyberattack is to tap into the specialized expertise that is often provided within a cyber program, making it critical for organizations to immediately contact their broker or insurer. The increase in cyber events is contributing to higher insurance pricing and a greater focus on controls implemented by organizations to improve cyber resilience.