January 5, 2021

SolarWinds Hack: Assessing the Fallout

I blogged a few weeks ago about the need to double down on vendor management processes in light of the SolarWinds hack. We’re posting memos in our “Cybersecurity” Practice Area with more detailed advice on what to do right now. For example, most companies should be evaluating whether they’ve been compromised and whether any legal or contractual notices are triggered. This Quarles & Brady memo outlines how your incident response plan can be deployed for this particular event:

1. Work with your IT team to determine whether your organization uses the Orion product and, if so, if the tainted software was downloaded and whether any steps have been taken to mitigate.

2. If the malware was downloaded, investigate any potential malware risks, including whether the hacker accessed your networks and whether any data has been accessed or acquired.

3. Consider engaging a forensics firm for the investigation. Whether you use internal or external resources, we recommend conducting the investigation under legal privilege.

4. If data was accessed or acquired, determine whether notices are required under notification laws or contracts.

5. Consider putting your cyber insurance carrier on notice as the costs may be covered under your policy.

6. Bear in mind that the threat actor may still have visibility into your network when engaging in incident response activities and planning and implementing a remediation plan.

7. Even if you don’t use Orion or did not put the update into production,determine whether any third parties that connect to your network or handle your data were impacted.

8. Stay on top of advisories from your vendors, government, and trusted advisors.

For companies in or servicing the banking industry, things are even more urgent due to new legal requirements that are arising out of this incident. This Eversheds Sutherland memo explains that the NY Department of Financial Services is requiring all financial institutions to immediately report whether they’ve been affected in any way – and this Sullivan & Cromwell memo says that the FDIC and other agencies have also proposed rules that would require banks to notify federal regulators of cyber incidents within 36 hours, and would require bank service providers to notify affected banks immediately.

Skyrocketing Cyber Insurance Premiums: Not a Fait Accompli

With recent increases to the number and cost of cyber claims, it’s not too surprising that premiums are also on the rise – some are reporting increases of 50% of the expiring rate, according to this D&O Diary blog. It also says you might end up with lighter coverage even though you’re paying more – due to decreasing liability limits and tighter underwriting standards.

To keep your fees & coverage in check, the blog suggests 11 steps to take before your next renewal negotiation. Here’s #1 – and note that even if you’ve done this in the past, you likely need to do it again due to the current WFH environment and the increase in cyber crime:

1. Perform a vulnerability assessment as soon as possible: To assess your network versus the cyber threats to your network (which you previously identified in your risk assessment), where is your network vulnerable? Is it a staffing and resource issue, where you do not have the staff to monitor your network? Is it a patching problem (where you might be two or three or more “Patch Tuesdays” behind the eight ball)? Is it a structural problem (are you still running Windows 7)? Or, is it an employee training and education that rears up every time one of your employees “clicks on a link” or attachment from which he or she doesn’t know the sender?

Many of these issues are easily remediated for very little money. Some issues will need more TLC, and others will take some money to remediate. There is little doubt remediation will be easier, cheaper and better to swallow than a theoretical $200,000 premium increase and maybe an $8 million ransomware settlement that jeopardizes your credibility with your customers and investors.

Of course, these extra efforts also come at a cost – this Bloomberg article reports that 64% of bank executives are forecasting an increase in cybersecurity spending next year. That’s on top of the 15% jump this past year – equating to almost $1 billion for each of the largest US banks.

Carbon Markets: ESG’s Next Frontier?

Last fall, the BRT said that the US should adopt a “market-based approach” to reduce carbon emissions – such as a carbon tax or cap-and-trade scheme. That was followed a couple months later by the international Taskforce on Scaling Voluntary Carbon Markets releasing this consultation document – which includes a draft blueprint for a carbon market and a roadmap for implementation (a final version is expected this month). According to the Taskforce, if carbon trading is the key to reducing emissions, the market needs to grow by at least 15x over the next decade.

If investors end up viewing participation in these trading arrangements as “material,” we could also eventually see information about them trickle into sustainability reports and even SEC disclosures – which means we’ll all have to get somewhat familiar with how they work, so that we can make sure they’re accurately described. Right now, focus on climate risk management seems to be intensifying:

We’ve been blogging on our Proxy Season Blog about BlackRock’s updated Stewardship Expectations – which say that the asset manager expects companies to disclose a plan for how their business model will be compatible with a low-carbon economy and that the boards of companies that are “on watch” and don’t show significant progress on the management and reporting of climate-related risks could see themselves getting “against” votes. And the New York State Common Retirement Fund announced last month that it has a goal to transition its portfolio to net zero greenhouse gas emissions by 2040. This KPMG memo summarizes how large companies are reporting on their “net zero” transitions.

The concept of carbon markets is also getting some traction at the state level. This White & Case memo summarizes a proposed cap-and-invest system for the transportation sector in the Northeast and mid-Atlantic region (Massachusetts, Rhode Island, Connecticut and DC). And for general climate-related risks, financial institutions are also getting more state-level scrutiny, with the New York Department of Financial Services recently encouraging banks to set up governance and risk frameworks to manage climate change risks. We’re constantly posting new resources in our “ESG” Practice Area – including industry-specific developments.

Liz Dunshee