Keep One Eye on Pandemic Fallout, One on the Longer Term, Says Global Risks Report 2021

Last year will forever be defined by COVID-19’s devastating impact across societies and economies. However, the global pandemic also intersected with a range of other threats to accelerate and exacerbate preexisting global challenges and drive unexpected outcomes. Organizations will now need to appreciate how these issues might develop if their strategies and business models are to stand the test of time.

Trends and Reverberations

The Global Risks Report 2021, prepared by the World Economic Forum in collaboration with Marsh & McLennan and other partners, reflects on disparities in the socioeconomic fallout from the COVID-19 pandemic and the implications for the next decade. Strengthened by the insights of more than 650 global risk experts and leaders, the report contains four broad messages, detailed below.

1. Societies will likely continue to grapple with the long-term impacts of the pandemic on their economies. The global economy, already sluggish at the end of 2019, is expected to have contracted by 4.4 percent in 2020, while governments collectively expended almost USD 12 trillion in fiscal measures to support their citizens through the crisis. The road to recovery remains arduous and vulnerable to setbacks from new surges of the virus in the foreseeable future, while pressures on household purchasing power, business reluctance to invest in fixed assets, and government debt crises may also hold back growth.

Downside scenarios set out a global gross domestic product that may be, by the end of 2022, 8.5 percent smaller than pre-pandemic projections—a total loss to economic output in the order of USD 23 trillion. While recently announced large-scale stimulus measures are welcome for many, the challenge ahead is how to transition successfully from providing “life support” in the form of unemployment aid, rental assistance, and tax reliefs to the transformational agenda of revitalizing and restructuring economic ecosystems, sectors, and businesses with an eye toward a sustainable future.

2. Inequality, already on the rise pre-pandemic, was significantly exacerbated by the crisis along multiple dimensions. Massive waves of employment loss globally have endangered the livelihoods of millions of people and may be consolidated in the recovery. Small businesses, youths (aged 15-24), unskilled workers, working parents, and minorities—overrepresented in sectors hardest hit by the pandemic—saw retrenchments and closures at multiples of national averages. Female-owned businesses in North America closed at nearly twice the rate last year of their male-owned counterparts, and Black-owned businesses in the United States suffered closures 2.4 times more than those that were white-owned.

At the same time, lockdowns across the world have interrupted important pathways to socioeconomic mobility, with the education of billions significantly disrupted and workplace constraints throwing a new spotlight on digital divides. Livelihood impacts and disparities have amplified mental health challenges, which will reverberate for many years. Forty percent of adults in the United States have experienced increased anxiety and depressive disorders over the past year, disproportionately so among the young (18-24 years old), racial and ethnic minorities, essential workers, and caregivers.

3. Escalating fractures in domestic politics threaten democracy and the rule of law. Trust in governments, public institutions, and businesses across the world has greatly diminished, often catalyzed by widespread misinformation, mounting social polarization, and hyper-partisanship. Trends suggest that mobility rights have become more constrained, Internet freedom has declined, and surveillance has increased. Pro-democracy and anti-government protests have been intense against injustice, authoritarian behaviors, and shortcomings in national pandemic responses. In some countries this sets a new tone for the future; elsewhere, achieving unity and restoring confidence in public institutions will be hard work.

4. Geopolitical schisms may grow, as the pandemic has accelerated the existing global trend toward a more protectionist stance. The US-China rivalry continues to intensify; foreign direct investment restrictions across advanced economies have expanded markedly on national security grounds; and challenges stemming from state-on-state cyberattacks have become more acute. While the pandemic may have created turmoil for the cross-border supply of critical goods, moratoria on trade disputes provide hope for the ability of global trade to underpin the recovery and the 40 million US jobs in export sectors, of which 98 percent are with small businesses.

Pressures on several fronts introduce the prospect of a disorderly shakeout for different sectors, which it will be vital for businesses to anticipate at a time of inherent fragility. With governments in all economies holding center stage and keen to seize opportunities for a fundamental reset, it is likely that the implementation of industrial strategy and thematic priorities will generate not only winners and losers, but also disruptive discontinuities in business ecosystems. Regarding the digital agenda, technology giants came out of 2020 with stronger, more diverse revenue streams, with enhanced investment power, and better positioned to compete on more strategic agendas—but also facing a plethora of government-led lawsuits, investigations, regulatory proposals, and legislation across the world. How this plays out will have ramifications for companies in other sectors, whose technology agendas have become more ambitious and more accelerated because of the crisis.

Finally, stakeholder scrutiny has significantly increased. The focus on environmental performance has risen and corporate ethics are on radars, with workforce diversity, supply chains, and employee exploitation among top issues considered. Meeting employee expectations that companies take stances—and quickly—on key issues may take leaders out of their comfort zones and present commercial dilemmas.

Oversight Imperatives

As they take stock of this turbulent risk landscape and guide management teams, boards might wish to reflect on four approaches that will help enhance the resilience of their organizations.

First, there has been much valuable discussion in recent years about disruptive risks. The past year, though, has pressed firms to appreciate the likelihood of concurrent crises, the validity of more extreme scenarios, and the existence of ignored tail risks that were lurking in risk registers all this time. This argues that companies should develop tougher stress tests to understand how they would stand against different eventualities.

Second, the crisis has made firms acutely aware that resilience is not a fixed standard, but an evolving, active process in which organizational muscles are stretched and honed. The most advanced businesses are able to flex trade-offs between agility, efficiency, and robustness with confidence, even at times when data and intelligence are weak.

Third, as boards look to the next year, it will be important to have one eye on near-term surprises and setbacks and the other on longer-term transformations. If companies only do the former, the price of survival may be obsolescence.

Fourth, organizations need to find the right balance between human capital and technological capital and anticipate associated risks accordingly. There’s no question that technology and data have underpinned governmental responses to the pandemic and enabled firms to keep working during the crisis—but the ability to reshape working practices, motivate employees, and retain talent in the recovery will be critical for ongoing success.

Richard Smith-Bingham is an executive director of Marsh & McLennan Advantage and a key contributor to the Global Risks Report 2021.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

What a Biden White House Might Mean for Boards

Editor’s note: This excerpt is pulled from the January/February 2021 issue of Directorship magazine, launched this week. For more key regulatory themes to keep an eye on, as well as further insights into the themes listed below, read the full article here.

“Regulators are in a strong position to drive change. What is more powerful is for the change to come from the top down within business organizations.” So said Laura Cha, chair of Hong Kong Exchanges and Clearing, at a January World Economic Forum conference. In her speech to business leaders, Cha challenged directors to “step up in driving the ESG agenda of their companies.”

Her words were prescient, and US-based directors would be wise to heed them now. As the Joseph R. Biden Jr. administration begins its work, boards that have not been Washington-minded may experience culture shock. The White House under President Donald J. Trump and Vice President Michael Pence focused on deregulation. By contrast, an administration led by President Biden and Vice President Kamala Harris will likely focus on restoring regulations. This is especially true now that both chambers of Congress are controlled by a Democratic majority, albeit by slim margins, after twin victories in Georgia Senate runoff elections. Democrats will control committees and the legislation and nominations brought to the floor, with Vice President Harris casting the deciding vote in the event of a tie. Directors can expect many additional regulations and bills—if not laws—increasing regulatory requirements for companies and the boards that govern them.

A renewed focus on regulation would have two distinct implications for boards. First, board oversight of regulatory compliance must sharpen because companies will have to deal with new or restored regulations. Second, boards themselves are likely to contend with new requirements stemming from the Dodd-Frank Act that were put on ice under the Trump administration. The following key themes should help boards gain an advantage as we enter a new year with a new presidential administration.


In light of the current national emphasis on civil rights issues, we may see Congress revive diversity bills under renewed or new sponsorship. For example, the Improving Corporate Governance Through Diversity Act, if reintroduced by its original sponsor Rep. Gregory Meeks (D-NY), would ask the US Securities and Exchange Commission (SEC) to “require the submission of data relating to diversity.” A similar bill could be reintroduced in the Senate by Sen. Robert Menendez (D-NJ). Rep. Carolyn Maloney (D-NY) is likely to bring back the Diversity in Corporate Leadership Act, which would require the SEC to “establish a Diversity Advisory Group to study and make recommendations on strategies to increase gender, racial, and ethnic diversity on the boards of issuers,” and to “amend the Exchange Act of 1934 to require issuers to make disclosures to shareholders with respect to gender, racial, and ethnic diversity.”

In parallel with congressional initiatives to increase disclosure requirements, the SEC under a new chair will likely focus on company disclosures on board diversity. The SEC’s scrutiny may extend to compliance and disclosure interpretations (C&DIs) about board diversity. C&DIs—likely more familiar to general counsel and corporate secretaries than to most directors—are interpretations by the SEC’s Division of Corporation Finance intended to provide guidance on rules. It is possible that at some point this year the SEC will expand further the guidance it offered last year. One example: in a Feb. 6, 2020, update on Regulation S-K, the SEC added a question and answer about Item 401(e) that requires discussion of what led to the conclusion that a person should serve as a director, as well as a related provision under Item 407(c) requiring a description of how a board implements policies on nominee diversity “such as their race, gender, ethnicity, religion, nationality, disability, sexual orientation, or cultural background.”


The Biden administration will almost certainly strengthen laws affecting working conditions and pay equity, and Congress will likely reintroduce legislation on this topic. In a November fundraising message to Democrats, Robert Reich, former labor secretary under President Bill Clinton, called for an “FDR moment.” Reich, using language that some may find hyperbolic, wants to “reverse Trump’s efforts to take away workers’ health care” and “protect all workers against wage theft.” He also wants to bolster workplace safety inspections to make it easier for businesses to classify workers as independent contractors, and “ensure millions of workers receive the overtime pay they deserve.” In Congress, among the bills likely to be revived is the Corporate Freeloader Fee Act that was introduced by Sen. Sherrod Brown (D-OH) to “impose an excise tax on employers with low-wage employees.”

The new year will also be a time to remember the Dodd-Frank Act. The long-pending pay-for-performance rule proposed in 2015 may be finalized. Section 953 of Dodd-Frank mandated that the SEC pass a rule requiring public companies to disclose “the relationship between executive compensation actually paid and the financial performance of the issuer, taking into account any change in the value of the shares of stock and dividends of the issuer and any distributions.” Legislators who passed the law were concerned that some executives were being overpaid in relation to their performance. The rule defines pay as the total reported in the compensation tables of the proxy, with some modifications, and it defines performance as total shareholder return (TSR) over each of the company’s five most recently completed fiscal years compared to peers.


US 2021 Cyber Agenda May Affect Liability, Disclosure, and Enforcement

Structural and technological changes have been set in motion by COVID-19, creating new cyber-risk and security challenges that will likely endure even after the pandemic ends. There is no shortage of cyber-threat actors attempting to take advantage of this situation, and the majority of cyberattacks continue to be financially motivated.

While cybersecurity has seen strong progress over the last decade in terms of threat information sharing and cyber-resilience measures, it is still easier to attack than defend in cyberspace. Every year, cybercrime becomes cheaper, easier, and faster, making a variety of companies more vulnerable to attacks than ever before. After all, all companies are tech companies nowadays.

Last year, of course, was no exception. As boards seek to oversee companies’ risk assessments, investments, and cyber-defense tactics to ensure their businesses adapt to meet post-pandemic cyber challenges, they must take stock of the complex and varying types of cyberattacks businesses faced in 2020.

Over the past twelve months, massive amounts of downtime due to business disruption caused by cyberattacks and large troves of highly sensitive data made the private sector particularly vulnerable to ransomware, supply-chain compromise, distributed-denial-of-service (DDoS) attacks, and data breach attacks. As cybercriminals devised new ways to profit, such attacks grew in volume, sophistication, and impact.

DDoS extortion, in which attackers demand payment under the threat of a DDoS attack, made a resurgence in 2020, with the New Zealand stock exchange among the financial institutions targeted. Even Amazon Web Services suffered a record-setting attack last February.

While DDoS attacks have caused significant problems, ransomware dominated the headlines last year. In fact, 2020 saw seven times more ransomware attacks than 2019. However, it is far from just a volume issue, as ransomware operators, driven by profit, think of new and innovative attack strategies. Attackers now almost always steal sensitive data in addition to encrypting the target company’s network or devices—called “double-extortion” ransomware—and extort victims by threatening to either publish data online or to auction off victims’ data on the dark web. Among companies that experienced double-extortion ransomware attacks last year were Banco de Costa Rica and a trio of financial technology providers including Cognizant Technology Solutions Corp., Finastra, and Pitney Bowes. There has also been staggering growth in the ransomware-as-a-service (RaaS) market, with Intel 471 tracking 18 new RaaS groups in 2021.

The US Securities and Exchange Commission (SEC) has issued multiple alerts warning of increasingly advanced ransomware attacks on registrants as well as their third-party service providers. As the massive SolarWinds breach starkly highlighted, even entities with relatively robust cyber defenses are vulnerable to attacks through third-party suppliers. Sophisticated attackers recognize this and are increasingly devoting attention and resources to targeting third-party service providers and other organizations down the supply chain that allow them to compromise many networks at once. Companies everywhere should pay more attention to supply-chain vulnerabilities as potential attack vectors for data breaches, ransomware, and other cyberattacks. 

Indeed, there is no end in sight, with damages from cybercrime projected to reach $6 trillion globally in 2021. Despite ever-growing investments in cyber defense, an increasingly anxious public feels that the oversight of federal agencies, boards, and CEOs fails to meet their expectations. The lack of a generally accepted framework for the evaluation of cyber risk, agreed-upon best practices, or unifying standards adds to the uncertainty and complexity for senior executives and directors of understanding the true nature and extent of an organization’s cyber-risk exposure. Given this emerging reality, the legislative and regulatory agenda must evolve to address these economic, national security, and stakeholder impacts. 

The Expected Cyber Agenda Under the New Presidential Administration

President Joseph R. Biden Jr. has said his administration will make cybersecurity a top priority at every level of the government. Moreover, in stark contrast to the previous administration’s agenda, the focus on data privacy issues will intensify as will collaboration with Europe and the global community. Vice President Kamala Harris has a track record of such focus; as attorney general in California, she spearheaded privacy efforts that ultimately led to the state’s adoption in November of the California Privacy Rights Act (CPRA), which established a new regulatory agency to police data privacy.

Changes in US Senate leadership and anticipated greater collaboration with the US House of Representatives will likely spur bills to address the governance of cybersecurity, incident reporting, and consumer privacy. Senators Sherrod Brown and Pat Toomey have agreed to advance technology concerns in the Senate Banking Committee. It is widely expected that Senator Jack Reed will reintroduce a bipartisan bill to require disclosure to investors of information on whether a company’s board has a member with cybersecurity expertise. Moreover, the Cyberspace Solarium Commission, mandated by the National Defense Authorization Act of 2019, recommended various legislative initiatives that may advance, including amending the Sarbanes-Oxley Act of 2002 to mandate corporate accountability and certain cybersecurity disclosures by publicly traded companies.

Leadership changes expected at financial services regulators and at the Consumer Financial Protection Bureau will likely coincide with a host of new regulations as well as a revitalization of consumer protection efforts. Further, market participants should anticipate an increase in examinations and enforcement actions from all independent regulators and other oversight agencies, such as the Financial Industry Regulatory Authority.

State legislatures and regulators are expected to continue to prioritize cybersecurity and data privacy. Some may align with the CPRA and others with the New York Department of Financial Services cybersecurity requirements, which cover all financial institutions operating in New York. The lack of a comprehensive federal cyber regime has contributed, and will continue to contribute, to the diversity of state initiatives, which may be reminiscent of state blue sky laws from the early 1900s.

Without question, the legislative and regulatory landscape in 2021 will include a variety of measures that seek to improve the accountability for and governance of cyber-related concerns.

How Boards Can Act Now

While there is no one-size-fits-all solution, there are specific defensive investments that companies can implement to mitigate risk from costly cyberattacks—and to preempt new regulations and legislation.

The first step in improving cyber defenses is to know what needs protection by quantifying cyber-risk exposure and deriving a risk appetite. Companies should conduct a 360-degree review across the enterprise that covers external exposures, such as those created by third-party service providers. A discussion around risk appetite, addressed in the NACD Director’s Handbook on Cyber-Risk Oversight, should cover the following principles:

Corporate Values: What risk will we not accept?
Strategy: What are the risks we need to take?
Stakeholders: What risks are stakeholders willing to bear, and to what level?
Capacity: What resources are required to manage those risks?
Financial: Are we able to adequately quantify the effectiveness of our risk management and harmonize our spending on risk controls?
Measurement: Can we measure and produce reports to ensure proper monitoring, trending, and communication?

Managing supply-chain risk from third-party service providers has become an essential part of corporate risk management. As supply-chain attacks leverage the existing trust between vendors and customers, they can be incredibly difficult to prevent and detect. Today, unfortunately, many companies remain underinvested in this area.

Companies should ideally try to evaluate the cyber-risk exposure of prospective service providers before engaging them as trusted third-party partners, and one way to achieve this is through security ratings. These ratings, from companies such as SecurityScorecard, provide a standardized snapshot and ongoing monitoring of a company’s cybersecurity capabilities to help it make strategic risk decisions.

Advanced companies can also use security ratings alongside strategic risk metrics to do the following:

Align cyber-risk scenarios with material business exposure.
Roll the reporting of cyber risks together with financial exposure to inform risk-management decisions.
Measure the improvement of cyber-risk reduction over time.

Companies must also ensure sound technology hygiene. A large part of this involves implementing proactive vulnerability and patch management programs and applying secure coding standards across internal and external applications, but it also includes managing supply-chain exposure, integrating enterprise-wide security, and performing regular risk-assessment evaluations and incident-response exercises.

With cybersecurity and data privacy on the legislative and regulatory horizon, boards should act now to ensure their security programs will meet potential requirements and stay up to date as Congress and regulatory bodies proceed with their related plans.

Christopher Hetner has served in various executive roles in both the private and public sectors, including senior cybersecurity advisor to the chair of the SEC, senior member of the US Department of the Treasury Financial Banking Information Infrastructure Committee, cyber-risk advisor to the National Association of Corporate Directors, and global chief information security officer of GE Capital. Robert Peak has served in senior capital markets policy roles including at the SEC, where he worked on the Commission’s issuance of its 2018 cybersecurity guidance. He has advised commissioners, members of Congress, and board members, and is a thought leader in securities trading, regulation, and enforcement.

The views expressed in this presentation are the views of the author and do not necessarily reflect the views of the author’s employer or any other entities with which the author may be associated.


10 Actions for Boards in Response to Political Violence

The tragic siege of the US Capitol on Jan. 6 was shocking, adding a new burden of questions and actions for boards in its aftermath. And national security officials, law enforcement leaders, and politicians from both sides of the aisle agree: more politically motivated violence is likely.

The events of 2020—particularly the COVID-19 pandemic and racial justice protests—created a greater imperative for companies to consider their positions on environmental, social, and governance (ESG) matters. Worker safety, job security, and company actions that may affect reputation all became important matters for boards to oversee. The recent political violence adds a new level of urgency to addressing ESG issues. As companies weigh enterprise-risk scenarios that could result from potential ongoing political violence, here’s what boards can do.

1. Consider the risk of political violence on your company’s business model. As a result of the violent activity at the Capitol, some companies took swift action to avoid the impact of the violence or to preserve their reputations. Social media companies promptly terminated accounts linked to the violence, home-sharing companies cancelled reservations or issued warnings that they would remove users promoting violence, a book publisher revoked a book contract with a related party, and a popular fundraising site removed all fundraising intended to cover the cost of travel to potentially violent political events. In each case, the risk of staying silent was too great. 

Each company needs to consider the potential that its products or services might be used to effect or contribute to political violence. Companies that fulfill government contracts, especially those related to homeland security, intelligence, or the military, have an even more urgent need to consider the direct impact on their abilities to conduct business as a result of insufficient vigilance. 

Every company should examine its unique characteristics and business model to determine whether it faces specific risks. Outside legal counsel can assist with a thorough review.

2. Understand the impact of this moment on your brand. In this politically polarized time, customers and suppliers are increasingly seeking and drawn to companies and brands that profess political ideals that align with their own. Determine what your company is prepared to say publicly and make sure your managers understand any limitations they have to speak on behalf of the company. 

3. Discuss the company’s policies and practices around political activity. Companies must make clear to their stakeholders what types of political activity are considered appropriate for employees at all levels so that future concerns and prohibited employee activity are addressed in a fair, consistent, and timely manner. Leadership should craft internal policies to address these new workplace concerns with the goal of ensuring worker safety and protecting the company’s brand and business operations. 

To be clear, this review should not support one party affiliation or political view. Management should ensure policies and procedures are based firmly on the best interests of the company and its various constituencies. Remember that “tone at the top” will be important. If these discussions become contentious, boards and C-suites should invite outside legal counsel or other advisors to lead and manage the discussions.

Offering a clear public statement now about a company’s policies regarding political violence creates grounds for remedial action in the event of transgressions by rogue employees and may soften any reputational blowback.  

4. Reexamine guidelines for employee communications. Companies should have well-defined policies on the kinds of conversations and activities that are allowed in the workplace. These should incorporate what defines “appropriate” utilization of workplace email and other company infrastructure. After the events of Jan. 6, one company fired an employee who was photographed wearing his company-issued badge while inside the Capitol building.

Some organizations may also want to review their employee social media policies, even if such activity occurs using personal accounts outside of work hours. For example, what would happen if an employee openly discusses plans for violence or seeks to encourage others to affiliate with a violent group? While this scenario may seem far-fetched for your business, it is better to be clear and upfront about company policy and the consequences of policy violation than to be caught unprepared and unsure about the next steps to take in such an instance.

5. Update crisis plans. Some individuals who stormed the US Capitol have been publicly identified and fired from their organizations. Going forward, companies should have a plan in place in the event that an employee commits or advocates for any behavior that violates company policy.

Boards can help create or update crisis plans that cover the following: prohibited employee activity, the possibility of future political violence against the company itself and its employees, and domestic terrorism in any community connected to the business. These plans should include proposed communications with employees as well as external stakeholders and should outline steps the company would take to address the specific crisis.

6. Refresh workplace safety and violence programs. Threats have been made against numerous corporations in recent weeks—especially technology companies that have been drawn into the debate around their roles in political violence. Consider whether your workplace safety measures and training account adequately for potential domestic terror activities. Programs and policies should be reviewed to ensure that they clearly delineate company policies regarding employee behavior in the workplace that will and will not be tolerated—and to protect employees and other stakeholders who may be put at physical or other risk by domestic terror activities. Provide reminders and training to employees and repeat them at regular intervals.

7. Provide your leaders and front-line personnel with additional training. The threat of political violence or political contention in the workplace is not typically covered in human resource training. Boards can push management to consider offering additional education or training to ensure that human resources, legal, and security personnel are prepared to evaluate any allegations or navigate related situations. Consider whether law enforcement or other expert personnel might be helpful in educating staff on how to identify and respond to extremist groups’ activity.

8. Create a pathway for confidential reporting. Many companies have communication channels to anonymously report harassment or allegations of fraud. Organizations should consider expanding hotlines or creating new ones through which employees can report prohibited activity or discussions of political violence, or related matters that violate company policy. Make sure employees are aware that they have anonymous access to report behavior that makes them feel uncomfortable or unsafe. 

9. Keep an eye on institutional investors. Large institutional investors have the power to upend the corporate landscape; several have already done so with regard to boardroom composition by issuing powerful statements in support of board diversity. If they determine that political violence poses a systemic concern, their statements and actions will reverberate widely.

10. Do not be complacent. Experts suggest that political violence is likely to ebb and flow. Many will rightly breathe a sigh of relief during periods of relative quiet; use those periods to thoughtfully review policies and practices so that your company is prepared when the next incident or upheaval occurs.

Helene R. Banks, a partner at law firm Cahill Gordon & Reindel LLP, provides guidance to boards and C-suites concerning corporate governance and ESG matters, and is widely published on these topics.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

SolarWinds Supply-Chain Attack Besets Boards with Implications

In 2020, cyberattacks increased rapidly while the COVID-19 pandemic ravaged the globe. A CrowdStrike report in September, for example, noted that the company had seen more attacks in the first half of 2020 than in all of 2019. Cyber criminals seized on the crisis to further monetize attacks, deploying ransomware and more commonplace fraud techniques at record levels. Amid this turmoil, a widespread and persistent intrusion campaign that would further disrupt confidence in the software supply chain and shatter trust in enterprise software was quietly unfolding.

The attack on SolarWinds, disclosed in the company's December regulatory filings, and on downstream victims including FireEye, Microsoft Corp., and numerous US federal agencies, tears at the fabric of standard risk management and security practices. It is a stark reminder that no amount of risk ranking, vendor profiling, or controls will, on its own, thwart a persistent, capable adversary or compensate for systemic weaknesses in how an organization manages its software supply chain and the technologies that support it.

Although the attack used a few new and refined mechanisms to compromise SolarWinds and other organizations (such as tampering with the vendor's software build process so that malicious code shipped inside legitimate product updates, and subverting cloud identity management by forging authentication tokens), the attackers' tradecraft and the length of time they remained undetected were the most striking features. Had they not attacked FireEye (which has a world-class incident response practice in its Mandiant Solutions branch), they might have gone undetected for even longer. Equally remarkable is that the attackers used the SolarWinds supply-chain entry point to target a small set of specific victims even though it gave them potential access to far more organizations.

Ultimately, the SolarWinds attack requires a shift in how companies assess cyber risk in their supply chains and how they view the associated risks. New approaches will take time to develop and mature, but three takeaways from the attack are clear today.

First, an organization cannot rely on a combination of questionnaires and outside information about the vulnerabilities and practices of critical suppliers to assess the likelihood that a supplier's own systems will be breached and the breach then used to reach its customers. That approach has historically served the need to rapidly risk-rank suppliers and to limit the trust extended to low-performing organizations, but it does nothing for the suppliers that score well, pass the process, and are then placed in positions of trust with high-risk access to data and networks. The well-scoring supplier is precisely the one that ends up with the standing, privileged access that makes it a valuable entry point.

Second, security and technology leaders will need to focus more on the essential ("key") suppliers, which are unique to each organization. The level of trusted access that suppliers have enjoyed, even those critical to business processes, will need to shrink, and "essential supplier" blessings that sidestep risk and security processes will become a thing of the past. This increased scrutiny of key supplier risks is only practical if businesses reduce their number of software suppliers. There should be no more "preference buying" across business and technology teams that have largely similar needs but use different, duplicative software simply because of siloed operations and personal preferences. Chief information officers (CIOs) should consolidate software suppliers, and chief information security officers (CISOs) can reduce risk by intensely scrutinizing whether the remaining suppliers should continue to hold critical, trusted access.

Finally, businesses should consider using cloud infrastructure to replace capabilities that have historically been delivered through installed, difficult-to-customize, and potentially insecure software. Cloud adoption lets organizations draw on the assurance that cloud providers have built into their infrastructure, further consolidate technology vendors, and adopt newer security design approaches such as zero trust, in which no user, device, or network location is trusted by default and every access request is checked against the requester's verified identity and the device's integrity before, and continually while, access is granted. Two caveats apply. Under the shared-responsibility model, identity, configuration, and access decisions remain the customer's job; and, as noted above, this same campaign subverted cloud identity management, so the identity provider and its signing keys become the most valuable target and must be protected accordingly. Executed correctly, the result is a more resilient enterprise built on infrastructure that was constructed with a security-by-design approach rather than inheriting the flaws of legacy technology environments.
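To make the zero-trust point concrete, here is an added example, written for this page and not code from the article, from SolarWinds, or from any cloud provider, of a per-request access decision. It assumes a hypothetical identity issuer whose tokens are HMAC-signed with a key held by that issuer, a device-posture store fed by an endpoint agent, and an explicit grant table; every name, key, and request in it is constructed. It also illustrates the point about supplier access made above: the supplier's monitoring agent is a principal with one narrowly scoped grant, not a trusted network location.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the identity issuer signs tokens with this HMAC key. In a real
# deployment this is the identity provider's signing key, and protecting it is
# the whole game; it is hard-coded here only so the example runs offline.
ISSUER_KEY = b"example-issuer-key-not-for-production"
TOKEN_TTL = 600          # seconds an identity token remains valid
POSTURE_MAX_AGE = 300    # seconds a device attestation remains fresh

# Explicit least-privilege grants: principal -> resource -> allowed actions.
# The supplier's monitoring agent is a principal like any other: one resource,
# read only. It gets no blanket "trusted supplier" access.
GRANTS = {
    "alice@corp.example": {"hr-db": {"read", "write"}},
    "svc-monitoring-agent": {"network-telemetry": {"read"}},
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, device_id, now=None):
    """Mint a short-lived token bound to one principal and one device."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "dev": device_id, "iat": now, "exp": now + TOKEN_TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:  # malformed token or invalid base64
        return None
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    return None if claims["exp"] < now else claims


def decide(request, posture_db, now=None):
    """Evaluate one request: identity, device binding, device posture, then grant.
    request["src_ip"] is carried only to make the point that it is never consulted."""
    now = time.time() if now is None else now
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "no valid identity token; network location is not a credential"
    if claims["dev"] != request["device"]:
        return False, "token is bound to a different device"
    posture = posture_db.get(request["device"])
    if posture is None or not posture["compliant"] or now - posture["attested_at"] > POSTURE_MAX_AGE:
        return False, "device posture missing, non-compliant or stale"
    allowed = GRANTS.get(claims["sub"], {}).get(request["resource"], set())
    if request["action"] not in allowed:
        return False, "%s has no '%s' grant on %s" % (claims["sub"], request["action"], request["resource"])
    return True, "identity, device posture and explicit grant all verified"


def run_scenarios(now=1_700_000_000.0):
    """Constructed scenarios at a fixed clock; returns {scenario: allowed}."""
    posture = {
        "laptop-1": {"compliant": True, "attested_at": now - 60},
        "agent-host": {"compliant": True, "attested_at": now - 60},
        "stale-host": {"compliant": True, "attested_at": now - 3600},
    }
    alice = issue_token("alice@corp.example", "laptop-1", now)
    agent = issue_token("svc-monitoring-agent", "agent-host", now)
    stale = issue_token("alice@corp.example", "stale-host", now)

    def req(token, device, resource, action):
        return {"token": token, "device": device, "resource": resource,
                "action": action, "src_ip": "10.0.0.5"}  # an "inside" address; ignored

    cases = {
        "user writes hr-db from a verified laptop": (req(alice, "laptop-1", "hr-db", "write"), now),
        "on the corporate network but no token": (req("", "laptop-1", "hr-db", "read"), now),
        "supplier agent reads the telemetry it is scoped to": (req(agent, "agent-host", "network-telemetry", "read"), now),
        "supplier agent tries to write telemetry": (req(agent, "agent-host", "network-telemetry", "write"), now),
        "supplier agent reaches for hr-db": (req(agent, "agent-host", "hr-db", "read"), now),
        "user on a device with stale attestation": (req(stale, "stale-host", "hr-db", "read"), now),
        "user token replayed after expiry": (req(alice, "laptop-1", "hr-db", "read"), now + TOKEN_TTL + 1),
    }
    return {name: decide(r, posture, t)[0] for name, (r, t) in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(("ALLOW " if allowed else "DENY  ") + name)
```

Running the script prints one line per scenario; only the first and third are allowed. The design choice worth noticing is the order of checks: a request from an "inside" address with no token fails before anything else is consulted, and a valid token still fails if the device it is bound to cannot show fresh posture. The supplier's agent is denied the moment it steps outside its one grant, which is the operational form of the "no blanket trusted access" point above.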

Directors have additional factors to consider when engaging management on the implications of the SolarWinds attack and on software supply-chain risk. Some questions to frame the discussion include the following:

Does the organization have a process to risk-rank vendors based on their level of access to critical data and their ability to disrupt the business?
Has the organization adequately identified whether it could be targeted with the goal of compromising other companies, and has it integrated this scenario into its cyber-risk management planning?
Do we need all of our suppliers? Who within the organization is accountable for the proliferation of software suppliers? (As the number of suppliers grows, so do supply-chain complexity, exceptions to security controls, and risk.)
If the use of a software supplier requires the company to grant a security policy exception, who decides on exceptions and how are they tracked? (A well-publicized page from a SolarWinds configuration manual advised customers to exclude the product from basic malware protections so that it would function properly. Such requirements are not unique to SolarWinds; they have been commonplace among software providers since firewalls and antivirus software were created. There are countless examples of CIOs calling CISOs to say, "We have this product going live tomorrow and the firewall is breaking it. We need an exception to our security policy, or we will miss our deadlines." If these conversations are happening at your organization, the board and management should consider that institutional processes likely need review. At a minimum, an exception of this kind should have a named owner, an expiry date, and a compensating control, and the exclusions actually configured on hosts should be reconciled against the approved list on a regular cycle.)
Who in the organization is responsible for tracking new developments about the SolarWinds attack? Are they regularly re-examining the company's environment for related compromises and vulnerabilities as new information becomes available? (We do not yet know the full extent of the SolarWinds attack, including a complete list of its victims, the techniques used, or all the suppliers compromised. A new compromised supplier was publicly identified as recently as two weeks ago, almost a month after the original attack came to light. It is likely we will be learning about the depth of this attack for some time yet.)
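The first, third, and fourth questions above have a practical counterpart that a security team can run rather than discuss. The following is an added example, written for this page and not code from the article or from any product it names: it tiers suppliers by the access they actually hold and their ability to disrupt the business, then reconciles a register of approved security exceptions (here, anti-malware exclusions of the kind the SolarWinds manual asked for) against the exclusions actually configured on hosts. The supplier inventory, register entries, paths, dates, and the tier thresholds are all constructed assumptions; the exported exclusion list stands in for whatever the organization's endpoint protection console can produce.

```python
from datetime import date

# Constructed supplier inventory. The fields record what each supplier can
# reach and do, which is what the tiering uses; a questionnaire score would
# be a separate, weaker input.
SUPPLIERS = [
    {"name": "NetMonitor Inc", "data_class": "confidential", "privilege": "domain",
     "business_critical": True, "pushes_updates": True},
    {"name": "DocSign", "data_class": "confidential", "privilege": "app",
     "business_critical": False, "pushes_updates": False},
    {"name": "Whiteboard.io", "data_class": "internal", "privilege": "none",
     "business_critical": False, "pushes_updates": False},
]

# Constructed exception register: standing anti-malware exclusions that the
# "firewall is breaking it" conversations in the text tend to produce.
REGISTER = [
    {"path": r"C:\Program Files\NetMonitor\*", "supplier": "NetMonitor Inc",
     "owner": "cio", "approved_on": date(2020, 9, 1),
     "compensating_control": "EDR telemetry from these hosts reviewed daily"},
    {"path": r"C:\Program Files\DocSign\*", "supplier": "DocSign",
     "owner": "", "approved_on": date(2020, 12, 1), "compensating_control": ""},
    {"path": r"C:\Temp\old-tool\*", "supplier": "OldTool Ltd",
     "owner": "it-ops", "approved_on": date(2020, 3, 15), "compensating_control": ""},
]

# Constructed: the deduplicated exclusion paths as exported from the endpoint
# protection console or collected by an inventory script.
OBSERVED_EXCLUSIONS = [
    r"C:\Program Files\NetMonitor\*",
    r"C:\Program Files\DocSign\*",
    r"D:\Scripts\*",
]

# Assumed weights and thresholds; tune them to the organization.
DATA_WEIGHT = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
PRIV_WEIGHT = {"none": 0, "app": 1, "host": 2, "domain": 3}
MAX_EXCEPTION_DAYS = {1: 90, 2: 180, 3: 365}  # riskier tiers get a shorter review cycle


def tier(supplier):
    """Rank 1 (highest risk) to 3 from the access held and the ability to disrupt."""
    score = DATA_WEIGHT[supplier["data_class"]] + PRIV_WEIGHT[supplier["privilege"]]
    score += 2 if supplier["business_critical"] else 0
    score += 2 if supplier["pushes_updates"] else 0  # can change our systems from outside
    if score >= 6:
        return 1
    return 2 if score >= 3 else 3


def review_exceptions(suppliers, register, observed, today):
    """Reconcile the approved register against what is actually configured.
    Returns a list of findings; an empty list means nothing to escalate."""
    by_name = {s["name"]: s for s in suppliers}
    findings, approved = [], set()
    for exc in register:
        supplier = by_name.get(exc["supplier"])
        if supplier is None:
            findings.append("%s: exception for unknown supplier %s" % (exc["path"], exc["supplier"]))
            continue
        t = tier(supplier)
        age = (today - exc["approved_on"]).days
        if not exc["owner"]:
            findings.append("%s: no accountable owner" % exc["path"])
        if age > MAX_EXCEPTION_DAYS[t]:
            findings.append("%s: tier %d exception is %d days old (limit %d); re-approve or remove"
                            % (exc["path"], t, age, MAX_EXCEPTION_DAYS[t]))
        if t == 1 and not exc["compensating_control"]:
            findings.append("%s: tier 1 supplier exception lacks a compensating control" % exc["path"])
        approved.add(exc["path"])
    for path in observed:
        if path not in approved:
            findings.append("%s: exclusion configured on hosts but absent from the register" % path)
    for path in sorted(approved - set(observed)):
        findings.append("%s: approved but no longer configured; retire the exception" % path)
    return findings


def demo(today=date(2021, 1, 20)):
    """Run the review over the constructed data at a fixed date."""
    return review_exceptions(SUPPLIERS, REGISTER, OBSERVED_EXCLUSIONS, today)


if __name__ == "__main__":
    for s in SUPPLIERS:
        print("tier %d  %s" % (tier(s), s["name"]))
    for finding in demo():
        print("FINDING " + finding)
```

With the constructed data the review raises four findings: the tier 1 supplier's exclusion has outlived its 90-day limit, the DocSign exclusion has no owner, one register entry names a supplier that is no longer in the inventory, and one exclusion exists on hosts without any approval behind it. That last category is the one to watch for: it is exactly how an exception granted on the phone the night before go-live becomes permanent and invisible.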

There is, however, some better news. While the implications are still not fully known, it is believed that the SolarWinds attack was designed as an intelligence-gathering operation. As noted, the attackers appear to have had the ability to compromise thousands of organizations, but instead chose their victims carefully, and have not weaponized the attack in a destructive way thus far. While it is easy to contemplate a more sinister outcome, boards should instead focus on building resilience into their companies’ software supply chains and understanding their potential exposures.

Derek Vadala (@derekvadala) is cofounder and CEO at VisibleRisk, a joint venture between Moody’s Corp., a global integrated risk assessment firm, and Team8, a cybersecurity-focused company creation platform. Vadala leads a team that is focused on creating a standard benchmark for communicating cyber risk to boards and senior business executives in order to improve the global dialogue about this important issue.
