A Note from Network Services: A Follow Up on the Recent Orion SolarWinds Vulnerability

Many of our clients continue to be pressured by state and federal regulators regarding the Orion SolarWinds breach and have asked CU*Answers for additional clarification regarding our process since the announcement of the attack. As you may recall, CU*Answers announced on December 16 that we do not use Orion SolarWinds and are not directly affected by this breach.

The background on the breach is that the SolarWinds attack has likely been ongoing since March of 2020. SolarWinds is a company supplying a product called Orion, which is a network monitoring service, to thousands of companies as well as many agencies of the federal government. At this point it is deemed a supply chain problem, and it will take months if not years to determine the full impact. For a more detailed understanding of the breach, please see the following from Homeland Security: https://www.dhs.gov/news/2020/12/17/joint-statement-fbi-cisa-and-odni

CU*Answers has a process for vendor risk management and evaluation.

  1. AuditLink reviews our most recent vendor risk assessment and determines which vendors should be contacted. These are primarily Tier 1 and Tier 2 vendors having access to member information.
  2. AuditLink and Network Services reach out to specific vendor representatives and ask for an attestation that they have reviewed their own systems and vendors to determine whether Orion is used anywhere in their networks.
  3. AuditLink and Network Services keep Executive Management informed of any updates requiring engagement of our Incident Response Protocol.
  4. AuditLink updates our vendor management portal as needed.
  5. Internal Audit works with AuditLink and Network Services to document our efforts and inform the Board of Directors of any identified risks and actions.

As the breach continues to unfold, AuditLink asks our credit unions to update us with any relevant communications they may receive from their vendors or supply chains. As mentioned in our communication of December 16, should CU*Answers learn a third-party vendor is affected, CU*Answers will respond in accordance with its contractual obligations to clients, any applicable laws, and its own internal Information Security Program.

If you would like to discuss your approach to managing or monitoring this breach with your critical vendors, do not hesitate to reach out to AuditLink.