Joel Williquette: Responding to the SolarWinds breach


All institutions, even those with a solid cybersecurity defense, were vulnerable to 2020’s SolarWinds Orion cyberattack. Community banks should be ready for a future cyber event.

By Joel Williquette, ICBA


In December, the U.S. was shocked to learn about a cyberattack on the SolarWinds Orion Platform. The breach pushed malicious code to an estimated 18,000 customers, including federal agencies and many private companies, between March and June 2020. Since that time, ICBA has been in close contact with regulators and government partners, meeting between two and three times a week.

The SolarWinds-related breach is what’s known as a zero-day attack. It bypassed all defenses because it exploited a trusted mechanism. That means organizations were vulnerable even if they practiced immaculate cyber hygiene, with up-to-date patching and security controls in place.

The goal of the attack wasn’t to disrupt—it was to spy on the government and big technology companies. One of the goals was to gain insights into how to break into secure systems in the future.

What does the SolarWinds breach mean for community banks? Here’s a breakdown from a policy and practical standpoint.

How to prepare for another breach

Community banks need to be ready for other breaches. The best way to prepare is to revisit your incident response plan. Like drills in sports, you need to regularly practice your incident response plans so you are prepared to respond to cyber incidents immediately.

Cyberattacks and breaches are an all-hands-on-deck situation. The more knowledgeable individuals you include in the response, the more effective it will be. Here are a few commonly overlooked ways to marshal the needed resources.

  1. Contact your insurance company. One often overlooked step in community bank incident response plans is to contact your insurance company early in the process. That may seem like a task for down the line, after you have determined the scope of an incident, but it should be one of the first calls you make. Insurance companies have a lot of experience dealing with cyberattacks, will guide you through the information you need to collect during the incident and can often suggest incident response companies they’ve worked with in the past. Even if you already have an existing incident response vendor, having access to more resources can only help.
  2. Promote a self-defense strategy. Reach out to other community banks in the area and coordinate incident response, cyber breach and disaster recovery plans. Coordinating banks can help one another, providing stop-gap support as needed, in the event one of them falls victim to a disruptive cyber event.
  3. Recognize the emotional wear of a breach. No one really talks about it, but responding to a major cyber event can be emotionally exhausting for bank staff, including senior leadership. That can reduce the effectiveness of the bank’s response. If your bank has recently retired executives or board members, it can be worthwhile to include them in the response plan.
  4. Talk to your regulators and law enforcement ahead of time. If you’ve never had to notify your regulators about a cyber incident or engage law enforcement, now is the time to practice. Make sure you and your staff are comfortable having these conversations and know who to speak with.

Who is protecting banks’ data?

Community banks are among the best-protected and resilient businesses in the country. The Gramm-Leach-Bliley Act (GLBA) and other supervisory regulations require financial institutions to protect nonpublic, sensitive customer data (NPII).

The same cannot be said for retailers, technology companies, fintechs and others that process or store consumer financial data. That makes customer data stored in these other, more vulnerable locations an attractive target for hackers. Yet the work of cleaning up after that data is disclosed often falls back on financial institutions. ICBA will continue to advocate for the security of customer data. Participants in the payments system and all entities with access to customer financial information should be subject to, and maintain, well-recognized standards similar to those detailed in the GLBA.

Community banks are required to submit sensitive bank information during exams and when filing suspicious activity reports (SARs). ICBA advocates that community banks should not have liability in the event of a breached government system.

The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and Federal Reserve Board are soliciting comments on a proposed rule that would require banks to notify their federal regulators within 36 hours of any computer-security incident. While ICBA welcomes any effort by the supervisory agencies to work in partnership with community banks and provide them with resources to respond to cyber events, we are concerned about a new regulatory burden when community banks are already among the most highly regulated when it comes to information security.

In the months ahead, ICBA will remain a valuable source of information related to the SolarWinds breach and other cybersecurity issues while working to ensure breaches at other entities do not become the burden of community banks.


Do you have questions?

Regulators have asked that community banks with questions about the SolarWinds attack and government breaches reach out to their regulator directly. Regulators are available to discuss the breach’s impact and provide information on their status and security. ICBA is also ready and available to ask regulators questions on behalf of community banks.


Joel Williquette (joel.williquette@icba.org) is ICBA’s senior vice president of operational risk policy.