Remember the cyber attack on the US information technology major SolarWinds? In early 2020, hackers broke into the company’s systems and inserted malicious code into its software. The attack spread to the company’s clients and went undetected for months, allowing the hackers to spy on organizations including elite cybersecurity firms and important US government departments.
In a lengthy lawsuit after the attack came to light, the company was held responsible for poor security practices that allowed hackers to break into the systems of clients using its software, “Orion”. SolarWinds had 33,000 Orion customers at the time, of which up to 18,000 installed updates containing the malicious code, leaving them vulnerable.
According to the lawsuit, the simple phrase “solarwinds123” was used as the password for an update server, which made things easy for the hackers. At the US congressional hearing held in March 2021, SolarWinds CEO Sudhakar Ramakrishna blamed the weak password on an intern. Regulators and lawyers were quick to point out that the company remains liable under the doctrine of vicarious liability.
What is vicarious liability?
Vicarious liability is when you or your business are held responsible for the actions of another person or party. Most commonly, this is the legal framework at play when you are sued over mistakes made by your contractors, employees, or agents.
It arises in situations where one party is supposed to be responsible for, and have control over, a third party and is negligent in carrying out that responsibility and exercising that control.
For instance, if your business handles customer data and a contractor who handles that data or accesses your infrastructure suffers a data breach, your business will face regulatory action. You can also be sued by your customers, partners, or any third party directly or indirectly affected by that incident.
The liability is explicit in cases involving insiders. “An employer is vicariously liable for the negligent acts of his employee which cause injuries to a third party, provided that such acts were committed during the course of and within the scope of the employment,” according to US legal provisions.
How to limit your vicarious liability
Put simply, to limit or avert vicarious liability arising out of a cyber incident, you should be able to prove beyond doubt that you took the best precautions possible in that situation. While seeking expert help from a cybersecurity and reputation management company is always advisable, managers can focus on these simple steps to get their defense posture right:
1. Filter web content: A firewall that restricts access to certain web pages from office machines and networks goes a long way toward countering malware infections.
2. Get insurance: Cyber liability insurance helps organizations meet the financial consequences of an incident. Seek expert help to assess the extrinsic value of the data you handle and choose an appropriate coverage plan.
3. Scan, spot, patch, update: Ensure timely updating of software and hardware. Weed out shadow IT and legacy technology. Conducting vulnerability assessments from time to time keeps your cyber defenses current and helps the board assess the effectiveness of security training.
4. Get the intelligence right: An entire board cannot be made cyber-aware, but executive decision makers can counter this to a great extent by obtaining timely cyber alerts from a trusted source. Timely intelligence backed by deep analysis helps in setting up incident response plans.
5. Have actionable incident response plans: There is no way to predict third-party cyber incidents, but that does not absolve you of liability arising from them. Cyber intelligence helps you anticipate possible situations and set up a strong incident response plan. A well-paced, actionable plan establishes lines of accountability, maintains open lines of communication with the parties involved and, above all, gives you legal protection.
6. Train them right: Employees are low-hanging fruit for phishing attackers. Train them on the precautions needed to avoid a costly mistake for the company. Frequent phishing tests help keep employees on their toes.
Taking the proper steps to protect your business largely rests on your ability to collect, analyze, and act on intelligence data while also implementing precautionary measures. To learn more about how ZeroFox can help, download A Buyer’s Guide for Threat Intelligence.