The SolarWinds attack exposes the vulnerability of the supply chain and the potential for a single compromise at source to cause significant issues to tens of thousands of enterprise customers. 

Detecting vulnerabilities is difficult enough, and organisations already face challenges where known vulnerabilities in software are exploited before they are able to install patches or indeed before patches are developed. The SolarWinds incident adds a further complication and will cause organisations to question whether they can blindly rely on upgrades from trusted providers (upgrades which, all things being equal, should strengthen, not weaken, their systems). Alterations made and vulnerabilities introduced at source obviously compromise the entire supply chain, even if organisations otherwise have robust security in place. 

Such systemic compromises present various legal issues. Lack of clear information about the scope of the cyber event is a good starting point. In circumstances where organisations make use of the services provided by the compromised third party, that third party will be closest to the key information, even while the organisations are feeling the effects of valued systems being offline, or left vulnerable. It will be hard for those organisations to assess their exposure, update their own customers, or otherwise manage the fallout of the incident if they are left in the dark. Equally, however, the third party requires time to investigate the issue in order to provide any appropriate updates. In the meantime, however, the organisations may be left assessing their regulatory or contractual notification obligations as well as their liability and reputational risks in something of a vacuum. 

The full extent of the SolarWinds fallout remains to be seen. The novel nature of the issue, combined with the number of impacted organisations (including Governmental bodies and a cross-section of Fortune 500 companies), will mean that supply chain risks receive new attention.