Over the past year, cyber incidents have made headlines and, in turn, caused sleepless nights for boards of directors, senior executives and their legal advisors. With hospitals, food producers, pipelines and businesses in every industry disrupted by ransomware attacks, the Biden administration has said addressing cyber incidents is “essential to national and economic security.” (“Enhancing the Nation’s Cybersecurity” Executive Order, EO 14028 (May 21, 2021).) Regulators and other government agencies have gotten the message and are stepping up a gear with new initiatives and actions to improve cybersecurity practices, the management of which has for many years been left to the private sector.
In the face of these impending harms and rising expectations, software supply chain risks have burst into the mainstream, largely due to a series of high-profile incidents over the past year. (The most notable of these incidents involved network monitoring software produced by SolarWinds and an open-source logging utility known as “Log4j” that is integrated into a range of applicable services.) As a result, cyber-regulators have taken note and advised businesses to take action on this risk, which is often managed by IT professionals without significant input or involvement from legal counsel or senior management.