The past 12 months have seen an increase in cyber incidents tied to the software supply chain. In late 2020, a backdoor in the SolarWinds Orion platform was discovered. Because the Orion release carrying the embedded backdoor was deployed through routine updates, threat actors were able to drop malicious code and launch attacks on government agencies and private companies.

SolarWinds was not an isolated event. Cybercriminals continued to infiltrate software and equipment providers throughout 2021, either embedding malicious code into new releases or, more simply, exploiting newly discovered vulnerabilities to infiltrate thousands of organizations' networks.

Attacks performed through suppliers are not new: the 2015 attack on Target was carried out through its HVAC provider and started to raise awareness of security weaknesses tied to an organization's suppliers. What is new with attacks on the software supply chain is that, by targeting fairly common applications, criminals are able to propagate a single attack across a broad set of organizations. The more common the software, the wider the net cast by criminals.

Small and medium-sized organizations are highly susceptible to such attacks, as they do not always have the resources to systematically upgrade deployed applications and systems and to patch vulnerabilities.

To account for exposures to the software supply chain, Cowbell added an 8th individual Cowbell Factor to its proprietary risk rating: the Supply Chain Cowbell Factor. The new factor is compiled using a process similar to that of the other Cowbell Factors:

From a variety of risk signals and sources (technographics data, external scanners, insurance applications, and exploit and vulnerability databases), Cowbell relies on a series of algorithms to normalize and standardize the raw information and to model a Supply Chain rating for each industry and account.

(Figure: Supply Chain algorithms)

The output is a benchmark of each account against its industry peers and relative to Cowbell's growing risk pool of 17 million accounts in the U.S. as of November 1st, 2021. (Note that this pool now represents more than 50% of U.S. businesses with up to $250 Million in revenue.)

The new Supply Chain Cowbell Factor feeds directly into Cowbell's AI-assisted risk selection and underwriting, providing much-needed visibility into the level of exposure of individual accounts to emerging software supply chain threats.

It also adds to Cowbell's ability to respond rapidly to newly discovered software vulnerabilities: risk selection can be adjusted on the spot, while policyholders who might be impacted are immediately notified and given guidelines to remediate the risk (most often an upgrade to a newer version of the affected software).

Our initial analysis of the Supply Chain Cowbell Factor reveals the segments most at risk by industry, revenue, geography and technology stack. We invite readers to be on the lookout for our next blog, which will detail the findings of that analysis.