The Wolters Kluwer Outage: A Cybersecurity and Service Retrospective

May 15, 2019

As an information security professional, a whole constellation of things keeps me up at night. Phishing. DDoS attacks. Malware. Malicious code. The list is endless.

That's why recent attacks at Wolters Kluwer, one of the world's largest providers of accounting and compliance software and services—boasting 100% of the top 100 U.S. accounting firms and 90% of the world's top banks as customers—struck so close to home.

Wolters Kluwer Outage: A timeline of what happened

My knowledge of this particular event is informed by what was shared by journalists, bloggers, and public commentary and communications from Wolters Kluwer.

Based on that information, here is a quick timeline of the situation and when incidents occurred:

  • Security blogger Brian Krebs reached out to Wolters Kluwer's security team on Friday, May 3, pointing out a flaw where the company's software was "open and writable by any anonymous user," and vulnerable. A contact at the company said she would "check with the team" and return with an answer.
  • According to CNBC, an attack on the firm started on Monday, May 6, around 8:00 a.m. ET. Via Twitter, Wolters Kluwer claimed to be "undergoing unscheduled maintenance" shortly thereafter.
  • The company then took many of their systems, including communications, offline to prevent the problem (later confirmed to be malware) from spreading further. This made it nearly impossible for customers to reach the company for information about the incident.
  • With little understanding of the situation and minimal information provided by the company, many customers took to social media to air their grievances, as an Accounting Today article pointed out.
  • On Tuesday, May 7, the company confirmed they "have discovered the installation of malware" via Facebook and "immediately took offline a number of applications...out of an abundance of caution."
  • At 1:45 p.m. ET on Wednesday, May 8, the company announced that CCH Axcess, the company's tax preparation, compliance, and workflow management tool, was back online. The company admitted facets of the tool, including e-filing capability, were not yet operational. Some users complained that the tool was not operational at all.
  • On the afternoon of Thursday, May 9, the company stated they were "working around the clock to restore service," and some services were already up and running. "We have seen no evidence that customer data and systems were compromised or that there was a breach of confidentiality of that data...at this time, we have notified law enforcement and our investigation is ongoing," the company wrote.
  • Users reported on social media that the tools were functional by the morning of Friday, May 10, but the full impact of the incident is yet to be seen.
  • On Sunday, May 12, the Internal Revenue Service approved a seven-day extension for 990, 1120, and 1065 filings affected by the software outage.

The impact for financial and compliance professionals

Talk about cybersecurity is not "technobabble" only to be understood and acknowledged by your IT department. (Read that last sentence again.) It is imperative that everyone in the organization have a working knowledge of IT risk and what cybersecurity incidents look like. "If you see something, say something" does not just apply on the streets of a large city or in the TSA line.

For those in the position to purchase, install, and use software closely related to managing your company's critical information, managing IT risk is a requirement. A discipline of rigorously vetting software vendors is a necessity. Before you sign up with a vendor for accounting, finance, risk, compliance, or other critical business use, fully understand two things: what the company's security safeguards are and how a company responds to customers in the event that things do go wrong.

What to look for in a provider's cybersecurity measures

There are many areas to look at in assessing a vendor's cybersecurity strengths. Below are the top five that I have my team focus on:

  • Built in the cloud. Tools can be reconfigured to work on the cloud but are inherently more vulnerable to attacks than those built in the cloud from the ground up. It's like a house: the nicest roof in the world won't do you much good in a rainstorm if your foundation is cracking. The security flaw initially discovered by Brian Krebs cannot happen in a native cloud environment, as these file directories simply do not exist this way.
  • Independent services. At their essence, the assets composing Workiva solutions—automated emails, connected spreadsheets and docs, and other tools and features—are functionally independent microservices. This greatly minimizes the risk of a total shutdown when services experience issues or hardware inevitably needs replacing. The old cloud computing analogy of "cattle, not pets" rings true here.
  • Segregation of duties. Similarly, on our team, we minimize risk by not giving absolute access to major components of Workiva solutions to just one person. This isolates the risk of downtime in the event of an attack and ensures a group consensus on major decisions. The military uses the same tactic.
  • A culture of security. If anyone, anywhere in the organization, raises a red flag about a cybersecurity concern, it gets addressed immediately. Our cybersecurity team has a voice directly to our CEO, who takes concerns seriously. The culture of Workiva is based on an innate caring and understanding of our customers’ needs—including the need to keep their data safe and accessible.
  • Documentation on request. Want to see our SOC 2 report? Does "SSO with SAML and two-factor authentication" or "SCIM provisioning" mean anything to you? Take a deeper look at the specifics of our cybersecurity measures.

What to look for in a provider's customer service

As Bloomberg presented it, the situation with Wolters Kluwer "presented a case study in how not to communicate with customers over a hack." So, inversely, this presents an example of what companies should look for from a customer service standpoint. Here's what Workiva focuses on as a cloud platform vendor:

  • Customer validation. Our customers love us, but don't take our word for it. Numerous reviews of Workiva on Gartner Peer Insights or G2 Crowd all mention customer service. "Customer service is clearly their top priority," says one reviewer.
  • Support hardwired into contracts. Service Level Agreements (SLAs) in our contracts define the level of service customers should expect from us. One of those is the response time of our support line—expect a response to your question within two hours, no matter the time of day.
  • A dedicated customer success manager. Many Workiva customers opt to get access to an assigned customer success manager or professional services manager. It's like an added member of your team, and you will always know who will pick up the phone.
  • Communication plans. Whatever happens, no matter the kind of service disruption, you deserve quick, transparent communication about what is going on. We conduct a root cause analysis for problems and then share that information with our service teams on the front lines, so they can inform you with the most up-to-date information.
  • Multiple communication options. There should be a number of ways to reach out to customer service. Here at Workiva, if you have a burning question, you can call our customer support number (1-800-706-6526), night or day. Or, you can reach out to your individual customer success manager or account owner. Want to look up the answer yourself? Check out our Success Center.
  • Transparent culture. We always want to share the most timely, important information with customers. That is something instilled from executive leadership on down. It might be why our list of awards is growing larger each year.

In closing

No company is completely immune to cybersecurity incidents, and any company that claims to be is wrong. Understand the preparedness of your vendors and look for maturity certifications such as SOC 2 or FedRAMP.

Going beyond traditional IT risk assessment, you will also want to understand the processes and services that your vendors will deliver in the event of an incident. As highlighted by the Wolters Kluwer incident, there are clear, binary, right-and-wrong ways of preparing for and responding to a security or malware attack. Be mindful not only of the functionality of the tools your provider has, but also of what goes on behind the scenes. Your data, your department's work, and your reputation very well could depend on it.

Download your copy of our Vendor Cybersecurity Checklist to see the full list of what to ask a potential or current software provider—and what your next steps should be in reaction to the Wolters Kluwer outage.

About the author

Jason Wille is Vice President of Information Technology at Workiva. He brings more than 20 years of technical and leadership experience to the role. In his role, he is in charge of information security, IT audit and compliance, IT operations, and all business support systems for Workiva.