TOPIC: Third Party

4th party vendor-SolarWinds

Employee at a credit_union ($1.2BUSA)
Hello. I just found out one of our GLBA vendors uses SolarWinds, and they of course had a breach. I went back through and reviewed the SOC report, as it was my understanding the newer SSAE/18 was supposed to address the vendor's vendors. There is no mention of SolarWinds in the SOC. Now, it was only a SOC 1 Type 2; is that possibly why it wasn't mentioned? We use NContracts, and they monitor and send notifications when there is a major incident, but we/I have to know who the vendors are first. My gut is to strongly request a SOC 2 Type 2 from this vendor to better test their cyber security. In the meantime, I plan on asking for a copy of the test that verifies none of our members' data was compromised.