April 27, 2021
DFS ISSUES REPORT ON THE SOLARWINDS SUPPLY CHAIN ATTACK
Report Finds that DFS-regulated Companies Responded Quickly to the Attack
Report Identifies Key Cybersecurity Measures to Reduce Supply Chain Risk
The New York State Department of Financial Services (“the Department” or “DFS”) today released a report on the Department’s investigation of the New York’s financial services industry’s response to the supply chain attack of the information technology (“IT”) company SolarWinds (“the SolarWinds Attack”). During the SolarWinds Attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.
“This incident confirms that the next great financial crisis could come from a cyber attack,” said Superintendent of Financial Services Linda A. Lacewell. “Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole.”
The report summarizes the SolarWinds Attack, the response by DFS-regulated companies, and key measures to prevent or mitigate against future supply chain attacks.
The Department found that DFS-regulated companies generally responded quickly. For example, 94% of the reporting companies removed the vulnerabilities from their IT systems within three days of the SolarWinds Attack’s announcement. However, the Department also found that some companies were not applying patches as regularly as needed to ensure timely remediation of high-risk cyber exposure.
In the report, DFS identifies the following cybersecurity measures as critical practices:
- Fully assess and address third party risk.
- Adopt a “zero trust” approach and implement multiple layers of security.
- Timely address vulnerabilities through patch deployment, testing, and validation.
- Address supply chain compromise in incident response plans.
The report furthers DFS’s commitment to improving cybersecurity and sharing information to protect consumers and the industry. DFS has also issued multiple alerts regarding ongoing cyber threats, including the SolarWinds Attack, weaknesses in Microsoft Exchange Server, and an ongoing cyber fraud campaign identified by the Department.
DFS’s first-in-the-nation Cybersecurity Regulation took effect in March 2017. DFS’s Cybersecurity Regulation has served as a model for other regulators, including the U.S. Federal Trade Commission, multiple states, the National Association of Insurance Commissioners, and the Conference of State Bank Supervisors. In 2019, DFS was also the first financial services regulator to create a Cybersecurity Division to oversee all aspects of its Cybersecurity Regulation across New York’s financial services industry.
A copy of the report can be found on the DFS website.