Following the SolarWinds cyber espionage attack (the “Attack”) and the resulting focus on supply chain risk, the New York Department of Financial Services (NYDFS) has issued a report detailing the Attack's impact on its regulated covered entities and their responses to it. Although there have been no reported instances of active exploitation of DFS-regulated companies as a result of the Attack, the networks of approximately 100 such companies were compromised.
When the Attack was announced in December 2020, the NYDFS alerted its regulated entities and made clear its expectation that any impacted regulated entities should report infected instances of Orion (the impacted SolarWinds product) and provide information to the NYDFS. The NYDFS report summarizes the information gathered by the regulator in the course of its engagement with those impacted entities. Of these 100 entities, NYDFS interviewed 88 and has compiled an analysis of effective response tactics and lessons learned.
In addition to its recent enforcement actions, the NYDFS has positioned itself as an active regulator in both the cybersecurity preparedness and cyber risk management arenas. Over the past several months it has issued alerts and guidance covering SolarWinds, Microsoft Exchange Server vulnerabilities, an ongoing cyber fraud campaign, and a risk framework for cybersecurity insurance underwriting. The NYDFS’ handling of these market-wide incidents is an instructive guidepost for its expectations as regulated entities detect and respond to cybersecurity threats. It also shows the regulator's willingness to use its existing but relatively untested cybersecurity requirements to obtain additional information sharing from its regulated entities outside of the examination or enforcement contexts. In its initial SolarWinds alert, DFS characterized the reporting requirement as stemming from regulated entities’ obligation to report any cybersecurity event that has “a reasonable likelihood of materially harming any material part of the normal operation(s),” per 23 NYCRR 500.17(a)(2). To the NYDFS’ credit, it is now sharing the results of those efforts to assist regulated entities in gauging reasonable security and response timeframes, which may in turn inform industry standards going forward.
The report notes that responding entities relied on a variety of public and private sector sources for threat intelligence regarding the attack, including SolarWinds, FireEye, CISA, and DFS. The report also states that overall, the entities responded “swiftly and appropriately” to the attacks and pointed to the fact that 94% of these entities removed the vulnerability within 3 days of discovery by disconnecting vulnerable systems and/or patching them. A significant number of entities disconnected vulnerable systems within 24 hours of discovery. Despite the rapid response, the report notes that some of the entities had failed to apply SolarWinds patches that had been previously released. Had the entities applied these particular patches in a timely fashion, they would have avoided the Sunburst or Supernova vulnerability.
The NYDFS report contains a list of cybersecurity program enhancements that covered entities should implement to reduce supply chain risk.
- Third-party risk management. In addition to contractual provisions and due diligence, material agreements with critical vendors should include requirements for immediate notification to at least two individuals in different roles at the entity in the event of a potential cyber event.
- Manage and monitor supply chain risk. Adopt a “zero trust” mindset for supply chain risk and incorporate this into risk assessments and risk management programs.
- Incident response plans. In addition to engaging in tabletop exercises and ensuring alignment with business continuity plans, incident response plans should include procedures to address supply chain compromises. At a minimum, these procedures should address: (i) isolation of affected systems; (ii) resetting account credentials for users of affected assets or users of assets controlled by compromised software; (iii) rebuilding backups; (iv) archiving logs for forensic purposes; and (v) updating response plans based on lessons learned.
- Vulnerability management. Notwithstanding the fact that the SolarWinds attack used the patching process as an initial threat vector, entities should ensure their vulnerability management programs include timely patch management and testing.
This specific guidance on reasonable security protocols may be useful both in relation to the specific SolarWinds vulnerabilities and in preparation for the next potential third-party, supply chain cybersecurity event.