On April 27, 2021, the New York State Department of Financial Services (“DFS” or the “Department”) released a report regarding its investigation into the response by DFS covered entities to the SolarWinds supply chain attack. Following the attack, DFS sought input from covered entities that had used the compromised version of the SolarWinds Orion software, directing them to notify the Department immediately if they were affected by the SolarWinds attack. In its report, DFS concluded that covered entities generally responded quickly, but it characterized the patch management protocols of several regulated organizations as immature, especially with respect to timely remediation of high-risk vulnerabilities. The report also identified four “key cybersecurity measures” to reduce supply chain risk. These measures effectively establish the Department’s expectations that DFS-regulated entities adopt these “rigorous third party risk management” protocols and procedures.
The report highlighted the unique risks posed by supply chain cyberattacks – and software supply chain attacks specifically – given that malware can be embedded in a product signed by the vendor, making it much harder to detect or prevent. In addition, DFS found that, despite the fact that SolarWinds had privileged access to their networks, some entities had not classified it as a critical vendor. This may be due in part to how organizations focus on certain factors when calculating a vendor’s “risk rating,” such as the number of records containing personal information that a vendor holds. As the SolarWinds attack demonstrated, organizations are well advised to review their approach to third-party vendor cyber risk rankings and corresponding risk management. DFS indicated that the investigation it conducted in response to the SolarWinds attack was part of an “ongoing effort to improve information sharing and transparency,” which it found was lacking in some organizations’ response to the attack.
Finally, while acknowledging that no “silver bullet” exists that would prevent all supply chain attacks, the report makes clear that DFS expects regulated entities to adopt a more rigorous approach to third party risk management. Notably, the content and tone of the DFS report suggests that the Department expects regulated entities to follow the report’s guidance. Indeed, calling the SolarWinds attack “a wake up call” that presents an “existential threat” to the financial sector, the report warns that “the next great financial crisis could come from a cyber attack.” It also indicates that the Department “is exploring ways” to further assess the risk of inadequate third party risk management. Accordingly, DFS-regulated entities are well advised to consider reviewing their cybersecurity plans, protocols, and procedures in light of the guidance outlined in the report.
DFS in its report highlights the following four measures for organizations to adopt or evaluate.
1. Comprehensive assessment of, and contractual protections with, third party service providers
While DFS-regulated entities are already required under DFS’s Cybersecurity Regulation1 (“Cybersecurity Regulation”) to conduct due diligence into the cybersecurity practices of Third Party Service Providers2, the report emphasizes DFS’ expectation that such protocols enable these organizations to monitor those practices and assess the “overall cyber hygiene” of their critical vendors. The report also states that DFS-regulated entities should attempt to secure contractual provisions with critical vendors that allow for the monitoring of these practices. Finally, the report indicates that contracts with critical vendors should require notification “immediately” upon the occurrence of a cyber event that impacts – or potentially impacts – the organization’s non-public information or information systems3.
2. Treat all third party service providers as potential attack vectors.
Incorporating guidance from the National Security Agency, the DFS report states that DFS-regulated entities should use a “zero trust mindset” when incorporating supply chain risks into their risk assessments and risk management programs. To do so, DFS states that organizations should assume that software installations and third party service providers are already compromised, implement layered access controls over sensitive information, and restrict access to information “to only what is needed.” Such a zero-trust model has started to get attention from other government bodies and regulators, including a recent NIST effort to further define what constitutes a zero-trust approach to security. Despite the growing interest, guidance on the use of zero-trust models remains advisory and corporate adoption appears limited as organizations continue to evaluate whether that approach is appropriate for their cybersecurity programs.
3. Prioritize patch deployment, testing, and validation
Third, the report emphasized that DFS-regulated entities’ vulnerability management programs should include an effective patch management strategy. According to DFS, these programs should not only identify which systems to patch and the order in which they should be patched, but should also include a means to test patches and roll them back if they create additional vulnerabilities. This guidance is particularly noteworthy given that DFS found that several DFS-regulated entities lacked the proper “patching cadence” to ensure that high-risk cyber vulnerabilities were remediated in a timely manner. At the same time, DFS noted that some covered entities were not vulnerable to the SolarWinds attack because they had failed to apply patches for years—including the patches that introduced the vulnerability.
4. Incorporate supply chain risks into incident response plans
DFS identified the following procedures, which are not addressed directly in the Cybersecurity Regulation, that the Department believes should be included in incident response plans:
- Procedures to document the versions and configurations of assets in the organization’s environment and to respond to unauthorized changes;
- Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
- Procedures to rebuild from backups created before the compromise; and
- Procedures to archive audit and system logs for forensic purposes.
DFS also recommended table top exercises to increase awareness and evaluate preparedness as well as ensuring that an organization’s incident response plan is aligned with its overall business continuity plan.
1 23 NYCRR Part 500
2 Under the Cybersecurity Regulation, a Third Party Service Provider is a “Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.”
3 The Cybersecurity Regulation defines “information systems” broadly to cover any “discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information.” The definition also covers certain specialized systems such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems. See 23 NYCRR 500.01(e).
DFS-regulated entities would be prudent to examine this guidance closely as well as the learnings from the Department’s enforcement actions, which appear to be increasing in frequency. For example, organizations are well advised to appropriately classify the severity of identified supply chain risks and may wish to consider documenting the measures to address them with a corresponding timeline for implementation. Organizations also may wish to consider other resources, such as the National Institute of Standards and Technology’s (NIST) draft Cyber Supply Chain Risk Management Practices for Systems and Organizations, when undertaking efforts to enhance their supply chain resiliency.
To read our previously-published analysis of DFS’s first enforcement action against First American Title Insurance Company, click here.