Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…
Department of Financial Services Issues Cybersecurity Alert to Regulated Entities Concerning Microsoft Exchange Email Servers
- Source: dfs.ny.gov
Treliant helps firms prepare for compliance with regulatory guidance and expectations. On March 9, 2021, the New York State Department of Financial Services (DFS) issued a press release regarding cybersecurity vulnerabilities in Microsoft Exchange email servers.
The press release includes an industry letter to the Chief Executive Officers, Chief Information Officers, Chief Information Security Officers, Senior Information Officers, and Data Privacy Officers of all of its regulated entities, specifically highlighting the exploitation of four vulnerabilities in Microsoft Exchange Server as reported by Microsoft.
Press Release Highlights:
- On March 2, 2021, Microsoft reported that four vulnerabilities had been discovered in Microsoft Exchange Server 2013 and later (including 2016 and 2019). The vulnerable servers are on-premises installations that host the web version of Microsoft’s Outlook email program themselves rather than through a cloud provider. Widespread exploitation of the vulnerabilities appears to be ongoing and to have begun sometime before March 2.
- Microsoft also released several security updates for vulnerabilities affecting the on-premises versions of Microsoft Exchange Server. The exploited vulnerabilities, by Common Vulnerabilities and Exposures (“CVE”) identifier, are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
- As of March 5, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” recommends immediate patching of the vulnerabilities and preservation of forensic evidence of the cyber event.
- DFS also reminded regulated entities that they must report Cybersecurity Events within 72 hours at the latest, as required by 23 NYCRR Section 500.17(a).
Chief Information Security Officers (“CISOs”) and their teams may need to be ready to demonstrate that they have addressed the vulnerabilities, and to expect a thorough review of the underlying processes by the regulators.
Our professionals include, among others, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively and how to prepare for the more in-depth regulatory examinations that are inevitably coming soon.