DFS Issues Report on the Solarwinds Supply Chain Attack 

  • Source: dfs.ny.gov

Treliant Takeaway:

Treliant helps firms prepare for compliance with regulatory guidance and expectations. On April 27, 2021 – The New York State Department of Financial Services (DFS) issued a Press Release regarding their Report on the Solarwinds Supply Chain Attack (attack).

The report (a) finds that DFS-regulated companies responded quickly to the attack and (b) identifies key cybersecurity measures to reduce supply chain risk.

Chief Information Security Officers (CISOs) and their teams need to be ready to demonstrate compliance with cybersecurity regulations and be ready for a thorough look by the regulators at the underlying processes, including decisions around DFS cybersecurity compliance.

Press Release Highlights:

  • During the SolarWinds Attack, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.
  • DFS-regulated companies generally responded quickly. g. 94% of the reporting companies removed the vulnerabilities from their systems within three days of the SolarWinds Attack’s announcement.
  • DFS also found, however, that some companies were not applying patches as regularly as needed to ensure timely remediation of high-risk cyber exposure.
  • DFS identified the following cybersecurity measures as critical practices:
    • Fully assess and address third party risk.
      • include processes for due diligence and contractual protections
      • contracts with critical vendors should include provisions requiring immediate notification when a cyber event occurs that impacts or potentially impacts information systems or any NonPublic Information (“NPI”) that is maintained, processed, or accessed by the vendor.
    • Adopt a “zero trust” approach and implement multiple layers of security.
      • incorporate supply chain risk analysis into risk assessments and risk management programs
      • have layers of security and extra protection for sensitive information so that if one layer is compromised, other controls can detect or prevent an intrusion
    • Timely address vulnerabilities through patch deployment, testing, and validation.
      • patch management strategies should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities
    • Address supply chain compromise in incident response plans.
      • Include table-top exercises
      • Align the incident response plan with the business continuity plan

Firms should revisit this process periodically and strongly consider an outside review of their cybersecurity related activities.

Our professionals include but are not limited to, former CISOs and Internal Auditors. We understand how to make your cybersecurity programs work effectively to comply with DFS’ Cybersecurity regulations and to prepare for upcoming in-depth regulatory exams.

Author

Richard Hudson

Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…