New York and Illinois Regulators Recommend Third Party Cybersecurity Review For Specific Vulnerabilities

Alston & Bird

This month, the Illinois Department of Insurance issued guidance to insurers recommending assessments in response to a Microsoft Exchange vulnerability, detailed in the guidance. In the Bulletin dated May 5, the Department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The Bulletin states that such assessment should identify “any use of these products by critical third parties.”

The Illinois Bulletin follows similar guidance from the New York Department of Financial Services (NYDFS) regarding Microsoft Exchange and SolarWinds’ vulnerabilities:

  • In an “Industry Letter” issued in March, the NYDFS discussed Microsoft Exchange vulnerabilities and encouraged regulated financial companies to identify “any use of these products by critical third parties” as part of mitigation.
  • In December, the NYDFS also issued guidance encouraging regulated financial companies to assess their exposure to SolarWinds vulnerabilities, including assessing “any usage of these products by third parties that have access to your network or your data.” (See our previous blog on the NYDFS response to SolarWinds.)

This is an interesting example of regulators providing specific guidance in response to particular cybersecurity vulnerabilities as those vulnerabilities emerge. Given the recent industry focus on supply chain attacks, both New York and Illinois proactively suggest that regulated financial institutions assess third parties’ exposure and response to these specific vulnerabilities. If sustained, this focused approach may constitute an expansion of other process-oriented cybersecurity requirements in multiple third-party protocols and existing statutes and regulations, including New York’s financial Cybersecurity Regulation and the NAIC Model Law 668, adopted in a dozen states.
