New York Department of Financial Services Issues Report on SolarWinds Cyberattack

Faegre Drinker Biddle & Reath LLP

On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.

NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.

The report noted that many of the companies affected by the attack did take critical steps to quickly mitigate some of the risks, including:

  • Checking system integrity and audit logs for indicators of compromise
  • Disconnecting affected systems from their networks
  • Applying security patches to affected systems
  • Isolating affected systems by blocking access to the internet
  • Isolating affected systems by blocking specific external DNS domains
  • Decommissioning Orion and replacing it with another monitoring product
  • Applying mitigation scripts to affected systems

Finally, the report offered a novel solution for preventing the expected flood of future supply chain cyberattacks: the implementation of a “Zero Trust” network architecture as part of a company’s updated risk assessment policies. This cybersecurity standard assumes that no implicit or internal trust privileges are granted to assets or user accounts on a network. On a zero trust network, verification is required constantly, for every aspect of network usage.

Both companies and the government are still analyzing the damage and long-term implications of the SolarWinds attack. While the NYDFS report does not create any new rules or regulations, it does provide guidance for regulated entities. Companies in the financial services sector would be wise to follow the recommendations in the report and implement those lessons learned. Companies are now “on notice” of the damage caused by such an attack, as well as ways to prevent it. As such, victimization by similar attacks in the future is unlikely to find a sympathetic ear with NYDFS.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
