This month, the Illinois Department of Insurance issued guidance to insurers recommending risk assessments in response to a Microsoft Exchange vulnerability, which the guidance describes. In the Bulletin dated May 5, the Department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The Bulletin states that such an assessment should identify “any use of these products by critical third parties.”
The Illinois Bulletin follows similar guidance from the New York Department of Financial Services (NYDFS) regarding the Microsoft Exchange and SolarWinds vulnerabilities.
This guidance is a notable example of regulators issuing specific direction in response to particular cybersecurity vulnerabilities as those vulnerabilities emerge. Given the recent industry focus on supply chain attacks, both New York and Illinois proactively suggest that regulated financial institutions assess their third parties’ exposure and response to these specific vulnerabilities. If sustained, this focused approach may constitute an expansion of the process-oriented cybersecurity requirements found in multiple third-party risk protocols and existing statutes and regulations, including New York’s financial Cybersecurity Regulation and the NAIC Model Law 668, adopted in a dozen states.