Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

New York Department of Financial Services Issues Report on SolarWinds Cyberattack

On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.

NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.

The report noted that many of the companies affected by the attack did take critical steps to quickly mitigate some of the risks, including:

  • Checking system integrity and audit logs for indicators of compromise
  • Disconnecting affected systems from their networks
  • Applying security patches to affected systems
  • Isolating affected systems by blocking access to the internet
  • Isolating affected systems by blocking specific external DNS domains
  • Decommissioning Orion and replacing it with another monitoring product
  • Applying mitigation scripts to affected systems

Finally, the report offered a novel solution to preventing the expected flood of future supply chain cyberattacks – the implementation of a “Zero Trust” network architecture as part of a company’s updated risk assessment policies. This cybersecurity standard assumes that no implicit or internal trust privileges are granted to assets or user accounts on a network. On a zero trust network, verification is required continuously, for every aspect of network usage.

Both companies and the government are still analyzing the damage and long-term implications of the SolarWinds attack. While the NYDFS report does not create any new rules or regulations, it does provide guidance for regulated entities. Companies in the financial services sector would be wise to follow the recommendations in the report and implement those lessons learned. Companies are now “on notice” of the damage caused by such an attack, as well as ways to prevent it. As such, victimization by similar attacks in the future is unlikely to find a sympathetic ear with NYDFS.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

May 3, 2021
Written by: Jason G. Weiss and Peter Baldwin
Category: Cybersecurity
Tags: cyberattack, NYDFS, zero trust network

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.
