On April 15, 2021, the New York Department of Financial Services (NYDFS) issued a report on the recent SolarWinds cyberattack. A copy of the report is available here. NYDFS called the attack a “wake-up call” to regulated financial institutions and insurers that should cause them to immediately assess and, if necessary, improve their own cybersecurity posture in order to avoid victimization in future attacks.
NYDFS characterized the SolarWinds attack as a “widespread, sophisticated espionage campaign” by Russian foreign intelligence actors that resulted in “the most visible, widespread, and intrusive information technology supply chain attack” successfully completed to date. According to the report, the attack opened back doors into thousands of organizations around the United States and involved the theft of sensitive data from over 100 private sector companies, as well as at least nine federal agencies. NYDFS noted ominously that the attack highlighted the obvious “vulnerability to supply chain attacks” within the financial services industry.
The report noted that many of the companies affected by the attack did take critical steps to quickly mitigate some of the risks, including:
- Checking system integrity and audit logs for indicators of compromise
- Disconnecting affected systems from their networks
- Applying security patches to affected systems
- Isolating affected systems by blocking access to the internet
- Isolating affected systems by blocking specific external DNS domains
- Decommissioning Orion and replacing it with another monitoring product
- Applying mitigation scripts to affected systems
Finally, the report offered a novel solution for preventing the expected flood of future supply chain cyberattacks – the implementation of a “Zero Trust” network architecture as part of a company’s updated risk assessment policies. This cybersecurity standard assumes that no implicit or internal trust is granted to assets or user accounts on a network. On a zero trust network, verification is constantly required at every point of network usage.
Both companies and the government are still analyzing the damage and long-term implications of the SolarWinds attack. While the NYDFS report does not create any new rules or regulations, it does provide guidance for regulated entities. Companies in the financial services sector would be wise to follow the recommendations in the report and implement those lessons learned. Companies are now “on notice” of the damage caused by such an attack, as well as ways to prevent it. As such, victimization by similar attacks in the future is unlikely to find a sympathetic ear with NYDFS.