On December 18, 2020, NYDFS issued a supply chain compromise alert arising out of the SolarWinds hack. Some hot takes on Friday’s NYDFS guidance :
– If a regulated entity has been affected by the hack either directly, or indirectly through an affiliate or third party service provider, the entity should give notice to NYDFS right away – err on the side of disclosure
– NYDFS considers notice essential to understanding the full scope of the attack
– NYDFS will use this information to formulate a supervisory response that seeks to assist affected institutions and prevent further damage – the transparency necessary for an effective government response
– This is not a “gotcha” moment, but an opportunity for NYDFS to marshal resources to assist firms in responding to the attack and coordinate a response with other government agencies (FBI; DHS; etc.)
– Coincidence? On the same day NYDFS issued this specific guidance around its established cybersecurity regulation, federal banking regulators noticed a proposed rulemaking for the first time that requires notification to an entity’s principal federal regulator of a “computer-security incident.”

The guidance may be found here: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20201218_supply_chain_compromise_alert