On April 27, 2021, NYDFS issued a report on the SolarWinds attack and regulated entities’ response to it. Based on its interactions with 100 regulated entities, it found that:
• Some NYDFS licensees actually detected the attack before it became public but did not share what they had found
• No licensee reported that hackers actively exploited the network, consistent with other reporting that financial services companies were not actively targeted
• Licensees responded to the SolarWinds attack swiftly; 94% of impacted companies removed the introduced vulnerability from their networks within 3 days by disconnecting and/or patching
• Some licensees’ patch management programs are immature and lack proper “patching cadence” needed to ensure timely remediation of high-risk cyber vulnerabilities
• Some licensed entities using SolarWinds’ Orion product did not classify SolarWinds as a critical vendor, even though Orion had privileged access to the company’s network
• ENFORCEMENT TAKEAWAY: “This attack confirms the importance of vigorous third party risk management, which starts with a thorough assessment of an organization’s third party risk... [Cyber risk] is an existential threat and we urge the industry to treat it as such.”
The report may be found here: https://www.dfs.ny.gov/system/files/documents/2021/04/solarwinds_report_2021.pdf