Lessons Learned From The SolarWinds Cyberattack, And The Future For The New York Department Of Financial Services' Cybersecurity Regulation
In December 2020, a cybersecurity company alerted the world to a major cyberattack against the American software development company SolarWinds, carried out via the company’s Orion software product (the SolarWinds attack). The SolarWinds attack went unnoticed for months, as hackers were reported to have accessed Orion’s source code as early as March 2020. 1 Orion is widely used by businesses to manage information technology resources, and according to SolarWinds’ Form 8-K filed with the Securities and Exchange Commission, SolarWinds had 33,000 customers using Orion as of December 14, 2020.
The SolarWinds attack is alleged to have been part of a sophisticated and widespread cyber-espionage campaign by Russian foreign intelligence service actors that focused on stealing sensitive information held by U.S. government agencies and companies that use Orion. 2 The hack was perpetrated through SolarWinds sending routine system software updates to its customers. 3 SolarWinds unknowingly shipped software updates to its customers that included malicious code, which allowed hackers to access customers’ information technology and install malware that helped them spy on SolarWinds customers, including private businesses and government entities, thus exposing up to 18,000 of its customers to cyberattack.
The New York Department of Financial Services (DFS) alerted DFS-regulated entities to the SolarWinds attack on December 18, 2020 via its “Supply Chain Compromise Alert”. 4 The Supply Chain Compromise Alert included guidance from the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency, SolarWinds, and other sources, and reminded regulated entities of their obligations under the New York Cybersecurity Regulation (the Cybersecurity Regulation), adopted in 2017, which requires DFS-regulated entities, including New York banks, insurance companies and producers, and other financial services companies, to develop a comprehensive cybersecurity program, implement specific cybersecurity controls, assess cybersecurity risks posed by third-party service providers, and notify DFS of “cybersecurity events” (which include certain unsuccessful cyberattacks) that have a “reasonable probability” of causing material harm to the operations of the institution or that require notification to any governmental or supervisory entity. 5
DFS followed up its Supply Chain Compromise Alert with its Report on the SolarWinds Cyber Espionage Attack and Institutions’ Response (the SolarWinds Report), published in April 2021. 6 In the SolarWinds Report, DFS discusses the remediation efforts of approximately 100 of its regulated entities in response to the SolarWinds attack and DFS’s recommendations on ways organizations can strengthen their cybersecurity practices to protect against future cyberattacks. Overall, DFS found that its regulated entities responded “promptly and appropriately”, with 94% of affected businesses removing the systems made vulnerable by the SolarWinds hackers from their networks (or patching them) within three days of notification of the attack. However, DFS noted gaps in the cybersecurity policies of several regulated entities, including shortcomings in patching and patch management systems, the identification of third-party service providers as critical providers, and the need for greater information sharing and transparency among regulated entities with respect to cybersecurity breaches.
Interestingly, the DFS observations detailed in the SolarWinds Report, specifically those related to the need for better cybersecurity preparedness by companies and their third-party service providers and the need for greater transparency and information sharing between companies regarding real or perceived cyber threats, align with the principles outlined in President Biden’s Executive Order on Improving the Nation’s Cybersecurity, published May 12, 2021, which applies to the federal government and government contractors. This could signal a new wave of state cybersecurity laws and regulations, if not federal regulation, in the foreseeable future.
This advisory provides a brief overview of the DFS findings detailed in the SolarWinds Report and the outlook for compliance with DFS’s Cybersecurity Regulation, as well as potential changes to those rules based on DFS’s findings and observations.
Response of DFS-Regulated Entities to the SolarWinds Attack and Identified Weaknesses in Patch Management Systems
As detailed in the SolarWinds Report, DFS found that its supervised companies generally responded to the SolarWinds attack quickly and appropriately, cleaning their systems of the infected software within three days of notification by taking the affected systems offline, patching them, or applying a mitigation script. Remedial steps taken by more than half of the regulated companies to mitigate the risks associated with the SolarWinds attack included, but were not limited to:
- assessing system integrity and audit trails for indicators of compromise;
- disconnecting affected systems from their networks; and
- applying security patches to affected systems.
About a quarter or fewer of DFS-regulated entities took the following remedial steps:
- isolating affected systems by blocking internet access;
- isolating affected systems by blocking specific external DNS domains, based on Cybersecurity and Infrastructure Security Agency guidance;
- decommissioning Orion and replacing it with another monitoring product; and
- applying mitigation scripts to affected systems, as recommended by SolarWinds.
While these remediation steps allowed DFS-regulated entities to address the risks associated with the SolarWinds attack once it was identified, DFS found that several companies could have addressed the risks posed by the SolarWinds attack (if not prevented them entirely) by implementing a patch management system.
According to DFS, the patch management programs of several DFS-regulated companies were not mature at the time of the cyberattack, and the lack of an adequate “patch cadence” 7 likely caused a lag in the companies’ ability to ensure timely remediation of high-risk cyber vulnerabilities. For example, it is reported that hackers inserted malware named “Sunburst” into SolarWinds’ Orion software in February 2020, and SolarWinds unknowingly distributed Orion software updates containing the Sunburst malware to its customers between March and June 2020. 8 DFS found that some of the companies found to be vulnerable to the Sunburst malware in December 2020 had not applied patches released by SolarWinds in August and October 2020 that would have removed Sunburst; some companies had not applied patches since 2018, and two companies had not applied patches since 2017. Fortunately, there have been no reports of hackers exploiting vulnerabilities caused by the Sunburst (or Supernova) malware; 9 however, supervised entities must ensure an adequate patch cadence to avoid material harm from vulnerabilities that may result from future cyberattacks.
DFS Recommendations for Regulated Entities Going Forward
DFS reports key observations and recommendations for DFS-regulated entities to prevent supply chain attacks and reduce supply chain risks, based on industry standards for cybersecurity measures. Key recommendations outlined by DFS include that supervised entities should:
- ensure that their third-party service provider and vendor risk management policies and procedures include due diligence processes and contractual protections that allow the company to monitor the cybersecurity practices and overall cyber hygiene of critical vendors. These policies should include provisions requiring third-party service providers to promptly notify the regulated company when a cyber event occurs that affects or could potentially affect the organization’s information systems or the non-public information that the provider maintains, processes or accesses.
- take a “zero trust” approach and assume that any third-party software installation or service provider could be compromised and used as an attack vector. In this regard, third-party service providers’ access to a company’s network systems or non-public information (NPI) should be limited to only what is needed, and systems should be monitored for anomalous or malicious activity. Regulated entities are also expected to implement multiple layers of security for additional protection of sensitive information in order to limit the impact of a compromise.
- have a vulnerability management program that prioritizes patch testing, validation and deployment processes, including which systems are to be patched and the order or priority of patches. In addition, a regulated entity’s patch management strategy should include testing of all patches in the internal system environment, with defined rollback procedures in case a patch creates or exposes additional vulnerabilities.
- have an effective and tested incident response plan with detailed procedures and playbooks. DFS also notes that cybersecurity fundamentals, such as knowing your environment and understanding where assets reside in the environment, including their versions and configuration, should be built into playbooks. To address supply chain compromises or attacks, incident response plans should include, at a minimum:
- procedures for isolating affected systems;
- procedures for resetting account credentials for users of all affected assets and of assets controlled by compromised software;
- procedures for rebuilding from backups created before the compromise;
- procedures for archiving logs for audit and system forensic purposes; and
- procedures for updating response plans based on lessons learned.
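The patch-cadence finding above (patches from August and October left unapplied, some systems not patched since 2017 or 2018) and the vulnerability management recommendation (prioritized testing, validation and deployment, with the order of patches defined) both come down to a question an entity can answer routinely from its own asset inventory: which systems are missing patches, for how long, and which should be fixed first. The following Python script is an added example written for this advisory; it is not code from DFS, SolarWinds or the report. The product name “ExampleMonitor”, the asset inventory, the patch list and the per-severity cadence allowances in CADENCE_DAYS are all constructed assumptions, not values taken from the SolarWinds Report.

```python
"""Patch-cadence compliance check over a constructed asset inventory.

Assumed policy: every missing patch must be applied within a number of
days set by its severity (CADENCE_DAYS). An asset is overdue when any
missing patch has been available longer than its allowance; overdue
assets that hold NPI or face the internet are ranked first.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Maximum days a patch may stay unapplied, by severity (assumed policy values,
# not figures from the DFS report)
CADENCE_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    installed_version: str
    last_patched: date
    holds_npi: bool          # stores or processes non-public information
    internet_exposed: bool   # reachable from outside the network


@dataclass(frozen=True)
class Patch:
    product: str
    version: str
    released: date
    severity: str


def version_key(version: str) -> tuple:
    """Numeric comparison so that 2.10.0 sorts after 2.9.3."""
    return tuple(int(part) for part in version.split("."))


def missing_patches(asset: Asset, patches: List[Patch]) -> List[Patch]:
    """Patches for this product newer than what is installed, oldest first."""
    return sorted(
        (p for p in patches
         if p.product == asset.product
         and version_key(p.version) > version_key(asset.installed_version)),
        key=lambda p: p.released,
    )


def assess_asset(asset: Asset, patches: List[Patch], today: date) -> Optional[dict]:
    """Return a finding for an unpatched asset, or None if it is current."""
    missing = missing_patches(asset, patches)
    if not missing:
        return None
    worst = max(missing, key=lambda p: SEVERITY_RANK[p.severity])
    # Overdue if any missing patch has outlived the allowance for its severity
    overdue = any((today - p.released).days > CADENCE_DAYS[p.severity] for p in missing)
    # Priority: severity first, then overdue status, then exposure and data held
    score = SEVERITY_RANK[worst.severity] * 10
    score += 5 if overdue else 0
    score += 3 if asset.internet_exposed else 0
    score += 2 if asset.holds_npi else 0
    return {
        "asset": asset.name,
        "missing_versions": [p.version for p in missing],
        "worst_severity": worst.severity,
        "days_outstanding": (today - missing[0].released).days,
        "days_since_last_patch": (today - asset.last_patched).days,
        "overdue": overdue,
        "priority": score,
    }


def assess_fleet(assets: List[Asset], patches: List[Patch], today: date) -> List[dict]:
    """Findings for every non-current asset, highest priority first."""
    findings = [f for f in (assess_asset(a, patches, today) for a in assets) if f]
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


# Constructed sample data for a hypothetical product "ExampleMonitor" (not Orion)
PATCHES = [
    Patch("ExampleMonitor", "2.1.0", date(2020, 8, 10), "critical"),
    Patch("ExampleMonitor", "2.2.0", date(2020, 10, 5), "high"),
    Patch("ExampleMonitor", "2.3.0", date(2020, 12, 14), "critical"),
]
ASSETS = [
    Asset("core-monitor-01", "ExampleMonitor", "2.2.0", date(2020, 10, 12), True, False),
    Asset("branch-monitor-07", "ExampleMonitor", "2.0.0", date(2018, 6, 1), True, True),
    Asset("lab-monitor-03", "ExampleMonitor", "2.1.0", date(2020, 8, 20), False, False),
    Asset("ticketing-01", "OtherApp", "5.4.1", date(2020, 11, 30), True, False),
]
TODAY = date(2020, 12, 15)

if __name__ == "__main__":
    for finding in assess_fleet(ASSETS, PATCHES, TODAY):
        print(finding)
```

Run against the sample inventory as of the constructed date, the internet-facing branch system that has not been patched since 2018 ranks first, the lab system missing a high-severity patch for over two months ranks second, and the core system missing only a day-old critical patch is reported but not yet overdue. The same ranking feeds the “order or priority of patches” the recommendation asks for, and the days-since-last-patch figure is the raw measure of patch cadence that the report defines.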
DFS recommends that regulated entities conduct “tabletop” exercises to test and refine incident response plans, noting that incident response plans should be aligned with an organization’s business continuity plan.
DFS also notes in the SolarWinds Report that there is a need for greater transparency and effective information sharing between DFS-regulated entities regarding cybersecurity breaches, which would have allowed organizations that detected the intrusion before December 13, 2020 to alert others. DFS found that some of its regulated entities publicly disclosed that they had blocked an intrusion before the intrusion was widely known to others. Based on this finding, DFS has indicated that it plans to improve information sharing and transparency, suggesting that future changes to the Cybersecurity Regulation may encourage DFS-regulated entities to share information about cyberattacks. Currently, financial institutions may share information with each other and report to the federal government activities that may involve money laundering or terrorist activity (including those involving or linked to cyberattacks) under Section 314(b) of the USA PATRIOT Act (Section 314(b)). DFS could adopt a voluntary information-sharing approach similar to Section 314(b) for cybersecurity breaches not covered by Section 314(b).
Outlook for Future Changes in the Cybersecurity Regulation and Its Enforcement
DFS has been the most active state functional regulator focused on cybersecurity regulation, and the issuance of the SolarWinds Report is one of many examples of how DFS continues its efforts.
After adopting the Cybersecurity Regulation in 2017 10 and publishing several alerts informing its regulated companies of cyber threats and reminding them of their obligations under the Cybersecurity Regulation, in July 2020 DFS initiated its first enforcement action under the Cybersecurity Regulation, against the second largest title insurance provider in the United States. 11 In February of this year, DFS released the first U.S. Cyber Insurance Risk Framework and alerted DFS-regulated entities to a growing cyber campaign to steal NPI. 12
With regard to managing supply chain risks, DFS-regulated businesses should expect future changes to the Cybersecurity Regulation and related guidance that emphasize the importance of:
- effective third-party risk management and identification of critical vendors that have access to sensitive information and NPI;
- improved information sharing between regulated entities regarding cybersecurity breaches;
- adequate patch management systems, with validation, deployment and prioritization processes, as well as mandatory patching and routine testing of the patch management system; and
- mandatory testing of incident response plans that incorporate cybersecurity fundamentals and “tabletop” exercises.
Additional Considerations for DFS-Regulated Banks
DFS may look to federal regulations and guidance to develop additional requirements related to incident response plans. DFS-regulated banks and other insured depository institutions are also subject to regulation and supervision by the federal banking agencies, and in December 2020 the federal banking agencies proposed a computer security incident notification rule that would require banking organizations to notify their primary regulators of the occurrence of certain computer security incidents as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred. 13 Under the proposed rule, bank service providers would also be required to notify the banking organizations they serve of computer security incidents that the service provider believes in good faith could disrupt, degrade, or impair the services provided for four hours or more. The supervisory agencies’ increased focus on near-real-time sharing of information about cybersecurity incidents that can be disruptive and damaging to supervised institutions and the industry will likely require certain institutions to improve their controls and processes for monitoring, testing, and reporting over time. In addition, while it appears that the proposed rule would have a collaborative purpose and is not intended to be used as a means of identifying and vetting supervised institutions that are perceived to have insufficient cybersecurity risk management controls, institutions should be prepared to manage any oversight or examination scrutiny that may arise from fulfilling their current and future obligations to share information with their regulators and other institutions regarding known or suspected cybersecurity incidents (if, for example, a cybersecurity incident exposes a vulnerability or an insufficient control, resulting in increased oversight or examination scrutiny and/or enforcement action).
Overall, the SolarWinds attack provided DFS with a real-time opportunity to assess the cybersecurity readiness of its regulated entities and to identify areas where its regulated entities can improve their management of third-party service provider risk, as well as areas for improvement in the Cybersecurity Regulation itself. The SolarWinds Report provides insight into DFS’s expectations of DFS-regulated entities, as well as its plans for the future of the Cybersecurity Regulation and related guidance.
1 See generally, The United States Is Preparing Sanctions Against Russia for the SolarWinds Cyber Attack, and SEC Form 8-K, SolarWinds Corporation.
2 Business Insider, December 20, 2020, Former U.S. Cybersecurity Official Chris Krebs Says Officials Are Still Tracking the ‘Scope’ of the SolarWinds Attack.
3 See Press Release – April 27, 2021: DFS Issues Report on SolarWinds Supply Chain Attack | Department of Financial Services (ny.gov).
4 See the Supply Chain Compromise Alert. DFS advised its regulated entities to respond immediately to assess the risk to their systems and consumers, and to take the necessary steps to address vulnerabilities and customer impact. The alert included various resources for completing those tasks.
5 In 2017, DFS adopted the Cybersecurity Regulation, 23 NYCRR Part 500, which requires all DFS-regulated financial services entities to implement a risk-based cybersecurity program and to report any unauthorized access (or attempted access) to their information systems. DFS was the first regulator in the United States to adopt such a regulation, and in 2019 DFS became the first financial regulator in the nation to establish a dedicated cybersecurity division. See Arnold & Porter Advisory, New York Department of Financial Services Issues Final Rules on Cybersecurity (February 22, 2017).
6 See SolarWinds Report. DFS estimates that approximately nine federal agencies and approximately 100 companies were compromised.
7 DFS defined “patch cadence” in the SolarWinds Report to refer to how often an organization reviews systems, networks, and applications for updates that fix security vulnerabilities.
8 See SolarWinds Report.
9 Id. Following the removal of the Sunburst malware, on December 24, 2020, SolarWinds became aware of another vulnerability, dubbed “Supernova”, which was found in the same versions of Orion that contained the Sunburst malware, as well as in other versions of Orion that had been distributed to customers. SolarWinds released additional patches addressing Supernova and informed its customers that the patches released on December 14 and 15 also removed the vulnerability in the versions of Orion containing the Sunburst malware. SolarWinds released further patches addressing both Sunburst and Supernova on January 25, 2021. The Sunburst and Supernova vulnerabilities in the Orion software allowed hackers to gain access to exposed institutions’ internal networks and non-public information. As of the date of the SolarWinds Report, there were no reports or indications that hackers had exploited the vulnerabilities resulting from Sunburst or Supernova at any financial services organization.
10 See Arnold & Porter Advisory, New York Department of Financial Services Issues Final Rules on Cybersecurity (February 22, 2017).
11 See Arnold & Porter blog post, NY’s Department of Financial Services Brings Its First Cybersecurity Regulation Enforcement Action (August 3, 2020). See also Arnold & Porter blog post, NYDFS Fines Residential Mortgage Servicer $1.5 Million for Violations of New York Cybersecurity Regulation (March 16, 2021).
12 See Arnold & Porter blog post, NYDFS Warns of a Growing Cyber Campaign to Steal NPI and Reminds Entities of Part 500 Reporting Obligations.
13 See Computer Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2299 (January 12, 2021); see also Arnold & Porter Advisory, Federal Banking Agencies Propose a Cybersecurity Incident Notification Rule for Banks and Their Third-Party Service Providers (December 23, 2020).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.