Clifford Chance

Focus is on supply chain risk as DFS urges companies to adopt "zero trust" approach and timely address vulnerabilities.

The SolarWinds hack "should serve as a wake-up call" to the financial industry's vulnerability to third-party supply chain attacks, the New York Department of Financial Services ("DFS") warned in its recently-released report of its investigation into the hack. The report provides useful guidance to regulated companies, highlighting that supply chain attacks can be particularly pernicious because the hack of one supplier can create vulnerabilities for hundreds or thousands of downstream companies who use that supplier's product.

Third-party service provider risk is already a focus of DFS's Cybersecurity Regulation, 23 NYCRR § 500, which defines "Third-Party Service Provider" as a vendor who provides services to a regulated entity and maintains, processes or otherwise is permitted “access to Nonpublic Information through its provision of services.” 23 NYCRR § 500.01(n). Under the Regulation, regulated entities must "implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third party service providers." 23 NYCRR § 500.11(a). Moreover, based on the risk profile of the regulated entity, these policies and procedures should generally provide for a risk assessment, due diligence, and contractual protections relating to third-party service providers. In line with these provisions, regulated entities should be managing supply chain risk as part of their operations.

When the SolarWinds hack was made public in December 2020, DFS instructed the companies it regulates to notify the Department if they used infected versions of the SolarWinds software. In response, nearly 100 DFS-regulated companies contacted the Department and provided information about their response to the hack. DFS analyzed the responses of these companies and presented its findings in this report.

Overall, DFS found that:

• DFS-regulated companies responded quickly and removed the vulnerabilities from their networks in a matter of days.
• Of the 88 regulated companies that contacted DFS, none reported that the hackers behind the SolarWinds attack had actively exploited their networks.

Informed by its assessment of the firms impacted by the SolarWinds hack, DFS identified four critical practices for managing cybersecurity risk in third-party vendors:

Fully Assess and Address Third Party Risk

When onboarding new suppliers and third-party vendors, companies' policies should incorporate processes for due diligence. Additionally, contracts with third-parties should contain provisions that (1) allow the companies to monitor the cybersecurity practices of critical vendors and (2) require prompt notification if the third-party suffers a cyber incident that may impact the companies' information systems.

Adopt a “Zero Trust” Approach and Implement Multiple Layers of Security

Companies should incorporate third-party risks into their annual risk assessments required by DFS' Cybersecurity Regulation. See 23 NYCRR § 500.09. To do this effectively, DFS recommends that companies assume that any software installation and any third-party service provider could be compromised and used as an attack vector. To mitigate this risk, third-party access to sensitive data should be limited to only what is necessary, and systems should be monitored for malicious activity.

Timely Address Vulnerabilities Through Patch Deployment, Testing, and Validation

When third-party service providers release software patches, companies should include a patch testing, validation, and deployment process as part of their larger cyber-vulnerability management program. The patch deployment process should allow for the possibility that the patch will need to be rolled back in the event it creates or exposes additional vulnerabilities.

Address Supply Chain Compromise in Incident Response Plans

DFS reinforced that having an effective and tested cyber-incident response plan is an essential component of compliance with its Cybersecurity Regulation. These plans should account for the possibility of a supply chain attack and should at minimum contain the following provisions:

• Procedures to isolate affected systems;
• Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
• Procedures to rebuild from backups created before the compromise;
• Procedures to archive audit and system logs for forensic purposes; and
• Procedures to update response plans based on lessons learned.

DFS additionally advised that companies conduct tabletop exercises of responses to mock cyber incidents to increase awareness, establish roles, and evaluate preparedness for responding to future incidents.