A Cybersecurity Storm and Winds of Change: NY DFS requires all New York financial institutions to report effects of SolarWinds hack

Eversheds Sutherland (US) LLP

The massive SolarWinds security breach, which affected not only the private sector, but federal, state and local governments, has caused some to question whether to share data with the government. On Friday, December 18, the New York Department of Financial Services (NY DFS) made it very clear that regulated entities—including banks, insurance companies, and financial advisors—will have no choice but to share information related to this historic hack, even when the normal reporting standard under the NY DFS Cybersecurity Regulation has not been met.

Under this alert, NY DFS regulated entities must immediately report whether they have been affected in any way by the SolarWinds hack, reportedly the work of advanced state-sponsored actors, most likely Russian. This reporting requirement goes beyond the requirements of the NY DFS landmark Cybersecurity Requirements for Financial Services Companies,1 which generally requires entities to report attacks that may cause material harm to a material part of their normal operations.

This expanded reporting requirement demonstrates NY DFS’s serious concern that the SolarWinds hack is “active and ongoing,” and will pose significant systemic risks to the financial system beyond what is currently known, because this adversary has also “compromised organizations that were not using SolarWinds Orion.” 

More generally, the alert evidences the importance of a public-private partnership, starting with enhanced information sharing in the face of these advanced threats. As companies across all industries deal with this latest breach, it is also worthwhile to recall the liability protections for information sharing that the Federal Government provided in 2015.

Background

SolarWinds is a software company that provides a ubiquitous tool used to help its customers manage and monitor their networks. As widely reported in the press, advanced state-sponsored hackers broke into SolarWinds and implanted malicious software into an otherwise legitimate update to SolarWinds’ software. When SolarWinds’ customers (including many large corporations and government agencies) updated their software between March and June of this year, a backdoor was installed on their servers allowing the hackers ready entry into their systems and the ability to deliver a malicious payload of their choosing. A report from Microsoft estimated that more than 17,000 of its customers may have installed the malicious upgrade.2 Government agencies, businesses, and pretty much everyone else working in cybersecurity have been consumed with responding to and investigating the full extent and impact of this hack ever since it recently came to light in December.

NY DFS, seeking to do its part, has now issued an alert requiring that any entity regulated by NY DFS immediately file a report if the entity has been “directly impacted by the affected SolarWinds Orion products,” or if the entity has been notified of an impact by an affiliate “who has access to [its] network or [its] nonpublic information.” NY DFS is asking regulated entities to provide information on the specific versions of affected products used, whether other SolarWinds products are used, how the entity has responded to the breach, and the identity of any affiliates or third parties to the regulated entity that have also been affected. NY DFS wants all regulated entities to immediately assess the risk to their systems and consumers, and take all steps necessary to address vulnerabilities and customer impacts. Part of that assessment should involve identifying any internal usage of the affected products and any usage of these products by third parties that have access to the regulated entity’s network or data.

Significance

In requiring a regulated entity to report any direct impact, NY DFS is broadening the current requirement for mandatory notification when an event may cause “material harm to a material part of the normal operations” of the regulated entity. Given the “sophistication and persistence of the malware, and the adversary” involved in the SolarWinds hack, NY DFS is asking “any affected institution to file a notice immediately.”

NY DFS’s drive to gather more information about the scope of impact on financial institutions of the SolarWinds hack is likely motivated by its long-running concern regarding the potential systemic cybersecurity risks to the American financial system—a concern which motivated its strict vendor cyber due diligence requirements. As painfully illustrated by the SolarWinds hack, dependence on a widely-used vendor or service provider can concentrate cybersecurity risk in the broader financial system, and beyond.

In addition, given the sophistication and identity of the attackers, NY DFS is urging regulated entities to be alert for new developments in this extraordinary compromise and to respond quickly to new information. NY DFS is ensuring that it has as much information as possible to defend against an attack whose true objectives and implications are as yet far from certain—with more bad news expected to come. 

Conclusion 

NY DFS understands that cybersecurity and operational resilience are not necessarily solo pursuits. Certain attacks, including the SolarWinds hack, are so pervasive and pernicious that they require regulated entities and regulators to circle the wagons and share more information.  

We should also expect that this experience will generate lessons learned that will filter quickly into the rulemaking, examination, and enforcement priorities of NY DFS and other regulators in 2021.

In addition, it is worth recalling the value of private-to-private information sharing, whether directly between companies or via an Information Sharing and Analysis Center (ISAC), like the Financial Services ISAC. Acknowledging the importance of a public-private partnership to battle cybersecurity threats, the US Government passed the Cybersecurity Act of 2015 (otherwise known as the Cybersecurity Information Sharing Act or CISA),3 which expressly provided for liability protection—including protection from antitrust laws—for the sharing of cyber threat indicators (e.g. malware) or defensive measures between or among companies. It also facilitated the sharing of information between companies and the Federal Government through the so-called civilian portal of the Department of Homeland Security.

As Friday’s NY DFS alert has made clear: the time to circle the wagons is now, and it starts with information sharing. 

---------------------------------------------------------------------

1 23 NYCRR § 500 et seq.
2 https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/.
3 6 USC § 1501 et seq.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
