Following the SolarWinds cyber espionage attack (the “Attack”) and the resulting focus on supply chain risk, the New York Department of Financial Services (NYDFS) has issued a report detailing the impact on and responses by its regulated covered entities to the Attack. Although there have been no reported instances of active exploitation of DFS-regulated companies as a result of the Attack, the networks of approximately 100 DFS-regulated companies were compromised as a result of the Attack.
When the Attack was announced in December 2020, the NYDFS alerted its regulated entities and made clear its expectation that any impacted regulated entities should report infected instances of Orion (the impacted SolarWinds product) and provide information to the NYDFS. The NYDFS report summarizes the information gathered by the regulator in the course of its engagement with those impacted entities. Of these 100 entities, NYDFS interviewed 88 and has compiled an analysis of effective response tactics and lessons learned.
In addition to its recent enforcement actions, the NYDFS has positioned itself as an active regulator in both the cybersecurity preparedness and cyber risk…
