NYDFS recommends critical new practices to reduce supply chain risk in wake of SolarWinds attack | Hogan Lovells

The report highlighted the unique risks posed by supply chain cyberattacks, and software supply chain attacks in particular: because the malware can be embedded in a product signed by the vendor itself, it is much harder to detect or prevent. In addition, DFS found that, despite the fact that SolarWinds had privileged access to their networks, some entities had not classified it as a critical vendor. This may be due in part to how organizations weight certain factors when calculating a vendor’s “risk rating,” such as the number of records containing personal information that the vendor holds, rather than the level of access the vendor has. As the SolarWinds attack demonstrated, organizations are well advised to review their approach to third-party vendor cyber risk rankings and the corresponding risk management. DFS indicated that the investigation it conducted in response to the SolarWinds attack was part of an “ongoing effort to improve information sharing and transparency,” both of which it found were lacking in some organizations’ response to the attack.

Finally, while acknowledging that no “silver bullet” exists that would prevent all supply chain attacks, the report makes clear that DFS expects regulated entities…