New York Warns of Supply Chain Attack Dangers in Recent SolarWinds Report

By | April 28, 2021

The next great financial crisis could come from a cyber attack.

At least, that’s according to New York State Department of Financial Services (DFS) Superintendent Linda Lacewell in a statement regarding DFS’ recent report outlining its investigation into the SolarWinds attack. The report summarizes the attack, the response by DFS-regulated companies and key measures to prevent future events of a similar nature.

“Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole,” Lacewell said.

New York State Department of Financial Services Superintendent Linda Lacewell

Supply chain attacks are dangerous because malware is embedded inside of a legitimate product, DFS said in its report. These attacks can allow a cyber criminal to access many organizations’ networks in a single stroke.

A supply chain attack on Texas-based information technology company, SolarWinds, was initially reported in December, leading to the compromise of nine federal agencies and about a hundred private sector companies.

The White House said in a statement earlier this month that Russia’s foreign intelligence service, known as the SVR, was responsible for the hack that was carried out through the breach of SolarWinds’ Orion software. Orion is a SolarWinds product that monitors and manages the performance of an organization’s network, systems and applications.

DFS initially responded to the attack by publishing a Supply Chain Compromise Alert instructing regulated companies to notify the department under its Cybersecurity Regulation if they had used infected versions of Orion.

New Year, New Threats? Cyber Pros Say Attacks Will Continue to Increase in 2021

Cyber attacks are ranked as the fastest growing crime in the US, and globally, cyber crime damages are expected to reach six trillion dollars in 2021.

Vince Morgan, a partner at law firm Bracewell who represents corporate policyholders in many coverage areas, including cyber, offers his best advice for policyholders and insurers among the increasing cyber risk landscape during this episode of the Insuring Cyber Podcast.

“Communication is so important in so many aspects of life, and this is a great example of it,” he says. “I think you’re going to have to see management doing it. You’re going to have to see business partners doing it – whether it’s insured to insurer or insured to IT vendor. It’s communicating about these things and how we can work together to solve a common problem.”

Karim Hijazi, founder and CEO of cyber intelligence company Prevailion, explains later in the episode that all of this points to the fact that no entity, even a cybersecurity company, is immune to an attack.

“There’s a general sense that a security company should be absolutely the most equipped to handle these kinds of issues, or at least preempt them – a little bit like the dentist should have the best teeth out there – which, in some part, is true,” he says. “However, this underscores the reality that no organization is effectively immune to these types of attacks, no matter who you are…”

The department found that regulated companies generally responded quickly, it said in the report. It discovered that 94% of reporting companies removed vulnerabilities from their IT systems within three days of news about the attack.

However, DFS also found that some companies were not applying patches as regularly as needed to ensure a quick response to high-risk cyber exposure. DFS urged regulated entities in its report to fully assess and address third party risk after it found that some companies using Orion were not classifying SolarWinds as a critical vendor, even though Orion had privileged access to the company’s network.

DFS is also asking regulated entities to implement multiple layers of security, address vulnerabilities through patch deployment, testing and validation and develop incident response plans to address supply chain compromise in the future.

“The SolarWinds attack confirms that cyber risks are a threat not just to consumers and individual companies, but also to the stability and soundness of our entire financial services industry,” Lacewell said. “This is an existential threat, and we urge the industry to treat it as such.”

Karim Hijazi, founder and CEO of cyber intelligence company Prevailion, spoke with Insurance Journal on The Insuring Cyber Podcast about Prevailion’s own analysis of the SolarWinds attack victims.

“A lot of these organizations that we’ve spoken with truly believed that they were secure,” he said. “They thought they had everything buttoned up. They believed they bought all the right tools and technologies to protect them.”

However, he echoed Lacewell’s thoughts that this incident underscores the reality that no organization is effectively immune to these types of attacks, whether it’s a commercial organization, a cybersecurity entity or a government system, especially as attack venues and tactics are constantly changing.

“There’s sort of a new breed [of cyber criminals] forming here that is aware of what we effectively understand to be their tactics, and they’re changing them,” he said. “And that’s what makes this so insidious. That’s what’s really concerning.”

Related:

Topics New York

About Elizabeth Blosfield

Elizabeth Blosfield is the East region editor for Insurance Journal. She can be reached at eblosfield@wellsmedia.com. More from Elizabeth Blosfield

Was this article valuable?

Here are more articles you may enjoy.