The next great financial crisis could come from a cyber attack.
At least, that’s according to New York State Department of Financial Services (DFS) Superintendent Linda Lacewell in a statement regarding DFS’ recent report outlining its investigation into the SolarWinds attack. The report summarizes the attack, the response by DFS-regulated companies and key measures to prevent future events of a similar nature.
“Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole,” Lacewell said.
Supply chain attacks are dangerous because malware is embedded inside of a legitimate product, DFS said in its report. These attacks can allow a cyber criminal to access many organizations’ networks in a single stroke.
A supply chain attack on Texas-based information technology company SolarWinds was initially reported in December and led to the compromise of nine federal agencies and about a hundred private sector companies.
The White House said in a statement earlier this month that Russia’s foreign intelligence service, known as the SVR, was responsible for the hack that was carried out through the breach of SolarWinds’ Orion software. Orion is a SolarWinds product that monitors and manages the performance of an organization’s network, systems and applications.
DFS initially responded to the attack by publishing a Supply Chain Compromise Alert instructing regulated companies to notify the department under its Cybersecurity Regulation if they had used infected versions of Orion.
The department found that regulated companies generally responded quickly, it said in the report. It discovered that 94% of reporting companies removed vulnerabilities from their IT systems within three days of news about the attack.
However, DFS also found that some companies were not applying patches as regularly as needed to ensure a quick response to high-risk cyber exposure. DFS urged regulated entities in its report to fully assess and address third-party risk after it found that some companies using Orion were not classifying SolarWinds as a critical vendor, even though Orion had privileged access to their networks.
DFS is also asking regulated entities to implement multiple layers of security; address vulnerabilities through patch deployment, testing and validation; and develop incident response plans to address supply chain compromise in the future.
“The SolarWinds attack confirms that cyber risks are a threat not just to consumers and individual companies, but also to the stability and soundness of our entire financial services industry,” Lacewell said. “This is an existential threat, and we urge the industry to treat it as such.”
Karim Hijazi, founder and CEO of cyber intelligence company Prevailion, spoke with Insurance Journal on The Insuring Cyber Podcast about Prevailion’s own analysis of the SolarWinds attack victims.
“A lot of these organizations that we’ve spoken with truly believed that they were secure,” he said. “They thought they had everything buttoned up. They believed they bought all the right tools and technologies to protect them.”
However, he echoed Lacewell’s thoughts that this incident underscores the reality that no organization is effectively immune to these types of attacks, whether it’s a commercial organization, a cybersecurity entity or a government system, especially as attack venues and tactics are constantly changing.
“There’s sort of a new breed [of cyber criminals] forming here that is aware of what we effectively understand to be their tactics, and they’re changing them,” he said. “And that’s what makes this so insidious. That’s what’s really concerning.”