Lessons Learned From The SolarWinds Cyberattack, And The Future For The New York Department Of Financial Services’ Cybersecurity Regulation – Finance and Banking

In December 2020, a cybersecurity company alerted the world to a
major cyberattack against the US software development company,
SolarWinds, through the company’s Orion software product
(SolarWinds Attack). The SolarWinds Attack went undetected for
months, as it has been reported that the hackers accessed the
source code for Orion as early as March 2020. Orion is widely
used by companies to manage information technology resources, and
according to SolarWinds Form 8-K filed with the Securities and
Exchange Commission, SolarWinds had 33,000 customers that were
using Orion as of December 14, 2020.

It is alleged that the SolarWinds Attack was one part of a
widespread, sophisticated cyber espionage campaign by Russian
Foreign Intelligence Service actors which focused on stealing
sensitive information held by US government agencies and companies
that use Orion. The hack was
perpetuated through SolarWinds sending its customers routine system
software updates. SolarWinds
unknowingly sent out software updates to its customers that
included the hacked code that allowed the hackers to have access to
customer’s information technology and install malware that
helped them to spy on SolarWinds’ customers, including private
companies and government entities, thereby exposing up to 18,000 of
its customers to the cyberattack.

The New York Department of Financial Services (DFS) alerted
DFS-regulated entities of the SolarWinds Attack on December 18,
2020 through the “Supply Chain Compromise Alert.” The Supply Chain
Compromise Alert included guidance from the US Department of
Homeland Security’s Cybersecurity and Infrastructure Security
Agency, SolarWinds, and other sources, and reminded the regulated
entities of their obligations under the New York Cybersecurity
Regulation (Cybersecurity Regulation), adopted in 2017, which
requires DFS-regulated entities, including New York banks,
insurance companies and producers and other financial services
firms, to develop a comprehensive cybersecurity program, implement
specific cybersecurity controls, assess cybersecurity risks posed
by third-party service providers, and notify DFS of
“cybersecurity events” (which includes certain
unsuccessful cyberattacks) that carry a “reasonable
likelihood” of causing material harm to the operations of the
institution or otherwise require notice to any governmental or
supervisory entity.

DFS followed up its Supply Chain Compromise Alert with its
Report on the SolarWinds Cyber Espionage Attack and
Institutions’ Response
(SolarWinds Report), released in
April 2021. In the SolarWinds
Report, DFS analyzes the remediation of approximately 100 of its
regulated entities to the SolarWinds Attack, and DFS’s
recommendations for ways that organizations can strengthen their
cybersecurity practices to protect against future cyberattacks. In
general, DFS found that its regulated entities responded
“swiftly and appropriately” with 94% of impacted
companies removing the vulnerable systems caused by the SolarWinds
hackers from their networks (and or patching them) within three
days of being notified of the attack. However, DFS noted gaps in
cybersecurity policies of several regulated entities, including
irregularities in patching and patch management systems,
identifying third-party service providers as critical vendors, and
the need for more information sharing and transparency among the
regulated entities with respect to cybersecurity breaches.

Interestingly, DFS’s observations as detailed in the
SolarWinds Report, and specifically those related to the need for
enhanced cybersecurity preparedness by companies and their
third-party service providers and the need for more transparency
and information sharing among companies regarding actual or
perceived cyberthreats, align with the principles outlined in President Biden’s
Executive Order on Improving the Nation’s Cybersecurity
,
released on May 12, 2021, applicable to the federal government and
government contractors. This could signal a new wave of state
cybersecurity laws and regulations if not a federal regulation in
the foreseeable future.

This Advisory provides a brief overview of DFS’s findings
detailed in the SolarWinds Report, and the outlook for DFS’s
enforcement of the Cybersecurity Regulation, as well as potential
changes to those rules, based on DFS’s findings and
observations.

DFS-Regulated Entities’ Response to the SolarWinds Attack
and Weaknesses Identified in Patch Management Systems

As detailed in the SolarWinds Report, DFS found that its
supervised companies generally responded to the SolarWinds Attack
swiftly and appropriately, by clearing their systems of the
infected software within three days of notification by
disconnecting, patching, or applying a mitigation script. The
remediation steps that were taken by more than half of the
regulated companies to mitigate risks associated with the
SolarWinds Attack included, but were not limited to:

  • Evaluated system integrity and audit logs for indicators of
    compromise;

  • Disconnected affected systems from their networks; and

  • Applied security patches to affected systems.

About a quarter or less of DFS-regulated entities took the
following remediation steps:

  • Isolated affected systems by blocking access to the
    internet;

  • Isolated affected systems by blocking specific external DNS
    domains, based on guidance by Cybersecurity and Infrastructure
    Security Agency;

  • Decommissioned Orion and replaced it with another monitoring
    product; and

  • Applied mitigation scripts to affected systems, as recommended
    by SolarWinds.

While these remediation steps allowed DFS-regulated entities to
address the risks associated with the SolarWinds Attack once
identified, DFS found that several companies could have addressed
the risks posed by the SolarWinds Attack (if not preventing it
altogether) by implementing a mature patch management system.

According to DFS, several DFS-regulated companies’ patch
management programs were immature at the time of the cyberattack,
and the lack of proper “patching cadence” likely resulted in
a delay in the ability of the companies to ensure timely
remediation of high-risk cyber vulnerabilities. For example, it is
reported that the cyberhackers inserted the malware referred to as
“Sunburst” into SolarWinds’s software Orion in
February 2020, and SolarWinds unknowingly distributed updates of
the Orion software with the Sunburst malware to its customers
between March and June 2020. DFS found that some of the
companies found to be vulnerable to Sunburst malware in December
2020 had not applied patches released by SolarWinds in August and
October 2020 that would have eliminated Sunburst, and some
companies had not patched since 2018, with two companies having not
patched since 2017. Fortunately, there have been no reports that
the hackers exploited the vulnerabilities caused by the Sunburst
(or Supernova) malware; however, supervised entities
need to ensure proper patching cadence to prevent against material
harm from vulnerabilities that may result from future
cyberattacks.

DFS’s Recommendations for Regulated Entities
Going-Forward

DFS includes in its reports key observations and recommendations
for DFS-regulated entities to prevent against supply chain attacks
and reduce supply chain risks, based on industry standards on
cybersecurity measures. The key recommendations noted by DFS
include that supervised entities should:

  • Ensure that third party service provider and other vendor risk
    management policies and procedures should include processes for due
    diligence and contractual protections that will ensure the company
    can monitor the cybersecurity practices and overall cyber hygiene
    of critical vendors. These policies should include provisions
    requiring third-party service providers to immediately notify the
    regulated company when a cyber event occurs that impacts or could
    potentially impact an organization’s information systems or
    non-personal information that is maintained, processed or accessed
    by the vendor.

  • Adopt a “Zero Trust” approach and assume that any
    software installation and any third-party service provider could be
    compromised and used as an attack vector. In this regard, third
    party service providers’ access to a company’s network
    systems or Nonpublic Information (NPI) should be limited to only
    what is needed and systems should be monitored for anomalous or
    malicious activity. Regulated entities are also expected to
    implement multiple layers of security for extra protection for
    sensitive information to limit compromises.

  • Have a vulnerability management program that prioritizes patch
    testing, validation processes, and deployment, including which
    systems to patch and the order or priority of patching. In
    addition, a regulated entity’s patch management strategy should
    include performing tests of all patches to the internal system
    environment with defined rollback procedures if the patch creates
    or exposes additional vulnerabilities.

  • Have an effective and tested incident response plan with
    detailed procedures and playbooks. DFS also notes that
    cybersecurity fundamentals such as knowing your environment and
    understanding where assets reside in the environment, including
    their versions and configuration, should be incorporated into
    playbooks. To address supply chain compromises or attacks, the
    incident response plans should include, at a minimum:

    • Procedures to isolate affected systems;

    • Procedures to reset account credentials for users of all
      affected assets and users of assets controlled by compromised
      software;

    • Procedures to rebuild from backups created before the
      compromise;

    • Procedures to archive audit and system logs for forensic
      purposes; and

    • Procedures to update response plans based on lessons
      learned.

DFS recommends that regulated entities engage in “table
top” exercises to test and refine incident response plans, and
notes that incident response plans should be aligned with an
organization’s business continuity plan.

DFS also notes in the SolarWinds Report that there is a need for
more transparency and effective information sharing amongst
DFS-regulated entities regarding cybersecurity breaches, which
would have allowed organizations that detected the intrusion
earlier than December 13, 2020 to alert the others. DFS found that
some of its regulated entities publicly revealed that they blocked
an intrusion prior to the intrusion becoming widely known by
others. Based on this finding, DFS has indicated that it plans to
improve information sharing and transparency, which suggests that
future changes to the Cybersecurity Regulation may encourage
DFS-regulated entities to share information on cyberattacks.
Financial institutions are currently able to share information one
with another and report to the federal government activities that
may involve money laundering or terrorist activity (including those
that involve or tied to cyberattacks) under Section 314(b) of the
USA PATRIOT Act (Section 314(b)). DFS could adopt a voluntary
information sharing approach similar to that under Section 314(b)
of the USA PATRIOT Act for cybersecurity breaches that are not
covered by Section 314(b).

Outlook for Future Changes to the Cybersecurity Regulation and
Enforcement

DFS has been the most active state government functional
regulator focused on cybersecurity regulation, and the issuance of
the SolarWinds Report is one of the many examples of DFS continuing
its efforts.

After adopting the Cybersecurity Regulation in 2017, and releasing
several alerts informing its regulated companies of cyber threats
and providing reminders of obligations under the Cybersecurity
Regulation, in July 2020, DFS commenced its first enforcement
action under the Cybersecurity Regulation against the second
largest title insurance provider in the US In February of
this year, DFS released the US’s first Cyber Insurance Risk
Framework
and alerted DFS-regulated entities of the growing
cyber campaign to steal NPI.

With respect to management of supply chain risks, DFS-regulated
companies should expect future changes to the Cybersecurity
Regulation and related guidance that stresses the importance
of:

  • Effective third-party risk management and identifying critical
    vendors that have access to sensitive information and NPI;

  • Enhanced information sharing amongst regulated entities
    regarding cybersecurity breaches;

  • Adequate patch management systems, with validation processes,
    deployment, and priorities, as well as mandated patching and
    testing of patch management systems on a routine basis; and

  • Mandated testing of incident response plans that include
    cybersecurity fundamentals and “table top”
    exercises.

Additional Considerations for DFS-Regulated Banks

DFS may look to federal regulations and guidance for developing
additional requirements related to incident response plans.
DFS-regulated banks and other insured depository institutions are
also subject to the regulation and supervision of the federal
banking agencies, and in December 2020 the federal banking agencies
proposed a computer-security incident notification rule that would
require banking organizations to notify their primary regulators
upon the occurrence of certain computer-security incidents as soon
as possible and no later than 36 hours after the banking
organization believes in good faith that the incident occurred.
Under the
proposed rule, bank service providers also would be required to
notify the banking organizations for which they provide services of
computer-security incidents that the service provider believes in
good faith could disrupt, degrade or impair services provided for
four or more hours. The heightened focus of supervisory agencies on
real-time information sharing of cybersecurity incidents that may
be disruptive and harmful to supervised institutions and the
industry likely will require certain institutions to enhance their
monitoring, testing, and reporting controls and processes over
time. In addition, although it appears that the proposed rule would
have a collaborative purpose and is not intended to be used as a
means of identifying and scrutinizing supervised institutions
perceived to have insufficient cybersecurity risk management
controls, institutions must nonetheless be prepared to manage any
supervisory or examination scrutiny that may arise from the
satisfaction of their current and future obligations to share
information with their regulators and other institutions regarding
known or suspected cybersecurity incidents (if, for example, a
cybersecurity incident exposes a vulnerability or insufficient
control that results in greater supervisory or examination scrutiny
and/or enforcement action).

Conclusion

All in all, the SolarWinds Attack provided DFS with a real-time
opportunity to assess the cybersecurity preparedness of its
regulated entities, and identify areas of improvement for its
regulated entities in managing risks from third-party service
providers as well as areas of improvement for cybersecurity
regulation. The SolarWinds Report provides some insight into
DFS’s expectations of DFS-regulated entities, as well as plans
for the future of the Cybersecurity Regulation and related
guidance.

Footnotes

1 See gen., The US is readying
sanctions against Russia over the SolarWinds
cyberattack
 and SEC Form 8-K, Solarwinds
Corporation
.

2 Business Insider, December 20, 2020, Former US
cybersecurity chief Chris Krebs says officials are still tracking
‘scope’ of the SolarWinds hack.

3 SolarWinds unknowingly sent out software updates to its
customers that included the hacked code that allowed the hackers to
have access to customer’s information technology and install
malware that helped them to spy on SolarWinds’ customers,
including private companies and government entities, and thereby
exposing up to 18,000 of its customers to the
cyberattack. See, Press Release – April
27, 2021: DFS Issues Report On the SolarWinds Supply Chain Attack |
Department of Financial Services (ny.gov)
.

4 See, the Supply Chain Compromise
Alert
. DFS advised its regulated entities to respond
immediately to assess the risk to their systems and consumers, and
take steps necessary to address vulnerabilities and customer
impact. The alert included several resources for completing such
tasks.

5 In 2017, DFS adopted the Cybersecurity Regulation, 23
NYCRR Part 500, which requires all DFS-regulated financial services
entities to implement a risk-based cybersecurity program and to
report any unauthorized access (or attempts) to their information
systems. DFS was the first in the United States to adopt such a
regulation, and in 2019 DFS became the first financial regulator in
the nation to establish a division dedicated to cybersecurity. See,
Arnold & Porter Advisory, 
New York Department of Financial Services Issues Final
Cybersecurity Regulations
 (February 22,
2017).

6 See SolarWinds Report. It is estimated by
DFS that approximately nine federal agencies and approximately 100
companies were compromised.

7 DFS defined “patching cadence” in the
SolarWinds Report to refer to how often an organization reviews
systems, networks, and applications for updates that remediate
security vulnerabilities.

8 See, SolarWindsReport.

9 Id. Following the removal of the Sunburst malware, on
December 24, 2020, SolarWinds became aware of another
vulnerability, referred to as “Supernova” that was found
in the same versions of Orion that had the Sunburst malware as well
as other versions of Orion that had been distributed to customers.
SolarWinds released additional patches that addressed Supernova,
and informed its customers that the patches released on December 14
and 15 also eliminated the vulnerability in the versions of Orion
that held the Sunburst malware. SolarWinds released additional
patches to address both Sunburst and Supernova on January 25, 2021.
The Sunburst and Supernova vulnerabilities in the Orion software
allowed the hackers to gain access to the exposed institutions’
internal network and nonpublic information, however, as of the date
of the SolarWinds Report, no reports or indications that hackers
exploited the vulnerabilities resulting from the Sunburst or
Supernova in any financial services organization.

10 See, Arnold & Porter Advisory, 
New York Department of Financial Services Issues Final
Cybersecurity Regulations
 
(February 22,
2017).

11 See, Arnold & Porter blog post, 
NY Department of Financial Services Brings Its First Cybersecurity
Regulation Enforcement Action
 
(August 3, 2020). See
also, Arnold & Porter Blog post, 
NYDFS Fines Residential Mortgage Services $1.5 Million for Failures
to Comply with New York’s Cybersecurity
Regulation
 (March 16, 2021).

12 See Arnold & Porter blog post, 
NYDFS Warns of Growing Cyber Campaign to Steal NPI and Reminds
Entities of Part 500 Reporting Obligations
.

13 See,Computer-Security Incident Notification
Requirements for Banking Organizations and Their Bank Service
Providers, 86 Fed. Reg. 2,299 (Jan. 12, 2021); see also,Arnold
& Porter Advisory, 
Federal Banking Agencies Propose Cybersecurity-Incident
Notification Rule for Banks and Their Third-Party Service
Providers
 (Dec. 23, 2020).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.


Source link

Leave a Reply

%d bloggers like this: