Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring creativity and discipline to finding solutions for even the most complex challenges his clients face.In April 2021, the New York State Department of Financial Services (“NYDFS”) released a report on its assessment of the SolarWinds cyber espionage attack, its impact on NYDFS-regulated entities and recommendations for reducing supply chain risk. While the primary audience for the report is NYDFS-regulated entities, there are a variety of lessons learned and recommended best practices that are applicable to any organization looking to strengthen third-party risk management.
The report begins with a background on the attack and the department’s assessment of how regulated entities responded. But at the heart of the report are four “key cybersecurity measures” the department recommends to reduce supply chain risk. While the recommendations don’t rise to the level of new regulatory requirements, many believe that NYDFS expects its regulated entities to adopt these measures as part of their third-party risk management program.
Here is a summary of each of the four measures.
1. Companies Must Fully Assess and Monitor Third Party Risk
While NYDFS-regulated entities are already required under the department’s Cybersecurity Regulation to conduct due diligence into the cybersecurity practices of third parties, the report emphasizes that “vendor risk management policies and procedures should include processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors.” The focus on ‘monitoring’ is important as it recognizes that point-in-time assessments are not enough, and that higher risk vendors require continuous monitoring.
Furthermore, there is an expectation that contracts with critical vendors include provisions requiring the vendor to provide immediate notification – preferably to at least two persons in different roles within the organization – when a cyber event occurs that impacts or potentially impacts an organization’s Information Systems or any nonpublic information (“NPI”) that is maintained, processed, or accessed by the vendor.
2. Companies Must Adopt a “Zero Trust” Approach and Implement Multiple Layers of Security
Incorporating guidance from the National Security Agency, the report states that NYDFS-regulated entities should use a “zero trust mindset” when assessing supply chain cybersecurity risks. To do this most effectively, organizations should assume that (1) any software installation and (2) any Third-Party Service Provider could be compromised and used as an attack vector.
NYDFS recommends that “access should be limited to only what is needed” and systems should be monitored “for anomalous or malicious activity.” Organizations should have layers of security and extra protection for sensitive information so that if one layer is compromised, other controls can detect or prevent an intrusion.
3. Companies Must Address Vulnerabilities in a Timely Manner Through Patch Deployment, Testing, and Validation
The report emphasized that regulated entities’ vulnerability management programs should include an effective patch management strategy. This requires having a vulnerability management program that prioritizes patch testing, validation processes, and deployment – including which systems to patch and in what order they should be patched. Furthermore, the strategy should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities.
4. Companies Must Incorporate Supply Chain Risks in Incident Response Plans
Lastly, NYDFS recommends that incident response plans be detailed with procedures and playbooks – and be tested on a regular basis – to be considered effective. The department also identified the following procedures that, while not addressed directly in the Cybersecurity Regulation, should be included:
- Procedures to isolate affected systems;
- Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
- Procedures to rebuild from backups created before the compromise;
- Procedures to archive audit and system logs for forensic purposes; and
- Procedures to update response plans based on lessons learned.
NYDFS also recommended table top exercises to increase awareness and evaluate preparedness as well as ensuring that an organization’s incident response plan is aligned with its overall business continuity plan.
Final Thoughts
Regulated entities should examine this guidance closely to not only understand NYDFS’s expectations, but also identify improvements that may be necessary to their own third-party risk management policies and procedures.
More broadly, though, all organizations can learn from these findings (as well as the National Institute of Standards and Technology’s (NIST) draft Cyber Supply Chain Risk Management Practices for Systems and Organizations) and should consider them as part of their own third-party risk management program.
