NYDFS Issues Supply Chain Management Guidance

The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in their software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:

  • Properly diligence third-party service providers' potential cybersecurity risks, and include in vendor contracts (particularly with critical vendors) provisions that allow the company to monitor the vendor's cybersecurity practices and cyber hygiene, and that require immediate notice of any cyber event that could impact the company.
  • Assume that any software from service providers might be compromised; accordingly, authorize only as-needed access for that software and monitor it for malicious activity.
  • Have a vulnerability management program, with patch rollback procedures, to ensure patches can be applied in a timely manner.
  • Update incident response plans to address supply chain compromises.

As we have reported recently, NYDFS is actively enforcing its cybersecurity rules, and these recommendations should be read in the context of those rules.

Putting it Into Practice: These NYDFS cybersecurity recommendations highlight for financial services companies the expectations the department has of them with regard to supply-chain risk. Companies would be well-served to review their vendor management practices against these latest recommendations.