ALABNY, N.Y. (WWTI) — The New York State Department of Financial Services released a report on Tuesday regarding the investigation of the New York’s financial services industry’s response to the supply chain attack of the information technology company SolarWinds.

According to the DFS, during the “SolarWinds Attack” detailed in the report, hackers corrupted routine software updates that were downloaded onto thousands of organizations’ information systems.

“This incident confirms that the next great financial crisis could come from a cyber attack,” said Department of Financial Services Superintendent Linda A. Lacewell.  “Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole.” 

The report released on April 27 by the DFS summarizes the SolarWinds Attack, the response by the DFS-regulated companies and measure to prevent or mitigate future supply chain attacks.

The Department confirmed that DFS-regulated companies generally responded quickly; providing the following example:

94% of the reporting companies removed the vulnerabilities from their IT systems within three days of the SolarWinds Attack’s announcement.

New York State Department of Financial Services report on SolarWinds Attack

However, the DFS also found that some companies were not applying patches as regularly as needed. The Department identified the following measures to implement as “critical practices:”

  • Fully assess and address third party risk
  • Adopt a “zero trust” approach and implement multiple layers of security
  • Timely address vulnerabilities through patch deployment, testing and validation
  • Address supply chain compromise in incident response plans

A copy of the full report can be found on the DFS website.

The New York State Department of Financial Services “first-in-the-nation” Cybersecurity Regulation officially took effect March 2017.