New York’s financial regulator warned that the next financial crisis could come from a cyberattack like the recent SolarWinds Inc. incident that hits many targets at once.
“The SolarWinds attack confirms that cyber risks are a threat not just to consumers and individual companies, but also to the stability and soundness of our entire financial services industry,” the New York State Department of Financial Services said in a report released Tuesday.
Most companies impacted by the attack, which came to light in December, quickly disconnected vulnerable systems from their networks or patched the systems, according to a review of almost 100 companies regulated by the department. But several companies lacked the proper “patching cadence” needed to address vulnerabilities, the review showed.
DFS found that some regulated companies using the Orion platform at the center of the attack weren’t classifying SolarWinds as a critical vendor in their risk management efforts, even though Orion had privileged access to their networks. The department is “exploring ways to further address this critical component of cybersecurity,” the report said.
The New York regulator was the first in the U.S. to set cyber rules for protecting consumer information held by banks and other financial institutions. DFS also recently urged insurers that offer cyber coverage to better manage security risks, including those stemming from systemic issues like the SolarWinds attack.
The attack, blamed on Russian hackers, affected at least nine U.S. government agencies and about 100 private-sector companies after they installed software updates containing malicious code.
In the wake of the hack, New York’s financial regulator advised adopting what’s known as a “zero trust” approach to security and addressing the potential for a supply chain compromise in incident response plans.