Search:

Recent Posts

Popular Topics

Contributors

Archives

Legal developments in data, privacy, cybersecurity, and other emerging technology issues

NYDFS Provides Best Practices for Third-Party Risk Management

In late 2020, a sophisticated adversary used the SolarWinds Orion Platform to plant covert backdoors in the networks of thousands of companies and government agencies.  The attack confirms the importance of vigorous third-party risk management.  Last month, the New York State Department of Financial Services (“NYDFS”) issued a report on the SolarWinds attack and provided the following steps that companies can take to reduce supply chain risk:  

  • Fully Assess and Address Third-Party Risk:  Vendor risk management policies and procedures should include mechanisms for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of important vendors.  Furthermore, contracts with principal vendors should include provisions requiring timely and robust notifications when a cyber incident occurs that may impact an organization’s network or any non-public information that is maintained, processed, or accessed by the vendor.
  • Adopt a “Zero Trust” Approach and Implement Multiple Layers of Security:  Organizations should anticipate and prepare for breaches in the supply chain by incorporating supply chain risk analysis into risk assessments and risk management programs. To do so effectively, organizations should adopt a “zero trust” mindset and assume that any installed software and any vendor could be compromised and used as an attack vector. Access should be limited to only what is needed, and systems should be monitored for anomalous or malicious activity.  Organizations should have layers of security and extra protection for sensitive information so that other controls can detect or prevent an intrusion if one layer is compromised.
  • Timely Address Vulnerabilities Through Patch Deployment, Testing, and Validation: Organizations should have a vulnerability management program that prioritizes the organization’s patch testing, validation processes, and deployment – including which systems to patch and in what order they should be patched. Furthermore, an organization’s patch management strategy should include performing tests of all patches to the internal system environment with defined rollback procedures if the patch creates or exposes additional vulnerabilities.
  • Address Supply Chain Compromise in Incident Response Plans:  It is important for organizations to have an effective and tested incident response plan with detailed procedures and playbooks. Incident response plans should include the following, at a minimum, to address supply chain compromises or attacks:
    • Procedures to isolate affected systems;
    • Procedures to reset account credentials for users of all affected assets and users of assets controlled by compromised software;
    • Procedures to rebuild from backups created before the compromise;
    • Procedures to archive audit and system logs for forensic purposes; and
    • Procedures to update response plans based on lessons learned.

Engaging in “table top” exercises to test an incident response plan helps increase awareness, evaluate preparedness, clarify roles, and validate an organization’s incident response plan and training. Finally, cybersecurity fundamentals, such as knowing your environment, can often mitigate damage and assist with remediation. Companies should understand what assets reside in the environment – including their versions and configurations – and enable timely notifications when changes occur. The incident response playbook should include plans to respond to unauthorized changes.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.