The Illinois Department of Insurance (the “Department”) has recently issued guidelines to all regulated entities on vulnerabilities in Microsoft Exchange Server installations. Issued in light of other warnings and directives from state and federal agencies, the guidance describes relevant details of the vulnerabilities and what successful exploitation of them could mean, i.e., “persistent access and control of the system of a business network”. Recognizing that servers may be compromised even after the March and April patches have been applied, the Department urges regulated entities to:
- Immediately assess the risk to their systems and their consumers and take steps to address them;
- Identify internal use of vulnerable Microsoft Exchange products and any use of such products by critical third parties;
- Immediately patch or disconnect vulnerable servers and use the tools provided by Microsoft to identify and resolve them; and
- Keep track of developments and respond quickly to new information.
While failure to follow the Department’s guidelines may not result in enforcement action at this time, it could support claims in a civil or criminal action given the overwhelming amount of public notice.
It is also significant that the guidance is one more example of a government agency seeking to monitor and advise on cybersecurity events. This further demonstrates greater government interest and portends potential legislation in Illinois and at the federal level. Companies that already have risk assessment tools and cybersecurity policies will be in an excellent position to meet any future requirements. In addition, it should be noted that the average cost of a data breach in 2020, according to the Ponemon Institute, was $3.86 million, which in the short term can significantly affect an organization’s operations. Given the potential risks of such a serious and large event, we strongly advise companies to follow the Department’s guidelines.