New York and Illinois regulators recommend third-party cybersecurity review to detect specific vulnerabilities
May 28, 2021
Alston & Bird
This month, the Illinois Department of Insurance issued a bulletin to insurers recommending assessments in response to the Microsoft Exchange vulnerabilities the bulletin details. In the May 5 Bulletin, the Department encourages regulated entities to “assess the risk to their systems and consumers and take the necessary steps to address vulnerabilities and the impact on customers.” The Bulletin states that such an evaluation should identify “any use of these products by critical third parties.”
The Illinois Bulletin follows similar guidelines from the New York Department of Financial Services (NYDFS) on Microsoft Exchange and SolarWinds vulnerabilities:
- In an “Industry Charter” released in March, the NYDFS discussed Microsoft Exchange vulnerabilities and encouraged regulated financial companies to identify “any use of these products by critical third parties” as part of mitigation.
- In December, the NYDFS also issued guidelines encouraging regulated financial companies to assess their exposure to the SolarWinds vulnerabilities, including the assessment of “any use of these products by third parties who have access to your network or your data.” (See our previous blog on NYDFS’s response to SolarWinds.)
This guidance is an interesting example of regulators providing specific direction in response to specific cybersecurity vulnerabilities as those vulnerabilities emerge. Given the industry’s recent focus on supply chain attacks, both New York and Illinois are proactively asking regulated financial institutions to assess their third-party exposure to, and response to, these particular vulnerabilities. If sustained, this vulnerability-specific approach may serve as an extension of the process-oriented, third-party cybersecurity requirements already found in existing statutes and regulations, including the New York Financial Cybersecurity Regulation and NAIC Model Act 668, adopted in a dozen states.