Alston & Bird Privacy, Cyber & Data Strategy Blog

New York and Illinois Regulators Recommend Third Party Cybersecurity Review For Specific Vulnerabilities

May 21, 2021 By James Harvey and Privacy, Cyber & Data Strategy Team

This month, the Illinois Department of Insurance issued guidance to insurers recommending assessments in response to a Microsoft Exchange vulnerability, detailed in the guidance.  In the Bulletin dated May 5, the Department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The Bulletin states that such assessment should identify “any use of these products by critical third parties.”

The Illinois Bulletin follows similar guidance from the New York Department of Financial Services (NYDFS) regarding Microsoft Exchange and SolarWinds’ vulnerabilities:

  • In an “Industry Letter” issued in March, the NYDFS discussed Microsoft Exchange vulnerabilities and encouraged regulated financial companies to identify “any use of these products by critical third parties” as part of mitigation.
  • In December, the NYDFS also issued guidance encouraging regulated financial companies to assess their exposure to SolarWinds vulnerabilities, including assessing “any usage of these products by third parties that have access to your network or your data.” (See our previous blog on the NYDFS response to SolarWinds.)

This guidance is an interesting example of regulators providing specific guidance in response to particular cybersecurity vulnerabilities as those vulnerabilities emerge.  Given the recent industry focus on supply chain attacks, both New York and Illinois proactively suggest that regulated financial institutions assess third parties’ exposure and response to these specific vulnerabilities. If sustained, this focused approach may constitute an expansion of other process-oriented cybersecurity requirements in multiple third party protocols and existing statutes and regulations, including New York’s financial Cybersecurity Regulation and the NAIC Model Law 668, adopted in a dozen states.

Filed Under: Cyber Risk, Cybercrime, Cybersecurity, Data Breach, Data Protection, Data Security, Digital Crimes, Enforcement, Financial Privacy, Insurance Data Security, NYDFS, Regulation, Security Breach, Supply Chain

About James Harvey

Jim Harvey advises clients on a wide range of data, privacy, cybersecurity, and technology services initiatives. Jim founded and co-chairs our Privacy, Cyber & Data Strategy team. His practice crosses all data, privacy, and security lines and ranges from all aspects of breach and incident response to board-level advice to proactive data transfer and data governance counseling.


This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.

