This month, the Illinois Department of Insurance issued a Bulletin to insurers recommending that they assess their exposure to the Microsoft Exchange vulnerabilities described in the guidance. In the Bulletin, dated May 5, the Department encourages regulated entities to “assess the risk to their systems and consumers and take steps necessary to address vulnerabilities and customer impact.” The Bulletin states that such an assessment should identify “any use of these products by critical third parties.”
The Illinois Bulletin follows similar guidance from the New York Department of Financial Services (NYDFS) regarding the Microsoft Exchange and SolarWinds vulnerabilities:
- In an “Industry Letter” issued in March, the NYDFS discussed Microsoft Exchange vulnerabilities and encouraged regulated financial companies to identify “any use of these products by critical third parties” as part of mitigation.
- In December, the NYDFS also issued guidance encouraging regulated financial companies to assess their exposure to SolarWinds vulnerabilities, including assessing “any usage of these products by third parties that have access to your network or your data.” (See our previous blog on the NYDFS response to SolarWinds.)
This guidance is a notable example of regulators responding to particular cybersecurity vulnerabilities with specific direction as those vulnerabilities emerge. Given the recent industry focus on supply chain attacks, both New York and Illinois proactively ask regulated financial institutions to assess not only their own exposure but also their third parties’ exposure and response to these specific vulnerabilities. If sustained, this vulnerability-specific approach may amount to an expansion of the process-oriented cybersecurity and third-party risk requirements in existing statutes and regulations, including New York’s financial Cybersecurity Regulation and the NAIC Model Law 668, adopted in a dozen states.