NY | It was publicly reported on December 13, 2020 that the Information Technology (IT) products and services company SolarWinds was hacked, and the Orion IT monitoring and management product was corrupted with sophisticated malware. This malware was then spread through software updates to their customers around the globe, including financial services institutions. Several regulated entities were infected with this malware.
You should notify the Department if your institution was directly impacted by the affected SolarWinds Orion products or if your institution has been notified of an impact by any affiliate who has access to your network or your nonpublic information. The Department’s cybersecurity regulation requires notice of any Cybersecurity Event that has “a reasonable likelihood of materially harming any material part of the normal operation(s).” 23 NYCRR 500.17(a)(2). Given the sophistication and persistence of the malware and the adversary, the Department is asking any affected institution to file a notice immediately.
For more information, including instructions on how to file a supply chain compromise notice, click here.