NYDFS Issues Report on SolarWinds Response and Recommends Critical Cybersecurity Measures
Published on 29 Apr 2021
New York, USA (National/Federal)
by Practical Law Data Privacy Advisor
The New York State Department of Financial Services (NYDFS) has issued a report after investigating how regulated entities responded to the recent widely publicized SolarWinds, Inc. supply chain cyberattack. Among its findings, the agency noted the prompt response by financial institutions and other regulated entities and the lack of reported exploitation to date, identified key issues in patch management, and recommended four critical cybersecurity measures going forward.
On April 27, 2021, the New York State Department of Financial Services (NYDFS) published its Report on the SolarWinds Cyber Espionage Attack and Institutions' Response. The report details its investigation of NYDFS-regulated entities' mitigation efforts following the widely publicized SolarWinds, Inc. supply chain cyberattack announced in December 2020.
In its report, the NYDFS warned that the SolarWinds cyberattack should be a "wake-up call" and highlighted critical cybersecurity measures regulated entities should take to minimize the risks of future attacks, including:
  • Fully assess and address third party risk.
  • Adopt a "zero trust" approach and implement multiple layers of security.
  • Address vulnerabilities in a timely manner through patch deployment, testing, and validation.
  • Address supply chain compromise in incident response plans.
The highly sophisticated attack, which the White House recently attributed to Russian state actors in announcing sanctions, exploited SolarWinds Orion, enterprise network management software that many organizations use to monitor and support their IT infrastructures. The hackers compromised the SolarWinds development and build environment, adding malware to software updates that some 18,000 customer organizations received, leaving them vulnerable to hard-to-detect targeted network attacks and infiltration.
After interviews with 88 regulated entities that used affected versions of SolarWinds Orion, the NYDFS found that 94% had addressed specified vulnerabilities within three days after SolarWinds' original announcement of the attack. However, the NYDFS also determined that some regulated entities could better address ongoing high-risk cyber vulnerabilities with a more timely patch management process.
Regulated entities and others should consider that the NYDFS's recommendations are likely to shape its own and other regulators' views on what constitutes reasonable security measures going forward.
Resource ID: w-030-8075. Document type: Legal update (archive).
© 2024 Thomson Reuters. No claim to original U.S. Government Works.