Cyber-attacks prompt third-party supply scrutiny in New York and New Zealand

An investigation into the 2020 SolarWinds attack has prompted the New York State Department of Financial Services to call for increased third-party supply scrutiny, while the Reserve Bank of New Zealand has published new guidance after suffering its own cybersecurity breach in January.

In an announcement on 27 April, the New York Department of Financial Services (NYDFS) said its investigation into a 2020 cyber-attack on software company SolarWinds showed that third-party risk and supply chains were the two areas most susceptible to cybersecurity breaches.

“This incident confirms that the next great financial crisis could come from a cyber attack,” said the NYDFS superintendent of financial services Linda Lacewell. “Seeing hackers get access to thousands of organizations in one stroke underscores that cyber-attacks threaten not just individual companies but also the stability of the financial industry as a whole.”

SolarWinds was at the centre of a major hacking incident in December, when multiple US government agencies, including the US Treasury Department and the Department of Homeland Security, were breached through the company’s Orion software using a backdoor in a SolarWinds library.

The then US attorney general, William Barr, said he believed Russia to have perpetrated the attack. The company’s CEO, Kevin Thompson, said a company intern had used an insecure password, “solarwinds123”, on their update server.

The DFS report said that 94% of NYDFS-regulated companies had removed their SolarWinds vulnerability within three days of the original attack.

In a staff paper released the same day as the NYDFS report, the Institute of International Finance, a Washington, DC-based association representing the global financial services industry, said the US financial sector is experiencing a rate of cyber attacks second only to the healthcare sector. It pointed to information sharing and incident reporting as key tools for enhancing cyber security.

The IIF paper also suggests that SolarWinds and other high-profile data breaches are likely to prompt greater attention from regulators and the executive branch under US president Joe Biden’s administration, including increased scrutiny and oversight of supply chains, vendors and third-party relationships.

Bad-bot traffic, according to a report by US cybersecurity software company Imperva this April, makes up almost a fifth of the activity on financial services websites. The financial sector was named as one of the most targeted by sophisticated bad bot traffic in 2020.

The RBNZ called its own experience a “timely reminder on the risks associated with managing and sharing information” as it launched its updated guide to cyber resilience on 28 April.

The report came along with a summary of submissions made during a consultation on the country’s cybersecurity at the end of last year.

The RBNZ said the purpose of the cybersecurity guide was to “illustrate current best practice and encourage continual improvement beyond these practices into all areas where entities can further strengthen their cyber resilience”.

The guide highlights third-party service providers, which it says can provide “an ideal environment for cyber criminals looking to infiltrate an organisation to thrive”, and recommends heavy screening of third-party services.

It also recommends assigning senior board members to cybersecurity-related roles, developing cyber resilience strategies, and sharing breach data with other entities.

“The recent illegal data breach of a third party file sharing application used by the Reserve Bank is a timely reminder of the risks associated with managing and sharing information”, said Geoff Bascand, the RBNZ’s deputy governor and general manager of financial stability.

KPMG is reviewing the RBNZ’s systems as a response to the January attack, with a report to be published in early May.

The RBNZ committed to oversee cyber resilience in a financial stability report dated November 2019, after having previously considered the subject outside its remit.

The report assessed potential losses from cyber incidents as NZ$2 billion (US$1.43 billion) – 35% of the local banking sector’s net profit.

An investigation into cyber resilience by New Zealand’s Financial Markets Authority (FMA) found that 56% of participants rated the global cyber-risk as ‘high / very high’, but only 36% applied the same risk rating to New Zealand. Even fewer applied the high-risk rating to their own firm.

But the investigation stated: “We do not believe that New Zealand firms face a materially lower risk of cyber-attack than firms in other countries.”

The RBNZ’s consultation summary noted the immaturity of New Zealand’s cybersecurity infrastructure compared to its more active Australian counterpart.

But Wayne Byres, chair of the Australian Prudential Regulation Authority (APRA), said it was “only a matter of time” before a cyber breach occurred in Australia as “cyber threats continue to grow”, during a speech before a banking summit organised by the Australian Financial Review on 30 March.

Byres said APRA would highlight cyber resilience as part of its operational resilience package, with a particular focus on third-party providers.

Documents

  • RBNZ Financial Stability Report 2019
  • FMA Cyber Resilience Investigation
  • Imperva Bad Bot Report
  • RBNZ Cyber Resilience guide
  • RBNZ Summary of Submissions for Cyber Resilience Consultation
  • NYDFS Investigation Report on SolarWinds Attack
  • IIF Staff Paper on US Cyber Attacks