Hi Brian,
Yes, there was an official email blast at around 1:00PM ET (12:48PM in our case).
It was sent from noreply@dfs.ny.gov to our CEO (i.e., the one who submits the certification of compliance on behalf of the board of directors on Feb 15th each year).
Please refer to these 2 links:
1. https://its.ny.gov/ciso/advisories
2. https://its.ny.gov/security-advisory/multiple-vulnerabilities-203
The mail header of the official letter started as follows.
========
Subject: Supply Chain Compromise Alert
To: Chief Executive Officers, Chief Information Officers, and Chief Information Security Officers of all Regulated Entities
From: Cybersecurity Division, Department of Financial Services (DFS)
Subject: Supply Chain Compromise Alert
Date: December 18, 2020
...
Original Message:
Sent: 01-06-2021 02:17 PM
From: Brian Woitte
Subject: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"
NY DFS demanded any covered entity who directly used or had a third party that used "Solarwinds Orion" network management software, to immediately create a cyber security notification incident
I haven't heard of this, do you have a source?
Original Message:
Sent: 01-04-2021 08:28 AM
From: Larry Timmins
Subject: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"
RE: / https://www.jdsupra.com/legalnews/federal-financial-regulators-propose-77305
Hi Joe,
Thanks for sharing the link here.
At the state level, prior to Dec 18th, NY DFS required 72 hours' notification. However, on December 18th at 1pm ET, NY DFS demanded that any covered entity who directly used, or had a third party that used, "Solarwinds Orion" network management software immediately create a cyber security notification incident. This was unprecedented, although widely supported by the organizations I spoke with, as the state being very proactive in maintaining the viability of communications based on NY DFS 23 NYCRR 500 and fitting it to events.
NY GOV CISO CYBER SECURITY ADVISORIES: https://its.ny.gov/ciso/advisories
Multiple Vulnerabilities in SolarWinds N-Central Could Allow for Remote Code Execution https://its.ny.gov/security-advisory/multiple-vulnerabilities-203
All the best,
Larry
Original Message:
Sent: 01-04-2021 07:29 AM
From: Joe Ciccone
Subject: Proposed "Computer-Security Incident Notification Requirements for Banking Organizations and Their Service Providers"
Regulatory alert! The OCC, Federal Reserve and related federal regulatory bodies have issued a notice of proposed rulemaking. If implemented the proposed regulations would:
1) define which type of cybersecurity incidents would need to be reported to federal regulators and
2) require reporting for any such incidents within 36 hours after determining that such an incident has occurred.
Service Providers are required to alert their banking institution customers of any incident which may disrupt services for at least 4 hours.
A couple things to note:
- Method and content of the notification is not defined. Such notification is expected to simply be an "early warning" to regulators
- The incident need not involve a security breach of customer data to be triggered.
For more information, look here:
https://www.jdsupra.com/legalnews/federal-financial-regulators-propose-77305/?origin=CEG&utm_source=CEG&utm_medium=email&utm_campaign=CustomEmailDigest&utm_term=jds-article&utm_content=article-link