The New York State Department of Financial Services (DFS) has warned all entities it regulates about newly discovered security vulnerabilities in Microsoft Exchange Server. The department advised all entities to take immediate action to address the problem. The DFS regulates banking, financial services, and insurance organizations doing business in New York.
If your agency runs Exchange Server on its own hardware or in its own data center, it may already have been compromised or may be compromised in the future. Agencies whose email is hosted entirely by a cloud service (Microsoft's Exchange Online, for example) should not be affected. Note the exception: a hybrid setup that still keeps an on-premises Exchange server for mail routing or directory synchronization is affected and must be patched like any other.
In a letter dated March 9, the department relayed Microsoft's report that it had found four vulnerabilities in Microsoft Exchange Server 2013 and later versions. "The vulnerable servers appear to host Web versions of Microsoft’s email program Outlook on their own machines instead of cloud providers," the DFS wrote. "It also appears that the vulnerabilities were being exploited for some time before March 2, and that widespread exploitation of the vulnerabilities is ongoing." Microsoft released out-of-band security updates for the vulnerabilities on March 2.
The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, has recommended that entities running on-premises Exchange servers, including those that expose the web version of Outlook, patch the vulnerabilities immediately and preserve forensic information (server logs, system images and the like) from any cybersecurity events that may have occurred.
If your agency uses the web version of Microsoft Outlook served from its own Exchange server, we strongly encourage you to work with your information technology staff or consultants to install the patches as soon as possible. Installing the patches closes the holes but does not remove an attacker who has already used them, so you should also have your systems examined for signs of compromise and determine whether a data breach has occurred. Do not wipe or rebuild a suspect server before that evidence has been preserved.
As a reminder, the New York Financial Services regulation Cybersecurity Requirements For Financial Services Companies (23 NYCRR Part 500) requires all covered entities to notify the DFS within 72 hours of determining that a cybersecurity event has occurred that either state law requires you to report to law enforcement or has a reasonable likelihood of materially harming any material part of your normal operations. If you have suffered such an event, you can submit the notice through the same portal you use for the annual certification of compliance.
The DFS letter recommends that you review the following resources:
More information about compliance with the New York regulation is available on our website at www.biginy.org/cyber. You can also find valuable information on the website of the Agents Council for Technology. If you believe you have been affected by these vulnerabilities, our endorsed cybersecurity consulting firm, LCG, may be able to assist you.