December 17, 2021

To:      All Regulated Entities

From:  New York Department of Financial Services

Re:      Log4j Vulnerability

On December 10, 2021, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”), the National Security Agency, and others announced a critical remote code execution vulnerability in many versions of Apache’s Log4j software.  Log4j is a Java-based logging utility incorporated in frameworks, websites, and applications, and is widely used by major cloud services and well-known software vendors and manufacturers.  According to senior cybersecurity professionals, this vulnerability is among the most serious seen to date.

Threat actors are actively exploiting Log4j vulnerabilities.  Successful exploitation of the vulnerability can be used to deploy ransomware, steal data, and disrupt operations.

All regulated entities should promptly assess risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate risk.  CISA is maintaining and regularly updating a webpage dedicated to Log4j vulnerability guidance.  Regulated entities should consult the CISA guidance and implement it wherever appropriate.

Regulated entities are reminded to report cybersecurity events that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal, which can be accessed from DFS’s Cybersecurity Resource Center.