On April 27, 2021, the New York Department of Financial Services (“DFS”) released a “Report on the SolarWinds Cyber Espionage Attack and Institution’ Response” (the “Report”). As set forth in the Report, the SolarWinds attack was part of a widespread, sophisticated cyber espionage campaign by actors reported to be affiliated with Russia’s intelligence services that compromised sensitive information of at least nine federal agencies and approximately 100 companies. The Report describes the SolarWinds attack and the weaknesses it exposed, and considers the remediation efforts of DFS-regulated institutions impacted by it. The Report concludes that although none of the networks of DFS-regulated companies were actively exploited, the SolarWinds attack highlights the financial services industry’s vulnerability to “supply chain” attacks. The Report recommends several steps to reduce supply chain risk, including fully assessing and addressing third-party risk, adopting a “zero trust” approach and multiple layers of security, addressing vulnerabilities in a timely manner through patch deployment, testing, and validation, and addressing supply chain compromise in incident response plans.