CISA Director Jen Easterly on Log4j: “These vulnerabilities are the most severe that I’ve seen in my career.”1
On December 11, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and NSA, announced a critical remote code execution vulnerability had been identified in the Apache Log4j software library. This vulnerability allowed a successful threat actor to take control of a network system and cause a variety of damage, including the ability to launch ransomware, steal and destroy victim information, deploy malware, and disrupt internal and infrastructure operational control.
This critical vulnerability specifically focused on Apache’s Log4j software, versions 2.0-beta through version 220.127.116.11, commonly known as “Log4Shell.” According to CISA, Log4j is used in a variety of consumer and enterprise services, websites and applications to log a company’s security and performance information. This vulnerability is affecting millions of computer systems since the Log4j software is generally used to record all manner of activities that go “under the hood” of affected computer networks and standalone machines.
In response to the Log4j threat, insurance regulators from four states have recently issued guidance to regulated entities. They are:
- Illinois Department of Insurance: Issued Bulletin CB 2021-15 Log4j Vulnerability on December 20, 2021 to all regulated entities to “take immediate steps to identify and mitigate any risks posed by the Log4J vulnerabilities.” Regulated entities are “reminded to report cybersecurity events that fall under the Illinois Personal Information Protection Act” to consumers and/or the Illinois Attorney General. 2
- New York DFS: Issued Industry Guidance on December 17, 2021, to all regulated entities stating they “should promptly assess risk to their organization, customers, consumers, and third party service providers … and take action to mitigate risk.” The bulletin also reminds regulated entitles to report cybersecurity events under 23 NYCRR 500.17(a) as promptly as possible and within 72 hours.3
- Vermont Department of Financial Regulation: Issued an Industry Alert on December 22, 2021, to all regulated entities that they “should promptly assess risk to their organization, customers, consumers, and third party service providers … and take action to mitigate risk.” The Industry Alert also reminds regulated entities to report cybersecurity events as required by 9 V.S.A. 2435 and DFR Bulletin #4.4
- Virginia State Corporation Commissioner’s Bureau of Insurance: Issued Bulletin Log4j Vulnerability on December 20, 2021, to all Licensees that they “should promptly assess risk to their organization, customers, consumers, and third-party service providers … and take action to mitigate risk.” The Bulletin also reminds licensees to report cybersecurity events as required by the Virginia Insurance Data Security Act. 5
Due to the potential damage the Log4j vulnerability presents and the uncertainty of the depth of the true scope of this attack, it is likely more insurance commissioners will issue guidance. To mitigate risk of harm, we recommend all regulated entities, at a minimum:
- Ensure all Adobe software patches have been implemented.
- Identify systems vulnerable to a Log4j attack.
- Determine if any systems have already been attacked.
Lastly, we suggest that regulated entities review and adopt the recommendations provided at CISA’s Apache Log4j Vulnerability Guidance site. If you are interested in further information or assistance, please contact authors Jo Cicchetti and Jason G. Weiss.
- CISA, FBI, NSA and International Partners Issue Advisory to Mitigate Apache Log4j Vulnerabilities, issued December 22, 2021; available at: https://www.cisa.gov/news/2021/12/22/cisa-fbi-nsa-and-international-partners-issue-advisory-mitigate-apache-log4j
- CB-2021-15 Log4j Vulnerability, issued December 20, 2021; available at: https://www2.illinois.gov/sites/Insurance/Companies/CompanyBulletins/CB2021-15.pdf.
- Log4j Vulnerability, NY DFS, issued December 17, 202, available at: https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211217_cyber_log4j_vulnerability.
- CYBERSECURITY (APACHE LOG4J) VULNERABILITY GUIDANCE, issued December 22, 2021; available at: https://dfr.vermont.gov/industry-alert/apache-log4j-vulnerability-guidance.
- Log4j Vulnerability, issued December 20, 2021; available at: https://scc.virginia.gov/getattachment/7a82646e-7f26-40cb-8138-cc5d096057fa/Log4j_BOI_Bulletin.pdf.