In the recent SolarWinds hack, the routine task of downloading a software update turned into a cybersecurity nightmare for over 18,000 organizations including the Treasury Department, AT&T and up to 85% of Fortune 500 companies. See Jason Murdock, Who Has Been Affected by the Huge SolarWinds Cyberattack So Far?, Newsweek, Dec. 18, 2020. State sponsored hackers broke into SolarWinds and installed malware in its Orion software update, which gave the hackers back door access to the networks of thousands of customers who installed the update. One constructive outcome of that incident is that it has prompted many businesses to reexamine their vendor risk assessment practices.

New York has a statute that requires that organizations select third-party service providers “capable of maintaining appropriate cybersecurity safeguards.” N.Y. Gen. Bus. Law §899 bb, Sec. 2(b)(A)(5). The New York Stop Hacks and Improve Electronic Data Security” (SHIELD) Act (N.Y. Gen Bus. Law §899 aa and bb), which became fully effective in 2020, requires that organizations also document those safeguards in written contracts with those service providers.