The federal government is warning that the newly discovered Log4j vulnerability poses a major threat to computer network security. All Big “I” members should address this threat immediately.
The federal government is warning that a newly discovered computer software vulnerability poses a major threat to the security of computer networks. All Big “I” members should address this threat immediately, either with their internal information technology staff or with qualified technology consultants.
On Dec. 10, federal government agencies, including the National Security Agency and the Department of Homeland Security, announced the discovery of a vulnerability in the Log4j software library, which is written in the Java programming language and created by the Apache Software Foundation.
The government agencies announced that they were "responding to active, widespread exploitation" of the vulnerability. They warned that "An unauthenticated remote actor could exploit this vulnerability to take control of an affected system."
In short, if your software has this vulnerability, a criminal could seize control of your network and cripple your ability to do business.
Since Dec. 10, Apache has published three software patches to address the problem. Software developers who use Log4j are likely applying the patches and making updates to their software available to users, such as independent agencies. If you are notified that a software update is available, you should install the update immediately.
The Apache Software Foundation is not a company; it is a volunteer community of hundreds of thousands of people who build "open-source" software products that are free for organizations to use and are constantly being modified by the community. Think of it as content in the public domain that anyone with an interest can modify—Wikipedia is an example of this. Open-source software created by volunteers is very common in the technology industry. For example, the Linux operating system has always been developed and maintained this way.
The Log4j software library is used by applications to record ("log") events, such as network security and performance information. Many software vendors incorporate the library into their products, such as websites, applications and application services. It is quite likely that some of the software your staff use every day is built around Log4j.
On Friday, the New York State Department of Financial Services (DFS) advised that "All regulated entities should promptly assess risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate risk."
Translation: Find out how big a threat this is to your operation, customers and vendors, and do something about it. If your agency is large enough to have dedicated IT staff, this should be their focus today. Most member agencies are not large enough to afford or need an IT department. In that case, you should contact a computer network consultant as soon as possible to get advice on how to proceed. Any qualified consultant will be very familiar with this problem.
While this alert came from the New York regulators, this is not a New York-specific issue and applies to all states. All members in Connecticut should take similar actions, even those who are exempt from the Connecticut Insurance Data Security Law.
This is not a matter of a government mandate; this is a threat that could stop you from doing business.
The government agencies have technical information on this threat available on a dedicated website. Much of this information may not be clear to you, but it will be to your IT experts. We encourage you to direct them to that site, take appropriate action as soon as possible, and monitor the site for further updates on the situation.
Lastly, if you are a New York agency or brokerage and you determine that someone has used this vulnerability to break into your network, the Cybersecurity Requirements For Financial Services Companies regulation requires you to report that to DFS within 72 hours of your determining that it has "a reasonable likelihood of materially harming any material part" of your normal operations. You can do so on the portal on the DFS website.
If you are a Connecticut agency or brokerage that has made the same determination, and you are subject to the state Insurance Data Security Law, you must notify the state Department of Insurance within three business days if you believe consumer information has been exposed, or if you believe it will affect more than 250 state residents and must be reported to the federal or state governments. The DOI has created a form that must be completed and emailed back to them if this happens.
Under current law, Connecticut agencies with fewer than 20 employees (including independent contractors) "having access to the nonpublic information used by such licensee or in such licensee's possession, custody or control" are exempt from the law. That number drops to 10 on Oct. 1, 2022.
Tim Dodge is assistant vice president of research and information at Big I New York.