Over the past year, cyber incidents have dominated the headlines and, in turn, are causing sleepless nights for boards, C-level executives, and their legal counsel. In the wake of hospitals, food producers, oil pipelines, and companies across all sectors being disrupted by ransomware attacks, the Biden administration has declared that contending with cyber incidents is "essential to national and economic security[.]" Executive Order on Improving the Nation's Cybersecurity, E.O. 14028 (May 21, 2021). Regulatory and other government agencies have received the message and are shifting into high gear with new initiatives and actions to drive improvements in cybersecurity practices, which were for many years left to the private sector to manage.

Against these looming harms and rising expectations, software supply chain risks have broken into the mainstream, largely due to a series of highly publicized incidents over the past year. (The most notable of these incidents involved network monitoring software produced by SolarWinds and an open-source logging utility known as "Log4j" that is incorporated into an array of applications and services.) As a result, cyber regulators have taken notice and advised companies to act on this risk, which is often managed by IT professionals without meaningful input or involvement from legal counsel or senior management.

In this article, we examine software supply chain risks, analyze legal and compliance requirements arising from New York's cyber laws, and offer recommendations to move forward on this area of critical risk that is often neglected or, worse, ignored.