April 2021 Vendor Management News

Start off Spring by staying on top of vendor management news and resources. Find out what you missed and catch up on important information in this blog post.

Recently Added Articles as of April 29

Data breaches continue to be in the headlines, with many articles highlighting the need for early reporting. Organizations continue to be fined for violating regulations, and the CPRA gets an updated definition for consent. Also, for those in the finance industry who want a roundup of regulatory news, we’ve got you covered! Read on for this week’s highlights in cybersecurity and third-party risk management.

Mandatory data breach reporting in Senate Intelligence Committee bill: The aftermath of the SolarWinds breach has prompted the federal government to consider limited, mandatory reporting for the private sector in an effort to prevent future foreign cyberattacks. Committee Chairman Mark Warner stated that Russian and Chinese cyberattacks have succeeded because of a failure to have a more rigorous notification requirement in place. An increase in cyber activity during the pandemic has triggered more breach notification legislation from lawmakers and other officials. The proposed Committee bill would send information on data breaches to the Cybersecurity and Infrastructure Security Agency, but in a semi-anonymous way so it could be addressed on a larger scale.

Reverse mortgage lender misled older borrowers: Deceptive advertising has always existed, but these types of ads sink to a new low when they’re aimed at older consumers. Nationwide Equities Corporation has been accused of violating three different acts with its misleading advertisements. Its ads led homeowners to believe they couldn’t lose their homes with a reverse mortgage and exaggerated the amount of money they could receive from its services. Hidden costs, risks and fake pre-approvals are all considered deceptive and illegal under various consumer laws. As a result, Nationwide Equities will be penalized financially and be required to implement a compliance plan.

Cybersecurity violations cost National Securities $3 million: Insurance company National Securities has settled with the New York State Department of Financial Services (NYDFS) regarding two data breaches in 2019 and 2020. A significant amount of customer data was exposed via phishing scams and National Securities failed to implement multi-factor authentication after this event, which is required under NYDFS regulation. A consent order was also issued in relation to two other cybersecurity events that were not properly reported. This should serve as a good reminder of the importance of compliance!

Alliance Steel fined for OFAC Iran Sanctions Program violations: Doing business with family can occasionally work out, except when that business is located in a sanctioned nation. Oklahoma-based Alliance Steel learned this lesson and has agreed to pay $435,003 for violating the OFAC Iran Sanctions Program. The Chief Engineer and VP of Engineering at Alliance Steel outsourced the company’s engineering services to an Iranian company owned by his brother. Alliance Steel was apparently not familiar with the OFAC regulations until a new CEO was hired in October 2018 who voluntarily disclosed the illegal transactions and cooperated with the OFAC investigation. Alliance then developed and implemented an export compliance policy, which included OFAC training, something that would’ve prevented the violations altogether. Lesson learned!

Einstein Healthcare hit with a class-action lawsuit after a 2020 hack: It appears as though HIPAA’s 60-day breach notification guidelines are simply not good enough for the many patients that were affected by the 2020 data breach at Einstein Healthcare. The incident occurred in August 2020, with Einstein beginning the notifications in October. However, with over 350,000 patients compromised, some weren't notified until January and February 2021. The lawsuit claims that the notification was “untimely and woefully deficient” and demands that Einstein disclose the full nature of the breach. Healthcare breach lawsuits have varying results, with some courts requiring the victims to prove actual harm, which can lead to dismissals.

FBI investigates a breach on a D.C. police server: The Washington D.C. police department has confirmed “unauthorized access” on its server and called in the FBI to investigate the breach. The full impact is still unknown, but the hackers are a ransomware gang who have already posted screenshots of exposed folders and file names. One leaked file includes information about 11 alleged gang members, which goes to show that hackers are willing to expose anyone, even fellow criminals!

Best practices for IT vendor agreements: These days, it’s common for companies to utilize third-party vendors to deliver IT services to their customers. Despite this dependency, suppliers and customers often struggle with the terms and conditions of these products and services. On the supplier side, they don’t want to risk being trapped between the main IT agreement with their customers and the user’s terms and conditions. And customers can be reluctant to accept terms and conditions that stray from the main IT agreement. Fortunately, there are a few tips to navigate this tricky problem. The first thing that must be established is whether to use separate terms and conditions. This would be appropriate in a situation where the customer specifically requests the supplier to use a certain standard product and/or service. The supplier could then justify the use of separate conditions. It should also be established what kind of setup is to be used between the customer and supplier. There are generally three different types: direct contract with the third-party vendor, no direct contract with the third-party vendor, or using the main supplier as a reseller. One important observation is that the supplier can be involved in the contracting phase, even if it’s not a part of the contractual setup for the third-party product or service. This can be executed in three different ways: brokerage (the supplier acts as an intermediary between the customer and third-party vendor), value-added services or managed services. Responsibility, back-to-back coverage and termination consequences are also key points to consider with different contractual setups. As with most strategies, there is no one-size-fits-all solution, so it’s recommended to thoroughly consider the contractual framework of your third-party products and services and bring in your legal team when appropriate.

Deloitte’s 2021 Global CPO Survey highlights: Deloitte’s latest survey, titled Agility: The Antidote to Complexity, highlights the top priorities, plans and perspectives of about 400 chief procurement officers around the world. The key findings show that organizations must focus on agility to address the complexity of procurement performance. Another important lesson is that supply chain risk can be cured by supply chain resilience, a top risk issue to be managed post-pandemic. Respondents noted that the top supply risk mitigation strategy was enhanced supplier information sharing. The survey covers a wide range of data and is worth the read for any CPO or procurement provider.

Department of Labor’s guidance on cybersecurity and retirement: Retirement is a long-term goal for most employees, so it’s encouraging to see some guidance to protect against benefit plan data breaches. The Employee Benefits Security Administration recently released its best practices guidelines surrounding cybersecurity and retirement plans. These include actions that sponsors, fiduciaries, record-keepers and participants can take. The guidelines are broken down into three parts focusing on third-party service providers, cybersecurity best practices and online tips for participants. Many third-party risk professionals will already be familiar with these tips, but it’s still worth a read for those who want to ensure that their retirement years are safe and protected.

Hackers hit the school cafeteria: PCS Revenue Control Systems is facing a class-action lawsuit stemming from a data breach in December 2019. Student information including names, dates of birth and social security numbers was collected by PCS’s predecessor vendor, Advanced Business Technologies, which provided food, nutrition and technology services for K-12 schools. The lawsuit claims that the breach was discovered in December 2019 but affected students weren’t notified until March 2021. PCS offered one year of free credit monitoring to the students affected.

Data leaks usually the fault of insiders: Cybercriminals and intricate hacking incidents often get all the attention, but a new report shows that the majority of cyber events are caused by end users who fail to follow their company’s security policies. Code42’s 2021 Data Exposure Report found that employees are 85% more likely to leak sensitive data, especially with the increase in remote working. It’s highly recommended that organizations prioritize their efforts to understand and mitigate the risks associated with accidental data leaks.

Potential supply chain hack found by researchers: CSIS Security Group claims that they have evidence of a breach that affected Australian company ClickStudios. Supposedly, an attacker uploaded a corrupted update to its password manager Passwordstate. A blog posted by CSIS details the evidence on the attack. ClickStudios has not yet confirmed the breach, which would follow other damaging supply chain hacks including SolarWinds and Microsoft Exchange. This is another instance related to third-party vulnerabilities.

Geico hackers use driver’s license numbers for unemployment: A recent data breach affected an unknown number of Geico customers, in which hackers apparently gained access to driver’s license numbers that were then used for fraudulent unemployment claims. The breach was immediately secured and customers were compensated with a free one-year subscription to the ID theft protection service IdentityForce. Driver’s license numbers are highly sought after by cybercriminals, who can use them in a variety of ways such as phishing attacks or in any form that requires ID verification. Unemployment fraud has especially been on the rise over the past year because of the pandemic. With many jobs lost and an increase in online transactions, hackers have found ways to exploit this situation.

New California consent rules in limited cases: The California Privacy Rights Act doesn’t go into effect until January 1, 2023, which leaves plenty of time for further clarification on vague terms. Consent is the term in question which has been more clearly defined, but only when the personal information is used for certain purposes. This heightened standard of consent not only defines it as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes” but also states what isn't considered consent, such as “dark patterns” which are used to manipulate or mislead consumers into providing consent. These principles closely replicate the definition found in the GDPR. In fact, the phrase “freely given, specific, informed and unambiguous indication” is used in both the GDPR and CPRA.

Regulatory news in the financial world: A roundup of regulatory news includes updates in both the UK and US. The UK’s Money Laundering and Terrorist Financing (Amendment) (High-Risk Countries) Regulations 2021 (SI 2021/392) have been published and change the definition of a “high-risk third country.” An explanatory memorandum was also included to provide more information on the policy background. Also noted in this roundup is the Prudential Regulation Authority’s PS7/21, which details revisions to its outsourcing and third-party risk management policy. All firms are expected to comply with these new regulations by March 31, 2022.

Recently Added Articles as of April 22

There’s a lot of news to digest this week surrounding privacy law updates, new disclosure legislation and a few helpful guides on supply chain risk and privacy policies. Read on to learn what’s trending this week in the third-party risk management world.

SonicWall addresses zero-day email vulnerabilities: SonicWall has discovered vulnerabilities in its email security solution and has since released patches to its customers. These were actively being exploited in at least one known case with the goal to obtain administrative access to execute code in order to install a backdoor and expose files. The vulnerabilities are listed as CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023, which impact SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.

Attackers targeted code-checking vendor for two months: Code-checking firm Codecov was the recent victim of a supply-chain attack. The company provides tools and services to verify how well software tests are covering code under development. Attackers collected sensitive information from the company’s clients for a little over two months before a customer reported a discrepancy in a checksum and notified Codecov. Vdoo chief technology officer Asaf Karas states that this breach is yet another reminder of the importance of verifying and scanning any third-party software that is introduced to enterprise networks or applications.

Ransomware group REvil targets Apple supplier: Quanta Computer Inc., a Taiwan-based manufacturer of MacBooks, was recently targeted by a ransomware group that claimed to have stolen blueprints. Quanta acknowledged an attack but didn’t provide details about the data that was reportedly stolen. REvil has posted 15 images of what appears to be the internal hardware of a MacBook and has demanded $50 million to prevent additional leaks. Quanta has stated that it’s upgrading its cybersecurity infrastructure as a result.

New order will mandate breach notifications from government contractors: Cyberattacks and data breaches continue to rise and the Biden Administration is expected to enforce disclosure laws for government contractors, largely motivated by the SolarWinds breach. All 50 states currently have data breach disclosure laws but there are no requirements for government contractors. The only department that has mandatory breach notifications is the Department of Defense. Failure to disclose a data breach can result in serious consequences so it’s important to have notification procedures in place.

$3 million settlement for New York Department of Financial Services: National Securities Corp. (NSC) will pay $3 million for allegedly violating the Department’s strict cybersecurity regulations. Four separate events were recorded between 2018 and 2020, one of which revealed that NSC didn’t have multi-factor authentication (MFA). MFA wasn’t implemented until almost a year after the first incident. Two of the cybersecurity events were not reported within 72 hours, which is another requirement set by the Department. The Consent Order is worth a read if you’re subject to the NYDFS Cybersecurity Regulations.

Status updates for state privacy bills: This article provides up-to-date information on the various state privacy bills. Special notice is given to the continued progression of Florida’s two bills and the failure of Washington’s Privacy Act to pass by the April 11 deadline. Details are also given on several new bills that have been introduced.

Privacy policies for dummies: You shouldn’t need an advanced degree to read through a privacy policy, yet they continue to be long and confusing. An analysis by the New York Times found that most of the 150 policies that were reviewed took longer than 10 minutes to read and required reading comprehension above college level. This guide breaks down three key principles when reading through a privacy policy, using the Children’s Online Privacy Protection Act (COPPA) as a guideline. First, you should know what you’re looking for. COPPA requires that policies state what type of information is collected from children and how it’s used. The second step requires knowing where to look for the information, which is often towards the beginning in an introductory paragraph. The children’s section of a privacy policy should address whether the online service is intended for children under 13. The last step is to ask questions, which may be easier than you think, as COPPA requires child-directed services to provide an email or phone number in addition to a mailing address.

Malware is becoming more sophisticated and prevalent in 2021: Several new variants of malware are emerging in 2021. They continue to challenge cybersecurity experts, as they keep evolving despite smarter security solutions. Remote working has particularly exposed networks to attackers who use malware to target them. A few especially dangerous malware families are trending in 2021. Ransomware via fake email updates is at the top of the list, along with news updates containing harmful links. A simple solution to help protect your organization is prioritizing employee awareness surrounding password management and recognizing suspicious behavior.

Accellion data breach doesn’t faze University of Colorado enough to pay: Cybercriminals in the Accellion data breach won’t be receiving any payment from one of their victims, as the University of Colorado refused to pay a $17 million ransom. The attack compromised over 310,000 university records including grades, visa status and medical records and originated from a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor of the university. They were advised by the FBI not to pay the ransom, as that doesn’t guarantee the recovery of the files and may encourage future attacks. The university has stated that it will provide credit and identity monitoring along with fraud consultation and identity theft restoration to anyone who was affected by the breach.

A rundown of weekly data breaches: Stay up to date on the latest cyberattacks and data breaches with this helpful guide which identifies the type of exploit, the severity of the risk to both individuals and business, and a brief description of the data that was involved. The Personal Touch Holding Corp hack is listed as an extreme risk, while the LinkedIn breach is severe.

Supply-chain risk must expand beyond vendor management: This year has already seen two significant supply-chain attacks, targeting SolarWinds and Microsoft Exchange. Many organizations are putting the spotlight on their processes to assess vendors, but it should be noted that this is only part of the solution. Despite the importance of vendor management, there are still limitations to what it can do. This article suggests taking a strict, but perhaps necessary approach of a “zero-trust mindset” which means that you should assume you will be compromised. It’s better to prepare your defenses for an incident rather than assume you’re safe because of your well-written vendor management program. A key takeaway is to use every crisis as an opportunity to review your current risk management efforts.

The basics of the GDPR: The General Data Protection Regulation (GDPR) is the European Union’s solution to data privacy. This unifying law went into effect on May 25, 2018 and requires EU organizations to protect personal data and uphold privacy rights. It also extends to multinational companies who have customers or employees in the EU. The law protects the processing of personal data, but not that of legal entities. There are seven principles outlined in the GDPR: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, security and accountability. Any EU member state’s data protection authority can enforce the GDPR and issue penalties, which max out at €20 million or 4% of global revenue, whichever is higher. Some of the key themes of this law include determining the territorial scope, cross-border data transfers, breach notification compliance, consent requirements and identifying personal data.

Biden’s cybersecurity and data privacy priorities: 2020 was a year of big changes not only because of the pandemic but also the new Biden administration. Last year brought about new privacy laws and plenty of cyberattacks which brought new attention to vulnerabilities in both private and public sectors. The Biden Administration is preparing to make changes that will likely affect every person and company in the US. This hour-long webinar covers several important cybersecurity areas including regulatory updates, enforcement actions and new guidance for commercial organizations.

Imported food at the center of the FSVP and VQIP: It’s easy to forget that regulations not only apply to the finance industry, but also to food production, especially when it comes from outside the U.S. The 2015 Foreign Supplier Verification Program (FSVP) is in place to ensure that food consumed within the U.S. has met the same safety standards, regardless of where it was produced. The Voluntary Qualified Importer Program (VQIP) allows a company to expedite the review of its food products by way of a special certification. A company is eligible for this certification if their facilities are reviewed by an accredited third party who can confirm that it’s in compliance with FDA standards. It just goes to show that the benefit of a third party will often outweigh any risks involved.

NSA helps to provide Microsoft Exchange patches: Microsoft recently released patches for over 100 CVEs, including four Exchange vulnerabilities reported by the NSA. Forty-four products and services were affected including Azure, Office, Visual Studio Code and Windows, with the NSA strongly urging users to apply these patches to prevent exploitation and continued outside access. Links to the updates can be found here.

Environmental compliance demands set to increase: The EPA and DOJ’s Environmental Crimes Section (ECS) are expected to have more resources under the Biden Administration, which will in turn lead to an increase in environmental investigations and prosecutions. Organizations that are subject to environmental regulations should be prepared for closer scrutiny by the EPA. An organization’s compliance program, and its auditing and monitoring procedures, can often be used as evidence of intent in an environmental crime case.

State and federal updates to data privacy laws: After the passing of the CCPA in 2018, many states have followed in California’s footsteps with varying results. It seems as though every week brings news of a proposed state law to regulate data privacy, as well as increased focus on legislation at the federal level. The federal Information Transparency and Personal Data Control Act aims to protect the collection and processing of personal information. This act would require businesses to use an opt-out consent tool for consumers to protect their information while also requiring their explicit consent to collect it. However, consumers would not have a private right of action. The Attorney General would be responsible for notifying controllers of violations and would give a 30-day deadline to address the violation before any enforcement action. At the state level, California and Virginia are the only two that have passed and enacted privacy laws. Oklahoma’s law has been passed by the House, with Washington, Florida and New York still pending.

CPRA to regulate “dark patterns”: The rather sinister term “dark patterns” is now getting more attention due to the regulatory guidelines under the California Privacy Rights Act. The term dark patterns dates back to 2010 when user interface expert Harry Brignull described certain types of misleading actions. For example, a dark pattern could be put in place within an application to prevent a user from unsubscribing to an email list or to encourage a user to provide personal information. It’s essentially a method of manipulating user actions, although the intent isn’t always harmful. The CPRA has some unclear guidance surrounding dark patterns so it’s a good idea for regulated organizations to take a few precautions. They should generally be aware of the issue and closely monitor their data collection methods to ensure that the process is clear and transparent. Working with experts in user interface design will help identify any issues.

530 million Facebook users won't be notified of 2019 breach: More than half a billion Facebook users were affected by the 2019 breach, but they’ll never know for sure if their information was exposed. Facebook confirmed that “malicious actors” had obtained data like phone numbers and birth dates prior to September 2019, but it claims to lack full visibility on which users were affected and, therefore, won’t be notifying anyone. Security experts warn that this type of data can still be used by cybercriminals, which further puts Facebook under the spotlight over how it handles user privacy.

Amazon’s role in financial services: All industries should be keeping an eye on Amazon’s activities. They not only pave the way for many initiatives and innovations, but also are dominating many markets and our lives as general consumers. Not to mention, they’re all over the financial services space without actually applying to be a bank, so they’re essentially bypassing regulators. However, it’s suggested that Amazon is in fact building a bank for itself to specifically suit their customers, rather than a traditional model that serves everyone. Along with other major tech companies, they’re meeting with regulators who then happen to be creating charters to allow for room in these spaces. Here are just a couple of other areas that Amazon is “rumored” to be tapping into: digital currency, mortgages, home insurance, cross border payments and health insurance. The findings of this CB Insights report make it clear that Amazon’s financial service products are ultimately being used to build their vast ecosystem.

Due diligence requirements for environmental, social and corporate governance: European organizations will now have more requirements surrounding due diligence as it relates to human rights and environmental concerns. The DJ Just Study has shown that they have generally made limited use of due diligence in these areas but the new draft will require a deeper assessment of their business and investment activities. The EU Parliament has recommended a strong emphasis on risk assessments and the Draft Directive has more clearly defined corporate due diligence and accountability. Companies would have to perform cautious risk assessments surrounding potential liabilities related to their non-compliance.

Recently Added Articles as of April 15

This week’s news gives you some basic guidelines on cyberattacks and the foundation of third-party risk management. A few articles focus on supply chain management and there’s an interesting study on the lack of knowledge surrounding cybersecurity. Read on for the latest in risk management news.

Cyberattacks on third parties are the new trend: You’re probably familiar with the phrase “no news is good news,” but that’s simply not a reality in the cybersecurity world. When there appear to be fewer data breaches or hacks, this can breed a false sense of security, which can then lead to complacency within organizations surrounding their cybersecurity efforts. The SolarWinds breach brought increased attention to third-party cybersecurity, and supply chains are increasingly becoming complex global networks rather than linear transactions. Supply chain attacks often have a few common causes, such as the ones discussed in this article. The increased use of cloud-based SaaS applications has made it easier for cybercriminals to target the external environment of an organization. Remote access is often unmonitored, with many third-party vendors receiving unnecessary privileges. Unsecured PII is also used in targeted attacks. This article by Fortune India advocates what should be included in the “third wave” of third-party risk management and is definitely worth the read.

Biden nominates former NSA leaders to cybersecurity positions: Chris Inglis has been nominated to the new role of National Cyber Director, while Jen Easterly is up for the position of Director of the Cybersecurity and Infrastructure Security Agency (CISA). These positions will add more cybersecurity expertise to the administration along with the newly created role of deputy national security adviser for cyber and emerging technology. There is some mild concern over their expertise, as they're coming from the public sector while critical infrastructure and supply chains are owned by the private sector. However, their collected knowledge and previous accomplishments are expected to boost cybersecurity efforts within the federal government. Private organizations should continue to stay well-informed of CISA guidance and updates.

Phishing scam targets taxpayers: The 2021 tax deadline has been extended to May 17, giving scammers an extra month to try and fool taxpayers. A recently discovered phishing scam uses Typeform to create convincing login forms for accessing W-2 forms, which are then emailed in an attempt to obtain personal information through error messages. Repeated login attempts will give the hackers multiple username and password combinations. While this scam targets individuals, hackers can do plenty of widespread damage with the right information. Organizations should always be proactive in teaching their employees the basics of cybersecurity.

NAME:WRECK DNS vulnerabilities may affect millions of IoT devices: Nine newly discovered DNS vulnerabilities (collectively called NAME:WRECK) may put as many as 100 million IoT devices at risk. The bugs affect the popular TCP/IP stacks FreeBSD, IPnet, Nucleus NET and NetX, and were caused by code reuse in firmware. Government, healthcare, retail and manufacturing industries could all be impacted by these vulnerabilities. There’s a list of suggestions for those who may be affected. Users should take inventory of the devices that are running the vulnerable stacks and enforce segmentation controls. They should also monitor for patches and configure their affected devices to use internal DNS servers. And finally, it’s also important to continually monitor all network traffic for malicious packets.

The foundation of third-party risk management: You may be surprised to learn that many organizations still lack strong visibility into their third-party vendors. The pandemic shifted many organizations into a remote environment where poor third-party risk management caused a huge increase in digital risks. The Institute of Collaborative Working estimates that up to 80% of an organization’s operating costs are designated to its third parties, so it’s a wonder why these vendors aren’t more closely monitored! And data breaches aren’t the only things to worry about, as Morgan Stanley is well aware. The OCC fined them a whopping $60 million for previous compliance issues. In addition to non-compliance fines and penalties, there are many other factors that play into third-party risk management, including data privacy, operational, reputational and financial risks. Always remember that your organization is legally responsible for the risk posed by your third-party vendors. Knowing this should be the perfect incentive to invest in a strong third-party risk management program!

House hearing on banking innovation should shed light on OCC’s fintech charter: The April 15 House hearing on “Banking Innovation or Regulatory Evasion? Exploring Trends in Financial Institution Charters” is expected to clarify a few gray areas surrounding the OCC’s “true lender” final rule. A resolution under the Congressional Review Act has recently been introduced to overturn this rule, which is meant to specify when a national bank or federal savings association should be considered a “true lender” in certain third-party relationships. Another likely topic of discussion is the OCC’s acceptance of applications from non-depository fintechs for special purpose national bank charters.

Data breach hits risk and compliance startup: It seems that not even risk and compliance companies are fully protected from data breaches. Startup risk and compliance company LogicGate recently confirmed a February 23 data breach which was caused by an unauthorized third party who had obtained credentials to its AWS-hosted cloud storage servers. The servers store customer data files for its Risk Cloud platform, which is meant to help companies identify and manage their risk and compliance by finding security vulnerabilities.

Quiz proves basic cybersecurity to be difficult for 61% of employees: Do you think you could pass a basic cybersecurity quiz? Well, there’s no shame in failing, since a recent study found that 61% of employees failed a basic quiz despite receiving cybersecurity training from their employers. The study, which was conducted by TalentLMS on behalf of Kenna Security, highlights some surprising statistics. Only 17% of those who worked in information services passed the quiz, while 93% stated that they had recently received cybersecurity training. Of the respondents who answered every question incorrectly, 74% reported feeling safe from threats. And despite being the generation that was born into a technology-based world, employees in the 18-24 age range performed the worst, with only 16% passing. Security expert James McQuiggan recommends that organizations conduct regular training as well as simulated phishing assessments to ensure their employees are well educated.

Third-party risk management expectations are defined by the UK Prudential Regulation Authority: The UK Prudential Regulation Authority (PRA) has recently released a policy statement and a supervisory statement which are meant to clarify regulatory expectations on third-party risk management. These guidelines apply to banks, PRA-designated investment firms, insurers and branches of overseas banks and insurers. They also apply to non-outsourcing material and high-risk service arrangements, but at a legal entity level rather than a group level. These expectations should be read alongside the proposed operational resilience framework. The PRA has given a deadline of March 31, 2022 to meet these expectations. The revisions to the final policy were in the areas of definitions and scope, proportionality, governance and recordkeeping, pre-outsourcing, outsourcing agreements, data security, access, audit and information rights, sub-outsourcing, business continuity and exit planning. One interesting point to note is that the PRA has clarified that there’s no defined combination of cloud resiliency options in relation to business continuity.

Ubiquiti whistleblower claims company tried to cover up data breach: Ubiquiti is doing some damage control after a whistleblower claimed that it downplayed the extent of last year’s data breach in order to protect its stock value. The security incident was originally blamed on a third-party cloud provider, but the whistleblower claims that Ubiquiti was in fact the intended target of the attack and not just a subsequent victim. The Ubiquiti legal teams were allegedly silenced in their efforts to fully disclose the incident to customers, and the company denies that its customers’ information was accessed or targeted. Ubiquiti has denied these allegations; however, a third-party investigator confirmed that the company was unaware of the full extent of the data breach because of poor security practices.

Suez Canal blockage continues to disrupt supply chain: The Ever Given, one of the largest container ships, may finally be free from the Suez Canal, but there continue to be ripple effects within the supply chain industry. The canal is open, but as many as 300 ships have been delayed because of the blockage. International insurer TT Club is warning supply chain operators of the consequences that this event may cause, not just those related to delayed deliveries. Yards may reach capacity with a build-up of cargo, and the threat of theft at ports and freight depots may increase. TT Club has recommended that supply chain providers emphasize resilience to ensure that any third-party storage supplier is adequately prepared to meet these new demands.

A man from Texas attempts to destroy an Amazon data center: A bizarre story recently came out of Texas where a man was arrested for attempting to “kill off about 70% of the internet” by blowing up an Amazon data center. The suspected bomber is accused of obtaining what he believed were explosive devices from an undercover FBI agent. The incident began when a concerned citizen reported troubling statements found on the far-right militia group site MyMilitia.com. Despite the strangeness of the situation, this should serve as a reminder for organizations to implement a robust business continuity and disaster recovery plan, because you never know when someone else may attempt to “kill” the internet.

4 steps to protect against supply chain attacks: The SolarWinds hack was a classic, yet unprecedented, supply chain attack which highlighted how these incidents can compromise an organization’s customers, suppliers, vendors and other third parties. Fortunately, there are ways in which an organization can protect itself from third-party data breaches. The first step is to thoroughly identify the people, systems and things that are associated with your organization. This creates an inventory of all third-party entities and the data they’re allowed to access. You should also create controls that mitigate the risk of unauthorized access, whether it’s multi-factor authentication or automated identity lifecycle management. The next step is to utilize identity broker technology to strengthen authentication requirements. These brokers analyze and verify attributes to determine if the tokens are forged. The requests can then be passed or rejected, depending on the results. The third step is access governance for third-party identities. Access governance can measure the program’s efficiency at creating and managing identities. Using this process can help identify a supply chain attack if incorrect access assignments are discovered. The final step your organization can take is the proper management of all third-party access. By centrally managing this access, your organization can get a bird’s eye view of the risk associated with each user. It’s also helpful to automate your access management to respond to real-time events.
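The inventory and access governance steps above come together in a reconciliation: compare what each third-party identity is allowed to reach with the grants actually present in the identity system, and flag every discrepancy. The following is an added example written for this digest, not code from the article or from any product; the identity inventory, scope names and grant snapshot are constructed for the demo.

```javascript
// Added example (not from the article or any product): reconciles a
// third-party identity inventory against the grants actually present in the
// identity system. Inventory, scopes and grants are constructed for the demo.

// Constructed inventory: what each third-party identity is allowed to reach,
// and whether the relationship is still active.
const INVENTORY = [
  { id: 'vendor-a-svc', vendor: 'Vendor A', allowed: ['invoices:read'], active: true },
  { id: 'vendor-b-svc', vendor: 'Vendor B', allowed: ['tickets:read', 'tickets:write'], active: true },
  { id: 'vendor-c-svc', vendor: 'Vendor C', allowed: ['reports:read'], active: false }, // contract ended
];

// Constructed snapshot of actual grants, as an access review export might list them.
const GRANTS = [
  { id: 'vendor-a-svc', scope: 'invoices:read' },
  { id: 'vendor-a-svc', scope: 'payroll:read' },   // never approved for this vendor
  { id: 'vendor-b-svc', scope: 'tickets:read' },
  { id: 'vendor-c-svc', scope: 'reports:read' },   // identity should have been deprovisioned
  { id: 'svc-unlisted', scope: 'admin:all' },      // no inventory record at all
];

// Compare grants to the inventory and return one finding per discrepancy:
// an identity nobody inventoried, an identity whose relationship has ended,
// or a scope beyond what the relationship was approved for.
function reconcileAccess(inventory, grants) {
  const byId = new Map(inventory.map((e) => [e.id, e]));
  const findings = [];
  for (const g of grants) {
    const entry = byId.get(g.id);
    if (!entry) {
      findings.push({ id: g.id, scope: g.scope, issue: 'unknown_identity' });
    } else if (!entry.active) {
      findings.push({ id: g.id, scope: g.scope, vendor: entry.vendor, issue: 'inactive_identity' });
    } else if (!entry.allowed.includes(g.scope)) {
      findings.push({ id: g.id, scope: g.scope, vendor: entry.vendor, issue: 'excess_scope' });
    }
  }
  return findings;
}

// Roll findings up per vendor (unknown identities get their own bucket) so the
// risk attached to each relationship is visible at a glance.
function summarizeByVendor(findings) {
  const summary = {};
  for (const f of findings) {
    const key = f.vendor || '(unknown)';
    summary[key] = (summary[key] || 0) + 1;
  }
  return summary;
}

const findings = reconcileAccess(INVENTORY, GRANTS);
console.log(findings);
console.log(summarizeByVendor(findings));
```

Run against a real access review export, the three finding types map to the article's steps: `unknown_identity` means the inventory from step one is incomplete, `inactive_identity` means lifecycle management from step one failed to deprovision, and `excess_scope` is the incorrect assignment that step three is meant to surface.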

Debt collection company and previous owner penalized by CFPB: Yorba Capital Management and its former owner, Daniel Portilla, Jr., have been banned from the debt collection industry for violating regulations. They had been accused of harassing thousands of consumers and threatening them with exaggerated legal action in their debt collection practices. The CFPB makes it clear that debt collectors must be truthful when communicating with consumers. This is also a good reminder for organizations to do their due diligence with their third-party vendors to ensure that they’re in compliance with industry regulations. It’s easy to overlook compliance issues which can also cause problems within your organization.

Recently Added Articles as of April 8

April continues with news of Facebook’s data breach which has affected half a billion users. And, there are some new business continuity principles for both the banking industry and those in supply chain management. You can also find some helpful guidance on deciding when and if to audit your vendors.

CISA advisory urges security patches and updates for SAP customers: The Cybersecurity and Infrastructure Security Agency has issued an advisory after a recent report has analyzed threat activity aimed at SAP environments. Enterprise resource planning, supply chain management, product life cycle management and customer relationship management may have unpatched vulnerabilities that hackers are exploiting. Attackers have shown significant knowledge of SAP applications, in some cases creating exploits less than 72 hours after a patch was released. As many as 92% of the companies on the Forbes Global 2000 list use SAP enterprise apps, so this threat is widespread. CEO and co-founder of Onapsis Mariano Nunez explains that information security teams don't always see the full scope of risks in these systems because the responsibilities to apply these patches are given to the SAP administration team.

Carbon Black bug allows authentication bypass: VMware discovered a critical vulnerability in its Carbon Black Cloud Workload appliance that could be used to bypass authentication and take control of vulnerable systems. The flaw is labeled CVE-2021-21982 and is rated 9.1 out of 10 in the CVSS scoring system; it can allow a cybercriminal to view and alter administrative configuration settings. VMware has released a fix for this flaw and has also addressed two other bugs in its vRealize Operations Manager solution. It has also published workarounds which help mitigate the vulnerability risks when patches can't be installed.

Hacking contest hits Microsoft hard: As if the recent Exchange hack wasn't enough, contestants at Pwn2Own 2021 won nearly half a million dollars after exploiting previously unknown vulnerabilities in other Microsoft products: the Windows 10 OS, Teams and, of course, the Exchange mail server. One of the biggest prizes, $200,000, was awarded to a security researcher who combined two separate security bugs to obtain code execution in Microsoft Teams. With the constant stream of stories about data breaches, it’s somewhat reassuring to know that there are also good hackers out there who proactively work to identify these vulnerabilities before they turn into larger disasters. Huge cash prizes certainly work as a great incentive!

Business continuity and supply chain risk: Even though high-volume direct suppliers are prioritized in risk assessments, assessments of other suppliers are often limited in scope and effectiveness, which can cause costly interruptions to an organization. Experts at McKinsey & Co. have calculated that larger companies generally lose two quarters of profit every 10 years from supply chain disruptions. The responsibility of assessing supplier risk is often distributed among different departments with no consistent process for requesting information, reviewing data and prioritizing. This, of course, leads to critical things being overlooked. One example of poor supplier risk assessment occurred when a fire shut down a Japanese semiconductor manufacturing plant. The production lines were estimated to be down for at least six months, and the result was chip prices skyrocketing from $5 to $110 in just a few days. Many organizations had to scramble to find another supplier because this risk wasn't properly assessed. It turned out that the Japanese plant lacked a sprinkler system, which could have been addressed if one of their customers had known about this and insisted that the risk be mitigated before signing a contract. There are a few best practices that should be applied during the supplier risk assessment process. An organization should assign a single person or team to run the risk assessment program and integrate all the data into a single platform or application. This allows the organization to see the big picture and prioritize which risks to address first, based on key performance indicators (KPIs). Another suggestion is to look for ways to collaborate with suppliers. An example of this would be a company funding its suppliers to prepare for hurricanes or other natural disasters. There are many benefits to working with a risk management solution provider, rather than doing it in-house. A solution provider will likely have the majority of your suppliers in their network, so you can increase the quantity of assessments you do and ultimately save yourself valuable time.

State privacy laws vs. federal regulation: It will soon be difficult to stay informed of all the state privacy laws that are being enacted. It makes sense to advocate for federal data privacy legislation, or does it? A big point of contention is whether it should include a private right of action. California and Virginia have state privacy laws and are already different in this regard. Another issue is whether federal law should preempt state laws, meaning that consumers may get to choose if they sue under federal or state law. But, for right now, state privacy laws are the only ones in the works and will no doubt add complexity to the compliance regulations of many organizations.

Slow data breach reporting leads to fines on Booking.com: Slow and steady doesn’t always win the race. When it comes to reporting a data breach, organizations can be penalized for a slow response. Booking.com has been fined almost half a million euros because it waited longer than 72 hours to report its 2019 data breach to the Dutch Data Protection Authority. The attack targeted hotels in the United Arab Emirates, where scammers apparently called hotel staff and tricked them into giving up login information. The lesson to be learned here is that an organization shouldn’t be worried about looking guilty or incompetent when it suffers a data breach, as taking too long to report it will only lead to worse consequences.

Resolved Facebook breach affected half a billion users and may still be a problem: Facebook may have tried to reassure its users that the data leaked in 2019 has been secured, but experts are still concerned. Much of the leaked data is significant because identifiers like names, birthdates and email addresses don’t often change. This data is still valuable to data brokers, who can sell it online for as little as $0.99. Facebook may even face consequences relating to Europe’s GDPR, which states that it should have alerted users under privacy reporting requirements. This breach also serves as a reminder that companies must answer to European regulators, and not just United States regulators. Companies of all sizes can be vulnerable to attacks, and the stolen data can be used in ways ranging from annoyances like spam calls to more severe harms like identity theft.

Rapid migration to the cloud leaves security behind: The recently released Unit 42 Cloud Threat Report shows the aftermath of the rapid cloud migration that many organizations experienced during the pandemic. It states that 30% of organizations don't have proper security controls with their sensitive data in the cloud. Retail, manufacturing and government saw the highest increases in security incidents and also faced the most pressure to adapt to the pandemic.

Private right of action included in amended Washington Privacy Act: Big tech lobbyists have now flip-flopped on the Washington Privacy Act, which was recently amended to add a limited right for consumers to sue for privacy violations. Digital privacy advocates had long been opposed to this act because it was apparently full of loopholes. California and Virginia are the only other two states that have passed digital privacy laws, and it remains to be seen which way Washington will go. CA’s law is more consumer-friendly, while VA’s favors the industry. Many other states have similar laws and acts that are pending approval, so it’s important for organizations to stay informed, especially if any of their third-party vendors are in one of these states. Regulations and laws can regularly change, but it’s the responsibility of your organization to remain in compliance.

Malware hackers prey on LinkedIn job seekers: While the economy is slowly recovering from the pandemic, many people are still out of work and cybercriminals are taking advantage. LinkedIn users are increasingly vulnerable to phishing attacks which invite them to open malicious files or links that are supposedly related to potential jobs. The attackers are using a backdoor tool called “more_eggs” which runs in memory and compromises the victim’s computer. Those looking for work in the healthcare and technology sectors are especially vulnerable to these attacks. These types of attacks highlight the need for multiple layers of security, as just one isn't enough to detect and block them.

Accellion data breach hits several universities: Stanford University, the University of Maryland Baltimore, the University of Miami, the University of California Merced, the University of Colorado and Yeshiva University are some of the most recent victims of the Accellion hack. The University of California system released a statement advising its faculty, students and staff not to respond to ransom emails they may receive which state that their personal data has been stolen. The data files were shared on a ransomware website called Clop, which publishes extracts of stolen information and demands money in return for not publishing the rest. It’s possible that more universities have been affected, as Clop is still publishing more data.

Basel Committee for Banking Supervision releases business continuity principles: The recently released Principles for Operational Resilience outlines ways to strengthen the banking industry’s ability to adapt and recover from harmful events, like global pandemics, through proper business continuity practices. These seven principles for operational resilience are listed as governance, operational risk management, business continuity planning and testing, mapping interconnections and interdependencies, third-party dependency management, incident management and information and communication technology (ICT) which includes cybersecurity. The Basel Committee also released a revision to its Principles for the Sound Management of Operational Risk which was originally published in 2003. This provides a framework for the effective management and supervision of operational risk. It should be noted that the Basel Committee includes legal risk within operational risk, but excludes strategic and reputational areas.

The right time to audit your vendors: Do you exercise your right to audit? Many vendor agreements include this clause, but it’s rarely used as a compliance tool. This article explains why this audit right can be helpful for business leaders, especially during the COVID-19 pandemic. Just the act of requesting an audit of your third party serves as proof that your organization is committed to compliance, and you may be rewarded with leniency if any future issues are discovered by regulators. However, it’s important to determine which third party should be audited so your organization isn’t wasting valuable time and resources. You should begin by assessing your third-party risks, including legal, reputational and operational. You can then move on to ranking your third parties according to their risk rating. High-risk vendors should be evaluated against certain criteria before deciding to audit. This includes contract clauses like the advance notice required or any limitations on what can be audited. It’s also important to consider the possible results of the audit and the next steps, such as reporting to the board. Your organization must ultimately determine whether it has enough resources and expertise to conduct the audit itself, or whether it needs to incur the additional cost of outsourcing it.

Defining cybersecurity law practices: Cybersecurity is at the front of everyone’s minds these days, even the general counsel at private organizations. There is an increasing awareness of and need for attorneys who specialize in cybersecurity, but there is still some haziness about how to clearly define this area of law. Furthermore, many organizations don't include law firms in scope for third-party management, but perhaps it’s time for a change as cybersecurity and law have merged. This in-depth article goes over several different areas of cybersecurity law, which is still in its early stages. For example, it states that a cybersecurity attorney must be part of the operational team and as involved as the IT expert in implementing new security measures. The cybersecurity attorney should also have a good understanding of privacy law, while also knowing the jargon of both law and tech. One important subject area that should be in the attorney’s portfolio is vendor risk management. The SolarWinds data breach proved just how essential supply chain risk management is, and a cybersecurity attorney should be able to anticipate the government’s views on whether or not certain organizations are secure.

Recently Added Articles as of April 1

In the third-party risk world, it seems a new month means a new set of data breaches. The healthcare industry continues to be one of the top targets for cyberattacks in both cloud-based services and interconnected devices. There’s also some big regulation news coming out of the UK and here in the U.S., too. Read on to learn more about some best practices in transitioning to the cloud and maintaining trust with your customers.

SEC and FINRA priorities for 2021: The two recent reports from the SEC and FINRA have some similar themes surrounding retail investors, technology providers and their third-party vendors and cybersecurity compliance. Both reports are quite lengthy, with the FINRA report coming in at 44 pages and the SEC’s Exam Priorities being 36 pages, so this article is a helpful summary on some of the common themes between the two. When it comes specifically to third-party risk management, both documents highlight the concerns around technology providers, including cloud vendors and automated platforms. The SEC is specifically concerned with the effects of the pandemic on endpoint security, data loss, remote access and vendor management.

Retaining customer trust before or after a breach: Security breaches can and do happen to anyone no matter the industry or size of company. However, it doesn’t always have to be a humiliating event that completely destroys all public trust. Transparency is at the core of retaining trust between a company and its customers. An organization should prioritize quickly notifying its customers of a breach and detailing how it will affect them. Vendors should also have a thorough incident response plan to stay on top of any breaches that may occur. A customer’s sense of security will remain in place when they know how a vendor will handle a breach. Finally, following a list of best practices is a basic standard that businesses should have in place and security should be implemented into all areas of the organization.

Google’s FLoC seen as an alternative to third-party cookies: The privacy concerns around third-party cookies have led to a new Google development called Federated Learning of Cohorts (FLoC). When a browser blocks third-party cookies, advertisers and sites find ways to work around this hurdle, and in some cases those workarounds cause even more privacy issues. FLoC is intended to be an alternative which allows for relevant ads aimed at groups of people (or cohorts) instead of individuals. The browser itself selects cohorts and doesn’t share browsing history with Google. Certain topics like alcohol, gambling, religion and politics are avoided by FLoC, and sites can opt out altogether. It’s currently being tested on a small percentage of Chrome users in 10 countries, including the U.S.

Consider these factors when migrating to the cloud: It’s no longer a question of if an organization should move to the cloud, but rather how it should be done. The cloud services market is expected to exceed $660 billion by 2024, which is little surprise considering the advantages of more efficiency, flexibility and security. Companies would be wise to consider how they can fast-track their migration to the cloud, even if that involves a bigger investment up front. Another important factor to consider is which applications are already in the cloud and whether everything else will make that transition. Perhaps the biggest consideration is related to third-party supplier risk assessments. The SolarWinds hack served as a reminder that third-party risk assessments are vital when it comes to the cloud. Sensitive data should be identified and protected in the cloud, ideally by knowledgeable cloud practitioners. This may require retraining existing employees. DevSecOps is another crucial component of migrating to the cloud. It allows for both secure and quality implementation of cloud applications.

Cybersecurity trends found in FS-ISAC report: The latest report from financial cyber intelligence community FS-ISAC found that cybercriminals are using each other’s tools and tactics which is leading to an increase in cross border attacks. Recent incidents during the pandemic have highlighted the need for a trustworthy channel to deliver real-time cyber information between financial institutions and third parties. The report identifies the top threats including the merging of nation-states and criminals, third-party risk and an increase in cross border attacks.

PRA releases updated supervisory statement and extends deadline: UK banks and investment firms now have a little more time to do their homework, thanks to the pandemic and other regulatory changes. The Prudential Regulation Authority (PRA) is extending the deadline for banks and investment firms to review and update their outsourcing agreements to meet European Banking Authority (EBA) regulations. The original deadline of December 31, 2021 has been pushed to March 31, 2022, and the EBA will not require firms to notify it if they haven't met the deadline. The PRA’s new supervisory statement is to be used as the primary guideline for UK firms when interpreting and complying with requirements on outsourcing and third-party risk management. One interesting clarification is that the PRA doesn't expect firms to directly monitor fourth parties in all circumstances. The PRA differs from the EBA guidelines on sub-outsourcers. The EBA guidelines require any critical or important sub-outsourcer to be covered by the same audit rights and obligations. The PRA statement is less strict and only requires this flowdown if the sub-outsourcing itself is material. Two other statement changes fall under the area of cybersecurity. First, the PRA will no longer require regulator access to the encryption keys themselves, only to the encrypted data. The second change requires institutions to ensure that third parties agree to share the results of security testing.

Whistleblower calls out Ubiquiti’s lackluster response to data breach: The data breach that affected Ubiquiti, Inc. in December 2020 was apparently much worse than the company initially let on. A whistleblower who helped respond to the breach has anonymously reported that the company downplayed the severity of the attack by saying that a third-party cloud vendor was the one at risk instead of Ubiquiti itself. In reality, the intruders set a ransom of 50 bitcoin after gaining backdoor access. Ubiquiti was able to find a second backdoor without engaging with the intruders and notified customers to reset their passwords. The whistleblower noted that a password reset wasn’t enough and that Ubiquiti should have invalidated all of its customers’ credentials instead, because the hackers had remote access to customer IoT systems.

DHS emails read by SolarWinds hackers: The SolarWinds breach continues to make waves, this time in the Department of Homeland Security. A new report states that the Homeland Security Secretary’s emails were included in the attack, but it’s unclear whether or not they included classified material. The Federal Aviation Administration was also affected by the breach, and a source noted that it is one of the administrations that struggles with outdated and legacy software. President Biden is continuing to address this data breach, most recently with the latest stimulus package, which includes $650 million in cybersecurity funding.

Bank of England announces PRA statement: The UK regulators have clearly been very busy during lockdown. On Monday this week, they released 14 papers on operational resiliency, 2 of which are specifically focused on outsourcing and third-party risk management. The intrinsic link between operational resiliency and third-party risk management is becoming ever tighter. The standout point of reference first of all is the change of deadline by which firms are expected to be compliant, which has been pushed 3 months back to March 2022. Otherwise, there are no real surprises. Beyond the deadline change, there is further guidance around definitions, intra-group relations, segmentation classification, auditing, approach, data security and the introduction of an online portal where firms will be able to submit information on their outsourcing and third-party dependencies. The policy statement and supervisory statement are derived from the EBA Guidelines on Outsourcing, first issued in 2019, and from a consultation with firms. This is the UK regulators’ summation of what elements will be mandated and how the wide range of existing requirements in this area should be managed throughout the lifecycle of an arrangement.

PHP compromised by hackers through a backdoor: Hackers compromised PHP.net through a backdoor that would have made websites vulnerable to takeover. Two updates were posted to the PHP Git server over the weekend which used the word “zerodium” as the trigger to give code-injection capabilities to visitors. PHP developer Nikita Popov stated that the project will no longer use the git.php.net server and will make GitHub the official source for PHP repositories. Contributors will now have to be part of the PHP organization on GitHub and use two-factor authentication to make commits.

Netmask bug could lead to attacks: A newly discovered vulnerability in the netmask npm package caused octal-encoded octets to be read incorrectly, so that IP addresses could be misinterpreted: a private IP address could be treated as external and vice versa. The package was patched within days of discovery, and the fix changed the way in which netmask interprets integers and inputs. All packages that use netmask need to be updated.
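To make the octal misreading concrete, here is an added example (not code from the netmask package or its maintainers) that contrasts a parser which silently drops leading zeros with one that follows the inet_aton convention; the sample addresses are constructed for illustration.

```javascript
// Added example, not code from the netmask package: a parser that discards
// leading zeros versus one that follows the inet_aton convention (leading "0"
// means octal, "0x" means hex). Sample addresses below are constructed.

// Naive parser: reads every octet as decimal, so "0177" becomes 177.
function parseNaive(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  return octets.some((o) => Number.isNaN(o) || o < 0 || o > 255) ? null : octets;
}

// Strict parser: honours octal and hex prefixes the way most OS network
// stacks do, and rejects any octet that is not a well-formed number.
function parseStrict(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let value;
    if (/^0x[0-9a-f]+$/i.test(p)) value = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) value = parseInt(p, 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) value = parseInt(p, 10);
    else return null;
    if (value > 255) return null;
    octets.push(value);
  }
  return octets;
}

// RFC 1918 ranges plus loopback, evaluated on the numeric octets.
function isPrivate(octets) {
  if (!octets) return false;
  const [a, b] = octets;
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Reports whether the two readings disagree about public versus private;
// an allow-list check should reject any address where they do.
function classify(ip) {
  const naivePrivate = isPrivate(parseNaive(ip));
  const strictPrivate = isPrivate(parseStrict(ip));
  return { naivePrivate, strictPrivate, ambiguous: naivePrivate !== strictPrivate };
}
```

Running `classify("0177.0.0.1")` shows the disagreement: the naive reading sees a public 177.0.0.1 while the strict reading sees loopback 127.0.0.1.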

Second data breach on healthcare provider: Personal Touch Holding Corp. (PTHC) announced that it has suffered its second data breach in 15 months. A ransomware attack on its private cloud has affected more than 750,000 patients and current and former employees. A previous breach in January 2020 identified an attack on Crossroads Technologies, which hosted the company’s cloud-based electronic health records. The compromised data includes personally identifiable information like names, social security numbers and credit card numbers. Cybersecurity experts agree that part of the reason for the increase in ransomware attacks in the healthcare industry is that its vendor risk management isn’t very developed. Because healthcare organizations rely on so many vendors, it’s more important than ever to have an effective third-party risk management program in place.

Politics and reputational risk: There’s the old adage that you shouldn’t talk about certain things like religion or politics… and yet companies are increasingly becoming more vocal about their political opinions. But is this a good idea? It’s no secret that we live in a highly polarized society, and as a result, an organization’s reputational risk can now be affected by something as subtle as an oblivious tweet or a poorly thought-out ad. Fortunately, there are some recommendations for companies to safely navigate this area. These come from a roundtable discussion moderated by The Conference Board and a survey of 84 large public and private companies. The first step is to prepare for backlash by implementing a clear set of standards and guidelines. A company should be ready to defend any position it takes, whether it’s a CEO’s statement or political contributions. Organizations should also keep their political activity simple by contributing money only through political action committees and thoroughly vetting all other third parties who receive donations. Employees and investors should also be educated and involved in the company’s activities and conversations with legislators. And lastly, board oversight may need to be adjusted to define the board’s role in lobbying or other activities.
