Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of April 27
Another round of informative industry news. This week's news brings us information on ransomware surging, more privacy laws passing or in the works, Apple being targeted, and a major regulator's recent data breach that you'll definitely want to know more about! Take a look below.
Ransomware attacks have surged, doubling victims in 2023: Black Kite, a leader in third-party cyber risk intelligence, released a much-anticipated report this week: Ransomware Threat Landscape 2023™: Ransomware Resurgence. This report provides detailed information on over 2,700 ransomware victims from April 2022 to March 2023. Key findings include that ransomware attacks resurged in early 2023, that groups tend to target companies with annual revenues of $50 to $60 million, and that encryption-less ransomware is on the rise.
Understanding exposure management: Vulnerability management can be challenging, especially given the ever-changing technological landscape. To make it even more complex, not all vulnerabilities carry the same level of risk. Advances in tooling help, but organizations still face challenges such as a growing number of vulnerabilities, missing business context, inaccurate prioritization, and more. A modern exposure management program can help address these challenges. Building one involves understanding exposure insights, assessing attack paths, and prioritizing remediation efforts.
Tennessee privacy law passes: How does the old saying go? Another day, another privacy law? At least that’s how it feels as of late. Tennessee joins the growing list of state privacy laws to pass. The Tennessee Information Protection Act (TIPA) will become effective January 1, 2025.
Apple devices are targeted once again: A North Korean threat actor, BlueNoroff (a subgroup of Lazarus), is targeting Apple devices with a new malware strain called RustBucket. RustBucket targets macOS and communicates with command and control (C2) servers to download and execute various payloads. BlueNoroff is known for its sophisticated cyber-enabled heists targeting the SWIFT system, as well as cryptocurrency exchanges.
Fourth- and nth-party vendor risk in open-source supply chains: Outsourcing to vendors is common, but do you know who your own vendors are outsourcing to? Many mature organizations have systems in place to manage direct vendor relationships but don’t always have systems in place to manage and monitor fourth- and nth-party relationships. Open-source projects don’t always undergo thorough security reviews, so identifying their vulnerabilities is crucial, but may not be easy. Although your service level agreements (SLAs) only cover your direct vendors, organizations need to find ways to address potential open-source security issues that may come from fourth- and nth-party vendors.
New Canadian federal banking regulations taking effect in May 2024: Federal banking regulators have revised their guidance for financial institutions to manage risks that arise from outsourcing. The Office of the Superintendent of Financial Institutions (OSFI) published the final guidance for risk management in connection with third-party relationships, and it will become effective in May 2024. Learn more about the guidance here.
Massive American Bar Association breach: Over 1.5 million members of the American Bar Association (ABA) may have been compromised in a breach that occurred last month. An unauthorized third party acquired usernames and hashed and salted passwords that people may have used to access online accounts on the old ABA website prior to 2018 or the ABA career center since 2018. If you or anyone in your organization has an account with the American Bar Association, it’s important to reset passwords and ensure your data is safe.
Information security risk management from a third party's viewpoint: When working in the world of cybersecurity and utilizing third-party vendors, you and your organization must have solid third-party risk management oversight to monitor data privacy and overall processes. Improving your InfoSec risk management can provide you with critical insight into how data is handled, the security safeguards that are in place, potential weaknesses, and more. According to Gartner, 84% of risk management teams have overlooked a third-party risk issue. To improve your program, start by focusing on the most important risks, conducting risk assessments, performing on-site audits, and having clear contractual requirements around regulations that are kept up to date.
AI powered malware analysis: On Monday, VirusTotal announced the new artificial intelligence-based code analysis feature named Code Insight. This new feature is powered by the Google Cloud Security AI Workbench and was first introduced at the RSA Conference 2023. Code Insight will be able to analyze potentially harmful files to explain their malicious behavior and will improve the ability to identify which files may pose actual threats.
Washington state finalized their “My Health My Data Act”: Washington state has finalized their “My Health My Data Act” which further regulates how health data of residents should be processed and protected by private-sector entities. This bill was introduced partially because of the new restrictive abortion laws in other states and the concern that reproductive health information could be improperly shared with authorities. The bill provides further protections for consumer health data not covered under HIPAA. Learn more about the “My Health My Data Act” here.
Cleaning up your supply chain’s hygiene: Thirty-nine percent (39%) of businesses in the UK were the targets of cyberattacks in 2022. However, one attack stands out from all the others... SolarWinds. The 2020 SolarWinds hack was the largest and most sophisticated attack ever. It compromised not only SolarWinds data, but 30,000 of its clients' data as well. This attack kicked off organizations really cracking down on their cybersecurity within the supply chain. Other notable attacks after SolarWinds include Kaseya, Microsoft Exchange, Air France, and more. Attackers tend to look for the weakest link to infiltrate an organization and prepare their attacks. Don't be the last to know! It’s crucial your organization monitors the cybersecurity of suppliers and their supply chains.
Regulator experiences a massive data breach: The Consumer Financial Protection Bureau (CFPB) experienced a massive data breach affecting around 250,000 people, caused from inside the organization by a now former employee. This week, the news broke that the employee had forwarded records on around 256,000 consumers to their personal email. They also transferred confidential supervisory information on 45 institutions. This data breach raises concerns about how the CFPB keeps consumers' personally identifiable information (PII) safe.
Patch released for Google Chrome’s second zero-day attack: On Tuesday, Google Chrome rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its web browser. The flaw is tracked as CVE-2023-2136. This marks the second zero-day vulnerability to be exploited this year.
New privacy laws are taking a closer look at service-provider contracts: All 50 states now have data breach notification statutes in place, but a smaller number are adopting privacy laws. States that have implemented privacy laws, or have laws going into effect this year, include Colorado, Connecticut, Utah, and Virginia, to name a few. All these laws have similar provisions regarding the scope of their coverage, including exemptions for specific types of entities (e.g., those covered by HIPAA and the Gramm-Leach-Bliley Act). An area where these laws are noteworthy is the requirements surrounding Controller-Processor contracts. Examples of these mandatory provisions include identifying the type of data being processed, the duration of processing, compelling the Processor to ensure that everyone involved in the processing is subject to a duty of confidentiality, and others. Learn more about the privacy laws taking effect by checking out this article.
Recently Added Articles as of April 20
Check out this week's news to learn the average cyber intrusion detection time and why it's too long, the importance of mature third-party risk management in healthcare, and a recent study finding that two-thirds of organizations lack supply chain visibility. We also cover Indiana's privacy law, recent data breaches, and more.
Two-thirds of businesses lack supply chain visibility: Recent research has shown that 69% of organizations lack necessary visibility over their supply chain to protect their reputation. Other findings show 70% of organizations are improving their investment in third-party risk management. Over 74% rated their TPRM as poor or mediocre. Also in the report, four advantages of TPRM are highlighted, including improved operational resilience, avoidance of reputational damage, avoidance of fines, and faster time to supply chain recovery following an event.
Importance of mature third-party risk management in healthcare: The healthcare sector is putting more attention towards mature third-party risk management. Experts at the 3rd Annual HealthITSecurity Virtual Summit articulated that healthcare organizations are continuing to expand their vendor inventory, but their third-party risk management strategies are falling short. Questionnaires aren't tailored to the specific environment, leading to insufficient results and due diligence falling through the cracks. To ensure a strong relationship with your vendors, you must set expectations from the start of the relationship. Other best practices include preparing for a business-disrupting event and adopting a risk-tiering approach.
Popular rideshare app experiences another breach: Uber is once again in the spotlight for experiencing a data breach and exposing sensitive data. This time, the breach occurred at a New Jersey-based law firm that was storing data about Uber's drivers. The data included their Social Security numbers, taxpayer identification numbers, and other personally identifiable information (PII). The specifics aren't clear as to why the law firm had access to this data. This breach is a reminder of how imperative it is for your organization to do proper due diligence on vendors during the selection process and pay close attention to their security measures. It always matters!
Third-party risk mitigation is becoming more challenging: Mitigating third-party risk is becoming increasingly challenging due to the interconnected business environment. While there are regulations in place to manage third-party risks, it’s important to establish a robust third-party risk management framework to manage the third-party risk management lifecycle. Organizations are continuing to rely on third-party vendors to deliver critical services and products, but this can bring challenges. Some of the challenges include vendor concentration risk, third-party governance, regulatory scrutiny on data protection, and more. To overcome these challenges, utilizing the third-party risk management lifecycle can help your processes run smoothly.
Cyber intrusion detection time is at 16 days on average: Organizations and cybersecurity professionals are getting much better at detecting cyber-related incidents, but the time to detect is still at 16 days. While this is an improvement, experts say 16 days is too long, as significant damage can happen in that timeframe. Interested in learning more? Findings are shared in the 14th annual M-Trends Report.
Ransomware attack hits payments giant: NCR recently shared that a breach targeted the company’s Hawaii data center. NCR’s team has worked quickly to execute their disaster recovery plan while providing updates on the outage and service restoration.
Understanding cybersecurity in the energy sector: Cybersecurity continues to be a rising concern in the energy, oil, and gas sector. Managing cybersecurity in this sector comes with many challenges, and as a result, the cyber impacts could include loss of view, control, and/or safety. Why is cybersecurity so important in this sector? Consider this… if an energy utility is breached, it could lead to prolonged outages and a loss of customer trust.
CISA notifies of an Android bug: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a high-severity Android bug that appears to be exploited by a Chinese app to spy on users. The bug is tracked as CVE-2023-20963. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch and secure devices by May 4.
Indiana joins the privacy law race: Indiana is now the seventh state that has passed consumer data privacy legislation. Indiana’s bill follows the Virginia Consumer Data Protection Act (VCDPA), but with some limited variations. This means Indiana’s bill, like Virginia's, is more business-friendly than Colorado and Connecticut laws, but more consumer-friendly than Utah and Iowa’s. Learn more about Indiana’s privacy law in the article.
The impending recession and your vendors: With the impending recession, many organizations have been tightening their budgets. The first thing organizations seem to be scaling back on is digital transformation projects. With more cash on hand, organizations can withstand the financial pressures that come with a recession, but deciding what to scale back on, and with whom, may take months and may include replacing a vendor or two. Organizations may have to work with leaner teams or fewer resources, so the use of AI and automation is becoming popular to help, too.
Repeat data privacy offenders are on the hook: The Consumer Financial Protection Bureau's (CFPB) director is cracking down on repeat violators of consumer finance and privacy laws. These penalties can involve naming executives in enforcement actions, placing limitations on future business practices, and more.
Environmental, governance, and social issues and global real estate: Europe is aiming to be climate neutral by 2050. Many directives have been released in the EU that allow individual countries leeway in implementing climate targets. On March 14, the European Parliament’s meeting on the ITRE (industry, research, and energy) Report produced revisions of the Energy Performance of Buildings Directive. This is a milestone in the decarbonization of buildings in EU countries. This article outlines countries within Europe and the United States' efforts in the current climate crisis.
Key risks on data center vendors: Cloud technology is ever popular as of late, and data centers provide critical services to many organizations. It’s essential for data center vendors to have a plan to mitigate risks they face. These key risks include security, data privacy, operational, compliance, and environmental. Environmental is a notable risk since data centers consume large amounts of electricity. It's important that you implement ongoing data center risk analysis and assessments to ensure proper risk compliance is in place.
Recently Added Articles as of April 13
There's a lot of global news to review this week, including articles regarding Israeli organizations experiencing cyberattacks, a military intel leak, Indonesian banking industry regulations, and more! And for those stateside, information about the construction industry experiencing an uptick in cyberattacks, medical device cybersecurity, and more! Check it out below.
“By Design” Microsoft flaw: A flaw “by design” in Microsoft Azure could be exploited by hackers, potentially giving them access to storage accounts and the environment, and the ability to execute code remotely. The exploitation path relies on Shared Key authorization. What should your organization do to mitigate this risk for now? It’s recommended you disable Azure Shared Key authorization on your storage accounts. Instead, use Azure Active Directory authentication.
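To turn the recommendation above into a repeatable check, here is an added example (not code from the article or from Microsoft) that audits the JSON printed by `az storage account list -o json` and reports every account where Shared Key authorization is still allowed. It assumes the real ARM property `allowSharedKeyAccess`, where a missing or `null` value means the platform default (Shared Key enabled); the account names and resource groups in the sample are constructed.

```python
"""Audit Azure storage accounts for Shared Key authorization.

Added example, not code from the original article. It consumes the JSON that
`az storage account list -o json` prints. Assumption: the `allowSharedKeyAccess`
property is present in that output; a null or absent value means the platform
default, which still allows Shared Key. The sample data below is constructed.
"""
import json

# Constructed sample in the shape of `az storage account list -o json`.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "stprodlogs001", "resourceGroup": "rg-prod", "allowSharedKeyAccess": False},
    {"name": "stlegacybackup", "resourceGroup": "rg-legacy", "allowSharedKeyAccess": True},
    {"name": "stdefaultnew", "resourceGroup": "rg-dev", "allowSharedKeyAccess": None},
    {"name": "stolder", "resourceGroup": "rg-dev"},  # property absent on older output
])


def shared_key_enabled(account):
    """True unless Shared Key authorization is explicitly disabled.

    A missing or null value means the account still uses the platform
    default, which allows Shared Key, so it is treated as enabled.
    """
    return account.get("allowSharedKeyAccess") is not False


def find_shared_key_accounts(az_json):
    """Return the accounts that still accept Shared Key authorization."""
    accounts = json.loads(az_json)
    return [
        {
            "name": a["name"],
            "resourceGroup": a.get("resourceGroup", ""),
            "allowSharedKeyAccess": a.get("allowSharedKeyAccess"),
        }
        for a in accounts
        if shared_key_enabled(a)
    ]


def remediation_commands(findings):
    """Build the `az storage account update` command that disables Shared Key
    for each finding. The commands are returned for review, not executed."""
    return [
        f"az storage account update --name {f['name']} "
        f"--resource-group {f['resourceGroup']} --allow-shared-key-access false"
        for f in findings
    ]


if __name__ == "__main__":
    # In a real run, replace SAMPLE_AZ_OUTPUT with the stdout of
    # `az storage account list -o json` (e.g. via subprocess.run).
    findings = find_shared_key_accounts(SAMPLE_AZ_OUTPUT)
    for f in findings:
        print(f"Shared Key still allowed: {f['name']} ({f['resourceGroup']}) "
              f"allowSharedKeyAccess={f['allowSharedKeyAccess']}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Before running the generated `update` commands, check the storage account's resource logs for requests whose authentication type is the account key; anything still authenticating that way (legacy scripts, Azure Files SMB mounts, third-party tools) will break when Shared Key is disabled and should be moved to Azure AD (or, where unavoidable, a tightly scoped SAS) first.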
Military intel leak is under investigation: The Pentagon is working diligently to locate the source of a military intelligence leak. The Department of Justice has also opened an investigation. The leak could affect Ukraine’s planned offensive against Russian troops, as the documents contain detailed intelligence that the Russian military could use to their advantage.
Israeli organizations experience cyberattacks: Last week, the Israel Post experienced a cyberattack, which resulted in halting mail services. Only days later, water controllers were hacked. Israeli organizations are seeing an increase in malicious activity, which they predicted may happen during the month of Ramadan as it seems it has unfortunately been a trend year-over-year. No matter where you’re located or the industry, we’re all susceptible to data breaches. To help protect your organization, it’s strongly recommended you ensure your vendors have strong cybersecurity plans in place.
Cyberattacks are increasing in the construction industry: Cyberattacks are common in banks, large box retail stores, and many other industries. You can now add construction to the list. Malicious actors have taken a liking to construction companies due to the large sums of money being transferred in and out of bank accounts via wire transfers. They have been known to spoof email addresses to trick employees into providing them with administrative access to the company email systems. They then redirect emails, wait for information regarding wire transfers, and hijack the payments by emailing the sender new wiring information from a legitimate email address. To prevent these types of attacks, you must ensure your employees are trained on phishing tactics, keep your policies updated, and ensure your vendors are doing the same.
Telehealth company experiences third-party vendor data breach: Brightline, Inc. recently experienced a third-party vendor breach through its vendor, Fortra. Fortra's GoAnywhere MFT software-as-a-service (SaaS) was breached. Brightline has notified those who needed to be told about the breach. Fortra learned about the breach in late January and launched an investigation to determine what led to the breach and whether any consumer data was compromised. This investigation also uncovered a previously unknown vulnerability that allowed an unauthorized party to gain access to some Fortra customers’ accounts and download files.
Understanding artificial intelligence and how it impacts cybersecurity: Artificial intelligence capabilities have already impressed many of us with their predictions, personalization, and automation. Can AI help with cybersecurity, too? The question at hand is a complex one. According to experts, there are certainly areas where AI can assist with cybersecurity (e.g., bug hunting and verifying code). However, there are still limitations. Check out this informative article to learn what those limitations are.
FDA issues new guidance on medical device cybersecurity: New guidance has been issued by the U.S. Food and Drug Administration (FDA) stressing the importance of cybersecurity efforts in the product development of medical devices. The guidance specifies information that should be included in premarket submissions for any medical devices that contain software or firmware. With the medical device industry ever evolving, cybersecurity risks will become more complex and challenging.
Data left exposed for six months: BigLaw has acknowledged a cyberattack which left its mergers and acquisitions practice data unsecured on a cloud server for more than six months… yikes! BigLaw’s security team has taken the steps to reconfigure the site and ensure its data is secure. BigLaw will notify all affected parties once they know enough information.
Apple releases security updates: Last Friday, Apple released updates to address zero-day flaws. These updates address the following vulnerabilities: CVE-2023-28205 and CVE-2023-28206. Install updates in version iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1 to keep your data as secure as possible.
Colorado privacy law nearing implementation: Colorado's privacy law will go into effect on July 1, 2023. The finalized rules include universal opt-out mechanisms, privacy notices, loyalty programs, valid consent, user interface design and dark patterns, and more.
Managed service provider cybersecurity best practices: Managed service providers (MSPs) have wide ranges of clients and need to know how to prioritize cybersecurity concerns and support every client’s needs. Best practices include establishing and following a formal security framework, assessing vulnerabilities, managing third-party risks, and more.
Google mandates a new policy for Android apps: Google’s new data deletion policy enforces a rule where Android apps must provide users with an option to delete both the accounts and any data associated with those accounts. If developers have questions about the policy, they can submit those to Google by December 7.
Cybersecurity best practices for Indonesian banking industry: New guidance from Indonesian regulator OJK is another example of industry best practices being implemented across the globe. The guidance details how to perform an inherent risk assessment, a maturity level assessment, and a cybersecurity risk assessment. These cybersecurity best practices also share what should be involved in testing, such as vulnerability analysis and scenario-based testing. The OJK requires banks to report cyber incidents within 24 hours of being aware that they've been impacted.
How due diligence can protect an acquisition's value: Private equity firms are known for purchasing underperforming and undercapitalized businesses and turning them into high-value assets. Prior to transactions being made, there’s due diligence to complete, and it can be complicated. ESG issues have the potential to impact acquisition value and more and more dealmakers are looking into ESG risk. The level of due diligence dealmakers invest depends on the nature of the merger and acquisition transaction.
New cybersecurity-related proposals from the SEC: The SEC has released three new proposals related to cybersecurity: Expansion of Regulation SCI, Expansion of Regulation S-P, and Proposed new Rule 10 under Securities Exchange Act for broker-dealers and other Market Entities. These proposals highlight the SEC’s focus on cybersecurity compliance. The comment period has been reopened for those who wish to provide commentary. It will close on May 14, 2023.
Recently Added Articles as of April 6
Protect your organization with these ransomware prevention methods: There are ways your organization can protect itself from ransomware. These include malware protection and web filtering, zero trust network access, and protection from the cloud. Malware solutions, for both the network and endpoints, provide a multi-layered approach that reduces the chance of something getting through an organization’s network. Also, web filtering protects employees from visiting potentially malicious sites. Zero trust network access aligns with least-privilege access for employees connecting to an organization’s network. Additionally, organizations are encouraged to invest in cloud-based, converged network security solutions for a centralized way to manage security tools and for scalability.
CFPB brings clarity to abusive practices: The Consumer Financial Protection Bureau released a policy statement outlining elements of abusive acts or practices. They have offered a framework that can help organizations identify practices that may fall under “abusive." This statement will help highlight behaviors that may fall under the CFPB’s microscope. It'll also help organizations better anticipate regulatory or compliance issues.
Third-party vendors pose a significant amount of data privacy risk: Most organizations believe the greatest data privacy risk is their employees. While that may be true, third parties pose a significant amount of risk as well. Organizations are continuing to outsource to third-party vendors as it’s often more cost effective than bringing some products or services in house. Sixty-three percent (63%) of data breaches are tied directly to third-party vendors, and the average cost of responding to those breaches is a staggering $10 million. Cue vendor risk management! Implementing a vendor risk management program can help your organization significantly. Ensure you have a written agreement between third parties and your organization stating how data is stored, what certifications the vendor holds, what insurance they hold, and more.
New cybersecurity strategy states cloud security is a major threat: President Biden’s new cybersecurity strategy identifies cloud security as a threat. Government officials are discussing potential changes and reforms. This podcast helps you understand further what the cloud is and the cybersecurity risk present.
Tracking technologies may cause issues for HIPAA-regulated companies: Some hospital and healthcare websites use online tracking technologies to collect and analyze information about how a user interacts with an organization’s mobile application or website. The best known is the cookie: a small text file stored on the user's device that identifies the user as they move between pages on a website. There are several other common tracking technologies to be aware of, too. Regulated entities need to ensure that if they use tracking technologies, they disclose to the vendor that the data collected is protected health information (PHI), which is protected by HIPAA. If you're in the healthcare industry, it’s recommended to audit all of your site pages that use tracking technologies to ensure you stay HIPAA compliant.
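The audit the paragraph recommends starts with an inventory of what each page actually loads from third parties. The following is an added example, not code from the article or from any vendor, that parses a page's HTML and lists the external hosts behind its scripts, image pixels and iframes, along with the query-string parameters each request would carry to that host. The sample page and every hostname in it are constructed placeholders.

```python
"""Inventory third-party tracking resources embedded in a web page.

Added example, not code from the original article. It lists the external hosts
that <script>, <img> (tracking pixels) and <iframe> elements load from, and the
query parameters sent with each request, which is the starting inventory for a
tracking-technology audit. Assumption: page HTML is available as a string (for
a live site you would fetch each page yourself). The sample page is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Elements and the attribute that pulls in third-party code or beacons.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src"}

# Constructed sample page for a hypothetical clinic site, clinic.example.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-tracker.test/collect.js"></script>
<link rel="stylesheet" href="https://cdn.clinic.example/site.css">
</head><body>
<img src="https://pixel.example-ads.test/p.gif?event=appointment_booked" width="1" height="1">
<img src="/images/logo.png">
<iframe src="//chat.example-widget.test/embed"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every resource-loading element."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def resource_host(url):
    """Hostname of a resource URL; '' for relative (first-party) URLs.
    Scheme-relative URLs such as //host/path are handled by urlparse."""
    return urlparse(url).netloc.split(":")[0].lower()


def query_keys(url):
    """Names of the query-string parameters a request to url would send."""
    return sorted(parse_qs(urlparse(url).query).keys())


def third_party_resources(html, page_host):
    """Map each third-party host to the (tag, url) pairs loaded from it.
    Relative URLs and subdomains of page_host count as first party."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = {}
    for tag, url in collector.resources:
        host = resource_host(url)
        if not host or host == page_host or host.endswith("." + page_host):
            continue
        findings.setdefault(host, []).append((tag, url))
    return findings


if __name__ == "__main__":
    for host, items in third_party_resources(SAMPLE_PAGE, "clinic.example").items():
        print(host)
        for tag, url in items:
            print(f"  <{tag}> {url}  params sent: {query_keys(url) or 'none'}")
```

Run this over every page, then map each reported host to a vendor and a contract: a host that receives parameters such as the `event` value in the sample pixel is sending per-visit data off site, which is exactly where the PHI disclosure and business associate questions in the paragraph above need an answer.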
Ransomware insurance premiums lowered in 2022: Although ransomware-related claims were lowered in 2022, the threat level is still high. Hackers' tactics are going to continue to evolve, so you can’t count on last year's findings to be the turning point in ransomware-related claims. Staying on top of your cybersecurity is more important than ever. Take a step back and determine best ways to protect your organization from the unknown.
Healthcare data breach impacts nine organizations: Adelanto HealthCare Ventures (AHCV) suffered a major breach. AHCV became aware of suspicious activity on November 5, 2021, and at that point believed that no protected health information (PHI) was impacted. However, with further investigation they determined that PHI may have been involved. A Texas hospital, St. Luke’s Health, notified around 16,000 individuals of the AHCV breach in November of 2022. Eight other organizations received similar breach notices in recent days. Some of these organizations noted that their business associate didn’t receive sufficient information to conduct a breach analysis until the end of December of 2022. The majority of the top 10 largest healthcare data breaches in 2022 stemmed from third-party vendors, indicating the need for better third-party risk management practices in the healthcare industry.
Large data storage firm experiences a data breach: Western Digital announced on March 26 that an unauthorized actor gained access to a number of their systems. Customers complained over social media that they couldn’t access their product, My Cloud Service. Western Digital has worked with outside forensic and security experts to implement incident response efforts, but has warned customers that operations may continue to be impacted.
Overview of a recent supply chain attack: 3CX, a communication software organization, confirmed multiple versions of its app for macOS and Windows were affected by a supply chain attack. They’ve enlisted Google-owned Mandiant to help them work through the attack. This issue is being tracked as CVE-2023-29059. Users of 3CX Hosted and StartUP don't need to update their servers, as 3CX will be updating them overnight automatically. The earliest known malicious activity was detected around March 22.
CFPB announces new rule for small business lending in America: Required by Congress, the new rule the CFPB has finalized will increase the transparency in small business lending. The new rule promotes economic development and hopefully will combat unlawful discrimination. This rule will work side-by-side with the Community Reinvestment Act, which requires certain financial institutions to meet the needs of the communities they serve. Read the fact sheet to learn how this may impact your organization here.
Don’t misstep when reviewing your vendors: Assessing the risk that a vendor may pose to your organization takes time, especially when it comes to reviewing their security. Your organization should ensure your vendors' security measures are sound before partnering with them. When conducting assessments on prospective vendors, it's important to ask the right questions, review their security certifications, and more. Don't sleep on it. Thorough due diligence is a core component of your third-party risk management activities!
Retailer cyberattack risk is on the rise: In 2022, retailers experienced 241 confirmed data breaches. The primary goal of these attacks was stealing consumer data. As concerns grow, it's recommended retailers up their cybersecurity game this year. Internet of Things (IoT) connectivity has become more common in retail through self-checkouts, mobile payments, enhanced app functionality, and more. Most retailers use IoT, but do they have the proper security procedures in place? Unfortunately, it's been discovered that most don't. Retailers, like many other industries, will continue to be vulnerable to cyberattacks as the world’s supply chain and technology continue to evolve.