
April 2024 Vendor Management News


Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of April 25

Several third-party data breaches made headlines this week. Regulators in the EU prepare for upcoming sustainability requirements and the Federal Deposit Insurance Corporation (FDIC) highlighted third-party oversight failures. Check out this week’s news below. 

Study shows data probably leaked via generative AI usage: Are your employees leaking sensitive information to generative artificial intelligence (AI) services? One in five UK organizations have possibly had data leaked by employees using AI like ChatGPT, according to a new study. When data is put into generative AI tools, there’s a possibility that the information could be exposed. One-fifth of UK top executives believe AI is the biggest cybersecurity threat right now. Organizations may need to prioritize updating their cyber policy and strategy to address the internal use of AI. 

HHS issues new directive for Privacy Rule: The U.S. Department of Health and Human Services (HHS) extended its privacy requirements for hospitals, clinics, and other providers to follow. The new directive bans healthcare organizations from disclosing protected health information (PHI) to law enforcement agencies or anyone who may request the information as part of an investigation. This is to specifically protect women seeking reproductive healthcare out of state. 

Cyberattacks have hidden costs: New research predicts the global cost of cybercrime will reach $10.5 trillion next year. However, there’s also a hidden cost to cyberattacks beyond the dollar amount. There can be a significant loss of revenue, especially with extended downtime. Customers can lose trust in your organization after a cyberattack, and relationships with suppliers can become strained. Regulatory scrutiny and insurance premiums are both likely to rise after a cyber incident. Robust cybersecurity measures, like investing in technology and educating employees, can help mitigate these risks.

A third-party data breach possibly impacts medical records: PHI was potentially compromised in a third-party data breach at Catholic Medical Center. The breach impacted almost 2,800 patients. A vendor that provides accounts receivable management services was compromised through a phishing attempt.

Government department information compromised after third-party attack: A cyberattack on software provider Tyler Technology impacted data belonging to the Washington D.C. Department of Insurance, Securities, and Banking. A ransomware gang is threatening to expose some of the data to pressure the agency into paying a ransom. The vendor said some of its cloud hosting data was compromised last month.

FDIC highlights third-party oversight failures in its supervisory report: The Federal Deposit Insurance Corporation (FDIC) released its Spring 2024 Consumer Compliance Supervisory Highlights, which calls special attention to frequent violations and to where organizations should focus compliance efforts. Several of the violations found were in bank oversight of third parties, including deposit insurance misrepresentations by third parties and false advertising claims for credit-building products. The FDIC reminded banks to obtain evidence supporting credit-building claims. Banks should also ensure fair lending oversight of third parties and review the pricing and underwriting systems used by third parties.

Cybercriminals are leaning on AI to improve cyberattacks: Microsoft warned that cybercriminals sponsored by North Korea have begun using AI to improve their operations. Hacking groups are using AI large language model (LLM) tools to strengthen phishing attempts. Organizations should remain vigilant to phishing attempts as they grow more sophisticated. 

Complying with upcoming sustainability requirements in the EU: The European Union (EU) is set to soon approve the Corporate Sustainability Due Diligence Directive (CSDDD). Large organizations that operate in the EU will have to perform human rights and environmental due diligence on operations and business partners. Even though the implementation date won’t be until 2027, organizations will have to move quickly to ensure compliance. Organizations will need to have visibility across their entire supply chain, particularly with critical and higher-risk suppliers. They’ll need to assess environmental and human rights risks, so it’s crucial to map out the supply chain and identify suppliers. Complying with CSDDD isn’t a one-time act, but ongoing, as organizations will need to monitor the risks. 

U.S. considers operational resilience in the financial sector: As the possibility of disruptions has increased, U.S. banking regulators have started to focus on operational resilience. Third parties and digital technologies have also increased the attack surface, according to regulators. Agencies like the Office of the Comptroller of the Currency (OCC) expect financial institutions to remain operationally resilient. Recent regulations in the EU, UK, and Japan have gained regulators’ attention. New operational resilience requirements could include identifying critical activities and service providers. As banking regulators mull changes, organizations should evaluate their current compliance.

Third-party data breach compromises sanctions and financial crimes database: A third-party data breach compromised data in World-Check, a screening database used for know-your-customer checks. A hacking group claimed the attack and has threatened to publish the 5.3 million records it stole online. The London Stock Exchange Group, which manages the World-Check data, said it’s working with the third party that was breached. The database contains the names of those considered “politically exposed people,” along with Social Security numbers, passport numbers, and bank account information.

Third-party incident leads to 911 outages: 911 outages in four states (Nebraska, Nevada, South Dakota, and Texas) occurred after a third-party provider physically cut fiber when installing a light pole. The Federal Communications Commission has said it’s investigating the incident. Services were restored in under 3 hours. 

Child labor violation shows importance of identifying supply chain risk: The U.S. Department of Labor fined Tuff Torq after minors were hired to operate dangerous equipment. The organization agreed to pay a $300,000 fine, establish an anonymous tip line, and refrain from entering into new contracts with staffing agencies or other contractors with child labor violations. Citations for child labor violations have risen in recent years. It’s important for organizations to evaluate and identify potential risks and violations in their supply chains, and on-site audits and inspections are an important part of that. If a violation has occurred, organizations should address the mistakes to prevent future incidents.

Recently Added Articles as of April 18

In this week’s headlines, third-party tracking technology has landed some organizations in hot water. Also, financial institutions are warned about reliance on third-party IT providers, and two third-party cyberattacks could have mass implications for organizations. Read all of this week’s news below.

Digital Operational Resilience Act has global compliance implications: The European Union’s (EU) Digital Operational Resilience Act (DORA) isn’t only going to impact EU countries and organizations. The regulation has global implications, including in countries like the United Kingdom (UK). DORA sets a comprehensive framework for operational resilience for financial institutions, including managing critical third-party risks. The UK has its own equivalent to DORA in the works, while other countries like the U.S. consider operational resilience too. Financial institutions that operate in the EU will need to comply with DORA and technology providers considered critical under DORA will also face regulation. If a financial institution has subcontractors, or fourth parties, that operate in the EU, they may be impacted by DORA. Organizations should evaluate compliance and whether they’ll need to comply with the EU’s new act. 

FTC fines healthcare organization for disclosing personal data to third-party advertisers: The Federal Trade Commission (FTC) has banned a healthcare organization from disclosing personal health data to third-party advertisers. This is after allegations the organization, Monument, shared data with third-party advertisers without proper consent. Monument suffered a data breach last year due to its use of third-party analytics tools. The FTC also imposed a $2.5 million fine for violating the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA). Monument will have to identify the personal health data it shared with third parties and direct those parties to delete it. 

FTC fines a second healthcare organization for improper disclosure to third parties: Another healthcare organization was fined by the FTC after allegations it disclosed personal health information (PHI) to third parties for advertising. Cerebral was fined more than $7 million after not clearly disclosing the information it would share with third parties. The FTC also alleged that the organization wasn’t clear enough in its privacy policies. Cerebral has been barred from sharing PHI with third parties for advertising and must implement a privacy and data security program.

Best practices to mitigate cybersecurity risks: Cyberattacks have shown no sign of slowing down in 2024, and many of them have come through a third-party vendor. Mitigating supply chain cyber risks is an important priority to help minimize the risk of cyberattacks. Cyberattacks are becoming more sophisticated, especially as cybercriminals look to new technologies like artificial intelligence (AI) to supercharge attacks. Lawmakers are paying close attention to incidents too, with new legislation on ransomware introduced and a recent hearing in the U.S. House on ransomware. To be prepared, organizations should follow best practices, such as regular software updates, employee training, and multi-factor authentication (MFA).

Third-party phishing attack compromises Cisco customers: Cybercriminals stole some Cisco Duo customers’ multi-factor authentication messages after a third-party breach. A vendor that handles Cisco’s SMS and VoIP MFA messages was the victim of a phishing attack, which cybercriminals used to steal credentials. The vendor has worked with Cisco to resolve the issue and implemented additional security measures after the incident.

Mitigating third-party AI risks in the supply chain: Third-party artificial intelligence models can enhance organizations’ products and services, but they also carry supply chain security risks. Third-party AI components open up the risk of integrating malicious models that steal sensitive data or corrupt systems. If the third-party AI system isn’t held to the same security standards as your organization, there could be an increased risk of cyberattacks. Organizations should identify where third-party AI exists in their systems and conduct security assessments on third-party AI models to ensure they’re safe. Experts recommend reviewing licensing agreements and evaluating the third parties’ reputation.

International Monetary Fund warns of cyber and concentration risks for financial institutions: Financial institutions are being warned about the rising cost of cyberattacks. The International Monetary Fund (IMF) said the number of cyber incidents has more than doubled since the start of the pandemic, and over the last 20 years financial institutions have lost $12 billion to cyberattacks. The IMF report warned of increasing reliance on third-party IT services, which could cause mass outages if a service provider used by multiple banks is hacked. Financial institutions were advised to identify systemic risks from third-party providers.

Recommended improvements to make to third-party risk management programs: Financial institutions are likely very familiar with third-party risk management (TPRM) by now, but inefficiencies in the program could still pose risks. As financial institutions look to improve their programs, there are several best practices to follow. A risk-based approach is crucial to ensure the most efforts go toward the highest risks. Leveraging TPRM software can be a smart strategy to improve efficiency and allocate employees toward more critical functions. Adaptive compliance clauses in third-party contracts can go a long way to ensure compliance changes are quickly reflected without manual contract revisions. Continuous education and training for TPRM staff on emerging risks, regulatory changes, and best practices helps your program stay up to date.  

States adopting insurance AI regulations: Seven states have signed on to AI insurance guidelines from the National Association of Insurance Commissioners (NAIC). The guidelines state that insurers should develop, implement, and maintain a written program for AI usage. This includes third-party AI systems and data. Other states, like California and New York, have chosen to separately regulate AI usage by insurance companies.

Third-party software vendor is hacked, which impacts organizations: Thousands of organizations could be impacted after a software company that provides third-party services was hacked. Sisense, a business analytics software company, is investigating the breach, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has already warned organizations to reset credentials used with Sisense services. Experts say the software supply chain is often an attractive target for cybercriminals because of the downstream impact a single compromise can have on many organizations. It’s not clear yet how many organizations were impacted by the breach.

Microsoft releases April patches: Microsoft security updates remediated 149 flaws. Three were rated critical, 142 were rated important, three were considered moderate, and one was rated low. Two vulnerabilities are under active exploitation. Organizations should continue to implement updates when they’re available. 

CISA proposes a cyber incident rule: CISA proposed a new rule that would require covered entities, including government contractors and suppliers, to report substantial cyber incidents and ransom payments. These incidents would have to be reported within 72 hours of a “reasonable belief” that a cyber incident has occurred. The proposed rule is in a public comment period until June 3.

Recently Added Articles as of April 11

A proposed federal privacy law was introduced in the U.S., DORA compliance is on the horizon for 2025, and third-party operational resilience continues to gain attention. Check out all of this week’s news below. 

B2B third-party risks need to be managed: B2B relationships are important for almost any organization, as they help realize cost savings and expand the organization’s offerings. These relationships also come with risks to manage and mitigate. Regulators in the financial industry have paid particularly close attention to these types of relationships, stepping up enforcement actions. Experts say it’s important to identify the third-party risks and how much data is shared with these partners. Ultimately, by having oversight over B2B partners, organizations can protect their operations and reputation.

Consulting firm is the victim of a data breach and DOJ information is compromised: A third-party consulting firm was recently breached, compromising Medicare numbers and other health information received from the U.S. Department of Justice (DOJ). The information includes names, birthdays, and Medicare health insurance claim numbers. The consulting firm received the information from the DOJ as part of a civil litigation for which the firm was providing services to the DOJ. The breach occurred in 2023, but the firm didn’t receive confirmation of who was impacted until this year.

Organizations should be aware of two SharePoint flaws: Two Microsoft SharePoint flaws could allow cybercriminals to bypass audit logs when downloading files. Since many organizations store sensitive data in SharePoint, they audit events like data downloads. However, the flaws could let attackers download sensitive data without those downloads being audited. Microsoft has added the flaws to its patch backlog, but since the issue is only rated as moderate, it won’t be fixed immediately. Organizations should identify their exposure and monitor for unusually high volumes of activity.

Picking the right vendor to partner with: Choosing a third-party vendor in healthcare is about more than just finding the right product; it’s about finding the right partner to help healthcare organizations deliver services. Vendors should improve processes and experiences, so it’s important to ensure the vendor’s goals align with your organization’s. These partners are actively engaged and offer solutions that fit the organization’s needs. When performing risk assessments on these vendors and partners, it’s important to foster open communication and work together.

Preparing for operational resilience with third parties: Operational resilience has become a key topic among regulators, with new regulations in the EU and UK. Critical third parties play an important role in organizations, but also pose risks to operational resilience. A Software Bill of Materials (SBOM) can also be a helpful component with critical third-party software, as it offers transparency, identifies vulnerabilities, and facilitates compliance. Organizations should follow best practices like continuous monitoring and incident response planning to quickly identify any potential operational disruption and be able to respond quickly. 

U.S. legislators introduce federal data privacy law: The U.S. may finally be on the path to a comprehensive federal data privacy law, with the bipartisan American Privacy Rights Act, which was introduced this week. The draft legislation includes cybersecurity standards to protect personal data and gives enforcement over to the Federal Trade Commission (FTC), states, and consumers. The bill would require organizations to obtain consent before sensitive data is transferred to a third party. It will also minimize the data organizations can collect, keep, and use, give individuals the right to sue organizations, and ban organizations from using personal information to discriminate. Although the bill has a long way to go, experts said this may be the best chance so far for a federal law. 

Education institution's information is compromised in third-party breach: An education institution was recently impacted in a third-party data breach, after a managed services provider was breached. Compromised information includes names and Social Security numbers. 

Steps to evaluate compliance with third-party DORA requirements: Although the Digital Operational Resilience Act (DORA) doesn’t take effect in the EU until 2025, financial institutions should start looking at compliance and operational resilience now. Many institutions already have some sort of framework in place for risk management, but they will still need to review it to ensure it complies with the five pillars of DORA: risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information and intelligence sharing. With the focus on critical third-party providers, institutions will need to review third-party contracts and may need to renegotiate them in order to comply. Institutions should review their processes to identify critical third parties and maintain information on these critical services.

Health department warns of help desk social engineering threats: The U.S. Department of Health and Human Services (HHS) recently warned that IT help desks in healthcare are being increasingly targeted in social engineering schemes. An alert issued by HHS said cybercriminals are calling healthcare organizations pretending to be employees in the finance department. The attackers provide stolen verification details to convince help desk employees to enroll a new device in multi-factor authentication (MFA). From there, the attackers can access employee information, including banking information, to divert payments to themselves. HHS advised healthcare organizations to require callbacks to verify employees, consider requiring in-person requests for sensitive matters, and update training for help desk staff on social engineering.

SEC presses pause on climate-related disclosure rules: The Securities and Exchange Commission (SEC) issued a stay on its final climate-related disclosures. Even with the toned-down final version the SEC approved, nine petitions were filed in several circuit courts of appeal. The lawsuits were consolidated into one and will be held before the U.S. Court of Appeals for the Eighth Circuit. Pending the judicial review, the SEC stayed the final rules. 

FTC regulatory action has focus on healthcare data: The Federal Trade Commission (FTC) released its Privacy and Data Security Update, which called attention to recent activity from the FTC, including with health data and third parties. In healthcare, the FTC has recently cracked down on organizations sharing data with third parties for advertising and has emphasized the importance of third parties deleting improperly disclosed data. As healthcare organizations look to avoid FTC scrutiny, it’s important to have third-party contracts in place that outline data security practices. There should also be processes in place to review the information that goes to third parties through pixels and cookies. 

HTTP/2 vulnerability may impact web servers: A new HTTP/2 flaw has left web servers potentially vulnerable to denial-of-service (DoS) attacks. Attackers can essentially overwhelm the server with a never-ending stream of headers, leading to network crashes or performance degradation. Users should upgrade software to the latest version to help stay secure and potentially disable HTTP/2 temporarily until there’s a fix. 

Recently Added Articles as of April 4

In the news this week, experts provided third-party risk management best practices to keep data secure, tips for managing the software supply chain, and how to establish third-party risk management processes. Check it out below.

Vendor financial troubles lead to surprise surcharge: A voter registration management software vendor increased its charges to Texas counties, catching many by surprise. The vendor said payment delays and mishandling have led to financial issues, although it said it would be financially strong next year. For the time being, Texas customers face a one-time 35% surcharge. Texas counties are worried about the vendor’s financial troubles. Vendor financial issues can take organizations by surprise, so it’s important to continuously monitor vendor financial health before issues arise.

Establishing third-party risk management processes: With increasing geopolitical risks and regulatory expectations, third-party risk management has become increasingly important. A third-party risk management program should closely align to an organization’s overall risk management and appetite. This helps integrate the programs so that they can work together to manage all risks. Roles and responsibilities should also be established and documented. As the processes to manage third-party risk are established, integrating software technology can be extremely helpful to automate risk management tasks. 

How third-party risk management keeps data protected: It’s important to protect data, even when it’s in the hands of a third-party vendor. Experts said that as operations are increasingly outsourced to vendors, third-party risk management should become a top priority. This helps ensure third parties comply with privacy laws and that customer data is safe. Maintaining documentation and establishing third-party policies and procedures are also key components of managing third-party risks.

Managing the software supply chain: Cybercriminals can disrupt an entire supply chain by accessing just one software component, and these attacks are on the rise. Managing the software supply chain can benefit organizations by protecting data, offering visibility into the entire supplier network, ensuring compliance, and protecting reputations. Risk assessments can help organizations identify supplier risks and begin to implement controls to manage the risks. When software supply chain security is a top priority for organizations, risks are better managed. 

Third parties are identified as a top risk: Third parties are a top operational risk, according to a new survey. With increases in third-party cyberattacks leading to third-party service downtime, financial organizations have felt the impacts of concentration risk. Organizations have been forced to rely on a single vendor for multiple services, which can greatly increase risks. As a result, critical third parties are receiving closer inspection to ensure their operational resiliency. And as regulations continue to evolve, this scrutiny will only increase. 

Keeping third-party medical devices secure: Third-party medical devices can often be an easy way for cybercriminals to gain access to hospitals and healthcare systems, so it’s important for healthcare organizations to protect themselves. It can be challenging to keep medical devices up to date and remain compliant with regulations. Healthcare experts say third parties should be held accountable for ensuring medical devices remain secure throughout their lifetime. Third parties should make cybersecurity a top priority for their devices. 

White House releases artificial intelligence policy: The White House Office of Management and Budget (OMB) released the first government-wide policy addressing artificial intelligence (AI) risks. Federal agencies will be required to apply safeguards to assess, test, and monitor AI. If an agency can’t apply the safeguards, the agency must stop using the system. For procurement of AI, agencies must have contracts that protect the rights and safety of the public. Federal agencies will also have to be transparent in the use of AI and have governance in place. 

ChatGPT experiences data breach: A ChatGPT data breach exposed user information. The breach was caused by a bug in an open-source library, and the chatbot was temporarily taken offline to patch the vulnerability. Payment information of 1.2% of users was exposed, as was user chat history data. Affected users have been notified.

Attackers target vendors for zero-day vulnerabilities: Zero-day vulnerabilities are actively exploited by cyberattackers, according to a new report. Many vendors are working to secure software, which is having an impact on the types and numbers of vulnerabilities. However, attackers are increasingly targeting unique vendor products. It’s important to ensure vendors are actively identifying and patching zero-day vulnerabilities. 
