Stay up-to-date on the latest vendor management news. Not only will you learn something, you may discover something to help your third-party risk management program. Below we've listed some notable articles to check out.
Recently Added Articles as of August 26
This week’s top stories include regulatory news concerning the CCPA and a FINRA notice on outsourcing to third parties. Cybersecurity is also a popular topic, as it relates to operational technology and a concern over Samsung’s kill switch feature. A couple of new breaches have hit a Nokia subsidiary, and yet another healthcare organization. We also have an interesting article on the cybersecurity concerns of space tourism. Read on to learn more!
Facility managers show concern over operational cybersecurity: According to a new Honeywell report, operational cybersecurity is a top priority among most surveyed facility managers. Improving operational technology (OT) is also considered to provide the greatest benefit to stakeholders. Despite the need to address this concern, only 44% of respondents have an OT cybersecurity system in place. Experts point out that cybersecurity conversations often focus on IT, but OT cybersecurity is just as important and should be monitored and maintained with the same rigor as an IT system. Facility managers understand the importance of OT cybersecurity, but are lacking in sufficient investments to protect their assets.
Managing your third party’s cyber threats: Not only is it critical to manage internal cybersecurity threats, but also those of your third-party vendors. There are three strategies that organizations can implement to ensure that they’re effectively managing their third party’s cyber risk. First, consider automating your systems. An AI-supported risk platform can help give you a holistic look at your risk environment, while also organizing your vendors by risk and providing real-time monitoring. Second, quantify your risks with tangible numbers. This can speed up the onboarding process and ensures you have an accurate view of your risk data so you can apply the appropriate insight. And, finally, consider how you can improve your agility to simplify the due diligence process. An agile platform allows you to quickly make adjustments in a crisis.
Data breach reported by a Nokia subsidiary: A recent ransomware attack has affected a Nokia subsidiary, SAC Wireless, as reported in their data breach notification. The incident can be traced back to a notice in May, in which the FBI warned of the Conti ransomware gang, which attempted to breach more than 12 healthcare and first responder organizations. The files impacted in the breach contained personal information such as names, social security numbers, government ID numbers and health insurance information. SAC noted that several measures were taken after the incident was identified, including changing firewall rules, disconnecting VPN connections and providing additional employee training. They will also provide free, 24-month Experian identity protection services to customers that were affected.
Microsoft misconfiguration exposes millions of records: American Airlines, New York’s MTA and Ford Motor Co. are just a few of the corporate and government entities that misconfigured their Microsoft settings and, as a result, exposed millions of personal records such as employee information and COVID-19 vaccination data. Cybersecurity firm UpGuard discovered the leak and notified Microsoft, which has since resolved the issue and removed the ability to access the information. Many of the organizations affected by the issue have stated there isn’t any indication that their data was misused. The misconfiguration stems from a privacy setting in Microsoft Power Apps, which was set to off by default. Microsoft has changed the default setting so that the basic templates and design tools will automatically enable this privacy setting.
Samsung’s TV Block raises concerns: Samsung recently revealed a remote feature that is built into all of their TV products to prevent unauthorized use of their devices if they’re stolen. TV Block works to determine if a unit was stolen and will remotely disable it. This works by checking the device’s serial number and comparing it to a list of stolen devices on Samsung’s servers. While this innovative technology has good intentions, it raises the question of what might happen if this is put in the wrong hands.
Vendor risk management how-to overview for IT: When organizations utilize technology providers, special consideration must be given to cybersecurity risks. There are several steps an IT team must perform to ensure a successful vendor risk management program. Among these are identifying all vendors that provide services and defining an acceptable level of risk. It’s also important to identify the most critical risks to your organization and continually monitor these risks over time. Tracking contract terms and conducting regular risk assessments are also good practices to have in place to protect against cybersecurity risk.
Taking cybersecurity to outer space: It may be hard to believe, but space tourism is looking to be a very real possibility in the near future. However, what are the risks that come with this reward? It only makes sense to look at space travel from a cybersecurity perspective when advanced technology is needed to make this type of travel possible. The space and technology industries are closely intertwined, but each may face different challenges according to scale, distance and criticality of functioning systems. The addition of private organizations getting involved with space projects has also widened the playing field for hackers. To protect space tourism and other space projects from cybersecurity risks, there needs to be greater accountability within all areas of critical infrastructure and a collaboration between public and private sectors to perform real-world scenarios and testing. Regulatory agencies will also need to come into play, creating a robust set of cybersecurity standards.
Federal ruling for CCPA defines company as “business”: A federal judge’s interpretation of the CCPA concluded that California data broker Blackbaud Inc. is a for-profit company, and therefore Blackbaud can be defined as a business under the law. Two important findings that factored into this decision were that Blackbaud was registered under a California law that used the same “business” definition as the CCPA, and that it had used consumer data to test and improve the company’s services. This ruling is significant because it shows that the CCPA is being broadly interpreted, leaning toward consumer protection, and it sets a threshold for California Confidentiality of Medical Information Act (CMIA) claims.
UNM Health breach impacts over 600,000: A recent announcement from the University of New Mexico (UNM) Health revealed that they suffered a data breach that may have exposed sensitive data of over 600,000 patients. An unauthorized third party gained access to their network in May which was discovered a month later in June. Names, medical records and patient ID numbers may have been obtained, but the electronic health records (EHR) system wasn’t affected. UNM Health began notifying impacted patients in early August and has encouraged them to review their insurance statements. They also noted that it wasn’t clear whether ransomware was involved.
Geopolitical risk is more impactful than cyber and ESG: It may be a bold claim, but geopolitical risk is apparently number one when it comes to global corporate risk. Geopolitical cyber events are increasing, as tensions surrounding political and civil issues remain high around the world. Things like immigration can limit talent and key skillsets, while trade conflicts and tariffs can impact supply chains. So, what can organizations do now to combat these risks? First, take steps to strengthen your third-party risk management program. Proper due diligence can go a long way to ensure you’re not associating with harmful vendors. Second, take a holistic look at risk by appointing a chief risk officer to the executive level. Finally, establish targeted actions from your risk data. Technology can be used to create a contextual view of the risk environment, which is needed to make better decisions.
5 best practices for board risk reports: Risk reports are a valuable tool for board decision making, so it’s essential to use an effective strategy when developing them. The reports should be general and high level to prompt a discussion on how to proceed. However, don’t plagiarize other top risk reports that may not be relevant to your organization. Identify the actions that are already in place and bring focus to the priorities needed moving forward. Finally, don’t be afraid to use visuals and break up the text to keep the reports easily digestible.
Partnership between healthcare and third-party cyber risk: The healthcare industry is different from many other industries, as third parties supply most of the components within its infrastructure. As a result, this produces a greater attack surface that can be vulnerable to cyberattacks. A recent study found that the average healthcare organization had about 2,000 vendors, many of which weren’t assessed for risk because it was unclear where critical information resided. Irrelevant assessments and antiquated tools were other reasons for this disconnect. The main takeaway is that risk analysts need to change their approach to third-party risk management within the healthcare industry. It’s imperative to understand and measure the entire risk environment, while also helping vendors address their vulnerabilities. Third-party risk management should also be treated as a cross-functional process, rather than a departmental task list.
Fraud actors thriving during COVID-19: While many law-abiding citizens are simply trying to survive the pandemic, many fraud actors are thriving and improving their skills. The pandemic caused a massive shift in how organizations operate, which then gave criminals a new bundle of fraud opportunities. There have been numerous reports of fraud within pandemic-related programs, like the Paycheck Protection Program, Economic Injury Disaster Loan and unemployment insurance programs, with criminals stealing benefits meant for legitimate applicants. Identity theft has also been on the rise during the pandemic, with many victims reporting stolen stimulus benefits. To prepare for this new generation of fraud actors, it’s recommended to update fraud awareness training, enhance fraud risk assessment and update anti-fraud technology. It’s also worth going back to the risk management fundamentals of governance, risk assessment, controls, investigation and ongoing monitoring.
FINRA notice gives firms a reminder on outsourcing: In case you need a reminder, FINRA’s Regulatory Notice 21-29 is a must read for firms that want to brush up on their supervisory obligations for third-party vendors. Some of the highlights include the need to determine if their vendors meet registration requirements and review their cybersecurity programs and controls to ensure they’re consistent with SEC Regulation S-P Rule 30. Firms are also encouraged to review their business continuity plans as they relate to their vendors. The notice also provides questions regarding due diligence and vendor contracts to help evaluate the efficacy of their vendor management programs.
Growing risks and challenges of healthcare cybersecurity: A prominent emergency room physician outlines some of the growing healthcare cyber threats in this informative article. Keeping data secure is especially difficult in the healthcare industry because of the constant movement of healthcare workers. Doctors and nurses move between shared workstations and hold many system privileges. Cyberattacks also have a higher cost in healthcare because they can potentially affect a patient’s health or life. There’s also an important need to keep the balance between data availability and data protection. Effective technology can play a role in protecting healthcare systems, such as implementing multi-factor authentication. However, one issue remains troubling. There’s no easy answer for how to deal with ransomware, because paying a ransom for critical data will continue to encourage more of this activity.
FFIEC releases statement on information security: The OCC and Federal Financial Institutions Examination Council (FFIEC) recently issued guidance on authentication and financial institution services and systems access. This comes as a response to the continued cybersecurity threat in the finance industry. Some of the highlights include a description of the current threat landscape and the importance of using risk assessments to determine the appropriate access and authentication practices. The guidance also provides some control examples that can be used to address email system and internet browser risks.
Recently Added Articles as of August 19
Regulators have been keeping busy with the release of a new OCC booklet and a new “tech sprint” challenge by the FDIC. Globally, EU regulators are addressing ESG issues with due diligence requirements. And, we have a breakdown of data breach and cybersecurity law updates. There’s also news of a T-Mobile data breach and an attack on Israeli supply chains. Also, read on to learn more if you need a helpful guide to discuss third-party risk with your vendors.
OCC releases a new Model Risk Management booklet: The OCC’s Comptroller's Handbook is getting an update with the release of the “Model Risk Management” booklet which is used in connection with the examination and supervision of banks, including community banks. The booklet is a part of the Safety and Soundness series and contains a few important highlights including the concepts and principles of model risk management and practices that should be assessed during an examination. To download the full booklet, click here.
Supply chain attacks hit Israeli organizations: Iranian hackers were behind the recent supply chain attack directed at Israeli IT and communication companies. The incident involved threat actors impersonating HR personnel with fake job offers and leading targets to a phishing website which would open a backdoor and download a remote access trojan. The focus on IT and communication organizations suggests that this is intended to disrupt Israel’s supply chain. Israeli researchers noted that this campaign is similar to one carried out by North Korea, with impersonation being the main method of attack.
Soft skills in cybersecurity may increase diversity: Some cybersecurity professionals are supporting the idea of hiring soft-skilled workers to fill the labor shortage within the industry, a move that would also increase diversity. A recent report by the Enterprise Strategy Group (ESG) showed that 95% of respondents agreed that the shortage of cybersecurity skills hasn’t improved over the past few years. Paying candidates for results, rather than effort, may help address this issue. It’s also worth noting that traditional paths through education and certification may not be required if candidates have the essential soft skills needed. One of these skills is the ability to bridge the gap between technical and executive teams. An emphasis on cultural fit is another idea that may hinder diversity within the industry. Flexible work arrangements can attract suitable candidates from all different backgrounds.
T-Mobile confirmed a breach, but didn't confirm data theft: Wireless provider T-Mobile is investigating claims that the data of over 100 million users has been stolen as retaliation for the apparent kidnapping and torture of John Erin Binns. The claims were made on an underground forum, Motherboard, where the hacker claims to possess social security numbers, phone numbers and driver’s license information. The hacker is asking for 6 bitcoin in exchange for 30 million social security numbers and driver’s licenses, while the rest will be privately sold. T-Mobile acknowledged the unauthorized access, but has yet to confirm whether customer data was involved. It’s believed that one of T-Mobile’s suppliers is responsible for the breach, which should serve as another reminder of the importance of third-party risk management.
Dependence on third parties increases vulnerabilities: As organizations continue to rely on third-party partners, they should also be aware of their vulnerability to cyberattacks. A recent survey found that respondents generally agreed that better data security systems are needed to prevent third-party remote attacks, and there isn’t a lot of confidence in the U.S. government’s ability to protect the public from them. There also was a lack of confidence in the security of the oil, gas and utilities industries, with some believing that the financial services and retail industries are slightly better at protecting against cybersecurity attacks. These vulnerabilities are generally coming from an organization’s lack of automated and effective methods to track and manage third-party relationships, so it’s critical to properly identify each third party and understand who has access to sensitive data.
Tech sprint will measure resilience to disruptions: Financial institutions insured by the Federal Deposit Insurance Corporation (FDIC) will have an opportunity to identify solutions that can be used to measure and test resilience through a major disruption. This “tech sprint” challenge will ideally help the FDIC improve resilience within the financial industry, as they deal with a growing number of threats to their systems, operations and people. Registration for the program will open soon and interested parties can read more details here.
Antivirus giants merge into one: NortonLifeLock and Avast have recently announced a merger, detailed in this press release. While Norton identifies as a leader in cyber safety, Avast has a focus on digital security and privacy. This merger is expected to bring many benefits to the current cybersecurity environment; 500 million users will see an acceleration of the transformation of consumer cyber safety and a stronger geographic diversification and expansion into the SOHO/VSB segments. The new merger also expects to see new innovation and growth from a new reinvestment capacity. While Avast’s current offerings are free, it’s unknown if this will continue.
EU’s new legislation addresses ESG due diligence: The environmental, social and corporate governance (ESG) legislation introduced by the EU Parliament in March 2021 is expected to be adopted by 2022 and will impose new due diligence requirements on organizations established or operating in the European Union. These new requirements were proposed because voluntary due diligence has apparently not been effective enough to combat issues like child labor, pollution or corruption. The legislation does have some limitations, and will only apply to large companies, publicly listed small and medium enterprises (SMEs), other SMEs at high risk of ESG issues and organizations that provide financial services and products. Third-party “stakeholders” will be given extensive rights of consultation and accountability and may also anonymously raise concerns with competent national authorities. The legislation can be found here.
Breakdown of supply chain attacks: Local governments are seeing the growing threat of cyberattacks, but are still overlooking those that affect supply chains. The Kaseya breach in July 2021 highlighted the widespread effects that can come from these attacks, so local governments need to gain a better understanding of how they operate and how to protect against them. A supply chain attack originates through a third-party service, like network monitoring tools or accounting software. The attacker can then gain access to a system and encrypt data for ransom or infiltrate the software company’s infrastructure to modify it and include backdoors after it’s installed. Supply chain attacks are often worse than traditional data breaches because they are more difficult to detect and allow the attacker a higher level of access. Prevention is essential when protecting against these types of attacks, so local governments can take several measures such as limiting the number of privileged accounts and ensuring that third-party partners are required to give breach notifications.
Update on state data breach and cybersecurity laws: As a result of the many data breaches we seem to hear about every day, many states are responding with tighter cybersecurity laws. Connecticut recently enacted P.A. 21-119 (H.B. 6607), which provides limited protection to entities that comply with an “industry recognized” cybersecurity program. Under Connecticut law, these entities cannot be liable for punitive damages. The state also expanded the definition of personal data under H.B. 5310, which now includes various identifiers like social security numbers, passport numbers and medical information when used in combination with a first name or first initial and last name. Texas’s H.B. 3746 will now require that notifications include the number of affected individuals that received a disclosure, and Mississippi’s H.B. 277 adds tribal identification card numbers to their definition of personal information. Nineteen states have also adopted a version of the Insurance Data Security Model Law (MDL-668).
Ransomware attack costs Scripps $113 million: Scripps Health reported that a recent ransomware attack has cost them nearly $113 million, which includes $91.6 million in lost revenue that stemmed from lower patient volumes and delay of optional surgeries. The nonprofit detailed their immediate actions after discovering the incident, such as shutting down their systems, performing emergency downtime procedures and notifying authorities. Scripps is also facing several proposed class action lawsuits in the aftermath of the attack. Insurance and law experts are highlighting the need for organizations to be better prepared for ransomware attacks. Cyber insurance policies can help to lessen the financial impact and often cover third parties.
A better third-party risk discussion: The infamous SolarWinds data breach initiated many awkward, but necessary, conversations between organizations and IT supply chains. It’s now expected that vendors should be transparent about any vulnerabilities to earn and maintain their clients’ trust. Organizations can be better prepared for these conversations by focusing on the right topics. First, bring focus on the people and processes involved in securing your data. Procedures should be clearly defined and detailed, so your third parties understand how to engage. Second, utilize questionnaires to gain a better understanding of the third party’s capabilities and risks. Third, consider utilizing third-party risk assessment service providers who can analyze the vendor and mitigate any risks to avoid future incidents. Your third-party vendors can benefit from this unified solution to secure your network.
What to know before choosing cyber insurance: As most are already aware, ransomware attacks are increasing and show no sign of slowing down. Many organizations will turn to cybersecurity insurance as an added layer of protection, although it may incentivize more attacks because U.S. law hasn't yet banned ransomware payments altogether. Internal and external cybersecurity experts should possess specific knowledge and experience to remediate ransomware incidents. Similarly, cyber insurance providers should be thoroughly vetted to make sure they understand your organization’s risk profile. It also helps to know if the insurance provider is knowledgeable about your specific industry. Prevention is the best method when dealing with ransomware, so it’s important to take proactive steps such as training employees on how to identify and report weak security controls and automating policies to quickly address an incident.
Environmental marketing claims will see regulatory changes: As organizations have been shifting towards a greater focus on environmental concerns, there has also been an increase in risks associated with false or deceptive marketing claims. The U.S. Federal Trade Commission (FTC) recently indicated that it will review and revise its Guides for the Use of Environmental Marketing Claims (Green Guides) in 2022, an action that aligns with other global trends, including the EU’s pending initiative that will mandate proof of environmental claims. The FTC hasn’t specified any areas of focus, but may revisit terms such as sustainable, organic and natural, which weren’t covered in the 2012 revision of the Green Guides. Other terms such as recyclable, reusable, renewables and net zero may also be reviewed. Enforcement or liability from such claims may come forth from the National Advertising Division, federal agencies like the FTC or U.S. Department of Agriculture, or even state and private party lawsuits. Business leaders should be aware of the different types of claims they may face around areas like sustainability, climate change and carbon, recyclability and compostability, non-toxic, organic and product origin.
Internal IT no longer sufficient for cybersecurity in higher education: Small to mid-size colleges and universities should begin to realize that the increasing threat of ransomware attacks is beyond the scope of what their internal IT teams can handle. The sophisticated threats of today’s cybersecurity environment require more funding and specialized skills than what’s typically available in these internal teams. Recent studies have shown that ransomware events targeting colleges and universities doubled from 2019 to 2020, and the cost of these attacks increased 171%. It’s recommended that these higher education institutions practice consistent monitoring, auditing and reporting, which will allow them to quickly identify gaps in their protection. Cybersecurity insurance is another factor to consider, especially for smaller organizations. Overall, investing in specialized cybersecurity support within an organization’s enterprise risk management (ERM) should carry equal importance with enrollment management and academic excellence.
History’s 5 significant data breaches: A recent study by Tessian and Stanford University revealed that 88% of the data breaches in 2020 were caused by human error and not deliberate acts by cybercriminals. This article details some of the biggest, or most embarrassing, data breaches throughout history. Taking the number one spot on this list is the identity theft of LifeLock CEO Todd Davis, which eventually led to a $12 million fine by the Federal Trade Commission for deceptive advertising. FriendFinder Networks suffered a significant data breach in 2016, in which over 400 million records were compromised, and Yahoo makes the list for holding the record for the biggest data breach ever (3 billion accounts in 2013). Boeing had one of the longest-running breaches, when 250,000 pages of sensitive documents were stolen between 1976 and 2006. And, nearly every Swedish citizen was affected by a government data leak caused by the Swedish Transport System.
Recently Added Articles as of August 12
New guidelines from the FFIEC top the headlines this week, which detail best practices for authentication and user access. Cybersecurity attacks are also in the news, most notably with the Poly Network heist. The healthcare industry continues to see data breaches and Apple’s new Expanded Protections for Children is facing some serious backlash. Read on to discover the latest in cybersecurity, regulations and risk management.
Authentication and access guidance released by the FFIEC: New guidance has been released by the Federal Financial Institutions Examination Council (FFIEC) with best practices for customers, employees and third parties who access digital banking services. A few of the highlights include the current cybersecurity threat environment related to remote access and the importance of multi-factor authentication in mitigating risks. It also emphasizes the importance of a financial institution’s risk assessment when determining the appropriate access and authentication practices. The report provides authentication control examples and a list of government and industry resources to use when reviewing authentication and access management. Read the full guidance here.
$600 million in cryptocurrencies is stolen from a Chinese platform: China-based Poly Network seems to be the victim of one of the largest thefts targeting the digital asset industry. The cross-chain decentralized finance (DeFi) platform disclosed that unidentified actors exploited a vulnerability within their system and stole Binance Chain, Ethereum and Polygon assets. They urged miners of the affected blockchains to blocklist tokens coming from a few selected addresses. The Poly team even issued a letter to the hackers, with a plea to open communication with them and return the assets. Recent updates reveal that the hackers created a token called “The hacker is ready to surrender” and have so far returned a portion of the funds.
Banks may face material risk from systemic cyberattacks: A new report finds that U.S. banks can face additional costs from a systemic cyberattack, including data restoration, investigation and response, regulatory fines and reputational damage. Cyber insurance can help mitigate some of these additional costs, but it should be noted that a single incident at a critical third- or fourth-party vendor can significantly interrupt an organization’s operations and lead to major losses. The report focused on “single points of failure” (SPoF), which are a type of technology that a bank has identified as interconnected and dependent. When a particular SPoF is attacked, like an operating system or cloud service provider, there may be lasting impacts on connected banks.
New Jersey diagnostic lab faces email cyberattack: Employee email accounts at A2Z Diagnostics, LLC were recently accessed by unauthorized third parties, according to a data breach notice. The breach occurred between February and April 2021, in which protected health information (PHI) was exposed via employee emails. A2Z found no evidence that the data was misused, but began sending notification letters to affected individuals on July 28. Individuals are encouraged to monitor their insurance statements for suspicious transactions related to care that hasn’t been received. As a result of the breach, A2Z has enhanced its multi-factor authentication software among other measures.
Pandemic highlights the need for health record standards: It’s time for “reasonable” cybersecurity requirements in the healthcare industry, according to an op-ed in the Journal of AHIMA. The prevalence and complexity of healthcare-related electronic information continued to rise during the pandemic, as did the passing of state privacy laws. Healthcare providers should therefore be aware of the actions they need to take when creating, storing, transmitting and handling personal electronic information in order to avoid liability. The op-ed uses the New York SHIELD Act as a guideline, which requires that a person/business implements a data security program. Both technical and physical requirements are mentioned including assessing the risks in storing and transmitting data and protections against unauthorized access.
Increase in healthcare data breaches during pandemic: Yet another report has revealed the pandemic’s effect on healthcare cybersecurity. Constella Intelligence recently released a press release in which they detailed their findings regarding a 51% increase in healthcare data breaches and leaks in 2020. A whopping 8,000 breaches containing over 12 billion records were recorded last year. In addition to the increased cost of personally identifiable information (PII) on the dark web, there were other vulnerabilities discovered directly related to COVID-19, including fraudulent vaccines and vaccine certificates. The main takeaway from the report shows how criminals are becoming skilled in exploiting fragile global situations.
Health insurer’s third-party vendor faces a data breach: A third-party data breach has exposed the protected health information (PHI) of Renaissance Life & Health Insurance Company of America’s policyholders. Renaissance disclosed the breach in a press release which stated that its third-party vendor, Secure Administrative Solutions LLC (SAS), reported the incident on June 1, after discovering unauthorized access in March and April. The stolen information included policy numbers, dates of birth and addresses and was ultimately destroyed by the unidentified actor. SAS has since investigated the incident with cybersecurity specialists and has implemented additional controls such as rebuilding the infected servers, changing all system and user passwords and providing additional training on the new security practices.
Encryption backdoor feared over Apple photo scan: The debate between privacy and safety is longstanding, often making headlines when big tech makes an announcement. Apple’s recent safety measure titled Expanded Protections for Children was created with the intention of fighting child sexual abuse material (CSAM). The plan outlines the details in which a user’s photos will be scanned and encrypted to compare them against existing CSAM. While this is obviously a well-intentioned idea, critics are understandably worried about what may happen if this tool were to be used in the wrong hands, essentially providing an encryption backdoor for the U.S. or other global authorities. An open letter against this new technology gained over 4,000 signatures from various security and legal experts. If and when this technology is implemented, Apple will likely help pave the way for additional surveillance and digital authoritarianism.
Amazon vulnerability discovered by Israeli cybersecurity firm: A security flaw was recently discovered and closed in Amazon’s Kindle devices. The vulnerability would have allowed hackers to breach a device by sending the user a malicious eBook. Sensitive information, like Amazon credentials or billing information, could have been exposed through the flaw. The vulnerability was especially worrisome because it would’ve enabled a targeted attack against a certain demographic by releasing the eBook in a specified language. The cybersecurity firm also emphasized that any internet of things (IoT) device is subject to the same attacks as computers.
Electronic conversations at risk for “Glowworm” attacks: In a story that seems to be straight out of a sci-fi novel, researchers have discovered a way in which the LEDs on speakers can be used to recover audio. A team at Ben-Gurion University of the Negev used an optical telescope to capture the fluctuations in an LED’s output and ran the signal through an analog-to-digital converter so it could be played back. This Glowworm attack requires no active signaling and is novel and passive in its method. However, most users don’t need to worry about this type of attack, as it can’t interact with actual audio, nor can it capture the audio of the individual who’s listening to the speaker.
No more excuses for lack of cybersecurity awareness: In the early days of digitization, non-technical business leaders may have been able to outsource their cybersecurity, often relying on a single “tech guy” to protect their networks. Times are changing and organizations of all sizes and industries need to better educate themselves on cybersecurity practices. Some experts believe that cybersecurity should be a part of a well-rounded education model, similar to reading and writing in school. Ransomware attacks often pursue small and medium-sized organizations because attackers know they’re less sophisticated than the larger organizations with more robust cybersecurity programs. Overall, cybersecurity education needs more attention and business operations need to be fundamentally restructured in order to lay the foundation for a more secure future.
PHI of Illinois patients and healthcare staff exposed in a malware attack: Both patients and healthcare staff were the victims of a recent malware attack that hit Dynamic Health Care, Inc. (DHC) of Illinois. A July 16 data incident notice revealed that malware was found on its systems back in November 2020. DHC determined that the unauthorized actor might have acquired protected health information in January 2021, including names, dates of birth, social security numbers and nursing care facility names. In response to the attack, DHC is mailing notice letters to individuals who were affected and will be improving its cybersecurity efforts through additional employee training and education.
The benefits and challenges of commercial outsourcing: The benefits of outsourcing can be plentiful, as organizations can increase their operational efficiencies. However, they can also see increased risk and decreasing profits when outsourcing isn’t performed well. Both large and small organizations can benefit from outsourcing, whether they take a one-stop-shop approach in finding a single vendor to provide the needed products or services, or select vendors’ offerings a la carte. The advantages can include speedy expertise when needed and incorporating an already designed and pre-tested product within a system. Smaller companies can especially profit from outsourcing, as it gives them the capabilities of a much larger organization, while also allowing them to quickly pivot in a new direction when needed. Although commercial outsourcing can bring great value and opportunities to organizations, vendor selection and vendor management can't be outsourced. Internal talent is still needed to determine the best vendor for the job, and it’s important to ensure that the organization has the right processes and governance in place to manage the relationship. Also, the metrics for measuring success should be qualitative, quantitative and unique to the organization, and therefore can't be outsourced.
Healthcare systems still challenged with cybersecurity: Despite the advances in healthcare technology, many hospitals still struggle with basic IT security within their supply chain systems. A recent report by a cybersecurity consulting firm revealed the findings after reviewing almost 100 healthcare assessments against the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Supply chain management was the second-lowest scoring category, with only 23% of organizations making a passing grade. In particular, there’s been a struggle to confirm whether healthcare organizations’ third-party vendors are in compliance with contractual security requirements. There are four major improvements suggested in the report. Organizations should perform exercises and drills at the enterprise level while also focusing on automating and validating. Securing the supply chain is another important factor, and it’s also recommended to improve organizational awareness and training on security goals.
Chief Audit Officers are asking these four questions: The pandemic has brought about increased scrutiny on the resiliency of third-party risk management programs. Supply chain vulnerabilities have also been a top concern. Due to this, internal auditors are bringing their focus to a few specific areas. First, they’re looking at fourth-party risk, which has been easier to identify since third parties are now required to disclose their significant vendors. It’s generally a good idea to audit at least to the level of your fourth parties to ensure regulatory compliance. Second, they're looking to strengthen the resiliency of their organization by taking a holistic view of their vendor relationships. Concentration risk is another area of focus for auditors, who are now considering the potential benefit of diversifying their suppliers. Finally, the risk level of critical third parties will likely remain a top priority, with a need to continuously track and monitor these vendors who are essential to an organization’s safety, resilience and integrity.
Highlights from a Senate hearing on banking priorities: The Senate heard from the FDIC and OCC regarding banking priorities and challenges during a recent hearing. The OCC’s Acting Comptroller emphasized the urgency of climate change risk in the financial industry, while the FDIC Chair spoke to the agency’s efforts on consumer protection and the supervisory process. COVID-19 provisions were also included in the FDIC Chair’s statements, particularly regarding curbside and in-home services and online and mobile services. Senator Brown’s statements advocated for no-fee bank accounts and for closing the regulatory gaps that don’t require fintechs to adhere to bank and credit union rules. There was also some criticism from Committee Ranking Member Toomey, who stated that certain actions by the OCC were political and unrelated to risk assessment, especially regarding the agency’s inclusion in the Network for Greening the Financial System.
Recently Added Articles as of August 5
To kick off the month of August, cybersecurity and climate change are hot topics in Washington, as the SEC proposes mandatory climate disclosures and the Senate reveals that America’s data is still at risk. GDPR violations lead to a huge potential fine for Amazon and the FBI issued a fraud alert for investors. There’s also an interesting theory on how ransomware attacks can actually benefit consumers. Read on to discover all the headlines that are making news in third-party risk management.
Ransomware threats require vendor ongoing monitoring: A false sense of security that comes from initial vendor due diligence has caused many organizations to let down their guard against the threat of ransomware attacks on their supply chains. When critical third-party suppliers are helping to generate revenue, they should be held to the same strict standards as an internal security team. It’s recommended that third-party risk management programs implement best practices from NIST and ISO guidelines. This can include things like regular audits, third-party incident response plans and restricted and limited access processes. Surprisingly, organizations have time on their side when it comes to patching vulnerabilities, because most attacks today are neither highly sophisticated nor zero-day attacks. However, security experts are seeing an emerging trend of hackers working together to deploy more sophisticated and faster ransomware attacks.
SEC proposes mandatory climate risk disclosures: The SEC is getting closer to establishing a framework regarding climate risk disclosures, which is expected to be finalized by the end of 2021. SEC Chair Gary Gensler recently outlined some disclosure considerations, which include location, types of descriptions, types of comparable measures, industry-specific metrics, scenario analysis, jurisdictional factors and external standards. Gensler emphasized that the SEC framework for climate risk disclosures will be developed so it’s appropriate for U.S. markets. The prepared remarks made by Gensler can be found here.
Senate issues a warning about weak federal cybersecurity: The report card is in for federal agencies that are responsible for protecting the personal data of millions of Americans. The aptly titled Federal Cybersecurity: America’s Data Still at Risk gives a C- for not living up to federally mandated standards. It accuses eight different agencies of using outdated systems and ignoring mandatory security patches. They’re also accused of failing to protect sensitive data like social security numbers, credit card numbers and dates of birth. The Department of Homeland Security has established an effective InfoSec program since a 2019 audit, but the Department of Transportation, Department of Education and Social Security Administration showed little sign of improvement during the same time. The investigators have recommended that Congress update the Federal Information Security Modernization Act of 2014 and require that federal agencies and contractors notify the Cybersecurity and Infrastructure Security Agency in the event of a breach.
Inadequate third-party due diligence leads to $41 million fine: In case you need another reminder about the importance of third-party due diligence, the SEC and DOJ recently announced that engineering firm Foster Wheeler would have to pay $41 million for violations of the Foreign Corrupt Practices Act (FCPA). Foster Wheeler not only admitted to participation in a bribery scheme, but also allowed a third-party agent to continue work on a project, despite failing the firm’s due diligence process. Over $1 million in bribes were paid to third-party agents to secure a contract that resulted in at least $12.9 million in profits. In addition to the hefty fine, other actions include termination of some employees and the requirement of an enhanced compliance program.
How consumers can benefit from ransomware attacks: It may be difficult to believe, but there may actually be a silver lining to all of these ransomware attacks... at least if you’re a consumer. Traditional data breaches have left consumers paying the ultimate price for organizations’ relaxed security measures, as their personal information is forever exposed. However, ransomware attacks are directed towards the organizations themselves, forcing them to be more proactive in defending against these threats to prevent paying these cybercriminals. Improved cybersecurity measures can include continuous employee training and implementing restrictions on apps and software to only those that are needed for work. Patching vulnerabilities quickly and backing up data are also obvious but valuable practices that will help protect against ransomware attacks. As organizations continue to see the gravity of ransomware attacks that affect their bottom lines, consumers will ultimately reap the benefits of better security around their data.
Overview of new Colorado Privacy Act: The new Colorado Privacy Act (CPA) was recently signed into law and will become effective on July 1, 2023. Overall, the CPA mirrors Virginia’s Consumer Data Protection Act (VCDPA) while also taking some aspects from the GDPR and California’s Consumer Privacy Act and Consumer Privacy Rights Act. Employee data and business to business data collection aren't covered under the CPA, but consumers will have the right to access, delete and make corrections to their personal data that was obtained by covered businesses. They'll also have the right to opt out of having their data used in targeted advertising, but won't have a private right of action. Dozens of other states have introduced data protection laws, most recently Ohio with its Ohio Personal Privacy Act.
FBI and SEC issue a warning about fraudulent brokers and advisers: Investors should be aware of criminals impersonating registered investment professionals, according to a recent fraud alert. These scammers are using fake sites and social media profiles, falsified documents and even cold calling to lure their victims. Investors are advised to confirm whether these individuals are registered with the Investor.gov search tool and reach out to the seller with independently verified contact information from the firm’s Form CRS. Beware of certain warning signs such as a guaranteed high investment return, an unsolicited offer or any red flags in payment methods like credit cards, cryptocurrencies, wire transfers and checks.
Amazon’s alleged GDPR violations lead to an $888 million fine: Amazon’s recent 10-Q Form for quarter two revealed some interesting findings, most notably a steep fine issued by the Luxembourg National Commission for Data Protection (CNPD). Amazon intends to “vigorously” defend itself against the claims that are “without merit.” The CNPD decision comes after a 2018 investigation by a French privacy group which filed complaints against several large tech firms to ensure that European consumer data isn’t used for commercial or political purposes.
America’s cybersecurity efforts aren't enough: This year, the U.S. has already seen some pretty significant ransomware attacks on critical infrastructure, such as the ones on Colonial Pipeline and JBS Foods. With these ransomware attacks continuing to rise in occurrence and cost, many are asking if the U.S. is doing enough to prevent them. The Biden administration’s executive order was an important step in addressing these concerns, but some experts think that the guidelines are simply the bare minimum of what should be done. Additionally, the government can't enforce certain guidelines on the private sector unless they’re officially incorporated into procurement or other contractual requirements. Better information sharing through mandatory disclosures is another aspect that can help modernize the government’s cybersecurity efforts. Building more secure and resilient networks will take time, but it’s a worthy and necessary effort that our supply chains need.
Soaring costs of healthcare data breaches: Ponemon Institute’s recent 2021 Cost of a Data Breach Report detailed how the healthcare industry has faced rising costs of data breaches from the pandemic. The average cost of a healthcare data breach is higher than in any other sector, at $9.23 million per incident, an increase of $2 million since the previous year. Healthcare also dealt with significant operational changes, along with retail, hospitality and manufacturing. The costs from a data breach encompass legal and regulatory risk and loss of brand equity and customers. Loss of employee productivity can also influence overall cost. Another interesting finding from the report states that the U.S., Middle East and Canada suffer from the most expensive breaches. The report also identifies stolen credentials as the number one cause.
Clerk-treasurer causes a cybersecurity false alarm: An IT director in Indiana believed he was preventing an active cybersecurity breach in Clerk-Treasurer Cindy Gossard’s office, only to discover that the activities were the result of a third-party contractor that was hired by Gossard, but unapproved by the city. The event adds to the ongoing feud in which Gossard accused the city of using spyware on her office computers. Laptops in the clerk-treasurer’s office were running an unknown software and copying hard drives, prompting the IT director to report a breach. The story gets even more interesting when the director seized the unknown computers to stop the breach, after which the third-party contractor threatened to press charges against him for theft. City attorneys are calling Gossard’s acts “unprecedented” for disregarding the security of the city’s data.
Supply chain task force addresses vulnerabilities: The House Armed Services Committee recently released a final report, which details its recommendations for the Defense Department to secure America’s supply chains and reduce the dependence on adversarial critical manufacturing. The report will also be incorporated into the 2022 National Defense Authorization Act (NDAA), specifically in the form of six recommended legislative proposals regarding supply chain risk management, auditing, diversification and improving international partnerships. Congress and the White House also received a few suggestions pertaining to the Pentagon’s Defense Production Act (DPA), which would remove spending limits and permit the transfer of funds to the DPA to expedite reaction times during a crisis.
OCC appoints new Climate Change Risk Officer: Climate change is continuing to be an ongoing topic throughout Washington, even in the financial sector. The OCC recently announced Darrin Benhart as the new Climate Change Risk Officer and its membership in the Network of Central Banks and Supervisors for Greening the Financial System (NGFS). The Acting Comptroller of the Currency revealed that these changes will enable the agency to expedite the development and adoption of climate change risk management practices. The OCC’s involvement with the NGFS will also allow it to collaborate with central banks and share best practices to develop climate risk management as it relates to the financial sector.