August 2022 Vendor Management News

Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of August 25

This week, we’re taking a deeper look at third-party cybersecurity risks, the role your data has in shaping your organization’s future, and how you can protect your organization from malicious actors. There’s plenty of tips to make your third-party risk management and security more effective, so be sure to check it out!

The importance of maintaining and protecting your data: There has been a lot of discussion lately around cybersecurity, how to protect your data, and preventing data breaches. But, why is data so important? According to leading executives and business leaders, data is the lifeblood of your company and the tool that allows leaders to make key decisions, navigate business operations, and analyze consumer behavior. By gathering and protecting data, you can create stronger business foundations and informed business decisions.

What is data exfiltration and how can you protect your organization?: Hackers have continued to create new types of cyberattacks and campaigns to target victims and steal data. Experts have identified a method called data exfiltration in which hackers steal data and extort the victim by threatening to publicize or sell the stolen information if their demands aren't met. To defend against these attacks, cybersecurity experts suggest implementing anti-malware software, creating better security processes, and updating systems with the newest updates to address weaknesses.

Hackers use malware to steal data through email accounts: In a series of cyberattacks, criminals have been able to infiltrate a victim’s email and steal information directly from their accounts. As cyberattacks continue to become sophisticated and evolve, it's important for you and your employees to remain educated on the ways to identify and report suspected cyberattacks, so that you can protect your sensitive data and private information.

Vulnerability in Google Chrome identified: Researchers found a bug in Google Chrome’s code, called CVE-2022-2587. Since its discovery, Google released a patch to fix the weakness.

Business leaders say that cyberattacks are a primary risk: In a survey conducted to find out what areas are top concerns for business leaders, a large number of executives feel that cyberattacks are a top risk. In response, many business leaders have turned to find new ways to improve cybersecurity measures and invest into digital technology. These opinions reflect the shifting attitude towards the importance of cybersecurity as many regulatory departments have also released updates guidance regarding cybersecurity over the past several months.

Understanding the threat of third-party data breaches: As companies continue to outsource products and services through the supply chain, it's important to understand what third-party data breaches are and how to mitigate third-party cybersecurity risks. Hackers have been targeting networks and vulnerabilities in third-party organizations to gain access to networks through the supply chain. To protect against these attacks, you should assess your vendors and their cybersecurity practices to identify any hidden risks and address concerns before a data breach occurs.

CISA identifies vulnerability in PAN-OS network: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a vulnerability in the PAN-OS network which allows hackers remote access with authentication. This weakness, called CVE-2022-0028, has been exploited in at least one known cyberattack, so users should work to update their devices to include the updated patch.

Third-party cybersecurity attacks pose new threats: With the evolution of new technologies, and the reliance on cloud service providers and supply chain vendors, third-party attacks have introduced new threats for many organizations. Within the past several months, we’ve witnessed several large-scale cyberattacks, leaving organizations with severe damages to their reputation, operations, and information security – and these attacks aren’t going away. To protect your organization from third-party attacks, it's necessary to implement effective third-party risk management processes and work to improve security.

Hackers take responsibility for recent cyberattack: A group of ransomware hackers, called LockBit, has come forward to take responsibility for a recent cyberattack which successfully compromised data from a cybersecurity vendor. While it's reported that the breach only affected internal operations, it raises these questions: Are your third-parties vendors secure? How can you work to better protect your organization from third-party data breaches?

FDIC takes action against false and misleading claims: The Federal Deposit Insurance Corporation (FDIC) has issued several cease and desist letters after noticing many companies who made false statements and representations. These companies have been found using language to state that they were affiliated with or endorsed by the FDIC, which goes against the FDI Act prohibiting companies from making false claims in advertising or other materials.

Understanding the CFPB’s regulations on convenience fees: In recent comments regarding the Fair Debt Collection Practices Act (FDCPA), the Consumer Financial Protection Board has stated that debt collectors can't collect convenience fees on debt or credit payments unless there is a specific provision in the contract. These comments cover debt collections within the FDCPA’s scope, and this article delves into deeper detail regarding exceptions, specific definitions, and further restrictions. Most importantly, however, it serves as a reminder to stay updated on the latest policy regulations for your industry and avoid hefty fines and violations.

Federal agencies encourage best practices to mitigate cloud vendor risk: As many organizations have turned to cloud vendors to store their data, federal agencies and regulators have urged healthcare organizations to take a deeper look at cybersecurity and ways to mitigate cloud vendor risks. Experts have recommended implementing several best practices including establishing a zero trust model, performing compliance audits, vetting your vendors, and staying updated on the latest guidelines and regulations for cloud vendors.

How to perform effective vendor management on a collections and recovery vendor: As a vendor risk manager, you understand the importance of document collection and due diligence to create a stable and healthy relationship with your vendors. However, you also know that it can be tedious and difficult at times. There are several best practices to consider when working with a collections and recovery vendor that'll help create an efficient relationship. These include communicating your expectations from the outset, performing on-site audits, and turning to subject matter experts to help communicate with your vendor.

Google releases new patches: As another patch in a series of recent releases, Google has released a patch to address a vulnerability for Google Chrome browsers. Users are encouraged to update to the newest version of the browser to implement the patch.

Third-party cyberattack targets healthcare organizations: Earlier this year, a revenue cycle management vendor became the victim of a cyberattack. During the attack, hackers were able to access a business email account which, in turn, compromised the private information of several healthcare organizations. This attack is only one in a larger line of cyberattacks, including phishing schemes, that target human error to infiltrate networks and steal data through third parties.

Recently Added Articles as of August 18

Top stories this week include recent regulation updates as the Consumer Financial Protection Bureau addresses digital marketing providers. Meanwhile, trends in information security point to emerging threats to healthcare organizations and hackers are using social engineering tactics – so be sure to check out all of this week’s news!

Breaking down SEC’s requirements for corporate boards: In SEC’s proposed legislation on cybersecurity, there are several new regulations that corporate boards would be required to follow. The proposed bill seeks to improve cybersecurity measures and awareness. To prepare for compliance requirements, CISOs will need to understand the importance of risk management, how risk management will affect operations, and how the organization can work with its board to meet the objectives.

Analyzing recent trends in cybersecurity threats: A report detailing the trends in recent cyberattacks has identified email and phone-based phishing attacks as one of the most used methods. In these attacks, the hackers will interact with victims through phone calls or email to trick the user into giving up sensitive information such as passwords. This report highlights the importance of educating your employees how to identify phishing attacks as hackers continue to target victims through social engineering schemes.

Threat hunting helps protect organizations: This article details one expert’s thrill of looking for threats and discovering weaknesses that could make users vulnerable to cyberattacks. As cyberattacks continue to evolve and organizations work to bolster cybersecurity to protect users and sensitive data, it's important that cybersecurity experts identify risks and vulnerabilities before a data breach occurs.

Zoom released a patch to fix security weakness: Zoom has been working to address weaknesses in its systems which could lead it susceptible to data breaches. Most recently, Zoom patched a vulnerability, called CVE-2022-28756, and has warned its customers against several other vulnerabilities.

How third-party risk management can help partnerships with banks: As many banks are turning to third-party fintech vendors to outsource services to, it's important for these companies to understand the importance of third-party risk management. For fintech companies looking to build partnerships in the financial services industry, you should create effective risk management strategies including disaster recovery plans, cybersecurity standards, and monitoring of your own vendors, which will give banks peace of mind and aid the contract process.

How to mitigate threats from third-party workers: Over the past several years, the number of contract workers has continued to increase. However, many organizations have recognized that these third-party workers may pose security challenges, leading to severe data breaches. For organizations looking to mitigate third-party risk associated with contract employees, you should ensure you have an effective third-party risk management strategy in place which manages the level of access employees have, keeps up to date with cybersecurity regulations, and performs ongoing monitoring.

Experts identify vulnerabilities in virtual network computing servers: Recently, experts have noticed a series of weaknesses resulting from virtual network computing endpoints that are unsecured. Without a password, these systems are vulnerable to cyberattacks and hackers and could have detrimental consequences, especially for networks related to infrastructure and industrial control. Administrators in charge of these systems should be sure to restrict access and add passwords to protect sensitive information and improve security.

Healthcare organizations continue to face cybersecurity threats: As cybersecurity continues to be a hot topic, healthcare organizations have reported a high number of data breaches, ransomware attacks, and vulnerabilities within their IT departments. While many organizations have realized the increased need to invest time and resources to address these risks, experts warn that hackers are implementing new and complex cybersecurity threats. In addition, the recent surge in mergers and acquisitions as well as new medical technology may open healthcare organizations up further for cyberattacks.

Understanding fourth-party risks: In today’s world, where supply chain risks and challenges have become a serious threat to production and cybersecurity, it's more important than ever to understand what fourth-party risks are and how your organization can mitigate these risks. While you can't control your vendors' vendors, you should ensure that your organization works to mitigate fourth-party risks by implementing robust security policies and limiting access to sensitive data.

FBI and CISA identified ransomware campaign: The FBI and CISA have recently warned organizations of a new cyberattack campaign which allows hackers to encrypt files multiple times, allowing the malware to avoid detection. To defend against these attacks, the federal agencies encourage organizations to train their employees to recognize phishing attacks and utilize multifactor authentication.

Behavioral targeting advertisements may be in violation of regulations: In a new rule from the Consumer Financial Protection Bureau, regulators state that digital marketing providers may be held liable for violations if found practicing unfair or abusive advertising practices. The regulation outlines that digital marketing providers acting as service providers are in violation of the consumer protection laws and will be held accountable.

Microsoft releases patches for over 100 security vulnerabilities: Earlier this month, Microsoft released a series of patches to fix a range of vulnerabilities in their software. These patches include remedies for flaws including CVE-2022-34713 and  CVE-2022-35743, and will improve overall system security.

Recently Added Articles as of August 11

This week, we’re looking at recent cyberattacks and how you can protect your organization from hackers. Also, stay updated on the latest tips for implementing third-party risk management strategies, proposed regulation changes, and more. Check out the articles below to catch up.

Organizations face increased risks if unable to receive cyber insurance: While many organizations have been working hard to meet increased regulatory demands and maintain production despite supply chain difficulties, they may also face an increased risk of cyberattacks in the future. Increased prices and external factors have been making it difficult for organizations to perform effective cybersecurity processes and many might be unable to receive cyber insurance in 2023. To try to lower insurance premiums, experts suggest improving third-party risk strategies, training employees, and creating disaster recovery plans among other tips.

Understanding the importance of precision to identify vulnerabilities: How effective are your security systems and what is the process for addressing vulnerabilities? This article discusses the importance of precision and finding a balance of false positives. While too many false alarms can cause fatigue and lead to true vulnerabilities being dismissed, a lack of false positives may indicate an ineffectiveness in your systems.

Organization suffers data breach following successful phishing campaign: Earlier this week, a company was targeted in an SMS phishing campaign. Unfortunately, an employee clicked on a malicious link and gave the hacker access to their employee credentials. These types of cyberattacks focus in on targeting vulnerabilities within people by using pointed messaging to force quick decision-making, which opens organizations to attack. To protect your organization, it's important to train your employees to recognize a phishing attack and how to report it.

Tips for dealing with third-party cybersecurity risks: Following a recent cyberattack on one of NHS’s vendors, which led to major disruptions and outages, experts are urging healthcare organizations to implement prevention strategies and third-party risk management best practices. This cyberattack showcases the far-reaching impacts that service outages can have as well as the detrimental consequences of third-party data breaches.

U.S. Securities and Exchange Commission proposes new regulations: The SEC has announced new proposed regulations with the aim of increasing independence and implementing policies to act against conflicts of interest and improve third-party oversight. In a released comment, the SEC stated that the proposals were created to improve investor relations and build a more stable market for the future.

OFAC sanctions money laundering campaign: To combat threats to the U.S.’s cybersecurity, the U.S. Treasury Department’s Office of Foreign Asset Controls has sanctioned a decentralized cryptocurrency mixer. Since it was founded in 2019, the mixer, called Tornado Crash, has laundered over $7 billion and assisted hackers who threaten national security.

Cybersecurity risks pose difficult challenges to small businesses: How is your business working to defend against cybersecurity threats and mitigate risk? Even as the number of cyberattacks continues to increase at an alarming rate, many small businesses are finding it difficult to maintain strong cybersecurity practices. However, despite obstacles, it's important for these businesses to make cybersecurity a priority to effectively defend against severe risks including operational outages, regulatory fines, and reputational damages.

Experts identify new malware: Experts have noticed a new malware used by hackers to gain access into remote servers. Unfortunately, the motive hasn't yet been identified, but users should ensure that they use secure passwords and disable password authentication for SSH.

Social engineering and third-party risks pose major cybersecurity threats: In a recent survey on cybersecurity, respondents answered that phishing attacks, social engineering, and third-party risks are among the top cybersecurity threats to their organizations. As organizations have worked to improve security systems, individuals and third parties are targets for hackers to gain access to sensitive information. To protect your organization, you should be sure to implement staff-wide training and improve password security.

Company enters settlement talks following regulation issues: A chemical company has entered talks regarding a settlement following a possible regulatory violation. Is your company keeping up to date with guidelines and regulations? As part of your third-party risk management strategy, it's important to keep updated with recent regulations to ensure that your organization and your vendors won't be fined for violations.

CUNA shares concern over NCUA’s recent bill: CUNA has reached out to a senator to share concerns regarding a recent bill, Improving Cybersecurity of Credit Union Act, which would give NCUA authority over third-party vendors. In CUNA’s letter, it expresses uncertainty over how NCUA will use this authority. Meanwhile, the League of Southeastern Credit Unions agreed that, while cybersecurity should be a priority, this isn't the bill to provide the necessary protections.

FEMA works to improve cybersecurity for EAS devices: A researcher found that there were weaknesses present in Emergency Alert System technology which could leave it vulnerable to cyberattacks. If compromised, hackers could be able to send out false warnings over broadcast channels. Thankfully, there is no evidence that the systems have been breached and experts urge the system operators to improve their security.

Third-party data breach compromises patient data: A recent third-party data breach impacted over one million people by accessing sensitive data. This attack should serve as a reminder that it is important to monitor your vendors for any cybersecurity risks, as third-party data breaches can lead to reputational and financial damages for your organization.

How to implement third-party risk management in your organization: When dealing with a vendor, it's important to understand the risks that the vendor might pose to your organization. Third-party risk management is instrumental to protect your organization from cybersecurity, financial, reputational, and operational risks, just to name a few. When implementing third-party risk management strategies, you should be sure to include effective risk assessments, ongoing monitoring, and due diligence to ensure that you can mitigate risks associated with your vendor.

How to protect your healthcare organization from cyberattacks: As cyber criminals continue to target healthcare organizations, access sensitive information, and steal data, it's important to understand what you can do to safeguard your organization from data breaches. Experts warn that healthcare organizations will need to be proactive, as cyber criminals continue to improve hacking methods. However, you can work to create an effective defense and mitigate risks by understanding how your third parties and vendors access your data, implement automated cybersecurity programs, and monitor your systems and vendors for any potential weaknesses that could make you a target.

Recently Added Articles as of August 4

Read up on articles from the week below about more cyberattacks that have happened, unethical practices in supply chain, TPRM for healthcare, cyber risk in educational institutions, and more. 

Cyberattacks target victims by posing as trusted applications: Researchers at Google have found a new way that hackers have been targeting victims. By posing as trusted and popular applications, the cybercriminals have been able to deceive their victims into downloading malware. This method can evade standard education and knowledge on avoiding illegitimate applications and highlights the importance of verifying data protection and security measures.

Hackers gain access to cloud applications: Experts have identified a weakness present in Golang-based apps, which has allowed hackers the ability to gain access to cloud applications and exposed data. Fortunately, these issues have been quickly addressed and patched accordingly.

How to stop unethical practices in the supply chain: We all know that it's impossible to monitor each and every activity that our fourth-party vendors perform, let alone vendors even further down the supply chain. However, as consumers and regulatory offices call for more increased transparency and ethically sourced services, you need to be sure that your vendors follow compliance and guidelines, or your organization could face reputational and financial damages. By knowing the signs of unethical practices, you'll be able to identify exploitative vendors and take action to protect your organization and the greater community.

Why the number of cyberattacks continues to rise: Is your organization doing enough to stop cyberattacks? And, what more can be done to decrease the number of cyberattacks across the board? As we continue to hear about cyberattacks each week, it may make you wonder what more can be done to make a difference. Within your own organization, you should issue training for all employees, create effective communication channels for identifying and addressing attacks, and staying updated with best security practices within your organization and with your third-party vendors.

Cyberattack method uses social engineering to pressure targets: A new method created by cyber criminals uses a countdown clock to make their intended targets feel pressured, leading to quick decision-making. This type of attack forces a target to feel as though they need to act quickly and without thinking, which could lead to a poor choice and compromise their data. More than ever, it's important to keep your employees educated on ways to identify and avoid phishing attacks and to protect the organization.

Apple fixes bugs and improves iPhone security: In response to vulnerabilities on the iPhone, Apple has released patched security updates. The patches include remedies to flaws such as CVE-2022-32832, which cybercriminals exploited to gain access to Apple devices. This patch is one more in a line of patches released by Apple, Microsoft, and Google over the past several weeks.

Third-party risk management practices for healthcare organizations: Healthcare organizations deal with a large volume of sensitive data and information. When engaging in relationships with third-party vendors, it's important to understand how your vendors might make your data vulnerable to cyberattacks and how you can manage the risks associated with your vendors. While vendors are essential, healthcare organizations, just as with other businesses, need to be aware of the risks and how to protect their organization or they'll suffer from data breaches, reputational damages, and costly fines.

OCC invites authors to research impacts of fintech on the financial sector: How have fintech vendors changed the banking and financial industry? In its effort to answer this question, the OCC has asked for authors and researchers to submit their findings. The research will, in turn, fuel academic and regulatory discussions regarding recent changes in the industry. Meanwhile, the Commodity Futures Trading Commission (CFTC) has also called for research on the impact climate change has had on financial institutions.

FCC identifies a recent phishing campaign: Recently, the FCC warned Americans of a rise in SMS phishing campaigns in which hackers have tricked their victims into giving sensitive information, which was then exploited. The hackers have lured victims by using deceiving text messages and links impersonating delivery services, banks, and law enforcement. Individuals should not click on unknown links and should report suspected activity to law enforcement and service providers.

Hackers compromise apps in the Google Play Store: Several malicious apps have been identified as malware on Android’s Google Play Store. Thankfully, the apps have since been removed, but experts warn that cyber criminals are continuing to create new methods for hacking and retrieving personal data.

Data breaches target healthcare organizations: Several healthcare organizations have been targeted by data breaches, leading to unauthorized access of data. The lasting impact of these breaches has led organizations to reconsider cybersecurity as a top priority moving forward, to protect their patients’ data and improve both monitoring and reporting capacities.

How to handle the aftermath of cyberattacks: In today’s world, where cyberattacks have become more aggressive and a more daily occurrence, it's important to ensure that your organization has disaster recovery plans in place. By looking at the latest trends and expert advice, you can plan for the worst and be prepared in the case your organization ever falls victim to a cyberattack.

Steps for effective vendor contract management: When selecting a vendor, you want to ensure that the vendor is capable of serving your organization’s needs and that the vendor will meet your performance expectations. During the contract stage of your relationship, you'll need to determine if this vendor is right for you. As a vendor risk manager, it's up to you to effectively assess the vendor, gather proper due diligence documentation, and identify potential risks. It can be overwhelming, but by creating an efficient vendor contract management process and following these best practice tips, you can start off on the best foot.

Banks are adopting new technology: As many banks have considered switching their core platforms, it's important to understand the risks that may be associated with adjusting to new technologies. During the transition stage, these banks will need to consider what processes are in place to mitigate third-party risks. Experts suggest making third-party risk management a higher priority for banks looking to transition to new vendors to effectively assess risks and ensure that proper security measures are in place to protect sensitive data.

The importance of TPRM for navigating vendor relationships: It can be challenging to take on new relationships with third-party vendors. By implementing effective third-party risk management programs and strategies, organizations can build secure relationships and overcome the obstacles that may make these relationships challenging. This article goes over the importance of vendor vetting, a few key considerations during the due diligence process, and how to navigate issues that may arise when considering a possible vendor.

Third-party cybersecurity risks remain in educational institutions: In a recent study, experts found that many educational institutions continue to struggle with managing third-party cybersecurity risks. The study found that nearly half of those who responded said that they don't assess security risks and processes of their third-party vendors, which is an alarming number. To protect your organization, it's important to ensure that your vendors have the capabilities to identify risks, notify organizations of breaches, and provide detailed risk assessments.

Bank pays massive fine after accessing customer accounts: Do you know how organizations are using your sensitive information? U.S. Bank was fined $37.5 million after an investigation by the Consumer Financial Protection Bureau discovered it had been accessing and opening accounts without permission. The CFPB noted that the bank didn't have the capability to detect misuse of information and has since worked to improve oversight processes and compliance.

BECU suffers third-party data breach: In a recent data breach, Boeing Employee’s Credit Union fell victim to a cyberattack, in which sensitive information was compromised. This serves as another reminder of the importance of third-party risk management, as this attack was successful because of a vulnerability in a vendor’s system. All organizations should make cybersecurity and third-party risk management a top priority, to protect against third-party data breaches.

Understanding the importance of TPRM: When dealing with vendors, you want peace of mind that your vendor will perform well, meet your expectations, and protect any sensitive data that they may access. Throughout the course of your relationship with a vendor, from pre-contract stages, all the way to offboarding, you need to identify any risks and understand the best ways to mitigate these risks. This article goes over the basics of vendor risk management, from its importance, to how you can perform effective due diligence, and the most common obstacles facing third-party risk managers.

Microsoft addresses issues with recent patch: Microsoft has recently announced an issue with a patch in its software, KB5015807, alongside remedies for users experiencing issues with the program.

Healthcare organization suffers $100 million loss following a cyberattack: Third-party risk management is crucial when it comes to mitigating risks and protecting your organization from detrimental data breaches and damages to your revenue and reputation. A healthcare company suffered a massive loss in April, including $100 million in revenue. The attack caused large-scale disruptions to its operation, which led to a drastic decrease in admissions and subsequent legal action.