August 2023 Vendor Management News

Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below. 

Recently Added Articles as of August 31

This week’s headlines brought us news on preparing for regulatory updates, new and emerging risks to monitor, the necessity of cybersecurity protections, and the widespread impacts of data breaches. Third-party risk management helps keep the supply chain strong, and software tools can ease the manual burden. Check out all of this week’s news below! 

Risk mitigation is crucial to a strong supply chain: With supply chain disruptions, it’s crucial for organizations to mitigate supply chain risks. Organizations should diversify their suppliers. Focusing on one region or supplier can completely disrupt operations when something goes wrong. Don’t be afraid of technology and how it can help simplify risk identification and mitigation. It’s also important to create strong supplier relationships with open communication and collaboration on business goals. And of course, organizations should regularly review and update risk mitigation strategies. This isn’t a one-time process. Continuously monitoring risk allows organizations to identify weak points in the supply chain and develop contingency plans.  

SEC passes new rules for private fund investment advisers: The Securities and Exchange Commission (SEC) passed its new rules impacting private investment advisers. The rules require registered private fund advisers to provide a quarterly statement to private fund investors that includes performance, investment costs, and fees and expenses of any private fund. Private fund advisers must also audit each private fund at least annually and get an independent fairness opinion when offering current fund investors the option of selling or exchanging interests. All private fund advisers must disclose activities like investigation fees, regulatory fees, and borrowing from a private fund client to investors and receive their consent.  

University of Minnesota is sued after a data breach: The University of Minnesota is being sued for allegedly not doing enough to protect personal information from a data breach. The lawsuit argues that the university knew, or should’ve known, about laws and data security measures that could have prevented the breach. The university learned about the data breach in July, but the extent of it is unknown. A hacker claims to have 7 million Social Security numbers. 

Cybersecurity protections are a critical need for the manufacturing industry: As the manufacturing industry continues to go digital, it’s also becoming a much greater target for cyberattacks. It’s critical for manufacturing organizations to becoming cyber resilient. They should conduct risk assessments and identify risks both in their organizations and with their vendors. Employees should receive comprehensive cybersecurity training, and manufacturers should use a layered defense approach. In the case of a breach, manufacturers must have incident response plans that are well tested. Cybersecurity efforts should extend to vendors and suppliers, including cybersecurity audits and contractual requirements.  

Government agencies are a prime target of Barracuda email attacks: Global government and government organizations have been targeted for cyberattacks using a Barracuda Email Security Gateway zero-day. A report revealed that a third of the hacks in this campaign were government agencies. Barracuda warned customers about the vulnerability in May and released a patch for it. The attack was abused for at least seven months. While there’s no evidence that there have been anymore exploits, the FBI is still monitoring the situation.  

Critical vulnerability being exploited in Citrix systems: Cybercriminals are targeting unpatched Citrix NetScaler systems to launch ransomware attacks. The attacks inject payloads into legitimate executables. People who use Citrix NetScaler ADC and Gateway appliances should apply patches to mitigate any potential threats.  

Vendors using your data to train AI models is a risk that must be mitigated: As the rise of artificial intelligence (AI) continues, it’s not going to be uncommon for third parties to use customer data to train AI and machine learning models. There’s already been several class-action lawsuits against big names, like Google and Microsoft, for using personal information. Organizations must mitigate this risk with their technology vendors. They can opt out of AI training and generative AI features that don’t have private deployment. They should review the vendor’s terms of service on customer data and ensure that end-to-end encryption is used in AI to protect against cyberattacks.  

Software tools streamline third-party risk management: We know that third-party vendors are essential for organizations to run smoothly, but they also bring risk that needs managed – and spreadsheets, emails, and isolated tools cause bigger headaches than they’re worth. To reduce manual processes, organizations should move resources toward risk management automation. The right software can identify risks, streamline assessments, and aide remediation efforts. As regulators continue to shift focus toward third-party risk management, a software tool can help organizations look at vendor risk at every lifecycle stage. Software can provide dashboards and reporting, centralize vendor contracts in one place, offer risk assessment workflows, and facilitate risk feeds and ratings. Software can be a great tool for your organization, and we have just the place to point you to (hint hint!).  

Financial institutions should evaluate third parties to comply with an upcoming EU regulation: The January 2025 deadline for financial institutions to comply with the European Union’s (EU) Digital Operational Resilience Act (DORA) is approaching faster than you may realize. If a financial institution is in the EU, or provides services to EU financial firms, they’ll be expected to comply. DORA has five main cybersecurity requirements. It recommends the NIST framework for risk management, requires a standardized approach to incident reporting, digital operational resilience testing, the sharing of risk data with the community, and that third-party providers are risk-aligned and property contracted. Financial institutions should conduct an assessment of third-party contracts to ensure they comply.   

More than 2 million users compromised in Duolingo breach: Duolingo became the victim of a data scraping attack, compromising data from 2.6 million users of the language learning app. Names, login names, and email addresses were offered for sale on a hacking forum. This could potentially allow for phishing attempts. The breach originated from an exposed application programming interface that allowed unauthorized access to email addresses.  

Impact of healthcare data breaches on the rise as criminals target third parties: There’s good news and bad news... the number of healthcare data breaches is tracking to be at its lowest since 2019. However, the impact is getting worse. According to a new cybersecurity report, 40 million Americans were affected by healthcare data breaches just in the first part of 2023. In all of 2021, 58 million people were impacted. Although there’s fewer attacks, cybercriminals are getting smarter, finding better ways to get data, specifically targeting electronic medical records. They’ve focused on third parties that provide the records – 65% of breaches in the first half of the year were healthcare providers. Not only should your cybersecurity program be strong, but you need to ensure that your third party’s is as well.  

California introduces bill that expands data deletion rights: California is looking to expand its data privacy law with the Delete Act. This would implement a single opt-out request for Californians that would apply to all data brokers, associated service providers, and contractors. If the data brokers knowingly collect and sell data to third parties, the Delete Act would apply to them. These organizations would be required to register with the California Privacy Protection Agency (CPPA) and provide information on the personal information they collect. The CPPA would also create an accessible delete mechanism for data deletion. This bill currently sits in a committee and hasn’t yet been passed.  

Recently Added Articles as of August 24

The cyber threat landscape is continuing to grow in every industry, from education, healthcare, to agriculture, and many others. And the U.S. government is looking to lend a helping hand with this. Regulatory agencies are setting new requirements. Generative AI is presenting new threats, and ransomware attacks keep rising. Be sure to check out all of this week’s headlines below! 

Survey attributes rise in cyberattacks to generative AI: A new survey has linked the explosive popularity of generative AI with the rise in cyberattacks this past year. While cybersecurity professionals said generative AI has had positive impacts, the threat still remains. Attackers have used generative AI to launch more sophisticated attacks. Professionals who responded to the survey said generative AI has made their organization more vulnerable, and some of them said they’re more willing to pay a ransom. Cybersecurity teams are also feeling the pressure of the growing threats with increased stress levels and burnout, particularly in the heavily regulated financial industry.  

Agriculture industry must be proactive in cybersecurity approach: The agriculture industry has seen great advances in technology, allowing them to easily monitor fields, improve crop yields, and reduce costs, but this reliance on technology can also put the food supply chain at risk as attackers see a new opportunity. Because many of the systems connect to the internet, attackers can take advantage of the vulnerabilities. Software manufacturers must prioritize cybersecurity in their products. The agriculture industry should also use proactive cybersecurity measures and regular risk assessments to ensure safety with their technology vendors.  

Steps organizations should take to comply with the SEC’s new data breach notification rule: The SEC’s new data breach notification rule has made it clear that third-party cyber risk is an important consideration for organizations. More reliance on third parties played a big role in the SEC’s notification requirements. As organizations work to comply by the December deadline, they should have a full view of their supply chain with external attack surface management. They should also standardize their cyber risk assessment to gain a complete view of a vendor’s cybersecurity risk. Third-party risk management should also be a top priority to vet vendors and mitigate the risks. To learn more about how your organization can comply, check out this blog post here. 

Ransomware attacks hit a new record in July: July was a record month for ransomware attacks, according to new research. This is mostly because of the third-party MOVEit data breach, which was responsible for 171 of 502 July attacks. The number of attacks rose 154% from July 2022. Industrial organizations were the number one target in July, followed by consumer cyclicals and technology. The threat landscape continues to evolve, showing the importance of strong cybersecurity programs and third-party risk management.  

Healthcare data breach lawsuits are on the rise: Healthcare continues to be a top target for cyberattacks, and the lawsuits that follow are rising quickly. A new study showed that the number of lawsuits filed over healthcare data breaches has almost doubled from 2022. Most of these suits seek civil damages in the millions. The average cost of a ransomware attack is more than $1 million in the healthcare industry. With data breach notification requirements and state privacy laws, patients are also becoming more aware of and more interested in data breaches. 

New malware disguises itself as an office productivity app: A new macOS malware disguised as a Microsoft office note app has surfaced. It bundles inside a standard Apple disk image and is signed with a developer signature. Apple has since revoked that signature. The office note app can’t be opened once it’s executed, but it launches an agent in the background. Google Chrome and Mozilla Firefox are targeted, but Safari isn’t.  

Ransomware targets remote VPN service to gain access: A new ransomware is targeting Cisco virtual private networks to breach organizations’ networks. Many organizations use Cisco VPNs to encrypt data transmission from remote employees. The ransomware, called Akira, has also targeted accounts that aren’t protected by multi-factor authentication.  

Consumer Finance Protection Bureau plans new rules that would impact data sharing and selling: The Consumer Finance Protection Bureau (CFPB) is planning new rules that would limit how consumer data is sold by organizations. Data brokers that sell certain types of consumer data would be considered a consumer reporting agency, bringing them under the Fair Credit Reporting Act. The CFPB is also planning on clarifying when credit header data is a consumer report, which would prevent credit reporting companies from disclosing sensitive contact information. These new, proposed rules will likely be released sometime next month.  

U.S. cybersecurity agency advocates for artificial intelligence security: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is pushing for artificial intelligence developers to make security a top priority. The agency said machine learning code is difficult to fix after it’s deployed, and that AI should be secure by design. CISA hasn’t proposed or discussed any potential legislation yet, but the agency said AI models should protect against malicious code execution attempts and use memory-safe languages. AI models should also have a software bill of materials and follow privacy principles.  

Cybersecurity is an important step of third-party risk management: As organizations increasingly rely on third-party vendors to provide products and services, cybersecurity measures are all the more important. This will safeguard not just customer data, but also ensure compliance with various regulations. Organizations should evaluate their vendors’ cybersecurity and identify and recommend improvements. It’s crucial to have the right cybersecurity subject matter experts on hand during this process. It’s also important to review a vendor’s cybersecurity policies and procedures, incident response plan, and compliance measures.  

NCUA sets data breach notification requirements for credit unions and their third parties: The National Credit Union Administration (NCUA) is following in the footsteps of recent data breach notification regulations from the SEC. The regulatory agency announced a new policy that requires federally insured credit unions to report incidents within 72 hours of discovery, including attacks from third parties. This takes effect in just a couple weeks, on September 1. Reportable incidents are those that compromise the network or system and expose sensitive information or disrupt services and operations. Also included are incidents that involved unauthorized tampering. Failed attacks don’t need to be reported.  

Key compliance items in state privacy laws: Privacy laws are increasingly common across the states, with almost 13 states passing laws. These laws aren’t uniform – they differ across the states in minor ways. Most of these laws require specific content in organizations’ privacy policies, which is good to include if your organization doesn’t already have a comprehensive privacy policy. Organizations will need to think about third-party vendors and how their data is processed with vendors. Many of these laws have requirements on what your vendors can do with the data they receive. Organizations should also keep opt-out requirements in mind, as many privacy laws require this. For those subject to California’s privacy law or the GLBA, they probably won’t have to add much to their existing processes.  

U.S. looks to address education industry’s cybersecurity challenges: As the education industry becomes an increasingly popular target for cyberattacks, the U.S. is trying to beef up cybersecurity programs. The Biden administration introduced a strategy that would increase funding and provide better federal support. Amazon Web Services has pledged $20 million for a grant initiative. The Department of Education plans to establish a Government Coordinating Council and CISA plans to conduct K-12 cybersecurity exercises.  

Cloud organizations address Intel processor vulnerability: Several cloud organizations are releasing security warnings and patches due to a vulnerability in Intel processors released over the past decade. The vulnerability allows attackers to gain sensitive information, like passwords or encryption keys. These attacks can be launched via a web browser, which impacts cloud environments. AWS and Google Cloud have patched and added protections, while Microsoft Azure rolled out updates to its infrastructure.  

Recent cyberattack offers insights into Zero Trust models: A cyberattack that impacted government agencies and their Microsoft Outlook accounts is offering lessons in Zero Trust for cybersecurity professionals. Organizations should use network analysis tools to gain more visibility into their networks and detect potential threats. Network Detection & Response (NDR) is also a crucial component of Zero Trust security as it gathers data from all switches internally. NDR can create a resilient infrastructure that can prevent and withstand cyberattacks. 

Voice cloning services present another AI threat to mitigate: One of AI’s many capabilities is its voice cloning. It can replicate human speech and has many uses for organizations. But, like the rest of AI’s benefits, it also comes with significant risks. Cyberattackers have capitalized on voice cloning for phishing attacks to spoof someone’s voice and con victims. Voice cloning has become even easier to access with the rise of generative AI and now banks and healthcare institutions are a target. These industries must implement strong security measures to address this growing threat and protect sensitive information.  

Recently Added Articles as of August 17

This week’s headlines remind us of the seriousness of third-party risks. Regulators and enterprise leaders recognize third parties as a top risk, the number of MOVEit attack victims is growing, the real estate industry was hit with a large cyberattack, and third-party applications are leading to more email phishing campaigns. There’s much more to read this week! 

Use third-party risk management to mitigate vendor ESG risks: Not only is it crucial for your organization to manage environment, social, and governance (ESG) risk, but it’s also important to manage your vendors’ ESG risks. There are six steps to implement to manage the ESG risks. Due diligence and evaluation will help you define and understand your vendor’s ESG risks. Onboarding sets the expectations between you and your vendor. Monitoring is an important step because your vendors' ESG risks may change over time. You should also have governance structures with policies and procedures on ESG and a contract that outlines performance expectations and include right to audit clauses. You should then measure a vendor’s performance against the contract and expectations.  

FDIC releases 2023 Risk Review, naming third parties as a key operational risk: According to the Federal Deposit Insurance Corporation’s (FDIC) 2023 Risk Review, operational risk, including risk posed by third parties, remains one of the most critical banking risks. Threats against third-party vendors can result in lost time, money, and consumer trust in the financial industry. As banks continue to rely heavily on third parties, it poses a risk of becoming less knowledgeable about customer accounts. The Risk Report also named crypto assets as a risk for the first time. These activities are difficult to fully assess and manage, but crypto’s volatility in 2022 moved it to the list of risks.  

Victim count from MOVEit breach totals almost 46 million: The victim count from the massive MOVEit breach has continued its climb, with 670 organizations believed to be impacted. Based on the breach notification, a cybersecurity firm tallied that at least 46 million peoples' personal information was stolen. The U.S. accounts for 78% of the victims, and smaller percentages are in Germany, Canada, and the U.K. Victims range from state government departments, universities, financial institutions, and more. This number is likely to keep growing.  Learn more about six steps in your third-party risk management program to make to respond to this breach.

Banks must seek permission from the Fed in stablecoin transactions: The Federal Reserve issued a statement for member banks on activities involving the cryptocurrency stablecoins. Banks must receive supervisory nonobjection from the regulator before activities with stablecoins. The Fed will evaluate the risks before giving a nonobjection to the bank. Those risks include operational, cybersecurity, liquidity, financial, and consumer compliance. Banks should carefully consider the risks before engaging in stablecoin transactions and be ready for the Fed’s scrutiny.  

New vulnerabilities could shut down power plants if exploited: Vulnerabilities that could shut down power plants were recently identified by Microsoft researchers. The flaws are in a software development kit, which is often used in the manufacturing and energy industries. Exploiting these vulnerabilities would be challenging, but researchers have still urged the software company to make the fixes as soon as possible.  

Power management vendors release patches for critical vulnerabilities: Researchers with Trellix identified nine vulnerabilities that could attack power management software if exploited. The vulnerabilities are in CyberPower and Dataprobe. With a simple flip of a switch an attacker could shut down data centers and compromise systems and devices. Both companies were notified and released patches for the vulnerabilities.  

Real estate industry is hit with cyberattack that takes down property listing host: The real estate industry is scrambling after a cyberattack took down property listing data host Rapattoni. Real estate agents are unable to post listings, adjust pricing, or get the latest property information. There’s uncertainty if some properties are even still available to show clients. It seems Rapattoni was the victim of a ransomware attack, and the FBI is allegedly investigating. There’s no estimated timeline for recovery right now, but there is a temporary solution in place. As attackers broaden their scope for information, it’s clear that third-party risk management and cybersecurity protections are critical for all industries.  

Third-party viability and generative AI are top enterprise risks: A Gartner study identified generative AI and third-party viability as top risks. Three areas in particular make generative AI risky: intellectual property, data privacy, and cybersecurity. Generative AI could use sensitive data in its training, share user data with third parties, and be used to initiate phishing attacks. Third-party viability took the top risk spot, particularly because of changing economic conditions. Risk managers will have to remain aware of generative AI’s risks and track their third parties closely through due diligence and ongoing monitoring.  

A known 2022 hacking group targeted weak third-party vendors to execute attacks: A study on the 2022 cyberattacks from a group called Lapsus$ found that the group targeted vulnerable third-party vendors to launch attacks. The U.S. Department of Homeland Security released the investigation. Lapsus$ was able to exploit weaknesses in multi-factor authentication and gain access to third-party vendors. It’s not uncommon for attackers to find the weakest link, which makes the need for third-party risk management all the more important. The report recommended risk-based authentication and incident response procedures in the event of a cyberattack.  

The Fed puts banks on notice for novel activity supervision: The Fed informed its member banks that it will monitor and examine all novel activities. That includes crypto-asset activities, banking services to fintechs, and partnerships with non-banks that use technology like application programming interfaces. Banks should be prepared for questions from the Fed on novel activities, especially those with third-party services. They should identify any novel activities in their organization, update related risk assessments, examine any complaints on novel activities, and review their strategy on novel activities.  

Department of Homeland Security to investigate government email attacks through Microsoft: The Department of Homeland Security will review cloud security practices after the recent cyberattacks on Microsoft Exchange accounts of government employees. The study will cover how cloud service providers and the government can improve identity management and authentication. Any recommendations will move to the administration for action.  

Third-party applications are easy entry for email attacks: Third-party application usage has continued to rise this year, coinciding with an increase in email attacks. According to new research, the average organization integrates almost 400 third-party apps with email. And the larger the organization, the more that number rises. Unfortunately, that also means that many organizations don’t know or track all their third-party applications. That lack of visibility has made them an easy target for cyberattacks. Many of these third-party applications also have high-risk permissions, like the ability to create and delete emails or users. Remember, attackers are looking for the weakest point of entry. Even third-party applications need accounted for and proper due diligence should be completed.  

Law firms must improve their cybersecurity programs: The American Bar Association (ABA) is urging law firms to up their cybersecurity game. Law firms hold a lot of confidential information that’s vital for firms to protect. There’s a growing threat of ransomware and cyberattacks. The ABA said cybersecurity is an ethical obligation for law firms. In a recent survey from ABA, less than half of law firms had incident response plans in place. Law firms should stay informed on new and emerging technologies, improve their cybersecurity infrastructure, advise clients to improve their cybersecurity, and conduct cybersecurity due diligence on third-party products and services. Although the ABA has no regulatory authority, they often advise regulators on rules and legislation.  

Government Accountability Office requests update on banking regulatory recommendations: The U.S. Government Accountability Office (GAO) is pushing banking regulators to implement the GAO’s regulatory suggestions. With recent cases of fraud in cryptocurrency, the GAO is recommending a joint effort from the OCC, SEC, FDIC, and the Fed to address blockchain risks. The GAO has also asked the OCC, FDIC, and the Fed to provide guidance on the appropriate use of alternative data in underwriting for banks that use third-party fintech lenders.  

SEC proposes AI rule to limit conflict of interest risks: The U.S. Securities and Exchange Commission (SEC) is the first U.S. regulator to take aim at artificial intelligence (AI). A new proposed rule would require broker-dealers and investment advisers to remove any conflict of interest with their use of AI. Advisers could put personal interests first within AI models, instead of their clients’ interests. The rule would require broker-dealers and advisers to have policies and procedures that outline AI compliance and maintain documentation on AI usage. Firms will have to carefully review the proposed rule and begin preparing for compliance.   

Scammers imitate California government forms to trick businesses: Organizations registered in California are becoming victims of a scam that imitates official government forms. The scam tells organizations to submit an annual required filing through a third party instead of the official California office. If they don’t, they’re threatened with penalties, fines, suspension, and business seizure. The scammers cite false statutes or laws in the form. Organizations should never submit official filings through a third party and should go directly to the state website. 

Recently Added Articles as of August 10

Lots of regulations hit the headlines this week, from the FTC’s Safeguards Rule, Colorado’s regulations for life insurance companies, and Montana’s new genetic data privacy law. U.S. agencies are also zeroing in on cybersecurity safety, especially with your third parties, as ransomware attacks continue to rise. There’s so much more to read about this week, so check it all out below! 

Pay attention to your third party’s operational resilience: With emerging technology, it’s not uncommon for organizations to use third parties to provide better services to customers. But regulators have zoomed in on the risks these third parties bring. Organizations should update their third-party risk management frameworks and pay close attention to their critical third parties’ business continuity plans. It’s crucial to have an exit strategy in place and be assured that a third party can recover from an interruption quickly. Organizations should also have their own business continuity plan in place in the case of operational downtime with third parties.  

Visibility into the supply chain is crucial to ensure ethical practices: Ensuring that your entire supply chain is ethical and sustainable is extremely difficult as the web of third and fourth parties continues to grow. These complex supply chains make it harder to gain visibility into each subcontractor, but regulatory agencies are placing higher priority on ethical practices, and consumers are paying more attention to it. It’s important to invest in gaining insight into your vendor’s vendors and what those risks are. Spreadsheets and emails can only go so far. Technology can be a huge help toward understanding your supply chain. It’s worth the investment! 

Montana passes its genetic data privacy law: Montana is going a step beyond its data privacy law, passing a genetic information privacy act. Genetic data covers information like a consumer’s sequenced DNA as well as self-reported health information that a consumer provides for scientific DNA research. Consumers will have to give consent for the use, retention, and transfer of genetic data. That includes consent for the disclosure of data to third parties. The law takes effect on October 1, 2023.

Be prepared for the FTC’s regulation of health privacy: The Federal Trade Commission (FTC) isn’t shying away from regulating health privacy violations. Enforcement actions within the past year have shown misuse of health data is a target of the FTC. Organizations should take steps to safeguard health information and comply with regulations. The FTC doesn’t define health information as just traditional medical information, but anything that gives information on a consumer’s health. Organizations should use caution with tracking technologies, which are considered third parties. They should implement robust third-party and data privacy programs.  

The Fed names third parties as a top cybersecurity risk in annual report: The Fed released its annual Cybersecurity and Financial System Resilience report, highlighting its activities and regulations for the year and emerging threats to financial systems. Notably in this report, supply chain or third-party attacks and third-party cyber risks were on the list of emerging threats, especially as financial institutions become more reliant on third parties. Software-as-a-service providers are particularly a concern for cyberattacks. It’s important to review your third-party relationships down the entire supply chain. Challenges in implementing a secure cloud strategy include lack of transparency in due diligence and monitoring and too much market concentration.  

Colorado proposes a regulation for life insurers that requires risk management: Colorado has proposed a regulation for life insurers that would require risk management frameworks and third-party risk management. The proposed regulation would make insurers have a third-party vendor selection process. They would also have to assess the risk and perform ongoing management of anything that uses external consumer data and artificial intelligence and predictive models. Life insurers would have to submit a report detailing its progress toward compliance in June 2024, and be in full compliance by December 2024. The proposed regulation has a rulemaking hearing on August 31, 2023.

Ransomware attacks continue to rise as vulnerabilities become a top target: The number of ransomware attacks has grown 143% between the first quarter of 2022 and the first quarter of 2023. These attacks are focused on stealing sensitive data and then extorting organizations for money. Vulnerability exploitation is rising as a popular way for cybercriminals to gain access, like with the MOVEit breach. Organizations must prioritize patching vulnerabilities and keeping an eye on their third parties’ cybersecurity practices.  

U.S. cybersecurity agency outlines its goals for the next three years: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is focused on addressing immediate cyber threats, adopting strong security practices, and prioritizing safety as a fundamental issue. CISA outlined its goals in its three-year plan. The agency wants cyberattacks to become a rare event. They plan to conduct exercises to ensure quick response to threats and address critical vulnerabilities. The agency also plans to understand how cyberattacks happen and how they can be prevented.  

New email phishing campaign is targeting Salesforce and Meta: A new Salesforce vulnerability was detected. The cybercriminals behind the exploitation send phishing emails designed to look like they’re from Meta and use addresses that look like they’re from Salesforce. Salesforce and Meta were notified of the vulnerability, and it’s been fixed across all Salesforce services. But it offers a reminder to use extreme caution when opening emails and clicking on unknown or unexpected links.  

Healthcare organizations must be prepared to address cybersecurity concerns: Healthcare organizations have become a top target for cyberattacks, particularly because of all the sensitive health data the industry holds. These attacks can put patients directly at risk and disrupt health services. Healthcare organizations must take a proactive approach to cybersecurity, including addressing its third parties’ cybersecurity. Any attack can damage an organization’s reputation and leave them vulnerable to regulatory fines.  

Your organization may be subject to the FTC’s Safeguards Rule: Is your organization considered a financial institution under the Safeguards Rule? More and more businesses are involved in some sort of financial activity that makes them subject to the Safeguards Rule. That could be a retailer that issues its own credit card, a car dealership that leases vehicles, real estate appraisers, and the list goes on and on. The mandatory compliance data with this rule was this past June, so the time is now to strengthen your compliance. Conduct an initial risk assessment to identify risks to your customer’s information, regularly test and monitor your controls, and implement a strong third-party risk management program to ensure you’re choosing the safest providers.    

New crypto bills flood through the U.S. Congress: Congress is looking to pass cryptocurrency bills in an attempt to determine how it will be regulated. The bills include determining the primary regulator (which is often debated to be either the SEC or CFTC), setting criteria for who can issue stablecoins and the rules that govern it, an anti-money laundering bill to protect crypto from misuse, and a bill that would prohibit federal agencies from restricting the personal use of cryptocurrencies. The bills will all have a long way to go to pass both houses of Congress and be signed by the president, but they do show how much crypto is a focus for members of Congress.  

New generative AI tool for cybercriminals is discovered: Another generative AI tool for cybercriminals has popped up - this one leveraging Google Bard’s technology. This tool, called DarkBART or DarkBERT, will allow for more sophisticated phishing campaigns and exploitation of zero-day vulnerabilities. These tools continue to highlight the dark side of generative AI, as cybercriminals rush to take advantage of new technology.

Recently Added Articles as of August 3

AI can transform cybersecurity, but risks still need to be mitigated: AI is revolutionizing many areas, including cybersecurity. Machines can quickly identify cyber threats and mitigate them. These systems can process a large amount of data to identify patterns that could be a cybersecurity threat, catching issues before they’re exploited. Algorithms can also predict future threats using historical data, so it’s one step ahead of cyberattacks. However, organizations should still be aware of AI’s risks and its ability to be exploited by hackers. AI allows them to carry out more sophisticated attacks. Organizations should have strong policies in place around AI and monitor the risks of AI systems.  

China adopts regulations for generative AI: China adopted new regulations governing the use and development of generative AI. These regulations will go into effect August 15. Generative AI providers will have to explain the source and type of data and how the algorithm is trained. They’ll have to take steps to improve the quality, accuracy, and diversity of generative AI. There are also protections in place for personal information and it can't generate anti-government propaganda. Although generative AI isn’t regulated outside of China, it does imply some pressure for these AI services to comply before they enter the Chinese market.  

Printer maker warns of new vulnerability impacting hundreds of printer models: Canon is warning its printer users of a flaw that could allow outsiders to gain access to data. Wi-Fi connections aren’t being wiped, meaning future buyers or technicians could get the details of your network connection. A hacker could gain unauthorized access and launch an attack. Before a third party is given access to your printers, you should wipe the Wi-Fi settings.  

Apple to begin requiring developers to submit application programming interface (API) plans: Developers will have to begin telling Apple how it plans to use APIs in an effort to prevent data misuse. Among the APIs included are file timestamps, system boot times, disk spaces, user defaults, and active keyboards. This is to ensure that app developers don’t collect device signals used across multiple apps that they can then use for targeted advertising, like fingerprints. The policy goes into effect this fall and developers that don’t submit plans by spring will be rejected.  

Nevada passes consumer health data bill: Nevada passed its own consumer health data bill, similar to Washington’s bill. It will take effect on March 31, 2024. This bill is more friendly to businesses, but it still requires a privacy policy that tells consumers what health data is collected, who it’s shared with, and the purposes of processing. Consumers will have to give consent. Nevada’s bill doesn’t allow consumers to sue for violations. It can only be enforced by the state’s Attorney General.  

The United Kingdom eyes AI regulations in the financial services: A recent speech and whitepaper from a United Kingdom regulator gave insight into the UK’s approach to regulating AI. The UK Financial Conduct Authority (FCA) focused on the risks within AI systems for financial services. It opens the door wider for cyberattacks, identify theft, and fraud. Surprisingly, there wasn’t much emphasis on transparency of AI and how it’s trained. The FCA can only regulate the use of technology within financial services and the growth of unregulated third-party providers has only increased their regulatory role. A generative AI provider for financial firms could fall under the FCA’s regulations.  

SEC adopts rule on data breach notifications: Significant cybersecurity incidents will now have to be disclosed within four days by public exchange companies, according to a new rule from the Securities and Exchange Commission (SEC). The four days don’t begin until after an organization determines whether the incident was material. They’ll have to disclose the incident’s scope, timing, and impact. It’s possible to delay the disclosure, but permission has to be given from the U.S. attorney general and the disclosure would have to pose substantial risk to national or public safety. Foreign Private Issuers will also have disclosure requirements. The rule is effective 30 days after release in the Federal Register. To learn more about how your organization and vendors can comply with the SEC data breach rule, check out this blog.

Third-party risk management is critical for higher education: Colleges and universities were among the many victims of the MOVEit breach, and it’s a reminder of the need for third-party risk management in higher education. Every third party in a college’s network should be tracked and the risks should be mitigated. Even a college student using their school email to sign up for a product introduces risks. There should be a process that tracks vendor’s performance, monitors their risk, and implements policies that protect the university. And don’t forget that vendors, students, and faculty need to use good cyber hygiene.  

Cyberattackers compromise Windows search feature to trick users: Hackers have implemented a new attack on the Windows search feature that tricks users with emails, compromised websites, and corrupt files. They’re also sending several phishing emails using the search protocol that are masked as sales quote requests. As a precaution, organizations should be wary of any untrusted or external links, try not to click on unknown links and files, and keep systems updated.  

Health3PT promotes best practices to implement third-party risk management: The Health 3rd Party Trust Initiative (Health3PT) is urging healthcare organizations to adopt best practices for third-party risk management. The organization said 55% of healthcare organizations had a data breach last year, but that the vendor vetting process is flawed and too time-consuming. Health3PT recommends determining a vendor’s risk level and tying that to the amount of due diligence needed, which is a regulatory expectation in the financial industry. They also encourage continuous monitoring of identified risks and corrective action plans. There should also be assurances and updates on the vendor’s security capabilities and reporting on organization-wide vendor risks. Health3PT hopes to create a better industry-wide standard in healthcare for third-party risk management.  

Manufacturing industry must address risks with technology: As technology continues to transform the manufacturing industry, it also continues to introduce new risks. Everything from machines, robots, to smart sensors carry a lot of data that can be vulnerable to cyberattacks. And behind this technology are third parties that support it, putting the manufacturing supply chain at risk if these relationships aren’t properly managed. A breakdown with the technology can cost an organization thousands of dollars, and a reliance on the technology can lead to less personnel to respond to issues. Manufacturers should implement a strong third-party risk management strategy to identify and mitigate these risks.  

Healthcare organizations must identify all third-party vendors: Many organizations don’t have a full inventory of all their third parties and aren’t mitigating all the risks that come with these third parties, especially in healthcare. Healthcare organizations will have to take an active approach to managing these risks. They’ll need to find all the vendors who have access to their networks, determine the appropriate amount of access, and find the right solution to monitor these vendors.  

Organizations gear up for Utah’s privacy law to take effect this year: Last year, Utah became yet another state to adopt a comprehensive privacy law, and it takes effect this December. It gives consumers the right to delete their data, opt out of the collection and use of their data, and receive a copy of their data. Organizations are required to tell consumers how their data is being used. The attorney general will enforce the new law. Unlike other states, Utah’s law is considered more business-friendly because it has a narrow scope of organizations and consumers. For example, employee data isn’t protected. Consumers also have fewer options in Utah’s law.  

Financial firms must be ready to comply with the new SEC cybersecurity rule: Before the SEC’s new rule is implemented, financial firms should be prepared to adapt now. They should be able to provide written proof of how they’re addressing cyber risks. These assessments can’t be a one-and-done, but an ongoing activity. As cyber risks evolve, financial firms will have to demonstrate that they’re prioritizing and addressing the risks. IT leaders will need to update or create company-wide policies on cybersecurity best practices. And as the number of third parties continues to increase, especially with fintech, financial firms will also need to prioritize their third parties’ cyber risks. The new SEC rule will require them to identify what third parties have network access and what the cybersecurity risks are.  

Best practices to manage third-party risks globally: It’s clear. You are responsible for the actions of your third parties. But with so many third parties in the network, how can organizations monitor and manage the risks? Organizations should consider the amount of risk a third party brings, including measuring their interactions with foreign countries, where the third party is located, and the services the third party will provide. As organizations perform due diligence, they should know who the shareholders are, what the financial outlook of the third party is, if there are red flags in their service performance, what the third party’s history and reputation is, and how they comply with global regulations.  

Financial industry’s regulations are more focused on third-party risk and operational resilience: Disruptions to businesses are becoming more frequent and severe, from a global pandemic, Russia’s invasion of Ukraine, to supply chain challenges. Regulators have taken notice and are trying to ensure that organizations are prepared to respond, especially within the financial industry and their third parties. These regulations are ensuring that financial firms are accountable for implementing best risk management practices and have operational resiliency plans in place. It’s now a critical piece of the compliance puzzle. This isn’t just in the U.S., but also the UK, EU, Singapore, and Canada. Financial firms must take on a global mindset to compliance and follow third-party risk management best practices. No longer can firms be reactive, but they must take proactive steps to mitigate risks and remain resilient.