December 2022 Vendor Management News
By: Venminder Experts on December 29 2022
Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of December 29
In the final week of 2022, experts explain the importance of improving your organization’s cybersecurity policies. No organization is safe from the risk of cyber incidents, and that's made even clearer this week as we see articles about how the financial services industry has suffered from cyberattacks and a third-party data breach targets a healthcare provider. We also look at new data privacy regulations and the risks that third-party workers can pose to your organization. Check it all out!
A Louisiana hospital suffers a data breach following a ransomware attack: The Lake Charles Memorial Health System (LCMHS) discovered that it was the victim of a ransomware attack earlier this year after a hacker managed to infiltrate its private network. The hacker was able to steal sensitive information from approximately 270,000 patients, including full names, addresses, medical records, payment information, and health insurance information. LCMHS has been working to notify patients affected by the breach, and victims are warned to stay alert for any suspicious communications or banking activity.
The importance of resilience in the supply chain: The supply chain has been a hot topic for most of 2022, as geopolitical, economic, and environmental challenges have greatly affected the supply chain and many organizations. These new and changing risks have made resiliency a must, as both vendors and organizations worked to maintain normal operations and meet rising demands despite threats including war, material shortages, and increased transportation pricing. For many organizations, it’s time to invest in your supply chain to maintain operations and avoid future disruptions.
FTC receives support for proposal on limiting commercial surveillance: Following the Federal Trade Commission’s (FTC) proposed rule for limiting commercial surveillance, the Attorneys General from 33 states have released a letter to express their support. The letter expresses concern about the way that consumer data is collected and used, including location, biometric, and medical data. As data privacy has become a focus for many agencies and state legislators, it’s important for all organizations to stay updated on the latest news and regulations to ensure that their practices are compliant.
The financial services sector is a major target for cyberattacks: If we’ve learned nothing else in 2022, it’s that no industry or organization is safe from the threat of cyberattacks. Experts found that the financial services sector has suffered the second-highest number of data breaches during 2022, with phishing, malware, ATM skimming, and money laundering among the most-used tactics. As the threat of cybercrime continues to grow, it’s important for financial services organizations to assess their security policies for any potential gaps and vulnerabilities that could leave their data exposed to hackers.
Experts patch a vulnerability in WordPress plugin: Security experts discovered a vulnerability in a WordPress plugin, which made it possible for hackers to upload malicious files to WordPress websites. This vulnerability, tracked as CVE-2022-45359, has since received a patch, so users should be sure to update their systems to protect against this vulnerability.
Facebook agrees to settle in a 2018 class action lawsuit: Facebook and Meta have agreed to pay $725 million to settle a class action lawsuit, which was originally filed in 2018. The lawsuit cited privacy violations and alleged that Facebook allowed third-party apps to access its users’ sensitive data. The application in question gained access to information including names, birthdates, genders, locations, and messages, which was used for voter profiling in 2016. In the settlement agreement, Meta hasn't admitted to any wrongdoing and instead has taken precautions against sharing information with other third parties.
What is predictive policing?: The ways that organizations and businesses collect and use data continue to grow. While Amazon and other organizations collect data to gather marketing and product insights, for example, law enforcement data brokers, RELX and Thomson Reuters, collect data and make it available to government, legal, and law enforcement entities. However, as data privacy has become a larger concern in recent years, many are becoming suspicious of the way that data brokers gather and sell sensitive information to the government. Experts point to aggressive surveillance and inaccurate information as two major issues of predictive policing and urge the public to become more involved in advocating for data protection laws.
Proposed guidance focuses on climate risks for New York financial institutions: In response to growing concerns of climate-related risks, the New York State Department of Financial Services (NYDFS) has released a set of proposed guidelines for financial institutions. These guidelines include provisions for improving corporate oversight, data aggregation, and risk management processes for handling climate risks. The agency has opened the proposals for comments.
Why your healthcare organization should vet your vendors: Third-party vendors have been one of the leading causes of data breaches and other cybersecurity incidents in the healthcare sector during 2022. As a best practice, your organization should vet new vendors before signing a contract and continue to vet existing vendors throughout the relationship. As today’s threat landscape continues to change, it’s essential to verify whether your vendors have the proper controls in place to protect your patients' and your sensitive information. Failing to vet your vendors can have disastrous consequences, such as disruptions, third-party data breaches, reputational damages, and legal action.
Understanding the risks posed by third-party remote workers: The way in which your organization manages third-party remote workers can have a serious impact on your organization’s security posture. Cybersecurity experts have noted that many contractors and freelance workers are given access to private networks and sensitive data and use their personal devices for work. It’s important to understand that third-party remote workers, if not properly managed, can expose your organization to many serious security risks including data breaches.
Privacy laws demand compliance in the new year: As we prepare for the new year, organizations should stay informed of new and updated regulations, such as the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). These new regulations will impact the ways in which organizations and data collectors process their customers’ information and make customers aware of privacy notices. Organizations that operate in California and Virginia will need to revisit their policies and those of their third parties to ensure that compliance is met in 2023, or they may face legal and reputational damages.
Third-party healthcare data breach affects 271,000 patients: The healthcare industry has been the target of many large-scale third-party data breaches over the past year. Earlier this month, Avem Health Partners reported that an unauthorized user gained access to its private servers after one of its third-party vendors suffered a security incident. The compromised information includes patient names, Social Security numbers, health insurance information, and birthdates. As third-party data breaches are becoming more common and affect a larger number of organizations, your organization should continue to assess and monitor your third parties for any red flags or vulnerabilities.
The importance of managing your cybersecurity practices: In today’s world, cyberattacks such as phishing, data breaches, and ransomware pose serious risks to organizations of all industries and sizes, and becoming the victim of a cyber incident can severely impact your organization’s operations and reputation. Unfortunately, the threat of cyberattacks only continues to increase, so you need to ensure that your organization is prepared for the challenges ahead. To improve your cybersecurity practices, you should make cybersecurity a priority in your organization, secure an adequate budget, and assess your third parties for vulnerabilities and other risks that could threaten your security.
Federal Reserve releases principles for managing climate risks: The U.S. Board of Governors of the Federal Reserve System recently released a drafted set of principles for managing climate-related financial risks. Institutions under the Federal Reserve should be sure to read through and note areas where policies may need to be updated. These principles were created to help steer institutions in the right direction for managing climate-related risks and include the separation of oversight responsibilities for the board of directors from other risk management obligations. The Federal Reserve is currently accepting comments on the drafted principles.
Recently Added Articles as of December 22
As we inch closer to the new year, your organization and third-party vendors will need to stay updated on regulations and be on the lookout for upcoming changes to ensure compliance. Meanwhile, hackers refuse to take a break for the holidays as a third-party data breach targets the U.S. Department of Health and Human Services. Also, learn how outsourcing your third-party risk management can benefit your organization. Check out all this week’s news!
Human error creates a gap in your organization’s cybersecurity: Every week, we receive more news of new cyberattacks and methods that hackers are using to steal sensitive data. However, one of the more severe weaknesses in your organization’s security may be your employees. Advanced technology and cybersecurity software aren’t enough to protect your organization against social engineering and human error. To defend against the rising threat of phishing attacks and data breaches, experts urge organizations to implement policies that limit employees from using work accounts for personal use and prevent the use of personal devices for work.
Malware targets gaming servers: A Go-based malware program, called KmsdBot, has been tracked as the malware used in several recent cyberattacks targeting game servers. After infecting devices, the malware can perform activities such as cryptomining and denial-of-service attacks. Researchers have stated that while gaming servers have been a major target of the attacks, they may not be the only target, so you should always keep an eye out for any suspicious activity.
Cybersecurity experts discuss expected trends for 2023: 2022 was a difficult year for many organizations as hackers continued to develop new and more sophisticated methods for infiltrating private networks and stealing data. With the new year ahead, experts with Google have discussed several cybersecurity predictions for the next 12 months. These include an increase in insider risks, the continued threat of identity theft and authentication-related attacks, a wider implementation of passkey technology, and more ransomware attacks deployed against both public and private companies.
Settlement reached in Equifax lawsuit: Equifax, a credit monitoring service, has announced that it has reached a settlement for a class action lawsuit citing a 2017 data breach. In a statement, Equifax has denied any wrongdoing.
Microsoft vulnerability could expose Macs to malicious downloads: A Microsoft bug, tracked as CVE-2022-42821, could leave Mac devices vulnerable to compromise by malicious apps. This bug was identified earlier this year, and patches were released to address the vulnerability, so users should be sure to update their devices.
Lawmakers focus on preventing the sale of goods made with forced labor: ESG concerns remain a hot topic for consumers and regulators alike, leading to recent legislation such as the Uyghur Forced Labor Prevention Act. However, there is still plenty of work to be done to prevent unethical practices in the supply chain, and lawmakers in the U.S. and EU are developing and proposing laws to prevent the sale and importation of goods produced by forced labor. If your organization or supply chain fails to comply with ESG regulations, your organization may face legal action and damages to your reputation, so be sure to stay updated on the laws and assess your third parties for any red flags.
Mergers pose potential third-party risks to your organization: With mergers and acquisitions in the technology sector on the rise, what could happen if one of your vendors is acquired? According to information security experts, your organization can face severe risks and challenges if your vendor is merged with or acquired by a company that you don’t have a relationship with. In some cases, you may be able to continue your relationship, though, in other instances, it may be in your organization’s best interest to terminate the relationship and implement your exit strategy. It’s important to thoroughly assess the impact the merger will have on your organization and follow through on the next steps to address the third-party risks.
Gmail implements end-to-end encryption services: Google has implemented end-to-end encryption options for web-based Gmail applications. While single-end encryption has already been made available, registered users will be able to send and receive encrypted emails to help protect their private data. While the service isn’t available for all users just yet, sign-ups for beta testing are now open.
Hackers attack food distributors and suppliers by stealing shipments: Cybercriminals have been utilizing business email compromise attacks to impersonate distributors’ employees and steal food shipments. These attacks have allowed the criminals to go unnoticed for some time and have cost their victims several hundreds of thousands of dollars in stolen shipments. As the supply chain and third-party vulnerabilities have been exploited at an alarming rate over the past several months, it’s important to assess your supply chain and vendors for vulnerabilities that could leave your organization exposed to an attack.
Authorities investigate child labor in supply chain: Researchers found that several major suppliers for Hyundai and Kia employed underage children in Alabama factories. While investigators are looking at the areas where suppliers and recruiters for the factories were located, Hyundai and Kia are assessing their suppliers’ hiring policies. It’s important to remember that vendor non-compliance and unethical practices in your supply chain can leave negative and long-lasting impacts on your organization, harming your reputation and leading to possible legal action. Ensure that your supply chain is compliant with regulations and follows ESG guidelines.
Hackers impersonate websites as part of phishing campaign: Criminals have created websites to impersonate legitimate businesses, including Grammarly, a cloud-based typing assistant, and Cisco, a digital communications company, as part of a phishing attack to spread malware. As hackers continue to utilize social engineering tactics, it’s important for users to stay vigilant and ensure that the websites they visit are reputable and verified.
The benefits of outsourcing TPRM during times of economic instability: As the threats of recession and economic instability continue to loom over today's market, many teams should find ways to improve overall efficiency and save valuable time and resources. For many, outsourcing your third-party risk management activities may be the perfect solution by offering better management of third and fourth parties, collecting and reviewing due diligence documents, monitoring for new risks, and letting your team address critical incidents and tasks. Labor shortages, cybersecurity incidents, and supply chain disruptions continue to threaten organizations, so it's critical that your third-party risk management processes are stronger than ever, and outsourcing activities can help organizations save money and meet today's growing demands.
Understanding the impact of third-party risks: Whenever you outsource a product or service to a vendor, you’ve exposed your organization to a wide range of third-party risks. As today’s risk landscape continues to grow and change, it’s important for your organization to thoroughly assess your vendors to determine what risks they pose and to take steps to mitigate those risks. Some third-party risks include production delays and operational disruptions, financial risks, and reputational damage.
Court ruling impacts compliance with Illinois’s Biometric Information Privacy Act: A recent ruling made in an Illinois appellate court states that companies need to have a written retention-and-destruction policy that complies with the Biometric Information Privacy Act (BIPA). As privacy, security, and compliance are all important topics to ensure your organization’s protection against risks, relevant companies should review their policies for retaining and destroying biometric data to ensure that they comply with Illinois law.
U.S. Department of Health and Human Services suffers third-party data breach: The U.S. Department of Health and Human Services’ Centers for Medicare and Medicaid Services became the victim of a third-party data breach, which allowed hackers access to approximately 254,000 patients’ sensitive information. Those affected by the breach will be notified of the incident, as the stolen data could include names, addresses, enrollment information, and banking information. This data breach highlights the importance of maintaining third-party risk management best practices to protect your organization and your customers.
Massachusetts Governor signs executive order to improve cybersecurity: To improve cybersecurity defenses for the state of Massachusetts, Governor Baker signed an executive order. The first part of this order will create a dedicated panel of individuals who will be tasked with assessing the state’s existing cyber resources and developing protocols and strategies for defending against future cyber threats. Among its other provisions, the order also directs the development of a Cybersecurity Incident Response Team, consisting of state leaders and representatives of state offices, to maintain updated policies and make recommendations for dealing with threats, among other key responsibilities.
Sephora settlement showcases the importance of regulatory compliance: Sephora, a beauty retail company, has decided to settle following a lawsuit citing violations of the California Consumer Privacy Act (CCPA). The suit alleged that Sephora failed to notify customers that their data would be sold when they visited Sephora’s website, along with other violations. For other organizations that must comply with California’s data protection laws, including CCPA and the California Privacy Rights Act (CPRA), which goes into effect in 2023, this settlement showcases the importance of staying updated with compliance and following the guidelines. California’s Attorney General has stated his intention to enforce the laws, and organizations should expect to see further action taken against those who violate CPRA following its implementation.
American Hospital Association urges federal support and improved cybersecurity policies: Over the past several months, we’ve discussed how hackers have been targeting healthcare organizations and causing severe data breaches and disruptions. In response, the American Hospital Association has called for federal aid to support those suffering and recovering from cyberattacks, and it urges healthcare organizations to continue placing an emphasis on mitigating security risks, including those posed by third parties. In many cases, hackers have targeted third-party vulnerabilities to infiltrate private networks and medical devices. To protect their organization and preserve patient safety, organizations should take active steps to identify and address weaknesses in their cybersecurity.
Updated PCI DSS requires new security standards for compliance: Businesses that handle online payment information should familiarize themselves with the updated Payment Card Industry Data Security Standard (PCI DSS) that was released earlier this year to ensure compliance before it goes into effect in 2025. One of the largest updates is a focus on client-side security and new security controls that will make information more secure. To help reach compliance, organizations should read up on the new guidelines and consider automated systems to aid the transition over the next few years.
Recently Added Articles as of December 15
Cybersecurity is a hot topic this week as we look at Uber’s statement regarding a third-party data breach and the role that third parties have played in 90% of the largest healthcare data breaches of this past year. Headed into 2023, organizations should continue preparations for upcoming regulations such as CPRA. Finally, experts help explain how financial institutions and their vendors should notify customers and authorities of security incidents. Be sure to check it all out!
Australian organizations suffer increase in data breaches: In a report by Surfshark, data shows that Australian organizations saw a massive spike in data breaches during the fourth quarter. According to the study, the Australian breach density was approximately 24 times higher than the global average, which has significantly boosted the global number of data breaches. These breaches include an incident that targeted Medibank, a private health insurance company, in which hackers stole customer information including names, addresses, policy numbers, and Medicare numbers.
Linux systems become the target of cryptomining malware: Researchers have discovered cryptomining malware which targets Linux systems with the goal of controlling remote operating systems. The malware is tracked under the name Chaos RAT. Users should be wary of any suspicious activity and assess their system’s security to help protect against malware.
Third-party security gaps leave healthcare organizations vulnerable: During 2022, nine out of the ten largest data breaches that targeted healthcare organizations were tied to third parties. As hackers develop more sophisticated and aggressive methods for stealing data, it’s important for organizations to identify and address third-party vulnerabilities that leave their networks exposed to attacks. These cyberattacks have affected millions of patients over the past year, resulting in severe legal action, reputational damages, and system disruptions against the targeted healthcare organizations.
Uber suffers third-party data breach: In a recent statement, Uber shared that it became the victim of a third-party data breach which allowed a hacker access to sensitive data including corporate information such as employee email addresses and login names. The attack involved an asset management software provider. When the malicious actor infiltrated the vendor’s private network, they also gained access to Uber’s sensitive information. Uber employees should be aware of potential phishing attacks in which hackers could attempt to steal even more information.
Companies put ransomware costs onto consumers: The news of recent cyberattacks over the past several months has shown that no organization is safe from ransomware and data breach attacks. However, in a survey, more than half of companies admitted that they have transferred the cost of cybersecurity incidents onto consumers by increasing the cost of their products or services. As hackers continue to develop more aggressive methods of attack and target vulnerable small businesses and third parties, it’s essential for organizations to bolster their security practices and not pay ransoms. Be sure to revisit and update your organization's security policies and practices, as well as ensure your vendors do the same, to help protect against costly incidents.
Considerations for assessing bot mitigation vendors: When assessing your vendor’s performance, there are many factors to consider. However, a thorough assessment is critical to determine whether the benefits outweigh the vendor’s cost. For organizations that outsource to bot mitigation vendors, it’s important to verify that the vendor’s service improves your customers’ experience and helps your organization perform better. So, when assessing your vendor, you should consider factors such as the vendor’s security controls, the types of mitigation the service performs, if the controls have improved your organization’s security, and how the vendor measures the service’s success.
Court ruling sets precedent for paying cyber insurance deductibles: A court ruling from last month stated that T-Mobile could use payment from a third-party breach settlement for its cyber insurance deductible. As the number of incidents tied to third parties continues to rise and organizations are facing high cyber insurance deductibles, this court case will set a precedent for future cyber insurance disputes. However, while this will help organizations negotiate for insurance, your organization shouldn’t falter in assessing third parties for any vulnerabilities or gaps which could lead to third-party data breaches or other attacks.
How to prepare for CPRA compliance: As we approach the new year, it’s important to stay informed of upcoming regulations and amendments and learn how your organization can comply. For organizations that are within the scope of the California Privacy Rights Act (CPRA), you should be sure to evaluate your organization’s policies for collecting, selling, and sharing consumer information. As a best practice, consider auditing your website to ensure that information on data usage and privacy policies comply with the regulations. Be sure to also assess your vendors’ policies to determine compliance, as your organization can be held liable if your vendors are found in violation of CPRA’s guidelines.
How retailers can address in-person risks in a post-pandemic landscape: Over the past several years, retailers have had to navigate a challenging threat landscape, as the COVID-19 pandemic, supply chain disruptions, and natural disasters have all threatened normal operations. As more consumers are beginning to shop in person once more, it’s important for organizations to understand the risks that could threaten their business and customer safety. Be sure to reassess policies and procedures for preventing violence, training employees, and ensuring that third parties are equipped to maintain operations. As today’s risk landscape continues to change, third parties play a large role in your organization’s success, so they need to align with your policies.
New attack method allows hackers to evade firewalls: Cybersecurity experts have discovered a new attack method which allows hackers to bypass firewall applications and infiltrate private networks. As firewalls are a major line of defense to protect sensitive information, these vulnerabilities can leave your information open to attack, so it’s important to assess your security policies and controls, as well as those implemented by your third parties, to ensure your data privacy is protected.
A new cyberattack steals data from air-gapped systems: COVID-bit, a new type of attack developed to target air-gapped technology, utilizes electromagnetic waves to infiltrate private networks, steal data, and download malware. Many air-gapped devices can be found in high-risk environments such as government buildings, critical energy and key infrastructure centers, and weapon control units, so it’s essential for these systems to remain protected against malicious attacks. To protect against this type of attack, experts suggest limiting access to air-gapped systems, monitoring CPU usage, and having a plan in place for reporting suspicious activity.
Public safety organizations remain vulnerable to cyberattacks: A recent survey found that many public safety organizations, such as first responders and police departments, have experienced a cyberattack over the past year. Also, the majority of first responders stated that they worried about their systems’ vulnerability to data breaches and ransomware attacks. This can cause concern for many, as these cyberattacks can endanger the public by disrupting response times and impeding investigations. To preserve information security and maintain uninterrupted operations, these organizations will need to prioritize cybersecurity and bring in specialized experts.
Understanding breach notification guidelines for banks and their third parties: In today’s modern threat landscape, there are many risks that threaten a bank’s security and operations, making it important to understand exactly when and how banks should notify their stakeholders and customers in the face of cybersecurity incidents or disruptions. A recent panel concluded that banks and third parties should notify regulators and customers when an incident impacts the integrity of systems or the privacy of sensitive information. As regulators continue to amend their guidelines and penalize violators, it’s important to ensure that your organization and third parties update the necessary policies and procedures for responding to incidents in an effective and timely manner.
Third-party data vendors help marketers comply with new standards: Data privacy and storage have been hot topics for many in the marketing and advertising sphere. As consumers become more wary of how their private information is gathered, stored, and used, some regulations have started to restrict the way personal data is collected. For many struggling to find a solution to meet their needs and comply with regulations, third-party data vendors may offer the solution. When selecting a vendor, you should look at factors such as the way data is gathered, their data quality guarantee, whether they provide consumers with an opt-in option, and whether their methods comply with industry regulations.
Hackers exploit zero-day vulnerability in Internet Explorer: Researchers with Google found that hackers have been exploiting a zero-day vulnerability in Internet Explorer. The vulnerability allows malicious actors to attack their victims with malware delivered through an infected file. Microsoft has since issued a patch for this vulnerability, so users should be sure to update their systems.
Third-party risk management best practices for healthcare organizations: During the 2022 HIMSS Cybersecurity Forum, experts joined a panel to discuss the importance of third-party risk management activities for protecting healthcare organizations against various risks. During the panel, experts highlighted the way that healthcare organizations rely on their vendors to maintain operations and how the implementation of controls and monitoring activities can help organizations improve their resiliency and ability to manage third-party risks. Several critical best practices discussed include collaborating with other stakeholders and departments, performing continuous monitoring, developing specific contract requirements to ensure vendor compliance, creating an inventory of your critical vendors, and educating your vendors on the importance of cybersecurity.
How to manage risks posed by SaaS providers: Organizations have become reliant on Software as a Service (SaaS) providers for storing, accessing, and sharing data. However, it’s important to identify, understand, and address the risks that SaaS systems can pose to your organization. These risks include compliance violations, declining financial health, and operational disruptions. To help manage these risks, you should implement third-party risk management best practices to assess the vendor’s controls, resiliency, business continuity plans, and whether the vendor complies with necessary regulations.
Recently Added Articles as of December 8
As we inch closer to the end of 2022, we’re looking at the latest trends in cybersecurity, including recent attacks and an investigation into a group of hackers. Also, while regulators set their priorities for 2023, your organization should take proactive steps to understand and prepare for any upcoming changes that require your compliance. Finally, learn how tracking vendor availability can benefit your organization. Don’t miss out on any of this week’s news!
Microsoft warns cryptocurrency companies of recent cyberattacks: Experts with Microsoft have announced that there are targeted attacks being deployed against cryptocurrency companies. The attacks are tracked as DEV-0139. During the attacks, the hackers join exclusive groups of clients to choose a target and send the victim a compromised file which will infect the victim’s device with malware and give the hackers access to sensitive information.
Major Russian bank suffers DDoS attack: One of Russia’s largest banks, VTB, recently released a statement regarding a recent cyberattack. The distributed denial-of-service (DDoS) attack is suspected to be a product of pro-Ukrainian hackers and is another in a series of attacks between the two countries. While VTB stated that the attack didn’t cause any disruptions, other sources note that the bank may have experienced website and app outages.
Cloud services provider suffers a disruption following a cyberattack: Rackspace, a cloud services provider, announced that it was the target of a ransomware attack which has been the source of recent service disruptions. In a statement, Rackspace noted that it was too early to determine if any information was stolen in the attack.
Researchers identify a hacking campaign that reverses mitigation efforts: Cybersecurity experts have discovered a type of hacking campaign in which the hacker gains access to a private network and bypasses security features. For example, in cases where multifactor authentication tools are used, researchers found evidence that the hackers added their devices to the accounts. Many of these attacks begin with social engineering, so users should stay aware of any suspicious activity. Be sure to educate your employees on how to spot attacks like these, and ensure your vendors are doing the same.
Third-party data breaches pose a growing problem for healthcare organizations: Over the last several months, we’ve discussed the role that third-party providers play in exposing healthcare organizations to cybersecurity risks. A recent study found that of the 10 largest data breaches in the healthcare industry over the past year, half were caused by third-party vulnerabilities. As malicious actors continue to develop more sophisticated methods of stealing sensitive information, it’s more important than ever for healthcare organizations to reassess how well their vendors can protect their sensitive information.
OCC sets priorities for new year amid inflation concerns: With 2023 rapidly approaching, the Office of the Comptroller of the Currency (OCC) released a list detailing its priorities for the new year. As concerns around inflation and other market-disrupting events continue to increase, these points serve as a guide for national banks to follow. These priorities include improving cybersecurity and resiliency, assessing bank-fintech partnerships, determining the risks that stem from new payment methods and cryptocurrencies, and maintaining the safety and soundness of institutions.
The Cyber Safety Review Board launches investigation into a malicious group: Recently, the U.S. Department of Homeland Security announced that the Cyber Safety Review Board will be looking into the activities of a group of malicious actors called Lapsus$. The group has been linked to several large-scale ransomware attacks targeting companies including Uber and T-Mobile. During this investigation, the Cyber Safety Review Board will focus on best practices for defending against ransomware and social engineering attacks and on how organizations can improve their resiliency and security measures against future attacks.
How your organization can prepare for climate-protection regulations: Over the past several months, we've discussed how regulators and consumers alike have shifted their attention towards the impact that businesses and the supply chain have on the environment. In response to regulations that are expected to emerge in the future, it's important for your organization to take proactive steps and implement best practices to prepare for compliance. To offer a starting point, several frameworks have been developed to help organizations reduce emissions by identifying potential climate-altering risks, managing those risks through mitigation techniques, and reporting data to the proper agency.
Breaking down cyberattack trends and projections for 2023: According to recent studies, major world events such as military action in Ukraine and the COVID-19 pandemic have influenced the way that malicious actors target sensitive information and deploy cyberattacks. Experts have highlighted that cyberattacks can mirror military ground combat, with cybercriminals targeting key infrastructure and critical industries such as power and telecommunications. Meanwhile, with the rise in remote work and cloud storage, hackers have launched attacks to steal sensitive information from unguarded networks. As we move into 2023, improved cybersecurity should continue to be a priority, as cyberattacks will continue to become more sophisticated and aggressive.
The role of third-party risk management in OFAC compliance: As OFAC continues to impose sophisticated sanctions to protect national security, your organization should implement a thorough third-party risk management process, which will assess potential and current vendors for sanctions. OFAC has created a series of recommendations for ensuring compliance, which includes training relevant stakeholders on the importance of OFAC compliance, assessing for possible engagements with sanctioned entities, and setting a tone of compliance from your organization’s leadership. By failing to assess your vendors for sanctions, you may open your organization to risks of fines and further legal action.
Many Department of Defense contractors lack sufficient cybersecurity: A recent survey found that a majority of Department of Defense contractors don’t meet the baseline cybersecurity requirements. In response, experts have stated that this presents a danger to U.S. national security. Because many contractors report difficulty understanding the necessary requirements, and because of the expense of updating technology and processes, a security gap exists that leaves confidential information open to exploitation by malicious actors. To improve cybersecurity, experts urge contractors to work with professional service providers and consider transitioning to the cloud.
How vendor availability benefits your organization: When your organization outsources a product or service to a vendor, you want to ensure that you receive the best value while posing the lowest amount of risk to your organization. One way to monitor your vendor’s performance is by measuring vendor availability, which is how well the vendor responds to emergency situations. There are many benefits to tracking your vendor’s performance through vendor availability metrics, such as building a stronger relationship with suppliers, improving efficiency, saving money by avoiding costly shipping rates and delays, and increasing customer satisfaction.
Recently Added Articles as of December 1
This week, we’re looking at the trends that recent studies have determined regarding cybersecurity and the risks that third parties pose to your organization’s security. Meanwhile, fitness apps may expose your sensitive data to malicious actors. Finally, federal agencies are working to protect national security as the FCC bans equipment from telecom companies. Don’t miss out on any of this week’s news!
Understanding third-party risks to your organization’s security: Cyberattacks, including ransomware and data breaches, could have a severe impact on your organization, including reputational damage, operational disruptions, and lawsuits. Studies show that third-party vulnerabilities are a contributing factor to many successful cyberattacks, which highlights the importance of assessing your third-party vendors to better understand the risks that they pose to your organization’s security. Experts suggest several best practices to help improve your third-party risk management program, including updating your cyber insurance plan to cover third-party incidents, including breach notification requirements in your vendor contracts, and determining who will cover the costs of informing your customers following an incident.
Financial services industry faces increased rate of cyberattacks: Over the past year, the financial services industry has been targeted by a surge of web application and API attacks. According to researchers, these attacks occur when web apps contain security gaps and vulnerabilities which grant hackers access to sensitive information. These attacks allow hackers to steal credentials and information as well as gain access to privileged networks. These attacks are severe, so it’s important for targeted industries, such as the financial services sector, to understand the risks that security flaws pose and how to best identify and address cyber threats.
Acer works to address vulnerability: Researchers have been tracking a flaw, CVE-2022-4020, which gives hackers the ability to bypass security software and install malware on Acer devices. Acer is actively working to fix this vulnerability, so users should look out for updates when released to make their devices more secure.
Tech companies move cargo shipments to prepare for rail strikes: Over the past year, supply chain disruptions, inflation, and political events have forced many organizations to become more proactive and adaptable when responding to risks that threaten normal operations. In response to a potential rail strike, many tech companies have started to move cargo of semiconductor chips from trains to trucks for transportation. While conversations continue in Congress between legislators and unions, it’s important to understand how well your organization can adapt to various situational risks.
Third parties expose organizations to serious security gaps: During 2022, we saw a rise in the number of cyberattacks launched against organizations of all industries and sizes resulting from unchecked security gaps. As malicious actors continue to exploit vulnerabilities to get into private networks and steal sensitive data, it’s important that your organization effectively assesses its cybersecurity measures and the risks that its third parties pose. By implementing proactive measures and performing ongoing monitoring activities, your organization will be able to identify gaps before an incident occurs and more effectively address risks that emerge from your third-party relationships.
Companies are expected to increase cybersecurity spending in 2023: As cybercriminals continue to develop more sophisticated methods for attacking organizations of all sizes, studies show that organizations are expected to increase their cybersecurity spending in the new year. Even through inflation and tightening tech budgets, organizations are looking for ways to bolster their security measures and protect against malicious actors. However, as many organizations turn to managed service providers (MSPs), it’s important to exercise third-party risk management best practices to ensure that they can identify and address any additional risks that come with outsourcing services to MSPs.
FCC issues ban against several telecom and video surveillance companies: The FCC recently announced that it has identified several telecom and video surveillance companies which pose threats to national security. These companies include Huawei, Dahua, and Hytera. In its statement, the FCC stated that it’s working to protect the U.S.’s national security and has issued this ban because this equipment has been deemed untrustworthy. Departments have been advised to remove any equipment from these companies.
Fitness apps may pose serious risks to your personal data: Fitness trackers and devices have grown in popularity over the past several years. However, many users may be unaware of the risks that these apps and devices can pose to their personal data, such as location and biometrics. Because the information shared with the apps isn’t protected by legislation like health information, it can be more susceptible to malicious actors and hackers. Users should take proactive measures, such as buying only from reputable and established companies, reviewing the terms of service, adjusting settings that share sensitive information, and enabling multifactor authentication tools.
Google releases patch for zero-day vulnerability: After a zero-day flaw was identified, Google released a patch to improve security for Google Chrome. Users should update their browsers with the patch to ensure that the vulnerability has been addressed.
Cybersecurity expert alleges that Twitter suffered a data breach: In the wake of Twitter’s confirmed data breach earlier this year, a cybersecurity expert took to Twitter to allege that the platform had suffered a data breach and failed to report the incident. In the allegations, the expert stated that the unreported breach affected millions of users, exposing sensitive data such as phone numbers. In the past, Twitter has encouraged users to utilize multifactor authentication tools to protect their credentials.
Interpol seizes assets and makes arrests linked to cybercrimes: As part of an ongoing investigation into cybercrimes and money laundering activities, Interpol has announced that they have seized $130 million worth of digital assets and money and arrested 975 individuals linked to these crimes. In addition, during this operation, the agency was able to identify several crime trends and test the effectiveness of its anti-money laundering rapid response protocol mechanism.
Take proactive steps ahead of sustainability disclosure regulations: We’ve discussed many new and upcoming proposed regulations over the past year. Many of these may require some preparation before your organization will be ready to comply. Experts believe that the SEC will release new regulations surrounding sustainability disclosure within the next few years, so your organization should take proactive measures and get a head start on implementing processes and technology that will aid compliance in the future. These practices include gaining visibility into your supply chain, staying updated on both international and industry-specific regulations, and evaluating your third-party vendors for potential ESG risks.