
December 2023 Vendor Management News


Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of December 28

As we prepare for 2024, it's important to note that organizations must be ready to comply with the new SEC cybersecurity rules. Another area of focus is banks and their need for sound third-party risk management practices. ESG-related disclosures continue to rise in priority, too. Check out all of this week’s news below!

Addressing modern slavery in supply chains: Modern slavery cases grew by 25% over the last five years despite greater awareness and new regulations, according to new research. For organizations to succeed in preventing modern slavery, third-party suppliers are critical. Organizations need to gain increased visibility into the supply chain, perform due diligence on suppliers, automate risk management practices, use risk intelligence for continuous monitoring, and make regulatory compliance a must-have in supplier relationships. These practices can help reduce the risk and occurrence of modern slavery.

Proposed changes to COPPA include third-party disclosures and data protections: The Federal Trade Commission (FTC) has proposed amendments to the Children’s Online Privacy Protection Act (COPPA) Rule. Notable changes include obtaining two-part parental consent for third-party disclosures – one for the collection and use of data and one for disclosure to third parties. Another change creates more prescriptive guidance for protecting child data. It includes establishing, implementing, and maintaining a written children’s security program. Third parties that can access children’s personal information would have to provide written disclosures that they can secure and protect the information. The FTC will accept public comment on the proposed changes for 60 days. 

Millions of people impacted in healthcare data breaches this year: Healthcare cybersecurity is coming into greater focus as data breaches continue to wreak havoc. In 2023, more than 540 organizations and 112 million people were impacted in healthcare data breaches reported to the Department of Health and Human Services (HHS). Many of these breaches were traced to a third-party vendor, like the MOVEit data breach. In 2024, healthcare organizations should continue to focus on cybersecurity and third-party risk management. 

Proper steps to prepare for and prevent ESG-related fraud: As climate-related reporting becomes a greater focus for regulatory authorities across the globe, organizations should be aware of ESG-related fraud and false statements regarding ESG disclosures. Ensure a strong tone-at-the-top from senior management and proper oversight of ESG controls. It’s important to have ESG risk assessments for third parties and ensure reliable data from third parties. Have a formalized process in place to handle instances of ESG-related fraud and a plan to mitigate ESG misconduct risks. 

Google Chrome steps up safety monitoring to alert users to compromised passwords: Google Chrome will now monitor whether passwords saved in the browser have been compromised. It will also alert desktop users if installed extensions have been flagged as dangerous. These checks run automatically in the background and raise alerts when users need to take action. Chrome will also automatically revoke some website permissions, such as location or microphone access, if the site hasn’t been visited for a long time.

Due diligence on third parties helps protect healthcare data: Healthcare organizations store a lot of data that gets moved around to and between third parties. It’s more important than ever to keep that data safe as cybercriminals continue to target healthcare. Be selective when choosing third parties, especially if they’ll handle protected health information. Due diligence before the contract is crucial, too. If a third party is reluctant to comply with due diligence requests, healthcare organizations should rethink the potential relationship. 

Organizations must now comply with SEC incident disclosure rules: The Securities and Exchange Commission’s (SEC) cybersecurity and incident disclosure rules are now effective. Covered entities must report material cybersecurity incidents to the SEC, even if the breach originates with a third-party provider. The board of directors must also oversee cybersecurity risks and receive standardized reporting. The SEC isn’t requiring organizations to give details that would hinder incident response or remediation. With the rules now effective, organizations should review cybersecurity policies and frameworks, including for third-party providers. It’s important to be prepared to respond to a cybersecurity event and have a disclosure plan in place. 

Banks must establish third-party risk management after a cease-and-desist order: The Office of the Comptroller of the Currency (OCC) issued a cease-and-desist order against Upstate National Bank for alleged unsafe and unsound practices. Among the order’s requirements, the bank must establish a third-party risk management program. The program must include the bank’s strategy for third-party relationships, identify inherent third-party risks, and detail how the bank selects, assesses, and oversees third parties.

Cybersecurity becomes a greater focus for healthcare regulations: Now, more than ever, healthcare organizations must identify and address cybersecurity vulnerabilities as regulatory scrutiny heightens. The Department of Health and Human Services Office for Civil Rights recently took enforcement actions over a third-party ransomware attack and a phishing attack, and cybersecurity has become a top priority for healthcare regulators, especially as data breaches have surged. The Department of Health and Human Services is focusing on a cybersecurity strategy for the healthcare industry, and cybersecurity is expected to come into greater focus in 2024. To prepare, healthcare organizations should ensure they know where protected health information is stored, develop a risk management plan, and review business associate agreements for data breach and security incident obligations.

Third-party ransomware attack compromises information of 2.7 million: Several healthcare organizations are facing the fallout of a data breach at third-party medical software company ESO Solutions. The ransomware attack has compromised the sensitive information of 2.7 million patients. The attack was detected in September, but the cybercriminals were still able to encrypt some systems. Compromised information includes Social Security numbers, medical diagnoses, and treatment information.

The importance of third-party emissions and Scope 3 data: More organizations are focusing on Scope 3 emissions data as regulatory scrutiny and compliance pressure rise. Scope 3 disclosures cover indirect emissions in the supply chain with third-party vendors. However, gathering this data, especially with limited supplier visibility, can be difficult. An activity-based approach focuses on the emissions from a specific supplier activity, even if it’s a low-cost product. Oftentimes, low-cost products carry higher risks due to lower quality. Organizations do have to rely on suppliers for this data, which can be challenging, especially if the supplier is a smaller company. Communicate often with suppliers and encourage them to make climate-related disclosures. This can help provide better Scope 3 data.

Federal regulators update small bank definitions: The Federal Reserve Board and the Federal Deposit Insurance Corporation updated the definitions of small bank and intermediate small bank in the Community Reinvestment Act (CRA) regulations. As of December 31, a small bank has assets of less than $1.564 billion in either of the two prior years. An intermediate small bank has assets of at least $391 million as of December 31 of both of the two prior years and less than $1.564 billion in either of the two prior years.

Regulatory actions and supply chain attacks dominate 2023: This year was full of headlines about regulatory actions following massive data breaches. Healthcare took the brunt of the negative news, particularly in telehealth. BetterHelp, GoodRx, and Premom all received fines from the Federal Trade Commission. U.S. senators also turned their attention to telehealth providers for sharing patient information. Supply chain attacks were consistent throughout 2023, with third-party software vulnerabilities seen as the greatest threat. If you’re in for-profit healthcare, prepare for harder FTC enforcement. Organizations should perform risk assessments on third parties and consider using a software bill of materials (SBOM).

Recently Added Articles as of December 21

As we wrap up the year, the headlines show us the impact of third-party data breaches and regulatory actions. Organizations must be prepared to respond to cyberattacks and do proper due diligence on third parties. Check out all the news below! 

FBI seizes ransomware operation: The FBI breached the notorious BlackCat ransomware operation. BlackCat’s websites suddenly stopped working earlier in the month. The FBI had been able to quietly monitor the ransomware operation and obtain decryption keys. This is the third time a ransomware operation of this kind has been breached by law enforcement.

Cybercriminals using GitHub more for malware and cyberattacks: Threat actors are targeting GitHub more and more often to host malware. Cybercriminals can use these resources to build inexpensive attack infrastructure. Since this traffic blends in with genuine communications, it’s harder to detect.

Massive third-party data breach at Comcast: Almost 36 million Xfinity customers were impacted by a third-party software breach at Comcast. A vulnerability called CitrixBleed has been exploited since at least August. Although Citrix made patches available in October, some organizations didn’t apply the patch in time. Stolen data at Xfinity includes usernames and passwords. Users must reset their passwords, even if their information wasn’t compromised.

Divided opinions on proposed healthcare cybersecurity requirements: Healthcare lobbyists are opposing the Biden administration’s proposal for mandatory cybersecurity requirements and financial consequences for failing to meet those requirements. Hospitals that participate in Medicare and Medicaid would have to follow these cybersecurity expectations. There are no specifics on what these would be yet, but lobbyists have said healthcare cyberattacks have originated from third-party technology and that imposing fines would lessen the resources hospitals need to prevent cyberattacks. However, other industry experts support the requirements as healthcare organizations have become such a target for cyberattacks.

Almost 7 million more people were impacted in the MOVEit breach: The MOVEit breach has claimed yet another victim as almost 7 million people had their personal information compromised through Delta Dental of California. This is now the third-largest victim of the MOVEit breaches, whose total count stands at 91 million impacted. Delta Dental determined in July that attackers were able to access the system and in November determined that personal information was affected. 

As ransomware evolves, organizations must be prepared to respond: Ransomware extortion is changing, now taking the form of double extortion. This is when cybercriminals steal data before encrypting it and threaten to publish the stolen data unless the ransom is paid. Triple extortion is also growing, where additional intimidation tactics are used to force a ransom payment. Cybercriminals are looking to inflict the greatest harm – as organizations bolster their cybersecurity, cybercriminals up the ante. Ransomware payment should never be the first option. Instead, organizations should isolate infected systems, notify law enforcement and regulatory bodies, and begin executing their incident response plan.

Ransomware operation has infected hundreds of organizations: One ransomware operation has breached around 300 organizations across the world from June 2022 to October 2023, according to the FBI. These ransomware criminals communicate via email and steal sensitive documents before deploying ransomware and pressuring victims. Organizations should implement multi-factor authentication and regularly update and patch software. 

Unprompted one-time passcodes may be the sign of a cyberattack: Multi-factor authentication (MFA) is a great tool to protect your organizational data. One component of MFA is one-time passcodes sent through email or text. However, an unprompted one-time passcode is an immediate red flag, as it could be the sign of a cyberattack in progress. If this happens to you or someone in your organization, assume the credentials were stolen and log on immediately to change the password. One-time passcodes are a riskier second factor because someone who gains access to your email or phone number can intercept them.

Cyber risks must be addressed with third-party vendors: Organizations must understand cyber risks as the harmful impacts of data breaches and cyberattacks continue to spread. Threat actors target third-party vendors where security may not be the tightest to gain access to larger organizations. It’s important to be prepared and conduct training exercises with your third parties, particularly those that are critical to your organization. Insurance coverage can also help seal any vulnerable gaps and leave your organization covered after a third-party attack. 

Third-party risk management is crucial for law firms: Law firms play a big role in the business world and are often in the middle of a complex supply chain. This, coupled with the amount of sensitive information they hold, makes them prime targets for cyberattacks. Law firms should do a few things. First, ensure resilient supply chains and develop good relationships with suppliers. Also, audit supplier incident response plans. Finally, review suppliers’ business continuity and disaster recovery plans. Third-party risk management is becoming harder to ignore, and law firms must implement programs to keep client data safe and the supply chain secure.

Financial Stability Board identifies third parties and AI as top organizational risk: The Financial Stability Board named reliance on third parties as a key risk. While third parties give significant benefits to financial institutions, they can also introduce operational, compliance, and strategic risks. Cloud service providers in particular were called out as a potential risk to financial stability. Ninety-eight percent (98%) of financial organizations use some form of cloud computing. Complex fintech relationships were also mentioned, especially where fintechs interact directly with end customers. As financial institutions become more reliant on third parties, weaving a complex supply chain, they'll remain vulnerable to cyberattacks. AI was also named as a risk for the first time by the Financial Stability Board, including AI that relies on third parties. 

Regulatory focus turns to banking as a service relationships: The FDIC’s recent action against a banking as a service (BaaS) relationship has made it clear: there’s increased scrutiny of banks and fintech partnerships. The FDIC ordered the bank to build or revise policies for due diligence on BaaS partners before a contract is in place. This is crucial to follow given the compliance risk of BaaS relationships. Banks need to ensure fintechs have compliance programs in place, too. To avoid becoming a regulatory headline, banks should review and update their third-party risk management processes, third parties should get familiar with the recent Interagency Guidance, and fintechs should understand the framework in which their banking relationship exists.

National Security Agency (NSA) releases software supply chain risk management recommendations: As cyberattacks on the supply chain increase, the NSA has released recommendations for Software Bill of Materials management. This includes identifying software components and then managing them throughout the relationship to mitigate cyber risk. The NSA recommended examining the risks before acquiring software, watching for new vulnerabilities after deploying new software, and implementing incident management to quickly detect and respond to new vulnerabilities. The NSA said these best practices will help ensure the safety and security of the software supply chain. 

Recently Added Articles as of December 14

Regulatory expectations continue to expand and organizations and third parties must be ready to comply. This week’s news brought us several regulations to prepare for and reminded us of the importance of strong third-party cybersecurity. Check out all of the news below!

Third-party business disruptions still occurring despite increased investments: According to a new Gartner survey, third-party cybersecurity risk management investments might be increasing, but many organizations are still experiencing third-party business disruptions. To manage third-party cybersecurity risks, Gartner recommended regularly reviewing the effectiveness of how third-party risks are communicated to business owners, tracking third-party contract decisions, conducting third-party incident response planning, and working with critical third parties on their cybersecurity practices. 

Ensuring third-party security as a small business: Many small businesses rely on third parties to ease burdens and offer services they cannot. However, managing the risks that come with these third parties can be a challenge, as many small businesses may lack the right resources. It’s important to properly screen third parties by ensuring they’re compliant with standards, like SOC 2 and ISO 27001. Understand how sensitive and secure your data is and how it will be used by a third party. It’s important to know what the third party is going to do with your data and set data protection agreements. Third parties should ultimately be helpful to your business, not a burden. 

Russian hackers launch espionage campaign targeting other countries: Russian hackers are targeting at least 13 nations in an espionage campaign, using authentic documents to lure victims. Countries include Hungary, Australia, Ukraine, and Germany. Attackers use documents from places like the United Nations, Bank of Israel, European Parliament, and the U.S. Congressional Research Service. 

Key components of the supplier selection process: It’s more important than ever to keep supply chain risks down to avoid disastrous data breaches and expensive regulatory fines. A strong supplier selection process can help mitigate potential risks before they become issues. Take a look at the supplier’s security measures, as poor supplier cybersecurity can have massive consequences down the line. You should also evaluate the supplier’s historical performance through financial reports and press coverage. Check OFAC’s sanctions lists to ensure supplier sanctions compliance. From an organizational viewpoint, it’s also important to ensure the supplier’s values and operations align with yours. By understanding these things, your organization can have a safer supplier selection process.

OCC reiterates third-party risk management in its semiannual risk perspective: The OCC released its semiannual risk perspective for fall 2023, identifying credit risk, operational risk, compliance risk, and rising deposit risks as key themes for banks. Third parties pose operational risks, especially as fintech partnerships and cloud services continue to rise. Risk-based third-party risk management is crucial and the OCC noted more rigorous oversight for critical relationships. It’s extremely important to the OCC that third-party relationships are safe and sound, so banks under the OCC’s regulation should prepare for regulatory scrutiny. 

The CFPB’s proposed rule for personal financial data rights: What will the proposed Personal Financial Data Rights rule from the CFPB mean for organizations? If a consumer requested it, a covered entity would have to provide the consumer’s information. This includes third-party bill payments, account terms and conditions, and transaction information. Screen scraping would be prohibited; this is when a third party uses a consumer’s login credentials to access online banking and automatically scrape the information. Instead, data providers would have to make the data available in a standard format. Third parties would be required to maintain reasonable written policies and procedures to ensure compliance, including data accuracy.

Cybercriminals target third parties for massive data breaches: Data breaches were up 20% in the first three quarters of 2023, compared to all of 2022, according to a new report. Cyberattacks on third-party vendors are one of the key reasons data breaches are on the rise. Since 80% of the breaches include data stored in the cloud, it’s increasingly important to have strong cloud security practices. Cybercriminals often target smaller vendors in order to gain access to the larger ones (this often turns into larger scale attacks). Organizations should ensure data is encrypted, especially as more data moves to the cloud. 

Sensitive organizational information stored in Google Drive: How much sensitive information is stored in Google Drive? A recent report shows 40.2%, and much of that is shared with external contacts. This sensitive information includes employee contracts and spreadsheets with passwords. As data breaches continue to rise, organizations must ensure secure clouds and visibility into the use of cloud systems, like Google apps. Organizations should know what data is stored, where it is, and who has access.

Bluetooth vulnerability discovered: A Bluetooth security flaw could give attackers control of Android, Linux, macOS, and iOS devices. The vulnerability allows attackers to bypass authentication and gain access to a vulnerable device.

Business associate is fined after a ransomware attack: The Department of Health and Human Services (HHS) recently settled with a HIPAA business associate for a ransomware attack. Doctors’ Management Services (DMS) agreed to pay $100,000 under allegations that it didn’t adequately protect health information. DMS was infected with ransomware in 2017, but didn’t detect it until December 2018. An investigation found DMS didn’t monitor health information systems appropriately and didn’t comply with the HIPAA Security Rule. 

Buy now, pay later lending must be done safely, even through third parties: The OCC released guidance to address risks with buy now, pay later lending. Banks that offer these loans should be able to do so in a safe manner and fairly treat consumers, even if the loan is through a third-party provider. Because of the automated nature of buy now, pay later lending, many banks rely on third parties to provide it. It’s important these buy now, pay later third-party providers are subject to third-party risk management requirements. 

Department of Health and Human Services focuses on healthcare cybersecurity: As the healthcare industry becomes more at risk for data breaches, the Department of Health and Human Services (HHS) is looking to improve healthcare cybersecurity practices. This follows the National Cybersecurity Strategy put out by the Biden administration. HHS has already updated its voluntary cybersecurity guidance, released free training, and issued telehealth privacy guidance. Moving forward, HHS plans to update the HIPAA Security Rule, with an early 2024 release planned. The department also wants to work with Congress to increase monetary penalties for HIPAA violations. HHS will also expand its support and voluntary guidance offerings.

Trade finance organizations must comply with new sanctions: OFAC started targeting the fentanyl and drug supply chain with sanctions earlier this year. Financial organizations that work in trade finance should be prepared to comply. Trade finance organizations should continue to identify and monitor sanctions and it's also important to perform due diligence on customers and transactions. 

Organizations push for greater credit union support: Two credit union advocates are pushing for greater support for credit unions to reach consumers. CUNA and NAFCU are concerned that credit unions won’t be able to invest in technology as consumer finance becomes more competitive. The two organizations said that the NCUA should streamline and simplify requirements for credit unions. NCUA has pushed for regulatory authority over third-party vendors, which both CUNA and NAFCU have opposed. 

Recently Added Articles as of December 7

What’s happening in the land down under? This week’s headlines show that Australia is increasingly focused on third-party risk management and cybersecurity, third-party vendors are a top cyberattack target, and fintech relationships are increasingly under scrutiny in the U.S. Check out all of the news below!

The importance of vendor partnerships: It can be easy to view vendors as simply service providers for your organization and nothing more. However, relationships with vendors matter and should be a core part of internal operations. That’s why it’s important to be strategic when selecting vendors. Find a vendor you can work together with and that fits culturally within your organization. Vendors should be partners in navigating potential issues and sharing core values. Strong vendor partners ultimately lead to a competitive advantage as they can understand and enforce your organization’s vision. 

Staggering number of energy companies experienced third-party data breaches: Ninety percent (90%) of the world’s leading energy companies experienced a third-party data breach in the last 12 months, according to new research from SecurityScorecard. Many energy companies were victims of fourth-party data breaches and 33% had a C security rating or below. Cybercriminals view third parties as an easier access point to organizations, so it’s critical for energy companies to begin evaluating third-party cybersecurity and implementing third-party risk management best practices. 

Cybersecurity a top priority in Australia and New Zealand: Cybersecurity is the next big investment in Australia and New Zealand, according to a new Gartner survey of CIOs and technology executives. Most organizations are concerned about the potential for cyberattacks and Australian regulators have pushed for stronger cybersecurity. While generative AI is expected to be an innovative technology, only 62% of CIOs are investing in it right now.

Managing cybersecurity risk in the supply chain: No matter the industry, organizations are relying more on a vast network of third-party suppliers. These supply chains can go across countries and continents. A recent survey found that 90% of Fortune 2000 companies are exchanging sensitive information with more than 1,000 third parties. Managing this network is increasingly challenging and complicated. Organizations must implement cybersecurity practices like access controls and privileged access management to build a strong foundation for supply chain risk management.  

More revisions proposed for California’s privacy law: The California Privacy Protection Agency has proposed new revisions to the state’s privacy law. They would update the definition of sensitive personal information to better align with other states’ definitions and include the sensitive information of those under 16 years old. Most privacy laws define a child as under 13, which is the federal definition. Fine amounts would also increase under the revisions, and third-party disclosures are clarified: businesses don’t sell personal information to third parties for business purposes; rather, they disclose personal information to service providers or contractors for business purposes.

FSB releases toolkit to address third-party risk at financial institutions: With rising concerns over third-party risks at financial institutions, the Financial Stability Board (FSB) released a toolkit for third-party risk management and oversight. It mostly focuses on critical third-party relationships because of how they can severely impact a financial institution. FSB hopes the toolkit will reduce the fragmentation between regulatory requirements and strengthen third-party risk management. It provides a list of common terms and definitions and tools to help financial institutions manage third-party risks throughout the lifecycle. FSB isn’t a regulatory body, but sets international standards and best practices. 

Keeping SaaS secure in 2024: What will software as a service (SaaS) security look like in 2024? Well, it’s likely that artificial intelligence (AI) will only amplify third-party SaaS risks. Securing the AI supply chain will become a key piece of third-party risk management at many organizations as they begin to understand how AI is used within their organization and third parties. In 2024, budget constraints may make SaaS security and third-party risk management even more challenging. However, organizations must remain aware of potential SaaS risks. 

Third-party risks are a top concern for Australian government: Third-party risk management is becoming an increasingly higher priority for Australian regulatory authorities. As organizations are more reliant on third parties, these third parties are at greater risk for cyberattacks. Australia sees small businesses as prime targets for supply chain attacks, which is why they’ve received special attention in Australia’s cybersecurity plan. Cyberattacks on small businesses can have devastating impacts, even leading to business closures. Australian organizations should look to manage third-party risks and follow best practices like Privileged Access Management (PAM) to manage third-party data access. 

Microsoft warns of a new ransomware threat: New CACTUS ransomware attacks are using malvertising to deploy DanaBot and gain access to systems. Microsoft is warning organizations of the new attacks that can steal sensitive and financial information. 

Outlook flaw is being used by hackers: Hackers are exploiting a flaw in Outlook to steal sensitive information in Microsoft Exchange accounts. The main targeted industries are government, energy, and transportation. Organizations should immediately take action by applying available security updates, resetting passwords of compromised users, and enabling multi-factor authentication. 

Third-party vendors a growing target for cybercriminals in 2023: Despite the many advances in cybersecurity, cyberattacks continue to grow more costly. This year, we saw a surge in ransomware, although the overall success of extortion payments fell in the first half of 2023. However, organizations still paid almost $900 million in extortion payments – one of the most expensive years so far. Cybercriminals have set their sights on larger targets and the companies that can afford to pay a higher ransom demand, but they aren’t targeting the bigger organizations directly. Instead, many cybercriminals go through a third-party vendor to gain access. Organizations must perform due diligence on third parties’ cybersecurity and continuously monitor third parties for any cybersecurity threats and vulnerabilities. 

Australia releases a seven-year cybersecurity plan: Australia has released a new cybersecurity plan that has stricter incident reporting rules and health checks for small businesses. There have been several large data breaches in Australia, leaking the sensitive information of millions of people, as well as a weekend shutdown of four ports. The plan spans seven years with multiple phases along the way. The first phase will establish education and awareness training for the country, give better funding to law enforcement, and create a new cyber incident review board. Australian organizations should also be prepared for increased regulatory scrutiny when it comes to cybersecurity. 

Bank faces regulatory action over fintech third-party risk management failures: First Fed Bank will have to fix several third-party risk management practices after the FDIC found several violations in the bank’s fintech relationship. The FDIC claims the bank made implied claims about debt cancellation features and approved customers who didn’t qualify through its fintech partnership. First Fed Bank can't begin a new third-party relationship without first receiving FDIC non-objection and the bank must also review all third parties’ policies and practices to determine compliance. The bank will also have to implement policies to improve its third-party oversight. This comes as regulators increasingly scrutinize fintech partnerships. 

AI can effectively detect malicious code: Although AI has its own risks, it can also be an effective tool for cybersecurity. New research has shown that AI is more accurate at detecting malicious code. This can be a big advantage against cybercriminals who are attempting to leverage AI for nefarious purposes. 

Third-party data breach impacts almost 2 million people: Almost 2 million people have been impacted by a third-party data breach involving Dollar Tree. A third party of the organization experienced a security incident in August, which resulted in the personal information of Dollar Tree employees being stolen. The information includes Social Security numbers and dates of birth. 
