
February 2021 Vendor Management News


Throughout the month of February, make it a goal to stay on top of vendor management news and resources. Find out what you missed and catch up on important information in this blog post.

Recently Added Articles as of February 25

This week, we have a good mix of third-party risk management news for your review. From hackers getting more creative, to COVID-19 lessons learned explained and regulators strengthening oversight, you won't want to miss out on the latest industry news as we wrap up the month. 

A request for private-sector organizations to notify when they have been hacked: Microsoft is requesting the private sector be obligated to disclose major system hacks. Most of this discussion took place in a Senate Intelligence Committee hearing about the SolarWinds hack. Although not a typical request, panelists didn’t challenge it, agreeing there is a need for more information sharing.

SEC suspends auditors over improper audit practices: In third-party risk management, we rely heavily on audits, both internal and external, and on their results to properly assess vendor risk. This week, the SEC suspended two former KPMG auditors for violating the Generally Accepted Auditing Standards by failing to obtain sufficient, appropriate audit evidence, to properly prepare audit documents, to properly examine journal entries and to adequately assess audit risk, among many other concerns. This relates to their audit of the now-defunct College of New Rochelle. How bad was it? They overstated the school’s net assets by a whopping $33.8 million.

Blockchain used to store backup server addresses: Researchers recently found that a decentralized blockchain is being used to store backup server addresses. This is important to call out because it makes the infrastructure almost unstoppable and that much harder to shut down while a hack is in progress. Hackers are getting creative, so we must ensure our cybersecurity protocols, as well as our vendors’ protocols, are in tip-top shape.

Third-party risk management lessons learned in 2020: In this podcast, well-known industry expert Linda Tuck Chapman joined The Risk Management Association for a 9-minute discussion of lessons learned in 2020. They also cover things to be prepared for from a third-party risk management perspective in 2021. Some familiar themes, to be certain, but it is always good to have another voice of reason offer clear direction on the actions needed.

Helpful advice to mitigate third-party supply chain breaches: The recent SolarWinds data hack is still impacting the industry – causing everyone to be on their toes and more aware than ever. And, although a surprising hack, it really shouldn’t have come as a shock. Hackers are getting better at what they do by the day and no organization is fully immune to a potential breach. So, what’s the key to minimizing the impact of a software-based attack? You should be isolating every application and its data within one area. This will help greatly with mitigation.

NSA exploit tool cloned by a Chinese hacking group: It seems hacking just can’t stay out of the news lately. A Chinese hacking group duplicated and deployed an exploit tool targeting a vulnerability tracked as CVE-2017-0005, found in Windows 7 and 8. The hack is especially concerning because it’s bringing to light some potential flaws with the Vulnerabilities Equities Process, a United States government program that discloses software vulnerabilities to vendors. Read on to learn more.

CFPB plans to strengthen oversight: The Consumer Financial Protection Bureau is creating a new enforcement team to increase oversight on banks, mortgage servicers and other financial institutions. It’s not tough to read these tea leaves. Bulking up the attorneys and overall bureau staffing is a pretty certain leading indicator that they’re going to be stepping up their enforcement actions. Time to get prepared!

Mac malware discovered: Own a Mac? A researcher has recently discovered the first piece of Mac malware created for devices with the M1 chip. According to Thomas Reed, director of Mac & Mobile at Malwarebytes, “Overall, I don’t anticipate this being a huge issue in the near future, as antivirus software can detect the Intel code in a fat binary just as well as for an Intel-only binary. However, this does mean that our industry needs to prepare to see malware creators switch to single-architecture M1-only binaries as a means of evading detection. Antivirus companies need to stay proactive and begin to strategize how they will detect these threats as they evolve in the future.” Stay safe out there, friends!

New Office of Cyber Security (OCS) proposal announced in Washington state: Here we go again. Another state is putting focus on cybersecurity as a result of the many recent data breaches. Washington state announced a proposal for a new Office of Cyber Security to protect state data, following the December breach that impacted 1.6 million residents. Although OCS already informally existed, this push to move it through legislation will give it broader authority. It’s important to take note of this because it is yet another state introducing cybersecurity standards unique to its own jurisdiction, following the lead already established by New York and California.

Dun & Bradstreet releases annual survey: D&B reached out to over a thousand procurement and supply chain leaders to learn more about their 2021 operational plans, the impact of COVID-19 and recovery, their stance on cybersecurity and more. There are some very interesting takeaways to highlight: 99% of respondents said they experienced a COVID-19-related disruption to their procurement operations, and 98% said that operational efficiency is an area of struggle. Don’t miss out! You’ll want to be sure to give this survey a read.

The importance of considering third parties in business resiliency planning: COVID-19 is still having rippling effects on the industry today. However, while there continue to be daily changes as a result, now is still a good time to take a step back and assess some of the lessons already learned from the pandemic. This article gives more insight into the third-party successes and challenges as well as some helpful best practices to know.

A state privacy law tracker to help you monitor the constant changes: It seems more and more state-level privacy laws are popping up, and it can be challenging to manage all of the new information. This handy tracker breaks it down by state and provides pending, passed and denied legislation resources, making it a one-stop shop for all that you need to know.

Recently Added Articles as of February 18

This week has a little bit of everything: from reporting concerns, new regulatory guidance and foreign hackers with a calling card reminiscent of your very worst sci-fi nightmares (truly, any bad actor going by the name of "Sandworm" has to be pretty diabolical). Not to mention that everyone's favorite online distributor is in hot water with New York City, after claims that Amazon benefited from the pandemic while simultaneously putting employees at risk. This week, we even have a quiz! You most definitely won't want to miss out on the rest. Read on for more!

Quiz yourself on the risk of violating FCPA: So, be honest, on a scale from 1 to 10, how likely is it that your organization could violate the FCPA? This piece offers a helpful quiz, and then digs deep into the world of the Foreign Corrupt Practices Act (FCPA). As many in compliance and risk management know, FCPA comes with some pretty harsh penalties for non-compliance and, along those lines, your third-party risk management program and protocols need to be wary of these “red flags.”

New York sues Amazon over employee safety concerns: This Tuesday, New York’s attorney general, Letitia James, sued Amazon on the grounds that the company provided inadequate safety protection for New York City Amazon workers during the pandemic. The filing also indicates that Amazon retaliated against employees who raised concerns over the conditions. “Amazon’s extreme profits and exponential growth rate came at the expense of the lives, health and safety of its frontline workers,” Ms. James argued in the complaint, filed in New York Supreme Court. Amazon disagrees. Kelly Nantel, a spokeswoman for Amazon, said the company cared “deeply about the health and safety” of its workers. Just another reminder why it’s important to review your vendor’s pandemic plans and health policies! 


Microsoft pulls bad patch update: After releasing a patch last Tuesday to provide fixes for the component that installs Windows updates, Microsoft was forced to pull it once they realized it was causing further security issues. “There is a known issue that halts the installation progress of the February 9, 2021 security update,” Microsoft announced. Now, according to Microsoft, you must install the new servicing stack update (SSU), KB5001078, before installing the latest cumulative update (LCU). For Windows users who haven’t applied the previous update, the new update “is available through Windows Update,” said Microsoft. “It will be downloaded and installed automatically.”

Data breach targets a law firm: Another one bites the dust. This time, the data breach victim is law firm Jones Day, which is the second major law firm that’s been hit within the last two weeks. The firm is the tenth largest in the country, with more than $2 billion in gross revenue, and some pretty hefty clients, which include Google, JPMorgan Chase & Co., Walmart Inc., Procter & Gamble Co. and McDonald’s Corp. The culprit? Third-party vendor Accellion, which provides file transfer services. The attack resulted in the exposure of private employee and client data. Accellion said in a statement posted to its website February 1 that its File Transfer Appliance, a two-decades-old file transfer product, “was the target of a sophisticated cyberattack.”

Sandworm hackers infiltrate vendor software: The French National Agency for the Security of Information Systems (ANSSI) has publicly called out the infamous Sandworm APT group, blaming them for a series of long-term hacking attacks against third-party vendor Centreon, an IT monitoring software provider widely embedded throughout government organizations in France. The French agency published guidance with security recommendations for organizations that may be affected by the hack, including patch management, server hardening and minimizing exposure. “Monitoring systems such as Centreon need to be highly intertwined with the monitored information system and therefore are a prime target for intrusion sets seeking lateralization,” the agency said. While Centreon claims only older versions of its product were compromised, it’s better to shore up cybersecurity defenses as a whole and be safe rather than sorry.

COVID-19 and third-party risk: COVID-19 has certainly had an impact even on third-party risk management. This article by JD Supra highlights a report from overseas, but undoubtedly the story is relevant around the globe. A whopping 35% report that they have no idea if their third parties have effective compliance programs. Meanwhile, a recent report found that 74% of leaders in China and Hong Kong believe COVID-19 has dramatically increased the risk exposure of their organization and 56% of compliance leaders reported budget cuts due to COVID-19.

New CFPB director clarifies the role of regulatory guidance: This week, Acting Director Uejio gave the go-ahead to publish the final CFPB ruling on supervisory guidance. As several agencies did a couple of years ago, the director delineates the role of supervisory guidance following a recent Supreme Court ruling. Also, the CFPB is entering a freeze on new rulemaking – a customary move as they set priorities and establish tweaks to the direction of the bureau. This Ballard Spahr article from Consumer Finance Monitor lays it out in clear terms.

SBA provides $20 billion in disaster loans: This week, the U.S. Small Business Administration reached a pretty major milestone with its COVID-19 Economic Injury Disaster Loan (EIDL) program. All in all, it has provided U.S. small businesses, non-profits and agricultural businesses a total of $200 billion in emergency funding. This provides some scale around the economic impact on small businesses… and this SBA stat is sobering. Remember, many of those small businesses may be part of your third-party risk management inventory.

CFPB points to slow complaint response: The CFPB Acting Director, Dave Uejio, expressed some concerns around financial institutions that have been slacking when it comes to addressing complaints. In his statement to CEEA, Mr. Uejio indicated that “making sure that consumers who submit complaints to us get the response and the relief they deserve” and addressing disparities in response times for black, brown and indigenous communities are among his top priorities. As we’ve said many times, complaints are often the goldmine the Consumer Financial Protection Bureau uses to investigate potential consumer harm.

Most mortgages are now virtual: Like many other things that had to go online during the pandemic, mortgage services too were forced to go virtual. According to Better.com, 63% of homebuyers made offers on homes that they hadn’t actually visited in person. That’s a jump from 32% in 2019, before pandemic-related lockdowns brought much of the real estate world online. From an efficiency and pandemic avoidance standpoint, that’s great news — but there are perils involved from a data security and disclosure standpoint, at the very least. Also, over the past several years, there have been numerous actions brought against lenders for failing to properly oversee mortgage servicers, so there are myriad potential issues raised by this otherwise good news.

EU Data Protection Board issues data breach report guidance: Since the GDPR took effect a few years ago, there hasn’t really been a lot of elaborative information around the rulings. We knew, of course, that it required notification to supervisory authorities in the EU within 72 hours of a data breach likely to result in a risk to the rights of individual privacy, but that was about it. Finally, the European Data Protection Board has issued practical guidance on specifics around common security incidents to help shed some light on what constitutes a reportable event. Among them, the EDPB has included details around what to do in the event of ransomware or malware infection, credential concerns, inadvertent disclosure, lost or stolen laptop and/or paper files, email compromise and preventative security measures.

Recently Added Articles as of February 11

Cybersecurity and compliance are the top two topics this week while data protection and security concerns continue to heat up! Hacker schemes are evolving at a rapid pace and regulators are working hard to keep up with measures and protocols that help stem the damage. Meanwhile, another state joins California in passing a consumer data protection bill... which one? Read on to find out!

“Back-to-the-basics” for cybersecurity: While it’s true that technology continues to advance in pace with all the bad guys out there who are trying to take advantage of it, in many ways, protecting yourself doesn’t have to be all that complex. Truthfully, the fundamentals of cybersecurity remain true, even despite the new gadgets, gizmos and access ports. Sure, there are MORE platforms you need to manage, but the same safety principles apply: consider employees who may be targeted, get serious about cybersecurity training, conduct internal phishing tests, revisit your corporate device policy, define privileged user policies, use MFA, strengthen privileged access controls, schedule security health checks and, of course, review third-party risk management processes.

Why counsel should care about compliance software: As security and safety concerns continue to be top of mind, and as regulatory compliance tightens in response to the many cybersecurity and data protection issues we’ve experienced over the past year, it’s no surprise that experts are pointing towards compliance software to help ease the complexity. Around 72% of legal departments say compliance and risk management are highly important, yet the levels of maturity for organizations don’t seem to quite match the level of need. Compliance software helps organizations level up by staying in control of regulatory requirements, improving risk management and enabling tracking and reporting so important deadlines, compliance obligations and gaps are never missed.

Insight from KPMG on emerging compliance risks: Not surprisingly, in today’s pandemic and remote world, cybersecurity and data privacy are near the top of the list. The expanding and increased risks also include ESG and anti-corruption as well as all the virtual tools and agile methodologies which undoubtedly impact risk profiles and bring up new dangers. KPMG advised that businesses brace for impact in the following areas: change management, reputational risk, climate ESG, core risk management, cybersecurity and resiliency, compliance risk, fraud and financial crime, consumer protection, payments and expanding regulatory authority. Unfortunately, it seems that there really is “no going back to normal.”

The future of the Chief Compliance Officer: There’s a new Attorney General in town and a brand-new Administration. Historically, CCOs have had to be mindful of their ever-increasing responsibilities and the associated personal and professional risks. While the Justice Department has relied on the CCO to assist in monitoring and ensuring legal compliance by corporations, the DOJ's expectations are expected to increase quite a bit. It seems several issues threaten the success of the CCO along with their ability to exercise authority, while also potentially increasing the danger of personal liability.

Microsoft patch fixes for 56 vulnerabilities: Microsoft’s monthly security patch deployment was quite the doozy this past Tuesday. Boasting fixes for 56 known vulnerabilities in a range of operating systems and software products, Microsoft showed some muscle in its attempts to stem damage from weaknesses in its suite of product offerings. So far, it seems CVE-2021-1732 is being exploited in the wild in zero-day attacks, which was reported by a Chinese security vendor and involves hackers linked to North Korea. For more details around major vulnerabilities and issues to prioritize, you may want to check out ZDI's roundup!

NYDFS clarifies its cybersecurity filing requirements: April 15, 2021 is the filing deadline – but trying not to make it too taxing, the NYDFS has redesigned and simplified its cybersecurity registration portal. To ensure that filings are matched to the appropriate covered entity or licensed person, NYDFS requires the use of an identifying number when filing. The identifying numbers are: NYDFS license number, NAIC/NY entity number, NMLS number or an institution number. Meanwhile, a look-up feature is included in the portal for anyone who doesn't know which number to use!

RDP is targeted with the rise of remote work: As more and more employees seem likely to stay home for the foreseeable future, the bad guys seem to multiply. Currently, researchers detect billions of cyberattacks attempting to take advantage of people working remotely… and there’s seemingly no end in sight. Remote Desktop Protocol (RDP) attacks can be used to infiltrate networks to examine and steal sensitive information. They can also be used as a means of gaining enough access to the network to deploy ransomware. If we’ve said it once, we’ve said it a million times: when it comes to third-party risk management, the best defense is a stellar offense!

Billions of passwords are sold for $2 a pop: According to dark web researchers, a “compilation of many breaches” – or COMB for short – has been leaked on underground internet channels. This particular COMB seems to have drawn on a treasure trove of databases, aggregating a staggering 3.27 billion unique combinations of cleartext email addresses and passwords from older breaches (which include Netflix, LinkedIn and others), and these are being sold online to other nefarious folk for $2 a pop. So, how can you protect yourself? As always, implement multifactor authentication (MFA) and maintain good password hygiene (strong, unique passwords for all accounts and regular password rotation). This is one of the best ways to prevent the potential fallout from this incident and any future ones.

Sophisticated hackers call for increased vigilance: Ready for your word of the week? As hackers become sneakier, more malicious and, well, harder to catch, a new phishing campaign includes a never-before-seen obfuscation technique. In reality, this is really just a fancy way of saying it hides malicious code. Basically, just last week, a new threat actor figured out how to use Morse code to hide damaging URLs in phishing forms to bypass secure mail. So, it’s a little old school, but also pretty innovative. Long story short, hackers are getting scary creative, which only highlights the need to shore up our cybersecurity and data protection tactics.

Cryptocurrency scam targets Discord users: A shakedown centered around a fake cryptocurrency exchange seems to be specifically targeting users of the chat app Discord. Pretty much it works like this: a private message that looks like an ad for a genuine up-and-coming trading platform giving away cryptocurrency is sent, and it deploys social engineering tactics to drive sign-ups. While Discord was originally designed for gamers, it's become a go-to chat app for a wide cross-section of people, ranging from study groups to fans of cryptocurrency, which makes it an ideal target for tricksters. Moral of the story: buyer beware.

The OCC extends a charter to a cryptocurrency firm: All jokes aside about the fact that “currency” is in the OCC’s name, this is another interesting wrinkle, and one that may continue to spur on the debate between the CFPB and OCC over who has the authority to grant charters, as a cryptocurrency firm would not remind many of a “national bank,” which is what the regulatory authority of the OCC actually covers.

The Virginia Senate passes privacy requirements: After the House of Delegates overwhelmingly passed the Virginia Consumer Data Protection Act, the Virginia Senate unanimously passed a companion bill. Much like California has introduced its own privacy standards, now Virginia has as well. However, this will become increasingly complicated in a highly matrixed environment of potentially overlapping or even conflicting regulations. Notably, the bill also doesn't include a private right of action.

FTC reports over 2 million fraud claims in 2020: According to newly released data, in 2020 the Federal Trade Commission received more than 2.1 million fraud reports. The largest culprits? Imposter scams, online shopping, internet and telephone heists. Overall, consumers reported losing more than $3.3 billion to fraud in 2020 — an increase from $1.8 billion in 2019. Just over a third of all consumers who filed a fraud report with the FTC—34%—reported losing money, up from just 23% in 2019. People often forget that the FTC wields considerable enforcement authority, and many of these cases have third-party implications as they're perpetrated by third parties operating on behalf of another institution. Often wielded under section 5 of the FTC Act, UDAP (note the lack of the abusive “A” in UDAAP) can bring huge fines and major enforcement actions.

Rising API attacks highlight vulnerabilities: Amid the landscape of increased security concerns, researchers are sounding the alarm on threats to enterprise security from insecure application programming interfaces, or APIs. A recent survey showed that 91% of organizations in the survey suffered an API-related problem last year. More than half reported finding vulnerabilities in their APIs, while 46% pointed to authentication issues, and 20% described problems caused by bots and data scraping tools. Michelle McLean, a vice president at Salt Security, said "APIs present a significant risk to organizations. Attackers are taking advantage of them now, and current strategies and technologies are not providing sufficient protection."

PCI compliance becomes increasingly challenging for call centers: The Payment Card Industry Data Security Standard (PCI DSS) has always been a challenge, but it’s proving to be even more difficult in this remote environment. Call centers offer an array of unique hurdles. For one, call recordings often contain a lot of private information, which should be (but often isn't) protected with encryption and access controls. Bluetooth-enabled devices like headsets and keyboards may also introduce vulnerabilities, which must be considered, while hard copies of paperwork are often not destroyed properly. There are a variety of security risks at play, and as compliance requirements increase, call centers will have to rise to meet increased regulatory scrutiny.

Recently Added Articles as of February 4

It may be a new month, but some similar stories continue on, especially as it pertains to data security and privacy. There's some BIG movement across the nation when it comes to consumer privacy and cybersecurity, and the headlines are here to prove it. We don't want to be a tease, but some of the whoppers include Biden's final CISO pick and the latest on the SolarWinds drama. You won't want to miss out. Read on for all the details!

Severe new SolarWinds vulnerabilities found: The full scope of the damage from the SolarWinds hack is still slowly, but surely, revealing itself. This week, cybersecurity researchers discovered three severe security vulnerabilities still impacting SolarWinds products. The most critical of the three may have been used during the hack to achieve remote code execution with elevated privileges. Two of the flaws (CVE-2021-25274 and CVE-2021-25275) were found inside the SolarWinds Orion Platform, while the third, CVE-2021-25276, was found inside the organization’s Serv-U FTP server for Windows. Unfortunately, there’s likely still more damage to come.

Minnesota considers a CCPA-inspired bill: California has blazed a path, and now Minnesota is on board the privacy train, too. The Minnesota bill, titled HF 36, will do a few things. Number one, it would expand consumer rights over personal information. Number two, the bill would create a private right of action for any person injured by a violation. And, number three, it would impose specific transparency obligations on businesses collecting and disclosing personal information. Overall, the legislation largely aligns with the California Consumer Privacy Act, but with a few relatively big differences, which include an expanded scope of private right of action. Seems big things are coming in the world of data privacy and security across the nation.

New Linux malware taking aim at supercomputers: Named Kobalos after a small creature in Greek mythology who was believed to cause mischief, this new strain of malware is wreaking havoc on supercomputers worldwide. It’s worrisome for a variety of reasons. First, the malware's codebase is tiny, but is sophisticated enough to impact at least Linux, BSD and Solaris operating systems. Second, ESET suspects it may possibly be compatible with attacks against AIX and Microsoft Windows machines, too. In a nutshell, the Linux malware grants operators remote access to file systems and can then initiate terminal sessions while acting as a connection point to other servers infected with the malware. Experts are still analyzing the malware in hopes of learning how to raise awareness and protect against it. 

Data breach impacts millions of unemployed: This week, The Office of the Washington State Auditor is investigating a security incident which has compromised the personal information of more than 1.6 million people who filed for unemployment during the 2020 pandemic. It seems the breach has stemmed from a third-party software provider named Accellion, whose services are used to send computer files. In a news release on Monday, state auditor Pat McCarthy said, “I know this is one more worry for Washingtonians who have already faced unemployment in a year scarred by both job loss and a pandemic. This is completely unacceptable. We are frustrated and committed to doing everything we can to mitigate the harm caused by this crime.” This is just more fodder for the case of third-party risk management and cybersecurity protocols.

Virginia House passes a consumer data protection act: As privacy and security become increasingly important, Virginia is the next state to move closer to enacting consumer privacy legislation. On January 29, the Virginia House of Delegates passed HB2307 — the Virginia Consumer Data Protection Act (Act) — in an 89 to 9 vote. Now, the Act is hanging out with the Senate Committee on General Laws and Technology. A companion bill, SB 1392, already passed the Senate Committee on General Laws and Technology on January 27, 2021. The question remains: is it better to have state-level privacy regulations or one federal regulation?

FTC finalizes Zoom data security allegations: Welp, folks, they did it. The FTC agreed that Zoom did in fact mislead consumers about the level of security it provided for its Zoom meetings and compromised the security of some Mac users. The final order requires Zoom to: one, implement a comprehensive security program; two, review any software updates for security flaws prior to release; and three, ensure the updates will not lessen third-party security features. Zoom must also obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve, and notify the Commission if it experiences a data breach. This is a great reminder that the FTC wields considerable enforcement authority, and that all organizations need to consider the validity of the claims they make and the third-party impacts as well.

New California DFPI is large and in charge: The “mini-CFPB,” whose expanded authority took effect January 1, 2021, is beginning to exert its muscle, and we’re taking notice. Just a few weeks into the new year, the California Department of Financial Protection and Innovation (DFPI) entered into “first-of-their-kind” memoranda of understanding (MOUs). Under these MOUs, the DFPI will regulate earned wage access products offered by five companies in California. We expect that focus to continue, especially in California, given the DFPI’s expanded authority over financial products offered by fintechs and non-bank lenders that historically fell outside the agency’s reach. So, prepare well and use the opportunity to gather any documentation related to your business dealings with, and data related to, California businesses and consumers.

Elizabeth Warren weighs in on the need for enforcement: Senator Elizabeth Warren was pretty upset over last week's trading activities, expressing that she felt it “is a rigged game.” Warren specifically pointed fingers at the Securities and Exchange Commission (SEC), the premier Wall Street regulator, stating that the agency needed “to grow a backbone” and "get off their duffs and do their jobs." Whew… rough one. When the architect of the CFPB jumps into the fray, you know action is likely, and it signals a possible new round of aggressive enforcement at the federal level.

The Fed tightens security with FedLine attestation materials: In response to the need for greater security, this week the Federal Reserve Bank gave FedLine Solutions client organizations a heads up that it will be distributing attestation materials via emails from "Assurance Program" (sent from the domain @adobesign.com). This is part of a new Security and Resilience program that requires organizations using FedLine Solutions to conduct an assessment of their compliance. For our clients and friends in the financial services industry, this headline is in the category of really important: if you use FedLine, please be on the lookout for this notice from the Federal Reserve Bank. It arrives via email and requires your attention to complete an assessment by the end of the year to help maintain appropriate cybersecurity standards. One practical caveat: an expected email from a regulator, delivered through a third-party e-signature domain, is exactly the kind of message a phisher will imitate. Brief your staff on the legitimate sender and domain now, and confirm anything unexpected through your existing Federal Reserve contact before clicking through.

Biden appoints federal CISO: Need further proof that cybersecurity is quickly becoming a national priority? This week, the Biden administration named Chris DeRusha as federal CISO. DeRusha, who previously served as the top cybersecurity officer for the Biden presidential campaign, will be responsible for coordinating cybersecurity policy across federal agencies. Mark Montgomery, Executive Director of the Cyberspace Solarium Commission, said that, along with Rob Silvers as CISA director, "These two billets will be key to establishing secure and resilient federal IT networks, and to building an effective public-private collaboration for the defense of our critical infrastructure." If nothing else, it is a step that further establishes the role of cybersecurity in the essential functioning and safeguarding of national assets.

The power of collaboration: The ICBA has certainly been fostering the growth of innovative new companies, and, as this article shows, the pandemic has proven the need for bankers to work closely with their fintech providers and counterparts. The article also highlights a shift in tone by the regulators from “no” to “how,” and that is an incredibly important distinction. Since 2008, the regulators have largely gone the opposite direction, presenting hurdles (in the form of additional rulemaking or enforcement actions) rather than solutions (like the much-touted fintech sandbox).
