February 2022 Vendor Management News
By: Venminder Experts on February 24 2022
Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management program fresh. Below we've listed some notable articles to check out.
Recently Added Articles as of February 24
This week, all eyes are on the Russia-Ukraine conflict, which is expected to increase cyber risks. The SEC is looking to improve cybersecurity with a proposed rule and supply chain issues are still causing headaches for CFOs. Third-party cybersecurity monitoring is highlighted and a couple of vendor data breaches have impacted over 600,000 individuals. Read on for all the latest in this week’s headlines!
Entropy ransomware strain being deployed by Dridex: The general-purpose malware known as Dridex may have rebranded itself in a new strain called Entropy. Researchers found similarities in the software packer, in the malware subroutines used to find and conceal commands, and in the decryption subroutines. However, there were differences between the two, including the initial access vector and the length of time spent in the environment. These parallels were discovered after two unrelated incidents involving a media company and a regional government agency. Both incidents revealed a lack of current patches and updates. Researchers also noted that multi-factor authentication would’ve made it harder for unauthorized users to gain access.
Meyer employees impacted in data breach: Employees of the cookware distributor Meyer were notified of a data breach that may have exposed a broad range of personal information such as social security numbers, medical conditions, drug screening results, immigration statuses and COVID-19 vaccine data. The notice claimed that the company saw no evidence that the information was accessed, but employees will receive two years of identity protection services. Similar letters were also addressed to employees of other Meyer companies, including Hestan Vineyards and Blue Mountain Enterprises. It’s still unknown exactly how many individuals were affected.
NFTs stolen from 17 OpenSea users: A phishing attack was apparently the source of a recent theft targeting $1.7 million in non-fungible tokens (NFTs). According to OpenSea CEO Devin Finzer, seventeen users were tricked into signing a malicious payload, which transferred their NFTs to the criminals for free. Finzer was confident in ruling out OpenSea’s website as a vector for the attack and said that the company was working with the victims to narrow down a list of common external websites that may be to blame.
Best practices for third-party cybersecurity monitoring: Do you know if your third party’s cybersecurity environment is secure? Vulnerabilities within a third party can expose an organization to significant incidents like ransomware attacks and data breaches. The answer to these concerns lies in a robust continuous cybersecurity monitoring strategy. To begin, experts recommend the inclusion of cybersecurity requirements in your third-party vendor contracts, from pre-contract negotiations to offboarding. It’s also a good idea to utilize technology in your monitoring strategy, which will help during periodic risk assessments. Organizations should also consider taking advantage of open-source intelligence that can provide valuable insight into a vendor’s cybersecurity risk.
Rise in ransomware data leaks for 2021: The results are in from CrowdStrike’s annual threat report. And, it should surprise no one that ransomware attacks are on the rise. The report revealed that there were 50+ ransomware attacks every week in 2021, with the demands increasing 36% from the previous year. The healthcare industry was a prime target for ransomware gangs, with over 150 attacks. The report further revealed 21 new adversaries, specifically from China and Iran. Double extortion tactics have also been on the rise where criminals demand payment to decrypt data and to prevent the data from leaking. Experts urge cyber professionals to learn more about the adversaries that are likely to attack their industries while ensuring their response plans are tested.
CFOs still grappling with supply chain issues: Eighty-four percent of CFOs cite supply chain disruptions as the biggest risk to their business, according to a recent BDO survey. Other risks include talent shortages and the possibility of changes in tax law. Supply chain risks are caused by a variety of interconnected issues such as the rising costs of materials and transportation, delays and shortages, and customer preferences for things like same-day shipping. To address these issues, CFOs are prioritizing accurate demand and inventory management that does away with the ineffective just-in-time approach.
Increasing cyber risks amid Russia-Ukraine tensions: The current conflict between Russia and Ukraine is expected to expose a number of cybersecurity, operational and supply chain risks. A Russian invasion would result in significant sanctions, which would in turn push Russia to respond using its cyber capabilities. CISA had already issued a cybersecurity warning related to Russian attacks, with the European Central Bank following suit. To prepare for and defend against a possible conflict, organizations are urged to evaluate their business continuity plans and closely examine their supply chains for any hidden dependency on Ukrainian services. Connect with peer networks and vendors to identify and mitigate cyber threats, while ensuring that your employees possess a security mindset. Cybersecurity is closely aligned with business security and risk, so it’s important that departments work together instead of in silos.
SEC aims to improve cybersecurity: The SEC is taking an active approach to addressing security gaps that have been identified in exams. The agency has proposed a rule that would amend two separate laws, the Advisers Act and the Investment Company Act. First on the list are improvements to policies, procedures and oversight, with specific elements that advisers and funds would need to include in their cybersecurity programs. Initial and ongoing due diligence of third-party vendors would play a critical role under this rule. Disclosure and reporting is another area of improvement, with a proposal to create confidential cyber incident reporting. Firms would also be required to document their cybersecurity practices through policies and procedures. The public comment period will remain open until April 11th, or 30 days after publication in the Federal Register, whichever is later.
Vendor-related breaches impact over 600,000: Two separate hacking incidents involving vendors have impacted over half a million individuals, proving once again the importance of managing vendor cybersecurity risk. The first breach was detected in late 2020 and reported earlier this month, involving 94,000 individuals and multiple fraudulent wire transfers. Comprehensive Health Services (CHS) reported the breach and described it as an external hacking incident which may have exposed names and social security numbers. The second breach was a ransomware incident reported by Morley Companies and is the second largest breach posted so far in 2022. Experts are looking to these two events as evidence that vendor risk management is a must for any organization that handles protected health information (PHI) or other sensitive data. It’s important not only to know who your vendors are, but also to assess their potential risks and review them periodically.
CEO impersonations lead to extortion: Business email compromise (BEC) scams have taken on a much more sophisticated form during the pandemic. Criminals are now utilizing video conferencing platforms in addition to written communication. This is accomplished by requesting a virtual meeting and using a still picture of the CEO. Scammers will then use deepfake audio, or no audio at all, to claim that their video or audio isn’t working and then request transfers of funds. Criminals can also compromise email accounts to join workplace meetings and collect valuable information. Gift card scams are another popular strategy for scammers who impersonate CEOs and ask for money. Implementing a strong cybersecurity program with regular testing is a good practice for organizations and their vendors that ensures they’re taking a proactive approach to mitigating risk.
Takeover trojans attack Microsoft Teams: Users of Microsoft Teams are being warned to stay aware of threat actors who are targeting the popular app through malicious files. Criminals are planting malicious documents into chat threads which can take over the user’s computer. The inherent trust in the widely used platform has made it easy for hackers to compromise. Users often don’t think twice about sharing sensitive or confidential data. Researchers have observed that criminals are gaining access through either a phishing email or a lateral attack on the network.
How healthcare providers can manage ransomware risk: Ransomware attacks against healthcare providers are becoming more sophisticated, according to BD’s 2021 Cybersecurity Annual Report. These types of attacks can significantly disrupt business operations and harm reputations and, more importantly, affect patient care and risk lives. An incident response plan is a key component of managing cyber risks. These plans should cover how to contain, preserve, investigate, restore and remediate after an attack. It’s also important to consider negotiation tactics, though paying a ransom is highly discouraged by the Department of the Treasury and the FBI. In some cases, paying a ransom may be illegal if the ransomware group is on the OFAC list. Make sure to understand any applicable breach reporting laws and the litigation you may face because of an incident.
Recently Added Articles as of February 17
Ransomware gangs have been keeping busy over the past week, with attacks on the San Francisco 49ers and a British snack company. The recent protests at the Canada-U.S. border have highlighted supply chain risk and Apple dropped 12 suppliers last year over responsible mineral sourcing. There’s no shortage of interesting headlines this week, so read on for all the details!
CFPB invites public to petition for action: The public will now have easier access to request regulatory changes from the Consumer Financial Protection Bureau (CFPB). The agency has invited Americans to exercise their Constitutional rights, without the need of a lawyer or lobbyist. This reform ensures that individuals can directly submit a petition to the CFPB with government employees and other paid individuals now required to go through the same channel.
SafeDNS provides cloud-based solutions for MSPs: The International Workplace Group recently conducted a survey which revealed 70% of the world’s workforce are working remotely at least one day a week. While remote working has been a practical solution during the pandemic, remote workers need a special set of cybersecurity solutions to keep their organizations safe, including multi-factor authentication, a virtual private network and DNS filtering. Web filtering is particularly important for managed service providers (MSPs), as it helps to prevent remote employees from accessing harmful content. Performance monitoring and threat intelligence against things like malware and ransomware are other important features of web filtering solutions.
Andrew Moyad named new Shared Assessments CEO: Third-party risk assurance leader Shared Assessments has appointed Andrew Moyad as its new CEO. Moyad brings over 25 years of risk management experience to the role, having served at some of the top asset management firms like Blackstone and BlackRock. His experience includes leading risk management teams through all stages of the vendor lifecycle, from risk assessments and control due diligence to contract reviews and performance monitoring. Members of Shared Assessments practice and lead risk management initiatives, which in turn produce an industry-standard toolset that’s used by more than 15,000 risk management programs.
Canada border protests highlight supply chain risk: After protesters temporarily blocked the U.S.-Canada border over COVID-19 policies, corporate leaders are seeing the broader impact of supply chain risk on their organizations. Supply chain challenges are expected to improve in the second half of 2022, but shipping disruptions and semiconductor scarcity are still ongoing issues. Experts state that supply chain resiliency won’t happen overnight, but efforts are being made to find solutions. To address these risks, the U.S. government is focusing on securing critical infrastructure and building domestic capacity while also improving coordination with Canada, Mexico and China.
Ransomware attack hits San Francisco 49ers: As if missing out on Super Bowl LVI wasn’t enough, the San Francisco 49ers were dealt another blow after an attack by the ransomware gang BlackByte. The gang reportedly stole team documents and posted them on the dark web in a file named “2020 Invoices”. A team statement said that there was no indication that the security incident affected outside systems related to Levi’s Stadium or ticket holders, and that law enforcement and cybersecurity experts have been brought in to assist in the investigation. This attack comes shortly after the FBI and U.S. Secret Service issued a joint cybersecurity advisory on this ransomware-as-a-service gang.
Google bug hunters paid $8.7 million in 2021: As the old sports saying goes, “The best offense is a good defense”, and Google has invested millions to play by this rule. Over $8 million was awarded to 696 third-party bug hunters who discovered and reported a number of vulnerabilities that could have been exploited by bad actors. This amount was nearly a 30% increase from 2020 and reflected higher payouts for specific bug discoveries and an overall high number of flaws. Chrome led the way for these vulnerabilities, with bug hunters finding 333 total flaws. Google’s own Project Zero team also discovered 376 bugs in other vendors’ products, dating back to 2019. With threat actors always on the hunt for new vulnerabilities, this should serve as an important reminder to always prioritize a strong cybersecurity environment.
Prepare to see ESG as a necessary strategy: Many organizations have traditionally seen third-party environmental, social and governance (ESG) disclosures as “nice to have”, but experts are predicting that these will soon become a “need to have”. Corporate social responsibility (CSR) has long been a strategy for a lot of leading companies, who will in turn be well-prepared when ESG regulations start emerging from lawmakers. Organizations would be wise to accept that ESG disclosures will soon become a necessity to appeal to investors, customers and employees.
British snacks threatened by ransomware attack: Fans of popular English treats like Butterkist, Hula Hoops and Space Raiders should prepare for a difficult period of snacking shortages. A recent Conti ransomware attack on KP Snacks is expected to disrupt the UK’s snacking supply chain until late March, with the food supplier stating they’ll be capping orders to reflect their remaining stock. Cybersecurity experts say that an incident like this highlights the impact of ransomware attacks on the supply chain, with criminals holding the power to halt day-to-day operations. The incident was discovered on January 28th, after which KP Snacks immediately responded by working with third-party cybersecurity experts. The Conti group is another ransomware-as-a-service gang that prompted a joint cybersecurity alert from the FBI, CISA and NSA back in September.
Twelve suppliers removed as Apple cleaned house in 2021: In a recent SEC filing, Apple stated that its supply chain was independently audited in an effort to ensure 100% responsible mineral sourcing. As a result of the findings, 12 suppliers were removed because of their unwillingness to participate in the audit or their failure to meet audit requirements for the conflict minerals known as 3TG (tin, tantalum, tungsten and gold). Since 2009, Apple has removed 163 suppliers that didn’t meet its requirements. Apple further stated that it’s committed to strengthening industry-wide due diligence in areas that are common sources of 3TG minerals. With more attention being given to environmental, social and governance issues, it seems likely that global supply chains will continue to be put under the microscope.
Third-party risk challenges highlighted in report: Despite the enormous value of third-party risk management, many risk professionals are still faced with challenges, according to a recent report from CyberRisk Alliance (CRA). Their survey revealed that the biggest challenge is a lack of qualified staff to execute a third-party risk management program, closely followed by the inability to prioritize, assess and manage a high volume of partners. Many risk professionals also struggle with a lack of resilience against their vulnerable third parties. CRA makes it clear that third-party risk management needs to be prioritized, with organizations understanding and preparing for third-party risks. Visibility across the supply chain and the use of third-party risk management technology are also good strategies to ensure organizations are protected.
Cybersecurity alliance launched by Mastercard: Third-party risk is getting increased attention from Mastercard as the credit card leader recently launched its own Global Cybersecurity Alliance Program. The program aims to help businesses manage the cyber risks that arise from their vast environment of third-party vendors. Mastercard stated that 60% of cyberattacks are the result of outside vendors and acknowledged that businesses often struggle with the time-consuming task of understanding third-party risk. An important feature of the program is cyber risk monitoring and scoring for its partners’ customers, which can be used to create an effective third-party risk management program.
Recently Added Articles as of February 10
New guidance from NIST addresses software supply chain security and the America COMPETES Act was recently passed by the House. The FISMA Modernization Act is also moving forward. And, cryptocurrency is again making the news after a significant Wormhole hack. There’s a lot happening in the world of cybersecurity and third-party risk management, so read on for more.
Pay-per-install malware being used by malicious programs: In third-party risk management, remaining aware of the latest and greatest breach efforts is key. PrivateLoader, a pay-per-install (PPI) malware service, has played a vital role in distributing a variety of malware including SmokeLoader, RedLine Stealer and Vidar. A loader is a type of malicious program that’s used to load additional executables onto an infected machine, and PPI services are used by malware operators to install their payloads onto their targets. PrivateLoader is written in C++ and works by retrieving URLs for the malicious payloads. It relies on a network of bait websites that are designed to appear prominently in search results and targets users searching for pirated software.
Supply chain disruptions cause CFO troubles: Experts are warning of potential compliance issues caused by supply chain disruptions. By switching suppliers, your organization may be exposed to tax nexus, which occurs when you have a physical or economic presence in a state. In other words, simply having sales in a state means that an organization has an economic presence there, though states differ on how they apply this nexus. Tax compliance requires organizations to know the difference and stay informed of changes to regulations. A knowledgeable CPA or attorney can help navigate these grey areas and ensure that your organization remains compliant.
Tips to strengthen vendor relationships: IT vendors provide great value to many organizations, so it’s important to optimize those relationships so they can continue delivering the best products and services. To accomplish this goal, make sure to seek out front-line support and maintain regular communication with the vendor. It’s also important to actively participate in vendor panels and conferences, while also defining service level agreements (SLAs) and adjusting them if needed. Deconversion should be addressed pre-contract and vendor IT audits should be requested on an annual basis. Also, make sure you agree with your vendor’s hiring practices and have strategies in place to protect against vendor mergers and acquisitions.
Vendor data breach exposes patient data for over 6,000: Texas-based Memorial Hermann Health System notified patients that a vendor data breach exposed protected health information. Their vendor, Advent Health Partners, discovered suspicious activity in September of 2021 and immediately began an investigation. An employee email account that contained sensitive information was apparently accessed by an unauthorized third party. Names, health insurance information and treatment information were exposed in the breach. Advent Health Partners has since taken action to provide affected patients with free credit monitoring services. This story should serve as another example of the potential impact of a third-party data breach, which can affect thousands, if not millions, of individuals.
CyberRisk Alliance report shows third-party risk shortcomings: A recent survey from CRA Business Intelligence reveals some key findings on how security teams are managing third-party risk. One highlight showed that 60% of respondents experienced a third-party IT security incident, 45% of which resulted in costs over $100,000. Supply chain visibility was an important issue for many respondents, but many stated that this was very limited. Fortunately, 76% of IT leaders agreed that managing third-party risk is a high or critical priority.
Cybersecurity tips for remote workers: For many organizations, remote working is likely here to stay, so it’s a good idea to stay on top of cybersecurity best practices to ensure that employees aren’t exposing you to unnecessary risk. Public Wi-Fi, personal computers, unsafe flash drives and sensitive information sent by email are just some of the risks that organizations are exposed to when adopting a work from home policy for their employees. To better secure a remote work environment, begin by implementing two-factor authentication for your virtual private network (VPN). It’s also important that employees use a secure Wi-Fi access point and that their password strategy is strong. Providing employees with company-approved computers is another strategy that helps protect against cybersecurity threats. While many business owners see this as an added expense, it’s worth considering the potential costs of a cyberattack that can occur on an employee’s unsecured personal computer.
Budgeting for cybersecurity under the threat of ransomware: Many organizations risk wasteful cybersecurity spending because they don’t fully understand what they need to protect and how. Cybersecurity budgets should be personalized to the organization’s needs by using a quantitative process to avoid guesswork. Begin by performing an asset inventory and determining your current cybersecurity posture and risk appetite. You can then calculate the budget according to that appetite, assets and potential losses, while also using key performance indicators (KPIs) to measure effectiveness. Also, make sure to avoid some common myths about cybersecurity budgeting, such as thinking that more money means better protection or that cyber insurance will completely cover your losses.
Enhancing cybersecurity with quantum computing: As new technological innovations emerge, cybercriminals are utilizing equally innovative methods to steal large amounts of data. Many experts are looking towards quantum computing to enhance the effectiveness of cybersecurity programs, though there are a few factors that may discourage this practice. For example, new devices based on quantum physics have a reputation for enabling attackers to break cryptographic methods that are currently considered secure. However, some experts believe that quantum technology can create a more robust method of cybersecurity encryption by using privacy-enhancing computing techniques. Organizations should begin thinking strategically about the benefits of quantum computing technology and how they can best implement them within their cybersecurity platform.
NIST guidance targets the software supply chain: After the release of the cybersecurity executive order, NIST was tasked with enhancing cybersecurity related to the software supply chain. The agency was directed to publish a variety of guidance that details standards, procedures and criteria, as well as to initiate two labeling programs related to the internet of things (IoT). NIST has responded with the release of five new documents that cover software security practices and software security labeling.
CPRA compliance and third-party vendors: January 1, 2023 is set to usher in a new era of privacy regulation as the California Privacy Rights Act (CPRA) goes into effect. The CPRA applies to data collected on California residents and imposes stricter regulations and heavier fines than the already existing California Consumer Privacy Act (CCPA). The CPRA amends the CCPA in a few key areas. The applicability threshold for organizations that buy, sell or share personal data increases from 50,000 or more California consumers to 100,000 or more. The CPRA also introduces new rights, including the right to correct information and the right to limit use and disclosure of sensitive information. A critical thing to remember is that these regulations extend to third-party vendors who have access to an organization’s users’ data, including information security providers, payment processors and chatbot operators. One study found that 99% of sites use third-party code and open-source libraries, but 56% of businesses were unable to ensure that their third parties were compliant with the CPRA. To ensure that third-party vendors are compliant with these regulations, experts recommend asking a series of questions related to the capture and use of data.
PHI exposed from third-party breaches: Three recent cybersecurity incidents against small outpatient facilities are proving once again that attackers are continuing to target the healthcare industry. First on the list is iRise Florida Spine and Joint Institute, which discovered a compromised employee email account back in November. Over 60,000 individuals have been notified about the potential exposure of their names, treatment information and dates of service. Moving up north, we have Boston-based Medical Healthcare Solutions, which also discovered an incident in November. The medical billing company stated that an unauthorized party potentially removed files from its network, which included social security numbers, claim numbers and procedure codes, though the number of impacted individuals isn’t clear. Last on the list is the Colorado Department of Human Services (CDHS), which experienced a breach through their third-party vendor, Sound Generations, and impacted over 6,000. The vendor was targeted in two separate attacks in July and September of 2021. Let these incidents serve as critical reminders that third-party data breaches are a constant threat that should be monitored.
COMPETES Act passed by the House: In an effort to bring semiconductor chip manufacturers back to the U.S., the House recently passed the America COMPETES Act, which will invest more than $50 billion in federal funds. Policymakers have long worried about the semiconductor supply chain, as China is the world leader in rare metals and minerals. The COMPETES Act will also help to establish a data initiative to measure the cybersecurity workforce, which has long been in short supply for both government and private organizations. House Homeland Security Committee chair, Bennie Thompson, supported the Act, stating that it would reduce our dependence on foreign countries and improve supply chain security.
Wormhole hack results in $320 million crypto theft: A hack on Wormhole on Groundhog Day (February 2) resulted in a major theft of cryptocurrencies worth over $320 million, making it the second largest exploit of this kind in history. Wormhole is a popular bridge that links the Ethereum and Solana blockchains, which are leaders in decentralized finance. Many users don’t rely on one blockchain exclusively, so bridges like Wormhole are an important component in allowing users to shift their holdings between chains. The funds were retrieved the next day, but this incident is highlighting the growing concern about security on the blockchain.
Healthcare leads the way in Department of Justice fraud cases: 2021 was a big year for the Department of Justice (DoJ) as it brought in $5.6 billion in civil settlements and judgments involving false claims and fraud against the U.S. government. The Department released a statement which identified healthcare fraud as the leading source of settlements and judgements related to the False Claims Act. Medicare billing and COVID-related Paycheck Protection Program kickbacks were some of the cases resolved last year by the DoJ. Some experts point to the security challenge of malicious insiders who attempt to bypass data security controls. However, cutting off access isn’t always feasible, as some employees like customer service workers need access to a lot of data. The recently launched Civil Cyber-Fraud Initiative will allow the DoJ to hold entities or individuals accountable that put information or systems at risk by knowingly engaging in risky cybersecurity behavior. While the healthcare industry continues to face the pressures of cybersecurity and fraud, it’s important that organizations implement a strong third-party risk management program to combat these risks.
Partnerships between cybersecurity and small credit unions: Cybersecurity requirements can be challenging for all credit unions, but even more so for smaller institutions that often lack sufficient resources. Jay Lee, IT vice president of three California-based credit unions, refers to vulnerability testing as an example of the challenges he faces. While this testing is usually run on a quarterly basis to meet examiners’ requirements, he states that monthly testing would be ideal. However, the costs and follow-up measures put a strain on this level of testing frequency. To support their cybersecurity efforts, many credit unions turn to third-party IT providers for audits, testing and other consulting needs. These partnerships with IT providers can provide great value for smaller credit unions, but it’s important to remember that proper due diligence still needs to be performed.
FISMA Modernization Act moves forward: It appears as though federal civilian agencies are one step closer to extensive cybersecurity updates as the House Oversight and Reform Committee moved forward with its version of the Federal Information Security Modernization Act (FISMA). Highlights of the bill include giving the Office of Management and Budget the power to establish cybersecurity and oversight policy, as well as allowing the Cybersecurity and Infrastructure Security Agency (CISA) to manage operational coordination. Chairwoman Carolyn Maloney pointed to recent attacks by Russian and Chinese hackers as evidence that FISMA needed modernization. Another important bill in the works is the Supply Chain Security Training Act, which aims to create a training program so federal employees can identify and mitigate supply chain threats. With the recent attacks on U.S. infrastructure, it’s more apparent than ever that cybersecurity should be a top priority for all organizations.
Telehealth technology puts data at risk: Healthcare providers are increasing patient access to virtual visits, but a new report shows that vulnerabilities in telehealth technology aren’t always being addressed, and these could lead to unprotected data. The products and services used to support telehealth include a wide range of third-party components, which aren’t always verified as having the safeguards necessary to ensure patient confidentiality. Researchers specifically looked at a common messaging protocol called MQTT, which doesn’t require authentication to transfer data and can therefore be exposed to man-in-the-middle attacks. Patient data continues to be highly valuable to cybercriminals, so it’s crucial that healthcare providers continue to verify the security of the applications they use.
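To make the MQTT point concrete for anyone reviewing a telehealth vendor's deployment, the fragment below contrasts a weak Mosquitto broker listener with a hardened one. It is an added example, not configuration from the article or from the report it summarizes; the certificate, password and ACL file paths are placeholders, and Mosquitto is assumed only because it is a widely used open-source MQTT broker whose configuration keys are documented.

```conf
# --- Weak setting (what a vendor assessment should flag) ---
# Plaintext listener on the default MQTT port, any client may connect and
# publish/subscribe without credentials. Traffic and topics are readable and
# modifiable by anyone on the path, which is the man-in-the-middle exposure
# described above.
listener 1883
allow_anonymous true

# --- Corrected setting ---
# TLS listener on the MQTT-over-TLS port. Clients must present a certificate
# issued by the placeholder CA, and the certificate identity is used as the
# MQTT username so ACLs can be applied per device.
listener 8883
cafile /etc/mosquitto/certs/ca.crt          # placeholder path
certfile /etc/mosquitto/certs/broker.crt    # placeholder path
keyfile /etc/mosquitto/certs/broker.key     # placeholder path
tls_version tlsv1.2
require_certificate true
use_identity_as_username true

# Even with client certificates, refuse anonymous sessions and restrict each
# identity to its own topics via a password file and an ACL file.
allow_anonymous false
password_file /etc/mosquitto/passwd         # placeholder path
acl_file /etc/mosquitto/acl                 # placeholder path
```

When checking a vendor's configuration, the presence of `allow_anonymous true` or a bare `listener 1883` with no TLS keys is the quickest indicator of the weak setting. Mosquitto 2.0 and later default to `allow_anonymous false`, so a broker that accepts anonymous connections on a current version has been explicitly configured that way.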
Recently Added Articles as of February 3
As we head into a new month, things are heating up between Ukraine and Russian hackers. The SEC is planning on some new cybersecurity laws related to reporting and data breach disclosures. Cryptocurrency is gaining in popularity, but facing opposition in Indonesia. The supply chain crisis is also influencing taxes and legal issues with an increasing demand on third-party audits. There’s a lot to dig into this week, so read on for all the details!
How to achieve operational resilience: After global events like a pandemic, Brexit and an increase in cyberattacks, operational resilience has been brought into the spotlight. Organizations have been forced to identify their critical business services and understand how to address their own vulnerabilities. Third-party risk management is a key component of operational resilience. This practice can be used to establish a level of stability during chaotic times. A good first step to achieve resilience is to understand the volume and velocity of third-party risks within an organization and then move on to considering automated processes and implementing AI technology.
New cybersecurity laws to emerge from SEC: In a recent keynote address by SEC chair Gary Gensler, the message was clear that the agency plans to enhance data privacy and cybersecurity requirements in the near future. Cybersecurity failures have been a high priority for the SEC, especially considering the latest enforcement actions related to cloud-based email accounts. Three actions against investment advisors ultimately resulted in six-figure penalties. In his speech, Gensler highlighted three SEC projects that may expand to a broader group of organizations. The first project is the expansion of Regulation Systems Compliance and Integrity, which governs stock exchanges, clearinghouses and alternative trading systems. The second project will institute reforms that cover other registrants like investment companies, and the third project will modernize Regulation S-P, a regulation that requires broker-dealers, investment companies and advisors to protect customer data.
PowerLess Backdoor malware used by Iranian hackers: New research has revealed that the Iranian-linked hacking group Charming Kitten has updated its malware toolset to include a PowerShell-based implant. The threat actor has been active for at least four years and has posed as journalists and scholars to trick victims into installing malware. The group was also discovered to have exploited the Log4Shell vulnerabilities and is potentially linked to several other malware artifacts and a new ransomware strain called Memento.
CFPB’s substantial assistance authority used in lawsuit: The recent lawsuit against three debt-buying companies highlights the CFPB’s use of substantial assistance authority. The agency used this authority to hold the defendants accountable for their third parties’ actions. This shows a willingness of the CFPB to target creditors who engage with deceptive third parties and highlights the importance of a strong third-party risk management (TPRM) program. To minimize this risk, a TPRM program should include proper due diligence of the collection agency, ongoing monitoring and an analysis of complaint data.
Russia increasing cyberattacks against Ukraine: The recent WhisperGate attack on Ukraine now appears to be one of many that have been launched by Russian advanced persistent threat (APT) actors. Two other Russian state-sponsored groups have been carrying out cyberattacks on their western neighbor, most notably Gamaredon (aka Armageddon), and possibly Sandworm. The Security Service of Ukraine released a report this past November, which details how Armageddon has been using in-memory tools to steal credentials and move laterally within a network. WhisperGate hasn’t officially been blamed on Russian threat actors, but it shares many similarities with previous attacks from Russian APTs.
How to declutter your data: If you’re thinking about your spring cleaning plan of attack, remember to include digital organization. Declutter Your Data author Angela Crocker advises regularly cleaning up your digital debris to avoid leaving sensitive information on your devices. Photos and inboxes are often the biggest contributors to a massive online collection, and Crocker offers a few helpful suggestions on how to stay on top of your data. For photos, it’s best to go through them on a daily or weekly basis and save them to the cloud. Email messages should be dealt with when you have the time, rather than quickly opening them and immediately forgetting about them. Unfortunately, email isn’t secure, so any messages that include sensitive information should be stored in an encrypted form before deleting the original email. Decluttering both personal and professional data is a worthy effort that can keep you safe.
Ukraine unprepared for Russian cyberattack: As Ukrainian leaders brace for potential hybrid warfare with Russia, cybersecurity experts aren’t too confident in Ukraine’s ability to secure its infrastructure. A 2015 hacking incident left 200,000 Ukrainians without power during winter, and the U.S. has since invested about $50 million to help the country with hardware and software training. One expert points out the potential crisis if telecommunications were to be attacked: Ukraine would then face difficulty in letting its people know what to do and where to go. In addition to cyberattacks, Ukraine must also deal with the threat of Russia’s disinformation and fake news. However, the country has made some efforts by blocking pro-Russian TV. The current tensions rising between Ukraine and Russia are just another example of why it’s important to stay informed of any attacks that could threaten your supply chain.
Guide to ransomware as a service: You’re probably familiar with the software as a service (SaaS) business model, but did you know that hackers are also using this model for criminal activity? Ransomware as a service (RaaS) is increasingly being utilized by business-savvy cybercriminals who lease their ransomware variants to other hackers. Cybercriminals without a lot of technical knowledge can simply sign up for the service and use RaaS kits to deploy ransomware attacks. DarkSide, REvil, Dharma and LockBit are some of the top leaders in the RaaS world. Prevention is key to protect against a ransomware attack, so it’s important to implement cybersecurity best practices such as maintaining a patch program, performing and testing backups on a regular basis and segmenting the network environment.
Important criteria of an ITaaS vendor: If you’re in the market for a new IT as a service (ITaaS) vendor, it’s important to consider some factors such as your organization’s needs, budget and timeline. Begin by evaluating the cost of establishing an in-house team vs. outsourcing to a vendor. It’s also important to understand any knowledge gaps surrounding the management of an in-house IT staff. Many business leaders may not know how to measure an IT staff, so it may benefit them to utilize a vendor. Identify the highest priority and desired results, while also ensuring that the service level agreement is clearly defined. Also, make sure to evaluate the vendor’s experience in your industry and whether they use cloud-based tools.
Crypto services barred in Indonesia: Cryptocurrency is not welcome in Indonesia, according to the commissioner of the country’s financial services authority Otoritas Jasa Keuangan (OJK). Financial institutions are prohibited from using, marketing and/or facilitating the trading of crypto assets. The agency warned that it doesn’t regulate crypto trading and the value of cryptocurrency can be highly volatile, while also stating that Ponzi schemes are associated with this type of investment. Despite this warning, Indonesia allows crypto mining, so the agency’s advice doesn’t constitute an official ban. Russia and China are two other nations that oppose cryptocurrency and time will tell who else might join them.
The supply chain’s impact on taxes and the law: Global supply chains continue to face pressure and many organizations are faced with new challenges and a greater need for close collaboration. In episode number 2 of Supply Chains Disrupted, industry leaders discuss the ways in which tax, legal, trade and regulatory issues can emerge from these global challenges. Trade wars, Brexit and the country of origin for products are all things to consider as organizations map out their supply chain strategy. The video also touches on U.S. enforcement activities regarding forced labor in supply chains, causing many organizations to perform a complete mapping of their supply chain environment. Third-party audits are also increasing in demand to ensure the integrity of the supply chain.
Cyber insurance can be difficult, but necessary: With the rise in cyberattacks, many experts agree that cyber insurance is a must, but implementing a policy can come with its own set of challenges. Insurance companies are facing risks themselves and are increasingly wary of accepting new customers. Cyberwar and state-sponsored attacks have led to insurers creating new model clauses which limit the scope of risks and ransom payments are often excluded from coverage. When shopping for cyber insurance, it’s recommended to accept as few exclusion clauses as possible, while also being proactive in reducing cyber damage risk. Some insurance companies will never require extensive questionnaires to determine the risk potential, so it’s important to ensure that your cybersecurity program is well established.