February 2023 Vendor Management News
By: Venminder Experts on February 23 2023
20 min read
Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of February 23
In this week's news, ESG standards and regulations are in the spotlight, healthcare data breaches receive more attention, and upping your TPRM knowledge remains important for staying on top of best practices. Check out the articles below to learn more!
Enterprise risk management departments are "missing" third-party risks: A recent Gartner survey of 100 executive risk committee members found that 84% of respondents said that third-party risk "misses" resulted in operational disruptions. Gartner classifies a third-party risk miss as a third-party risk incident that results in an outcome such as operational disruption, adverse financial impact, and more. If you're a larger organization practicing enterprise third-party risk management, you'll want to know the three things enterprise risk management must do differently to manage third-party risks more effectively.
The FBI experiences malicious cyber activity: The Federal Bureau of Investigation (FBI) is investigating malicious cyber activity on its own network. The isolated incident has been contained, but the agency is still assessing its scope and impact. The agency has offered no further comment at this time.
Web hosting company attacked by an unknown threat actor: An unknown malicious actor stole source code from an Arizona-based web hosting company and infected its systems with malware. The company is still trying to identify the root cause, but believes these incidents were part of a multiyear campaign by a sophisticated, as yet unidentified threat actor group.
Many feel tech vendors need more scrutiny: These days, there's an increased reliance on tech vendors. While outsourcing products or services to a tech vendor can certainly bring organizations a competitive advantage and operational efficiencies, it also comes with additional vendor risk. It's always the organization's responsibility to perform due diligence on its vendors; however, many feel there needs to be more regulatory oversight of tech vendors to help with the process. Many ideas are being tossed around to accomplish this, but the reality is, it's not going to be a quick or easy industry fix.
Stolen employee data leaked through a third-party vendor: Atlassian has confirmed that employee data has been leaked on the web through an account used on a third-party application. Although the data doesn't appear to have come from Atlassian's own systems, the company says an employee's compromised credentials are to blame. The third-party application in question, Envoy, responded quickly to the event and is working with Atlassian to enhance physical security across offices globally.
Don’t forget the ‘S’ in ESG: As ESG becomes an increasingly hot topic, it’s important to remember what each letter stands for. On February 3, Activision Blizzard settled charges with the SEC, agreeing to pay a whopping $35 million to resolve claims that it failed to maintain adequate disclosure controls for tracking workplace complaints. The SEC also found that the company violated whistleblower protection rules by impeding former employees’ ability to communicate with regulators.
The use of AI in the EU has privacy regulators stepping up their game: European privacy regulators are increasing their scrutiny of companies using artificial intelligence (AI). They plan to hire experts in the field and open new teams to crack down on data protection violations. As AI appears in more sectors, it’s important to understand the risks posed to your organization when using AI vendors and to ensure you’re following the applicable regulations.
Continue to protect yourself from COVID-19... and vendor risk: Remember back in 2020 when COVID-19 was ravaging the world? As exposure to COVID-19 and its variants increased, the healthcare industry was also experiencing an increase in protected health information (PHI) exposure. Cyberattacks on the healthcare industry are continuing, just as they are in every industry, so it’s important to stay on top of your cyber risk efforts.
The Hive has been contained – for now: Hive, a ransomware group, has been disrupted by the Department of Justice (DOJ) after months of effort. With ransomware attacks on the rise, including the Colonial Pipeline attack in 2021, the Biden Administration is looking to strengthen national cybersecurity. Hive focused its attacks on hospitals, school districts, and other organizations using a technique known as the “double-extortion” model: attacks typically began with phishing emails, after which the group exfiltrated sensitive data from the network, encrypted systems, and demanded payment both to restore access and to keep the stolen data from being published. Ensure your organization stays on top of the risk that ransomware poses, or you may fall victim. Tactics to implement include yearly security awareness training, phishing training, and more.
Vendor cybersecurity checklist: With cyberattacks increasing year over year, now’s the time to ensure your organization is vetting its vendors’ cybersecurity. Items to review include the vendor’s overall cybersecurity posture, the types of user authentication and access controls used, and more.
ESG importance in 2023: Organizations must continue to make strides in their ESG efforts in 2023, whether they planned on it or not. There are a few regulations to watch for this year around global supply chains, including the German Supply Chain Due Diligence Act effective January 1. In the U.S., the SEC may soon require large, publicly traded companies to disclose their Scope 3 greenhouse gas emissions, too. Now is not the time to sleep on ESG with U.S. regulators and EU regulators alike increasing their scrutiny on organizations.
Recent security updates to Apple products: Apple recently released security updates for iOS, iPadOS, macOS, and Safari. The updates address CVE-2023-23529, a WebKit type confusion flaw that Apple says may have been actively exploited. Users are advised to update to iOS 16.3.1, iPadOS 16.3.1, macOS Ventura 13.2.1, and Safari 16.3.1 to reduce the risk.
Addressing third-party risk management challenges in healthcare: Did you know the majority of the top 10 healthcare data breaches in 2022 stemmed from third-party vendors? Now you do. This shows that better third-party risk management is needed, and current strategies must be updated as the vendor ecosystem continues to expand. Before you can improve those processes, it’s vital to get back to the basics and ensure your organization’s third-party risk management program is set up to succeed.
Recently Added Articles as of February 16
This week's news brings us information on healthcare data breaches, the FTC annual summary on ECOA, securing your organization's domain, a manufacturer suffering a malware attack, and more! Read the articles below to stay up-to-date.
Healthcare organizations are the most common victims of third-party data breaches: It’s no surprise that healthcare organizations fall victim to the most third-party data breaches. In a recent analysis, the most common root cause of these incidents was unauthorized network access. Healthcare organizations and their business associates need to properly vet each other to reduce the risk of a cyberattack.
Manufacturer suffers a data breach: Pepsi Bottling Ventures LLC is one of the latest malware attack victims. In December 2022, information-stealing malware was installed on the manufacturer’s IT systems and used to extract data from them. The incident was discovered 18 days later, in January 2023. Pepsi Bottling Ventures LLC says it took quick action to contain the incident and secure its systems, implementing additional network security measures. An investigation is still underway.
Threat intelligence is often ignored in cybersecurity decisions: According to a recent survey, insights about attackers tend to be ignored when cybersecurity-related decisions are made. Failing to factor in threat intelligence can have consequences, such as a weaker cybersecurity strategy and poorly informed purchasing decisions for security tools. Of those surveyed, 79% said that, “the majority of the time, they make decisions without adversary insights.” Understanding the data is critical to staying aware and taking appropriate next steps.
FTC annual summary on the Equal Credit Opportunity Act (ECOA): Earlier this week, the Federal Trade Commission (FTC) provided the Consumer Financial Protection Bureau (CFPB) with its annual summary of activities enforcing the ECOA. The ECOA prohibits discrimination in consumer credit transactions on the basis of several protected categories. The summary outlines recent enforcement activity, including actions involving discrimination in auto dealership transactions, the use of artificial intelligence, and more. Your organization must understand the basis of its vendors’ credit-related transactions to ensure the vendors comply with ECOA; their compliance is, in turn, part of your own.
Gartner Security & Risk Management Summit reveals top cybersecurity predictions for 2023 and beyond: Gartner recently held its Security & Risk Management Summit in Mumbai, India. Predictions shared there included that 60% of organizations will embrace zero trust as a starting point, that 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, and more. It’s critical that your organization prepares for these predictions and implements measures to stay on top of cybersecurity risk.
Standing guard over your bank’s domain: Securing your bank’s domain name is a key component of any bank’s cybersecurity posture. Your bank’s domain is where your customers interact, engage, and complete transactions, so it’s critical you stay in control of it. Domain name security is of utmost importance, and the ABA has invested in the creation of the .bank top-level domain, a corner of the internet reserved exclusively for banks. Because registration is restricted to verified banks, attackers can’t simply register lookalike .bank names for phishing.
SEC recently published a risk alert: The SEC recently published a risk alert summarizing recent enforcement actions in which financial institutions were charged with violating Rule 201 of Regulation S-ID, the identity theft red flags rule. Firms under SEC supervision are encouraged to review their identity theft prevention programs to ensure they’re effective and compliant ahead of the SEC’s Division of Examinations priorities for 2023. Be sure to keep an eye out.
Wireless IIoT device vulnerabilities found: Security vulnerabilities have been discovered in wireless industrial internet of things (IIoT) devices. Not just one or two, but thirty-eight security vulnerabilities to be exact! The vulnerabilities offer a remote entry point for attack, which can cause significant damage. To reduce exposure to vulnerabilities like these, it’s recommended you disable insecure encryption schemes, hide Wi-Fi network names, deactivate unused cloud management services, etc. Note that hiding an SSID is only a minor obscurity measure, since the name is still sent in the clear when clients connect; the encryption and cloud-management settings are the ones that matter.
Banks struggle to strengthen digital verification: A bank located in Colorado takes a cautious approach to opening credit cards: it usually only opens those accounts for existing customers. Unfortunately, that hasn’t stopped the fraud. What the industry calls synthetic fraud is a growing species of fraud that could become much worse. Synthetic identities take years to build, as fraudsters establish a credit history for the fake identity; some wait 3 to 5 years before cashing out on the stolen information. In a three-step strategy covered in this article, banks can strengthen their digital verification methods to help curb this fraud.
Importance of sanctions in third-party risk: In 2022, sanctions dominated the global compliance landscape, ranging from new additions to the Specially Designated Nationals and Blocked Persons List (SDN List) to new export controls, and more. Complying with enacted sanctions is imperative for your third-party risk management program. Risk-based due diligence should be conducted on your vendors to reduce your sanctions exposure.
Data breaches nearly doubled in 2022: A new analysis by Sontiq’s BreachIQ AI algorithm shows over 3,400 compromised entities in 2022 – 1,745 of those originated from a third-party data breach. That’s a 45% increase in compromised entities from 2021, and a more than 220% year-over-year increase in third-party data breaches. BreachIQ also analyzes more than 1,300 risk factors to assess the severity of each data breach and assigns a unique breach risk score on a scale of 1 to 10 for each incident reported. This data reiterates the importance of monitoring vendor cybersecurity compliance in 2023.
European Union is cracking down on digital operational resilience with DORA: The Digital Operational Resilience Act (DORA) is being implemented in the EU for the financial sector and will apply from early 2025. DORA isn’t just significant for the financial sector, but also for the IT community. The regulation has nine chapters, and although the text is concise, each financial firm will need to create specific measures for its own information and communication technology (ICT) risk management to comply.
The race for consumer privacy law continues: Colorado's and Connecticut’s consumer privacy laws come into effect on July 1, 2023, with Utah following on December 31, 2023. To ensure your organization is following privacy expectations and laws, you may need to update disclosures regarding personal information, opt-in/opt-out options, and more.
Recently Added Articles as of February 9
This week, regulatory agencies are very active, with both proposed rulemaking and rule enforcement under way. Supply chain risk is more important than ever these days, and there are trends to be aware of in the new year. You’ll also find a couple of interesting industry studies to read. Check out all the news below.
Supply chain trends for 2023: Did you know that risk resilience is a top focus for many organizations? According to a recent Gartner survey, the top four priorities for supply chain organizations are commercial growth from the supply chain, real-time supply chain execution, authentic fulfillment of ESG commitments, and flexible work experiences. This article explains how industries are dealing with complicated supply chain issues as well as trends for the new year.
CFPB announces a notice of proposed rulemaking: This month, the CFPB issued a notice of proposed rulemaking to amend Regulation Z provisions as they relate to credit card late fee charges. This effort is to ensure credit card penalty fees are “reasonable and proportional” to the late payment. Public comments on the proposed rule must be submitted by April 3, 2023.
Vendor contracts and managing privacy and cybersecurity law risks: There are many steps involved in ensuring your organization and its vendors operate in accordance with compliance requirements as well as maintain data security. To help, this checklist covers shifting liability, information sharing and notifications, flow down requirements, and ongoing compliance.
A spyware vendor receives a $410,000 fine: Is anything we do on our mobile devices truly private? The New York attorney general’s office announced a fine against a developer who illegally promoted surveillance tools. The spyware vendor, Patrick Hinchy, sold apps that let his customers secretly monitor phone users’ activity, including location, browsing history, call logs, text messages, photos, and more. But that’s not all… Hinchy also misled his customers into thinking it was legal to install this type of software on others’ devices. It’s important to remain alert and be cautious about which updates and applications are installed on your devices.
FTC seeks rule enforcement under the Health Breach Notification Rule: The Health Breach Notification Rule requires some organizations not covered by HIPAA to disclose breaches of unsecured, individually identifiable electronic health information. The Federal Trade Commission alleges that a direct-to-consumer telehealth and prescription drug discount provider violated the rule when it didn’t notify customers of unauthorized disclosures of their personal health information to big-name companies like Facebook and Google. Although the rule took effect in 2009, this is the first enforcement action under it.
The increase in AI will come with regulatory and legal scrutiny: Lawmakers are noticing the increase in AI-powered models. Many industry watchers anticipate that AI regulation and government focus on AI will increase throughout 2023. In advance of regulation, and to help prevent ethical issues, it’s recommended that organizations implement an AI framework led by human values-based principles in the development of AI applications. These principles include inclusiveness and respect for data privacy, fairness and objectivity, transparency and explaining how decisions are made, safety and security, and accountability.
The SEC is close to finalizing rules governing cybersecurity obligations: As the SEC approaches final rules governing organizations’ cybersecurity obligations, it’s important to be proactive and prepare. The SEC’s proposal isn’t only about disclosure of cybersecurity incidents. It would also require organizations to disclose their policies and procedures for identifying and managing cybersecurity risks, including risks from third-party vendors. Additionally, the rules would require companies to disclose their board of directors’ oversight of cyber risk. The time to review existing cybersecurity disclosures is now. It’s best to be ready in advance of these upcoming changes!
The cyber breach impact doubled in 2022: According to Black Kite’s annual Third-Party Breach Report, the level of breach impact and destruction doubled in 2022, with 7.72 affected organizations per compromised vendor, up from 2.46 in 2021. The cyber risk landscape is evolving and becoming more complex, and continuing on the path to effective third-party risk management is one of the best ways to reduce these risks.
Microsoft takes steps to disable a recent phishing attempt: A recent phishing campaign used malicious OAuth applications to breach cloud environments. The campaign deceived users into granting the fake apps permissions to their accounts; because the victim authorizes the app directly, this “consent phishing” yields an access token without the attacker ever handling a password or an MFA prompt. Microsoft is working to disable the fraudulent accounts, and affected customers have been alerted by email. Additionally, Microsoft is implementing more stringent security measures that will hopefully reduce future fraudulent behavior.
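As an added illustration (not part of the original article, and not Microsoft's tooling), the following Python triages OAuth consent grants for the pattern described above: a multi-tenant app from an unverified publisher, consented to by an individual user, holding scopes that give persistent access to mail and files. The records are constructed for this example and only mimic the shape of Microsoft Graph `servicePrincipal` and `oAuth2PermissionGrant` objects; the tenant IDs, app names, scoring weights and threshold are assumptions to adjust for your own environment.

```python
"""Triage OAuth consent grants for signs of consent phishing.

Added example; the records below are constructed for illustration and only
mimic the shape of Microsoft Graph `servicePrincipal` and
`oAuth2PermissionGrant` objects (field names are assumptions; check them
against an export from your own tenant).
"""
from dataclasses import dataclass

# Assumed: the directory (tenant) ID of the organization doing the review.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

# Delegated scopes that let an app act on the user's data long after the
# consent click, without ever needing the password or an MFA prompt.
# Weights are an assumption for this example, not a Microsoft rating.
HIGH_RISK_SCOPES = {
    "offline_access": 3,             # refresh token: access survives sign-out
    "Mail.Read": 3,
    "Mail.ReadWrite": 4,
    "Mail.Send": 4,                  # send phishing from the victim's mailbox
    "MailboxSettings.ReadWrite": 3,  # inbox rules that hide replies
    "Files.Read.All": 3,
    "Files.ReadWrite.All": 4,
    "Contacts.Read": 2,
    "User.Read.All": 2,
}

# Constructed service principals: one consent-phishing app, two legitimate ones.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Upgrade Mailbox Storage",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-2", "displayName": "Contoso Expense Tool",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"displayName": "Contoso", "verifiedPublisherId": "pub-1"}},
    {"id": "sp-3", "displayName": "Acme Sync",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333",
     "verifiedPublisher": {"displayName": "Acme", "verifiedPublisherId": "pub-2"}},
]

# Constructed grants. consentType "Principal" = one user clicked Accept;
# "AllPrincipals" = an admin consented on behalf of the whole tenant.
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-1",
     "scope": "openid profile offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-2",
     "scope": "User.Read offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
]


@dataclass
class Finding:
    app: str
    score: int
    reasons: list


def score_grant(sp: dict, grant: dict, home_tenant: str = HOME_TENANT) -> Finding:
    """Score one grant; a higher score is more consistent with consent phishing."""
    score, reasons = 0, []
    for scope in sorted(grant.get("scope", "").split()):  # scopes are space-separated
        weight = HIGH_RISK_SCOPES.get(scope)
        if weight:
            score += weight
            reasons.append(f"high-risk scope {scope}")
    foreign = sp.get("appOwnerOrganizationId") != home_tenant
    publisher = sp.get("verifiedPublisher") or {}
    if foreign and not publisher.get("verifiedPublisherId"):
        score += 3
        reasons.append("multi-tenant app from an unverified publisher")
    if grant.get("consentType") == "Principal":
        score += 1
        reasons.append("granted via individual user consent")
    return Finding(sp["displayName"], score, reasons)


def triage(service_principals, grants, home_tenant=HOME_TENANT, threshold=6):
    """Return findings at or above the threshold, highest score first."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = [score_grant(by_id[g["clientId"]], g, home_tenant)
                for g in grants if g["clientId"] in by_id]
    findings.sort(key=lambda f: f.score, reverse=True)
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SERVICE_PRINCIPALS, GRANTS):
        print(f"{f.app}: score {f.score}")
        for r in f.reasons:
            print(f"  - {r}")
```

In a real tenant you would feed the script the output of the corresponding Graph queries (or an export of enterprise application consents), revoke any grant that scores above the threshold, and then review that user's mailbox rules and sign-in activity, since the app's refresh token keeps working until the grant is removed.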
Most organizations are working with a recently breached vendor: According to a recent study, 98.3% of organizations across the globe are working with a third-party vendor that experienced a breach in the last two years. And over 50% of them have an indirect relationship with 200 or more fourth-party vendors. With organizations relying more than ever on third and fourth parties, it’s important to remain aware of your organization’s supply chain, your vendors’ information security procedures, and any other elements that could impact your operations in order to reduce exposure to risk.
Recently Added Articles as of February 2
This week, the U.S. government has warned the healthcare sector of a surge in cyberattacks, and meanwhile, the TSA investigates an incident that made the U.S. No Fly list public. Several healthcare providers notify their customers after suffering third-party data breaches and experts urge caution when it comes to smart devices. Finally, learn several best practices for effective third-party risk management. Don’t miss out on this week’s news!
Court ruling found a third party in violation of the anti-discrimination rules: In a recent court ruling, a third-party administrator was found in violation of the Affordable Care Act’s anti-discrimination rules for administering a self-insured health plan that excluded gender-affirming care. This ruling is significant for a few reasons. First, it expanded the scope of what counts as a covered entity. Second, it determined that the anti-discrimination rules can’t be overridden by ERISA. Third, it concluded that the medical consensus on gender-affirming care isn’t relevant where coverage is denied on the basis of sex. Finally, it determined that the Religious Freedom Restoration Act doesn’t apply to cases between private parties. Relevant entities are encouraged to read the ruling and stay informed of further developments.
U.S. government warns of cyberattacks targeting healthcare providers: Earlier this week, U.S. government agencies and the American Hospital Association warned healthcare providers of an increase in distributed denial-of-service (DDoS) attacks by Russian hackers. In these attacks, the attackers flood the organization’s website with traffic to knock it offline. Healthcare organizations should be on alert for these attacks as well as possible ransomware attacks.
NIST releases framework for using AI safely: The National Institute of Standards and Technology (NIST) released a framework to help guide organizations in using artificial intelligence safely. The AI Risk Management Framework encourages organizations that use AI to consider risks related to principles such as safety, validity, security, transparency, and privacy. While the framework is voluntary, it can be very useful for organizations that use AI, providing key practices for managing the technology’s risks.
Breach notifications may lack important details for determining risk: Understanding the root cause of data breaches and cyber incidents can help businesses and individuals make informed decisions and determine potential risks. However, data trends show that only 34% of breach notifications contain attack and victim details, compared to 72% of notifications in 2019. This means that affected businesses and individuals may not have sufficient data to make informed decisions about how they should act following a breach. As cyberattacks and data breaches remain a major concern for many organizations, understanding potential risks is essential, so be sure to continue reviewing cyber policies and breach notification timelines.
Hackers made the U.S. No Fly list public: The U.S. government is currently investigating a cyber incident, in which the TSA’s confidential No Fly list has been accessed and made public on a hacking forum. The No Fly list has been said to contain the names, dates of birth, and possible aliases of individuals who are terrorists or are considered a threat to national security. This incident highlights the importance of maintaining security, addressing vulnerabilities, and understanding that any organization, even key infrastructure and government agencies, can become the victim of a serious cyberattack.
White House proposes rules for managing climate and supply chain risks: 2022 showed many of the ways that climate and supply chain risks can negatively impact all organizations, and the U.S. government has proposed a series of rules meant to improve organizational resilience. There’s a clear parallel between these rules and the goals of effective third-party risk management, which helps organizations manage risks that threaten operations. As federal contractors and financial institutions prepare to comply with new and emerging regulations, it may be beneficial to look toward third-party risk management processes to ease the transition.
Microsoft encourages users to update Exchange servers and improve security against malicious actors: Microsoft is speaking up on the importance of keeping Exchange servers updated to protect against cyber threats. As attackers are constantly on the lookout for vulnerabilities to exploit, it’s essential to ensure that your systems are patched with the newest releases. Researchers note that many recent attacks on Exchange have been opportunistic, so the best defense is to bolster your network’s defenses and apply security patches as soon as they’re released.
The role of data protection in ESG standards: Environmental, social, and governance (ESG) standards are an ongoing hot topic for many organizations. However, as regulators have also turned their attention to data protection, it’s important for your organization to understand the role that data protection has in ESG standards. Under ESG requirements, your organization must preserve consumer data privacy rights whenever processing personal data and inform users how their data is used. In addition, it’s your organization’s environmental responsibility to store and process data sustainably by using methods such as using cloud storage over physical facilities and using energy-efficient technology. To ensure compliance, revisit your organization’s ESG and data protection policies to avoid regulatory risks.
Five best practices for third-party risk management: Whenever your organization outsources a product or service to a third-party vendor, there are potential risks that can threaten your security, reputation, and operations. However, by implementing third-party risk management, you can begin protecting your organization against those risks. Best practices your organization should follow include performing ongoing risk and performance monitoring, getting buy-in from senior management and the board of directors, only working with third parties that are transparent, complying with regulatory and industry standards, and outsourcing or using dedicated third-party risk management software.
Chick-Fil-A faces a lawsuit following an alleged user privacy violation: Chick-Fil-A has been sued for allegedly violating the Video Privacy Protection Act of 1988 by using a tracking pixel to collect customers’ video-viewing activity. The suit alleges the company collected and shared this data without user consent. As customer privacy rights and protections remain a hot topic, it’s important to stay updated on regulatory changes to ensure your organization complies.
Hackers target federal employees in recent phishing attacks: Since June 2022, federal agencies have been tracking a series of phishing attacks targeting federal employees. In these attacks, the malicious actors impersonated brands, including PayPal, to lure employees into installing legitimate remote monitoring and management (RMM) tools, which then gave the attackers access. While these attacks have focused on employees of the civilian executive branch, experts urge caution, as the same technique can be used against anyone and against more sensitive targets.
Studies highlight the negative impact of ransomware on patient care: According to recent studies, cyberattacks can have serious implications for healthcare providers, especially when it comes to patient safety. In a survey, about half of responding healthcare organizations stated that ransomware attacks have disrupted patient care, with situations ranging from having to move patients to a different location to creating complications during procedures. To protect their organization and patients, it’s important for healthcare organizations to take cybersecurity seriously and make it a priority by implementing third-party risk management practices.
Understanding vulnerabilities related to smart devices: For many people, smart devices have become commonplace as technology continues to evolve. The range of smart devices is wide, from cars and phones to speakers and doorbells. And with these devices comes an increased risk of becoming the target of a cyber incident. If a malicious actor is able to compromise one device, the target could be vulnerable to a larger attack that compromises all their devices. As news stories of hackers spying through smart speakers and doorbells have surfaced over the last several years, it’s critical that both individuals and organizations exercise cybersecurity best practices to keep smart devices secure.
Cyberattacks target Iranian government: Geopolitical tensions have affected individuals, organizations, and government entities all over the world. In 2022, the Iranian government became the target of cyberattacks suspected to have been carried out by a threat group tracked as BackdoorDiplomacy.