February 2024 Vendor Management News

Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of February 29

This week’s headlines showed the ranging impacts of third-party data breaches, from operational disruptions, impacted customers, and regulatory scrutiny. There’s many lessons to take away from it, so check out all of the news below. 

What organizations can do when software vendors increase pricing: Organizations across all industries likely saw price increases with their software as a service (SaaS) vendors. Most software vendors did raise prices, or at least reduced the size of discounts offered to customers. These increases can be difficult for organizations to manage, particularly in economic challenges. To help, organizations should have visibility into their entire SaaS inventory and understand the spending, usage, and renewal policies. Maybe your organization has duplicative services, or one particular tool isn’t used often enough. It’s important to monitor how usage and services change over time, and ensure you understand the SaaS vendor’s pricing. That way, there’s less surprises down the line. 

Sites at risk with WordPress plugin vulnerability: Five million sites are at risk with a WordPress plugin vulnerability. The plugin, called LiteSpeed Cache, has a vulnerability that could allow attackers to steal sensitive information. The vulnerability was addressed in a LiteSpeed version. 

Third-party cyberattack causes pharmacy disruptions throughout the U.S.: Pharmacy chains have experienced downtime and delays after a third-party cyberattack. Change Healthcare, which provides payment processing services for healthcare organizations, experienced a cyberattack that caused network issues and outages. It’s suspected that a nation-state actor was able to access Change Healthcare’s IT systems. Pharmacies and other healthcare organizations were encouraged to be disconnected from Change Healthcare until it’s safe to reconnect. 

NIST updates cybersecurity guidelines: The U.S. National Institute of Standards and Technology (NIST) released a major update to its cybersecurity guidance. A new focus of the guidance is governance and urging organizations from all sizes and industries to consider cybersecurity threats as a major risk. This new framework will allow for more updates over time, instead of a massive overhaul every 10 years. Governance was added to the 5 existing core elements of the framework, emphasizing that organizations should have a cybersecurity strategy that has oversight. 

Healthcare provider is required to audit third parties: An investigation into a ransomware attack in 2018 led healthcare regulators to fine Green Ridge Behavioral Health $100,000 and require a risk management plan and an audit of third-party vendors. Regulators said Green Ridge failed to implement security measures and conduct a thorough risk analysis on potential vulnerabilities. Green Ridge will need to ensure business associate agreements are in place to keep protected health information (PHI) safe. 

ESG practices of third parties may pose higher litigation risk: Legal action on environmental, social, and governance (ESG) practices have picked up steam lately, including the argument that organizations should be responsible for the ESG actions of their third-party supplier. Although many of these cases haven’t won in court, there’s still a push to extend liability to the supply chain. If a third-party supplier has poor ESG practices and compliance, organizations could face a higher risk of litigation. Litigation can then have a negative impact on the organization, which can have a long-term impact. It’s important to be aware of third-party suppliers and their ESG practices before a lawsuit is filed.

New AI framework released: The Open Web Application Security Project (OWASP) released an artificial intelligence (AI) framework to help organizations mitigate AI risks. The framework includes steps to take before using an AI strategy and then five model types for large language model deployment. 

Third-party cyberattack compromises patient information: A third-party administrative services firm experienced a data breach that has impacted more than 2 million eyecare patients. The third party provides services to several eyecare practices in Arizona. Compromised information included medical information, names, and contract information. The incident is yet another in a series of third-party attacks in healthcare. It’s important for healthcare organizations to prepare for these incidents with their third parties and monitor the third parties’ controls.

Be aware of open-source Wi-Fi software vulnerabilities: Two flaws in open-source Wi-FI software in Android, Linux, and Chrome were identified. The flaws could allow an attacker to join networks without passwords. Attackers are also able to trick victims into joining malicious networks that are clones of trusted networks. Advisories and some fixes for the vulnerabilities have been released. 

What regulators expect with bank and fintech relationships: Banks and their fintech partnerships should prepare for more intense scrutiny, particularly after the Interagency Guidance on Third-Party Relationships: Risk Management that was finalized last year. Several recent regulatory actions have required banks to step up their third-party risk oversight with fintech companies. Based on regulator comments, it’s important to ensure you have the staff to manage and monitor third parties. Due diligence is also crucial for third parties and it should be a risk-based activity. Regulators are looking for strong documentation, including limitations to due diligence, understanding of the risks, and alternatives to mitigate the risks. A third party is ultimately just an extension of your bank, so it’s crucial to manage the third-party risks.  

The risks of third-party AI and how to manage them: Organizations and their third parties have quickly picked up the use of AI to drive innovation forward, but it’s extremely important to understand how third parties are using the powerful tool. Organizations should know the data source of AI and ensure the training data isn’t biased. It’s essential to have a clear explanation of how the AI model works, as not knowing can lead to unmitigated risks. Organizations should implement strong AI frameworks that promote transparency and accountability. 

Recently Added Articles as of February 22

This week’s headlines emphasize the importance of third-party cybersecurity with software as a service and artificial intelligence risks. Best practices like audits, regulatory compliance, and strong contracts can help mitigate the risks. Check out all of this week’s news below. 

Following PCI DSS third-party requirements: Organizations must ensure third parties that store, process, and transmit data of credit cardholders follow the Payment Card Industry Data Security Standard (PCI DSS). To accomplish this, organizations should maintain an inventory of third parties that have access to account data and then determine the levels of risk these third parties pose. There should also be thorough due diligence before contracting with the third party, and annual assessments afterwards. A written agreement is where to outline proper security controls for the third-party provider. If organizations follow PCI DSS requirements, they can help ensure safe third-party relationships. 

FDA warns device manufacturers to be careful with third-party testing: The U.S. Food and Drug Administration (FDA) issued a reminder to medical device manufacturers to carefully evaluate third parties and verify testing results before submitting them to the FDA. The FDA noted an increasing number of device manufacturers that use third parties to test medical devices, which are generating fabricated or unreliable testing data. This results in denied authorization to medical devices, which then reduces access to new devices for patients and healthcare providers. Device manufacturers should scrutinize all third-party data and use third parties that have been accredited under the Accreditation Scheme for Conformity Assessment (ASCA) program.

Using audits to evaluate third-party vendors: A mature third-party risk management program helps ensure an organization’s data remains secure, even in the hands of a third party. Organizations should evaluate a third party’s risks before signing the contract and then monitor it throughout the relationship. This may include security risk and compliance audits, like a SOC 2 attestation. Before conducting an audit, organizations should inventory third parties and classify their risks, as the higher risk third parties should receive more attention. It’s important to notify third parties of the audit and get their participation. Once an audit is complete, your organization's next step is to review it and identify what areas need improved. 

How to manage IT third parties: Most organizations have a relationship with a third party that’s experienced a data breach, emphasizing the need to manage third-party risks, particularly with IT third parties that handle sensitive data. It's recommended organizations prioritize third parties with the highest risk and implement controls based on the scale of the risk. As cybercriminals continually evolve practices, your organization should continually monitor third-party risks, too. The third-party risk management lifecycle is a useful tool to follow the relationship from beginning to end. This may seem like a lot of work, but there’s no need to rely on manual processes! Software can help organizations manage the entire third-party relationship. 

Best practices to protect organizations from software as a service risks: Organizations rely increasingly on software as a service (SaaS), which can increase the risk of data breaches and cyberattacks. Organizations should ensure SaaS vendors have implemented cybersecurity best practices, like multi-factor authentication. A complete inventory of SaaS applications and regular monitoring of software configurations can also help manage risks. Organizations should regularly audit SaaS vendors to ensure security practices remain up to date. Following these practices can help organizations remain secure.

Defending against cyberattacks in 2024: Despite all the efforts to safeguard organizations and implement strong cybersecurity, data breaches still rose in 2023. There are three lessons to take away from it. First, as organizations put more data in the cloud, they should ensure they don’t have too much permissive cloud access and avoid unsecured backups. Second, ransomware continues to become a bigger threat, so organizations should back up all data in the case of an attack. Finally, third-party cyberattacks are more and more common, so it’s important for organizations to assess the security practices of third parties. Limiting the data third parties can access can also protect against data breaches. 

A new active Microsoft Exchange vulnerability is identified: An actively exploited vulnerability was discovered in Microsoft Exchange servers, leaving at least 28,500 servers vulnerable, although that number may be higher. The most impacted countries are Germany and the United States. Microsoft released a patch for the vulnerability, which organizations should apply as soon as possible. 

Healthcare data breaches increased in 2023; many targeted third parties: Data breaches in healthcare have continued to rise year after year, impacting millions of people whose data is compromised. Cybercriminals have targeted not just healthcare providers, but the vendors and third parties who service them. In fact, most of the largest hacks in 2023 were targeted at vendors. Overall, 133 million health records were compromised in 2023 – a new record in healthcare! The Department of Health and Human Services (HHS) reported 725 healthcare data breaches – the highest number ever recorded. These data breaches have led to expensive lawsuits seeking to hold vendors and healthcare organizations responsible for the damage. Although it can be difficult to have a full view of their third-party network, it’s becoming increasingly important in healthcare. 

How insurers can safeguard against third-party AI risks: As insurers look to use third-party AI services at their firms, it’s important to manage these third parties. Using addenda, in addition to third-party contracts, can help. This includes specific definitions of AI and AI technology. It also allows insurers to have specific requirements for AI usage. An addendum may include prohibiting the vendor from using your organization’s data to train an AI model and requiring testing for the AI service. There may be greater regulatory scrutiny this year on how insurance uses AI, so it’s important for insurers to be prepared. 

California’s privacy laws are now enforceable: The timeline to comply with California’s privacy laws just got much shorter. A California court ruled that the California Privacy Protection Agency can immediately enforce the new regulations, which overturned a previous court decision that delayed enforcement to March 29. If your organization hasn’t yet addressed these privacy regulations, it’s crucial to do so now. Review and update your privacy policy and audit all contracts with service providers and third parties that access customer or employee data. These contracts should address compliance with privacy regulations and what the third party can do with your organization’s data. 

Complying with cybersecurity reporting requirements with third parties: Organizations may still be grappling with the U.S. Securities and Exchange Commission’s (SEC) new rules on cybersecurity incident disclosures, especially the requirements around third-party providers. It can be difficult to know when a third party has experienced a data breach, particularly if visibility into that provider is limited. It becomes even more challenging with a four-day reporting window. Before sharing information with a third party, organizations should review data for personally identifiable information (PII). If PII doesn’t need to be shared with the third party, it should be removed. Organizations should also have a record of what data is shared with third parties. When an incident occurs, organizations can assess what information may be at risk. These steps can help organizations be better prepared for when a third-party cybersecurity incident happens. 

Managing third-party AI risks: Third-party AI services can revolutionize organizations and provide a better experience for customers. However, organizations must also understand the risks that come with these services and how to manage them. Data security and privacy, bias in algorithms, third-party AI concentration, and operational disruptions are also risks that come with third-party AI services. Organizations should conduct due diligence before using third-party AI by assessing security practices, compliance, and financial stability. Outline security practices in the third-party contract, including a right to regular security audits and penetration testing. Your organization should also have detailed information on the AI model and its training data. While third-party AI can be a great tool, it also needs its risks managed. 

Common risks of software as a service applications: Software as a service is becoming a greater concern as data breaches continue to grow. One common risk is shadow SaaS, where employees use SaaS products without alerting IT and risk management. Another risk is users of SaaS bypassing multi factor authentication. Shadow AI is a rising SaaS risk as these services begin to implement AI capabilities. This may slip past an organization’s radar. Organizations should consistently monitor SaaS applications for misconfigurations and AI usage to stay on top of risks.

Recently Added Articles as of February 15

This week’s headlines bring us news on a massive data breach in France, software supply chain attacks impacting organizations, and best third-party risk management practices. Check out all the news below!

Agency is investigating a massive third-party data breach in France: A third-party data breach has impacted more than 33 million people in France. Two third-party payment organizations were victims of a cyberattack, which then impacted medical insurance organizations. Compromised information includes social security numbers, the name of the health insurer, and dates of birth. France’s data protection agency has said it’s investigating the breach.

Majority of organizations were impacted in a software supply chain attacks in 2023: A new report showed that 91% of organizations experienced a software supply chain attack last year. This includes zero-day exploits on third-party code, open-source software exploitation, and API data breaches in third-party software. Most organizations believe it’s important to have an inventory of third-party APIs and also of application code in use. 

Ensure software vendors adopt core cybersecurity principles: Software vendors should be implementing Secure by Design (SbD) principles. These are the three principles that were introduced by the National Institute of Standards and Technology (NIST): software vendors should take ownership of customer security outcomes, vendors should embrace transparency and accountability, and software company leadership should lead from the top. Vendors should take cybersecurity seriously, and implementing these three principles can guide them on the right track. 

Bank of America is the victim of a third-party data breach: A third-party data breach impacted Bank of America customers. Although the hack took place last fall, a data breach notification was filed on February 6. Sensitive information included Social Security numbers and financial account information. It’s unclear in total how many people were impacted, but Maine’s data breach notification filing said more than 57,000 people. This incident showcases the need for third-party risk management. It’s extremely important to ensure vendors have the appropriate security controls in place and then continuously monitor for emerging threats. 

The importance of monitoring the supply chain: As the number of documented supply chain incidents continues to rise, organizations prioritize third-party risk management to stay ahead. Suppliers that aren’t considered high risk were more targeted for cyberattacks in the past 12 months. This is often because cybercriminals try to target the weakest link in the supply chain. Organizations should put cybersecurity requirements in place for each level of the supply chain. It’s essential to continuously monitor these risks so your organization can prevent cyberattacks or at least quickly respond to one. Third-party risk management requires an investment to ensure your organization remains protected from supply chain attacks. 

Hospital services pulled offline after a third-party cyberattack: A third-party cyberattack in Romania took at least 20 hospitals offline. A third-party system that automates activities for patient diagnosis and treatment was targeted in a ransomware attack. Studies have shown that ransomware attacks increase the in-hospital mortality rate for patients. 

Hackers working for China infiltrated U.S. infrastructure: The U.S. federal agencies have warned that hackers working for China may have been accessing critical U.S. infrastructure for years. Although specific organizations weren’t named, the infrastructure is communications, energy, transportation, and waste and wastewater systems. Hackers would even be able to shut down systems in the event of an attack. The hackers potentially used a number of techniques to gain access, including zero-day vulnerabilities and social engineering tactics. Critical infrastructure organizations should identify vulnerabilities and implement patches, ensure vendors and suppliers have strong security practices in place, and make upgrades where available. 

Executives targeted in phishing attacks: Hackers are using phishing email campaigns to target senior corporate accounts in Microsoft Azure. Some of the phishing attempts include shared documents with malicious links. Once a victim clicks on the link, attackers are able to gain access and download files like financial assets and internal security protocols. Executives at organizations should use caution opening links through email. 

Best risk assessment practices to mitigate risks: As supply chain attacks continue to increase and get broader in scope, organizations must take a hard look at third-party risk assessments and new best practices to implement. Many organizations treat third-party risk assessments as a one-time exercise, but it should really be a continual practice. Third parties should be classified by risk, with the highest risk getting the most intensive assessments. Periodic reviews should instead be continual with real-time data. Risk assessments can be a time-consuming process, so it's recommended to have a standardized template to ease the burden. It’s important for these assessments to consider international regulations, business continuity and disaster recovery plans, and fourth-party risks. These practices can help ensure a safer third-party environment. 

FTC actions brings attention to third-party location data: What kind of location data do your third parties store? The Federal Trade Commission (FTC) has had two recent actions against location data brokers for the collection, use, and processing of location data. According to the FTC, consumers should be made aware of how their location data is used, even if the third party is the one storing and using it. There must be oversight of these third parties and organizations verify that third-party apps have consent for location data collection. Consumers should also understand what they’re consenting to. In the FTC’s enforcement actions, it has required the two organizations to develop supplier assessment programs to ensure third parties are gaining consumer consent. 

Tips for valuable vendor relationships: As vendors become more important to organizations, it’s crucial to ensure you’re getting the most out of the partnership. Rather than just transactional relationships, organizations should seek to build collaboration. The vendor should share in your organization’s goals and priorities, and your organization should openly communicate with the vendor. It’s extremely important to perform due diligence before the relationship begins. This helps determine if the vendor is the right fit for your organization and if they have the right capabilities. Throughout the relationship, your organization should monitor how the vendor performs and meets key metrics. This may be weekly, monthly, or quarterly, depending on your organization’s needs. These tips can help ensure your vendor delivers the value to your organization. 

Multiple patches released for vulnerabilities: Organizations should implement multiple patches released for vulnerabilities with Cisco, Fortinet, and VMware. These vulnerabilities could allow attacks to gain access to systems and sensitive data. If organizations use any of this software, it’s important to move forward with updates as soon as they’re available. 

Tips for selecting software vendors: As software vendors become more important for organizations, it’s crucial to be sure you’ve selected the right vendor. Before choosing a software vendor, have a proof of concept or trial to check that the vendor will work for your organization. Software is a bigger target for cyberattacks, so check the vendor’s security practices and readiness. Ask for a software bill of materials to understand the entire supply chain of the software vendor. Your organization will want a vendor that provides value, so look at your vendor’s philosophy and work environment. And of course, be sure to have an exit strategy in case the relationship doesn’t work out. 

Recently Added Articles as of February 8

This week’s headlines show the importance of third-party cybersecurity, with a record 2023 for data breaches in healthcare, mass exploited vulnerabilities, and new data breaches. Be sure to check out all of this week’s news below!

Creating an effective third-party risk management program: CISOs are becoming increasingly concerned about third-party risks, according to a new survey, especially as third-party risks become more complex. For effective third-party risk management, it’s important for executive leadership to have a unified approach, setting a strong tone-from-the-top. A formal third-party risk management program establishes a consistent strategy and framework. Then, it’s important to create an inventory of third parties – working with finance to review recurring payments can help identify third parties. The most difficult step is to understand what risks third parties present. A risk-based approach helps this process be less overwhelming as those with the highest risk have the stringiest assessments. The contracting process is extremely important to set expectations with the third party, too. And remember, the third-party risk management process is ongoing, as third-party risks can change quickly. 

Two new state privacy laws in 2024: Another state privacy law has passed, becoming the second one this year. New Hampshire became the 15th state with a state privacy law and New Jersey passed its own privacy law earlier this year. These laws are similar to others passed across the U.S. New Hampshire’s will become effective on January 1, 2025, while New Jersey’s will take effect on January 16, 2025. 

Ivanti vulnerability being massively exploited: An Ivanti vulnerability is under mass exploitation. Even though Ivanti tried to mitigate the issue, attackers have been able to bypass the system. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect Ivanti Connect Secure and Policy Secure VPN appliances. 

EU’s IT and third-party risk management regulation to take effect in 2025: The EU’s Digital Operational Resilience Act (DORA) will come into effect in 2025, so financial institutions should be ready to comply. Organizations should have IT risk management, including risk assessments and vulnerability identification. DORA also requires organizations to have incident reporting plans and to promptly report incidents to regulatory authorities. Testing is another important component, particularly operational resilience testing. Third-party risk management is a key piece of the DORA regulation, with due diligence and ongoing monitoring of cyber practices. Complying with this regulation may require extra investments, so organizations should begin preparing now. 

Service provider reveals breach after third-party data breach: IT service provider Cloudflare said its systems were compromised in November last year after a cybercriminal used stolen credentials from the Okta breach. Cloudflare said it didn’t rotate the stolen credentials after the Okta breach. No customer data was compromised in the incident and the attack was stopped after it was discovered in November. 

Third party is compromised in a cyberattack: AnyDesk, a remote access solution, was the victim of a cyberattack where cybercriminals stole source code and private code signing keys. Ransomware was involved, but AnyDesk hasn’t shared more information about it. The third-party solution said it remediated the issue and that customers are safe to use AnyDesk. 

Healthcare has a record-breaking year for data breaches: Healthcare broke records in 2023 for the sector’s number of data breaches – with nearly 135 million people impacted. Although there were only 23 more data breaches in 2023 than in 2022, last year’s breaches had a much wider impact, affecting over double the amount of people. Of the largest data breaches in 2023, many of them stemmed from third-party business associates. This situation could get even worse in 2024. New regulations could be on the horizon to address this, but healthcare organizations should still improve security standards and monitor their business associates. 

Blackbaud faces regulatory consequences after 2020 data breach: After Blackbaud’s massive 2020 third-party data breach, the organization has been required to delete personal data it doesn’t need as part of a settlement with the Federal Trade Commission (FTC). The FTC has alleged that Blackbaud’s poor security allowed a hacker to breach the network and compromise millions of personal data. Blackbaud provides third-party data, financial, administrative, and fundraising services. The FTC’s order would also prohibit Blackbaud from misrepresenting their data security practices, as they’re accused of doing during the 2020 breach. 

CISA alerts to an exploited Apple vulnerability: A new high-severity vulnerability impacting OS devices was added to the U.S. CISA list. Apple has released patches for the flaw and said it was addressed with improved checks. Organizations should apply these patches as soon as possible. 

Components for Uyghur Forced Labor Prevention Act compliance: It’s extremely important for organizations to minimize the risk of forced labor and human trafficking throughout the supply chain, as well as be compliant with the Uyghur Forced Labor Prevention Act (UFLPA). Organizations should know their supply chain and map out where suppliers (and nth parties) are sourcing their products and services. Due diligence is an important piece to the UFLPA, particularly with higher-risk suppliers and countries, like China. This due diligence should extend to fourth and nth parties, which requires working with suppliers. Contracts should include a code of conduct that specifically addresses forced labor and human trafficking. Remember that it’s not over once the contract is signed as suppliers should be continuously monitored for violations. 

Preparing and understanding privacy audits: Privacy audits are becoming more popular, particularly with new privacy legislation across the globe. Audit should identify compliance issues that may affect an organization and what regulatory body would have jurisdiction over it. It’s important to clearly communicate during a privacy audit – ensure teams fully understand privacy policies and requirements. Audit findings may need to be disclosed to regulators at some point, so organizations should conduct test audits to ensure there are no surprises. 

Biden says he’ll veto Senate resolution to rescind SEC rules: With movement in the U.S. Senate to rescind the recent SEC cybersecurity disclosures rule, President Joe Biden has said he’s prepared to veto the Senate resolution. With ransomware attacks on the rise, the Biden administration said it’s important to have transparency from public companies. However, some Republicans in the Senate have argued it’s just an additional layer that doesn’t actually address cybersecurity issues. 

FBI removes malware from hacked routers: Chinese hackers were disrupted by the FBI after they used malware to infect routers that were at end of life. The cybercriminals used the malware to connect to U.S. critical infrastructure organizations. The FBI was able to disinfect hundreds of routers. 

Steps to ensure third-party cybersecurity: As supply chain attacks increased 26% from 2022 to 2023, vendor security has become more important than ever. Most organizations use some type of third-party tools and software. No organization can assume that these third parties have the right security measures in place. Instead, it’s important to perform due diligence before the third-party relationship begins and then periodically throughout. Third-party cybersecurity should be a priority throughout the entire relationship and contracts should clearly outline cybersecurity requirements and expectations. A risk-based approach, meaning where the highest-risk third parties receive the most attention, is an effective way to manage third parties. These steps can help prevent your organization from being the victim of a data breach. 

Recently Added Articles as of February 1

This week’s headlines revealed that third-party risk management continues to be a critical function to help prevent supply chain attacks and the impacts of a third-party data breach continue to spread. Be sure to check out all of this week’s news below. 

Preparing for third-party AI risks: Generative artificial intelligence (AI) has introduced new risks in third-party risk management. Many organizations are likely taking a second look at products and services third parties provide and must stay vigilant with third parties adding AI services. Contracts should be updated as necessary to address AI usage and organizations should use caution before contracting services that use AI. 

Using third-party risk management to avoid supply chain attacks: Supply chain attacks have become a favorite method by cybercriminals to gain access to organizations’ data through vendors with weak security. No organization can assume vendors have proper security controls in place. It’s important to do proper security due diligence in the beginning of the relationship and then monitor throughout. Organizations should implement service level agreements (SLAs) in the contract that cover how vendors will manage and protect organizational data. These steps may seem like a lot when considering the entire vendor base, but a risk-based approach ensures the highest-risk vendors receive the most monitoring. 

How to mitigate third-party cyber risks: Third-party cyber risks can have devastating impacts on organizations, so it’s important to mitigate and monitor these risks. If your organization doesn’t have one already, creating a vendor risk management program is crucial to help identify, assess, monitor, and manage third-party cyber risk. This includes risk assessments and due diligence before entering a third-party relationship and continuously throughout the relationship. After a thorough review of a third party’s cybersecurity practices and security posture, organizations should set contractual standards to mitigate the risks. Security training with third parties is crucial to ensure they’re prepared for phishing and social engineering attacks. Regular security audits help ensure third parties remain secure. These steps can help prevent or lessen devastating consequences of third-party cyberattacks.     

Evaluating cybersecurity vendors: As cyberthreats continue to evolve and become more complex, many organizations have turned to cybersecurity vendors to help manage the workload. However, these vendors still need evaluated for risks before a selection is made. These vendors should align with your organization’s risk profile. Cybersecurity vendors should reduce risk, so it’s important to evaluate their security posture and practices. Ensure the cybersecurity vendor can help your organization work toward its cybersecurity goals and solve a problem for your organization. 

The risks of software as a service platforms and how to mitigate those: The amount of software as a service (SaaS) platforms organizations use has widely increased over the years. However, these platforms can also introduce new risks that need to be mitigated. Weak SaaS providers can easily be targeted in cyberattacks, and as more organizations turn to SaaS platforms the attack surface expands. Data breaches with SaaS providers can leak confidential information of thousands of organizations, so it’s important to conduct thorough due diligence on SaaS providers’ security posture and monitor it throughout the relationship. The APIs used to integrate with SaaS providers can also result in more attacks if connected SaaS providers aren’t monitored. 

Ransomware attacks increased in 2023: Ransomware attacks increased in 2023 by 68%, according to a new study. On the bright side, law enforcement takedowns seem to be having a positive impact, as ransomware attacks fell in the last quarter of 2023 compared to Q3. However, cybercriminals will adapt and form new groups, so the threat of ransomware is still active. 

Third-party risk management is a crucial investment: As third-party data breaches become more common, third-party risk management is all the more important. It helps avoid third-party disruptions through ongoing monitoring and it safeguards reputations. It’s important for organizations to follow the third-party risk management lifecycle and have a risk intelligence team to continuously monitor vendors. Regular audits are also fundamental for catching vendor issues before they become a problem. With an increased investment in mature third-party risk management, organizations can be better prepared for the unexpected. 

Paid ransoms drop to a record low: The number of paid ransoms dropped to a record low in the last quarter of 2023, following a trend that began in 2021. This is due to a variety of factors, like better preparedness, a lack of trust toward cybercriminals, and regulations in some areas where paying a ransom is illegal. The amounts of actual ransom payments have also dropped. 

Former government employees sentenced for stealing U.S. data: Three former Department of Homeland Security (DHS) employees will have jail time for stealing U.S. government databases that had the personal data of 200,000 employees. The data was shared with India software developers for a similar product to sell to government agencies. 

New data breach record is set, which is driven by an increase in supply chain attacks: 2023 set the record for data breaches, according to a new report from the Identity Theft Resource Center (ITRC). Part of this is due to an increase in supply chain attacks, where cybercriminals targeted vendors to gain access to multiple organizations. The report also noted more zero-day attacks in 2023, which could be due to the rise in the use of open-source software. Both supply chain and zero-day attacks are only expected to increase, so it’s extremely important for organizations to be prepared and manage and monitor their vendors. 

Another 4 million patients were impacted in a healthcare third-party data breach: The fallout from last year’s Perry Johnson & Associates data breach is continuing to expand with another 4 million reported patients compromised. PJ&A provided medical transcription services to many healthcare providers. Since the breach, at least 14 million patients have been impacted. So far, more than 40 class action lawsuits have been filed. 

Addressing privacy law compliance in third-party contracts: As more privacy laws pass, it’s increasingly important for organizations and third parties to comply with data privacy requirements. Third-party contracts are a great place to help ensure compliance. Provisions on cyber insurance can help mitigate the risks of third parties handling customer data and should cover ransomware attacks. Contracts should also address information sharing, like being updated on security incidents and updates in security practices. Fourth-party security standards should be outlined in the contract, including the vendor’s third-party risk management practices. Contracts should allow for ongoing monitoring and the right to audit so organizations can continuously monitor third parties.

Scrutiny on vendor incidents likely to continue: As many organizations have experienced, vendor incidents can be extremely disruptive and challenging. When your vendor has an incident, your organization can face the fallout of reputation damage, monetary loss, and operational disruption. However, you’re also at the mercy of the vendor communicating the details of the incident. Regulatory agencies paid special attention to vendor incidents in 2023 with cyber incident reporting rules, and this scrutiny is expected to only increase. Organizations should consider how they onboard and vet new vendors and how those vendors are then managed.