Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of February 15
This week’s headlines bring us news on a massive data breach in France, software supply chain attacks impacting organizations, and best third-party risk management practices. Check out all the news below!
Agency is investigating a massive third-party data breach in France: A third-party data breach has impacted more than 33 million people in France. Two third-party payment organizations were victims of a cyberattack, which then impacted medical insurance organizations. Compromised information includes social security numbers, the name of the health insurer, and dates of birth. France’s data protection agency has said it’s investigating the breach.
Most organizations were hit by a software supply chain attack in 2023: A new report found that 91% of organizations experienced a software supply chain attack last year, including zero-day exploitation of third-party code, exploitation of open-source components, and API data breaches in third-party software. Most organizations said it's important to keep an inventory of the third-party APIs and the application code in use.
Ensure software vendors adopt core cybersecurity principles: Software vendors should be implementing Secure by Design (SbD) principles. The three core principles, introduced by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) together with its international partners, are that software vendors should take ownership of customer security outcomes, embrace radical transparency and accountability, and have leadership drive security from the top. Vendors should take cybersecurity seriously, and these three principles can guide them in the right direction.
Bank of America is the victim of a third-party data breach: A third-party data breach impacted Bank of America customers. Although the hack took place last fall, a data breach notification was filed on February 6. Sensitive information included Social Security numbers and financial account information. It’s unclear in total how many people were impacted, but Maine’s data breach notification filing said more than 57,000 people. This incident showcases the need for third-party risk management. It’s extremely important to ensure vendors have the appropriate security controls in place and then continuously monitor for emerging threats.
The importance of monitoring the supply chain: As the number of documented supply chain incidents continues to rise, organizations are prioritizing third-party risk management to stay ahead. Suppliers not considered high risk were targeted more often in the past 12 months, because attackers go after the weakest link in the supply chain. Organizations should put cybersecurity requirements in place for each level of the supply chain and continuously monitor these risks so they can prevent attacks, or at least respond to one quickly. Third-party risk management requires an investment to keep your organization protected from supply chain attacks.
Hospital services pulled offline after a third-party cyberattack: A third-party cyberattack in Romania took at least 20 hospitals offline. A third-party system that automates activities for patient diagnosis and treatment was targeted in a ransomware attack. Studies have shown that ransomware attacks increase the in-hospital mortality rate for patients.
Hackers working for China infiltrated U.S. infrastructure: U.S. federal agencies have warned that hackers working for China may have been accessing critical U.S. infrastructure for years. Although specific organizations weren't named, the affected sectors are communications, energy, transportation, and water and wastewater systems, and the access could be used to disrupt or shut down those systems in the event of a conflict. The hackers potentially used a number of techniques to gain access, including zero-day vulnerabilities and social engineering. Critical infrastructure organizations should identify vulnerabilities and apply patches, ensure vendors and suppliers have strong security practices in place, and make upgrades where available.
Executives targeted in phishing attacks: Hackers are using phishing email campaigns to target senior corporate accounts in Microsoft Azure. Some of the phishing attempts include shared documents with malicious links. Once a victim clicks on the link, attackers are able to gain access and download files like financial assets and internal security protocols. Executives at organizations should use caution opening links through email.
Best risk assessment practices to mitigate risks: As supply chain attacks continue to increase and get broader in scope, organizations must take a hard look at third-party risk assessments and new best practices to implement. Many organizations treat third-party risk assessments as a one-time exercise, but it should really be a continual practice. Third parties should be classified by risk, with the highest risk getting the most intensive assessments. Periodic reviews should instead be continual with real-time data. Risk assessments can be a time-consuming process, so it's recommended to have a standardized template to ease the burden. It’s important for these assessments to consider international regulations, business continuity and disaster recovery plans, and fourth-party risks. These practices can help ensure a safer third-party environment.
FTC actions bring attention to third-party location data: What kind of location data do your third parties store? The Federal Trade Commission (FTC) has taken two recent actions against location data brokers over the collection, use, and processing of location data. According to the FTC, consumers should be made aware of how their location data is used, even when a third party is the one storing and using it. There must be oversight of these third parties, and organizations should verify that third-party apps have obtained consent for location data collection. Consumers should also understand what they're consenting to. In its enforcement actions, the FTC has required the two organizations to develop supplier assessment programs to ensure third parties are obtaining consumer consent.
Tips for valuable vendor relationships: As vendors become more important to organizations, it's crucial to ensure you're getting the most out of the partnership. Rather than purely transactional relationships, organizations should seek to build collaboration. The vendor should share in your organization's goals and priorities, and your organization should communicate openly with the vendor. It's extremely important to perform due diligence before the relationship begins; this helps determine if the vendor is the right fit for your organization and has the right capabilities. Throughout the relationship, your organization should monitor how the vendor performs against key metrics. This may be weekly, monthly, or quarterly, depending on your organization's needs. These tips can help ensure your vendor delivers value to your organization.
Multiple patches released for vulnerabilities: Organizations should apply the patches Cisco, Fortinet, and VMware have released for vulnerabilities in their products. These vulnerabilities could allow attackers to gain access to systems and sensitive data. If your organization uses any of this software, it's important to apply the updates as soon as they're available.
Tips for selecting software vendors: As software vendors become more important for organizations, it’s crucial to be sure you’ve selected the right vendor. Before choosing a software vendor, have a proof of concept or trial to check that the vendor will work for your organization. Software is a bigger target for cyberattacks, so check the vendor’s security practices and readiness. Ask for a software bill of materials to understand the entire supply chain of the software vendor. Your organization will want a vendor that provides value, so look at your vendor’s philosophy and work environment. And of course, be sure to have an exit strategy in case the relationship doesn’t work out.
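Two of the items above, the inventory of third-party code in use and the request for a software bill of materials (SBOM), come down to the same task once the vendor hands over a file: parse it, check that each component is identifiable, and find out how deep in the dependency tree the fourth- and nth-party components sit. The following Python is an added example, not code from the article or from any vendor it mentions. It reads a constructed CycloneDX 1.5 JSON document embedded inline; the component names, versions and the "watch list" of versions to flag are all invented for illustration and do not describe real vulnerable releases.

```python
"""Triage a CycloneDX SBOM received from a software vendor (added example)."""
import json
from collections import deque

# Constructed sample SBOM (CycloneDX 1.5 JSON). Package names, versions and
# hashes are invented for this example and do not refer to real releases.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "vendor-portal", "version": "4.2.0"}},
    "components": [
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "type": "library", "name": "left-pad",
         "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "ab" * 32}]},
        {"bom-ref": "pkg:npm/tls-helper@0.9.1", "type": "library", "name": "tls-helper",
         "version": "0.9.1", "purl": "pkg:npm/tls-helper@0.9.1"},
        # A component with no version, purl or hash cannot be matched to
        # advisories at all: that is itself a finding.
        {"bom-ref": "unknown-blob", "type": "library", "name": "legacy-crypto"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
        {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": ["pkg:npm/tls-helper@0.9.1"]},
        {"ref": "pkg:npm/tls-helper@0.9.1", "dependsOn": ["unknown-blob"]},
    ],
})

# Constructed watch list: purl without version -> versions you want flagged
# (for example, versions named in an advisory or banned by policy).
WATCH_LIST = {"pkg:npm/tls-helper": {"0.9.1", "0.9.2"}}


def load_components(sbom_text):
    """Return (bom-ref -> component dict, parsed document)."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["bom-ref"]: c for c in bom.get("components", [])}, bom


def dependency_depth(bom):
    """Breadth-first walk from the root component.

    depth 1 = direct (third-party) dependency, depth 2+ = transitive,
    i.e. the fourth- and nth-party components the article asks about.
    """
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def triage(sbom_text):
    """Return one finding per component that has at least one problem."""
    components, bom = load_components(sbom_text)
    depth = dependency_depth(bom)
    findings = []
    for ref, comp in components.items():
        problems = []
        if "version" not in comp:
            problems.append("no version")
        if "purl" not in comp:
            problems.append("no purl")
        if not comp.get("hashes"):
            problems.append("no hashes")
        purl = comp.get("purl", "")
        base = purl.rsplit("@", 1)[0] if "@" in purl else purl
        if base in WATCH_LIST and comp.get("version") in WATCH_LIST[base]:
            problems.append("on watch list")
        if ref not in depth:
            problems.append("not reachable from root (orphan)")
        if problems:
            findings.append({"name": comp["name"], "depth": depth.get(ref), "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SBOM):
        print(f"{finding['name']} (depth {finding['depth']}): {', '.join(finding['problems'])}")
```

Run against the sample, the direct dependency passes cleanly, the depth-2 component is flagged for a missing hash and a watch-listed version, and the depth-3 component is flagged as unidentifiable. The depth column is what turns an SBOM into supply chain information: anything at depth 2 or more is a component the vendor's own suppliers chose, which is exactly the layer contracts and questionnaires usually never reach.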
Recently Added Articles as of February 8
This week’s headlines show the importance of third-party cybersecurity, with a record 2023 for data breaches in healthcare, mass exploited vulnerabilities, and new data breaches. Be sure to check out all of this week’s news below!
Creating an effective third-party risk management program: CISOs are becoming increasingly concerned about third-party risks, according to a new survey, especially as those risks become more complex. For effective third-party risk management, executive leadership needs a unified approach and a strong tone from the top. A formal third-party risk management program establishes a consistent strategy and framework. Next, create an inventory of third parties; working with finance to review recurring payments can help identify them. The most difficult step is understanding what risks each third party presents. A risk-based approach keeps this manageable, with the highest-risk third parties receiving the most stringent assessments. The contracting process is also extremely important for setting expectations with the third party. And remember, the third-party risk management process is ongoing, as third-party risks can change quickly.
Two new state privacy laws in 2024: Another state privacy law has passed, becoming the second one this year. New Hampshire became the 15th state with a state privacy law and New Jersey passed its own privacy law earlier this year. These laws are similar to others passed across the U.S. New Hampshire’s will become effective on January 1, 2025, while New Jersey’s will take effect on January 16, 2025.
Ivanti vulnerability being massively exploited: An Ivanti vulnerability is under mass exploitation. Even though Ivanti tried to mitigate the issue, attackers have been able to bypass the system. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to disconnect Ivanti Connect Secure and Policy Secure VPN appliances.
EU’s IT and third-party risk management regulation to take effect in 2025: The EU’s Digital Operational Resilience Act (DORA) will come into effect in 2025, so financial institutions should be ready to comply. Organizations should have IT risk management, including risk assessments and vulnerability identification. DORA also requires organizations to have incident reporting plans and to promptly report incidents to regulatory authorities. Testing is another important component, particularly operational resilience testing. Third-party risk management is a key piece of the DORA regulation, with due diligence and ongoing monitoring of cyber practices. Complying with this regulation may require extra investments, so organizations should begin preparing now.
Service provider reveals breach after third-party data breach: Cloudflare said its systems were compromised in November last year after an attacker used credentials stolen in the earlier Okta breach. Cloudflare said that, while it had rotated thousands of credentials after the Okta incident, it had missed a small number, and those were the ones the attacker used. No customer data was compromised, and the intrusion was stopped once it was discovered in November.
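The Cloudflare item is a reminder that after a vendor breach the question is not "did we rotate credentials?" but "is there any credential that vendor could have seen whose current value predates the end of the attacker's access?" A credential rotated during the exposure window is still exposed, because its new value was also sitting in the compromised system. The following Python is an added example, not Cloudflare's tooling or anything described in the article. The secrets inventory, the vendor name and the exposure window are all constructed for illustration.

```python
"""Flag credentials exposed by a vendor compromise that still need rotation (added example)."""
from datetime import date

# Constructed inventory: which vendor platforms held a copy of each secret
# and when its current value was last rotated. All names are invented.
SECRETS = [
    {"name": "idp-admin-token", "held_by": {"idp-vendor"}, "last_rotated": date(2023, 11, 2)},
    {"name": "ci-service-token", "held_by": {"idp-vendor", "ci-saas"}, "last_rotated": date(2023, 10, 5)},
    {"name": "support-upload-creds", "held_by": {"idp-vendor"}, "last_rotated": date(2023, 9, 1)},
    {"name": "db-readonly-password", "held_by": {"internal"}, "last_rotated": date(2023, 1, 1)},
]

# Constructed exposure window for the vendor incident: the attacker could
# read the vendor's data from exposure_start until exposure_end inclusive.
INCIDENT = {"vendor": "idp-vendor", "exposure_start": date(2023, 9, 28), "exposure_end": date(2023, 10, 17)}


def still_exposed(secrets, incident):
    """Return secrets the vendor held whose current value existed during the window.

    A secret is clean only if it was rotated strictly after exposure_end.
    Rotating before or during the window does not help: the value that
    exists today was visible to the attacker.
    """
    vendor = incident["vendor"]
    cutoff = incident["exposure_end"]
    exposed = []
    for secret in secrets:
        if vendor not in secret["held_by"]:
            continue
        if secret["last_rotated"] <= cutoff:
            rotated_in_window = secret["last_rotated"] >= incident["exposure_start"]
            exposed.append({
                "name": secret["name"],
                "last_rotated": secret["last_rotated"],
                # Rotated during the window: easy to mistake for "already handled".
                "rotated_during_exposure": rotated_in_window,
                # Other vendors that also hold this secret must receive the new value.
                "also_held_by": sorted(secret["held_by"] - {vendor}),
            })
    return sorted(exposed, key=lambda s: s["name"])


if __name__ == "__main__":
    for item in still_exposed(SECRETS, INCIDENT):
        note = " (rotated during the exposure window, still exposed)" if item["rotated_during_exposure"] else ""
        print(f"ROTATE {item['name']} last rotated {item['last_rotated']}{note}; also held by {item['also_held_by']}")
```

On the constructed data the token rotated on November 2 is clean, the September 1 credential is obviously stale, and the October 5 token is the interesting case: it was rotated after the breach began but before the vendor cut off access, so it still has to go. The "also held by" field is the fourth-party angle: a rotated secret has to be redistributed to every other platform that held it, or the rotation breaks an integration and gets rolled back.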
Third party is compromised in a cyberattack: AnyDesk, a remote access solution, was the victim of a cyberattack where cybercriminals stole source code and private code signing keys. Ransomware was involved, but AnyDesk hasn’t shared more information about it. The third-party solution said it remediated the issue and that customers are safe to use AnyDesk.
Healthcare has a record-breaking year for data breaches: Healthcare broke records in 2023 for the sector's number of data breaches, with nearly 135 million people impacted. Although there were only 23 more data breaches in 2023 than in 2022, last year's breaches had a much wider impact, affecting more than twice as many people. Many of the largest 2023 breaches stemmed from third-party business associates. The situation could get even worse in 2024. New regulations could be on the horizon to address this, but healthcare organizations should improve their security standards and monitor their business associates regardless.
Blackbaud faces regulatory consequences after 2020 data breach: After Blackbaud's massive 2020 third-party data breach, the organization is required to delete personal data it doesn't need as part of a settlement with the Federal Trade Commission (FTC). The FTC alleged that Blackbaud's poor security allowed a hacker to breach its network and compromise millions of people's personal data. Blackbaud provides data, financial, administrative, and fundraising services to other organizations. The FTC's order also prohibits Blackbaud from misrepresenting its data security practices, as it is accused of doing during the 2020 breach.
CISA alerts to an exploited Apple vulnerability: A high-severity vulnerability affecting Apple devices was added to the U.S. CISA Known Exploited Vulnerabilities list. Apple has released patches for the flaw and said it was addressed with improved checks. Organizations should apply these patches as soon as possible.
Components for Uyghur Forced Labor Prevention Act compliance: It’s extremely important for organizations to minimize the risk of forced labor and human trafficking throughout the supply chain, as well as be compliant with the Uyghur Forced Labor Prevention Act (UFLPA). Organizations should know their supply chain and map out where suppliers (and nth parties) are sourcing their products and services. Due diligence is an important piece to the UFLPA, particularly with higher-risk suppliers and countries, like China. This due diligence should extend to fourth and nth parties, which requires working with suppliers. Contracts should include a code of conduct that specifically addresses forced labor and human trafficking. Remember that it’s not over once the contract is signed as suppliers should be continuously monitored for violations.
Preparing for and understanding privacy audits: Privacy audits are becoming more common, particularly with new privacy legislation across the globe. Audits should identify compliance issues that may affect an organization and which regulatory body would have jurisdiction over it. It's important to communicate clearly during a privacy audit and ensure teams fully understand privacy policies and requirements. Audit findings may need to be disclosed to regulators at some point, so organizations should conduct test audits to ensure there are no surprises.
Biden says he’ll veto Senate resolution to rescind SEC rules: With movement in the U.S. Senate to rescind the recent SEC cybersecurity disclosures rule, President Joe Biden has said he’s prepared to veto the Senate resolution. With ransomware attacks on the rise, the Biden administration said it’s important to have transparency from public companies. However, some Republicans in the Senate have argued it’s just an additional layer that doesn’t actually address cybersecurity issues.
FBI removes malware from hacked routers: Chinese hackers were disrupted by the FBI after they used malware to infect routers that were at end of life. The cybercriminals used the malware to connect to U.S. critical infrastructure organizations. The FBI was able to disinfect hundreds of routers.
Steps to ensure third-party cybersecurity: As supply chain attacks increased 26% from 2022 to 2023, vendor security has become more important than ever. Most organizations use some type of third-party tools and software. No organization can assume that these third parties have the right security measures in place. Instead, it’s important to perform due diligence before the third-party relationship begins and then periodically throughout. Third-party cybersecurity should be a priority throughout the entire relationship and contracts should clearly outline cybersecurity requirements and expectations. A risk-based approach, meaning where the highest-risk third parties receive the most attention, is an effective way to manage third parties. These steps can help prevent your organization from being the victim of a data breach.
Recently Added Articles as of February 1
This week’s headlines revealed that third-party risk management continues to be a critical function to help prevent supply chain attacks and the impacts of a third-party data breach continue to spread. Be sure to check out all of this week’s news below.
Preparing for third-party AI risks: Generative artificial intelligence (AI) has introduced new risks in third-party risk management. Many organizations are likely taking a second look at products and services third parties provide and must stay vigilant with third parties adding AI services. Contracts should be updated as necessary to address AI usage and organizations should use caution before contracting services that use AI.
Using third-party risk management to avoid supply chain attacks: Supply chain attacks have become a favorite method by cybercriminals to gain access to organizations’ data through vendors with weak security. No organization can assume vendors have proper security controls in place. It’s important to do proper security due diligence in the beginning of the relationship and then monitor throughout. Organizations should implement service level agreements (SLAs) in the contract that cover how vendors will manage and protect organizational data. These steps may seem like a lot when considering the entire vendor base, but a risk-based approach ensures the highest-risk vendors receive the most monitoring.
How to mitigate third-party cyber risks: Third-party cyber risks can have devastating impacts on organizations, so it’s important to mitigate and monitor these risks. If your organization doesn’t have one already, creating a vendor risk management program is crucial to help identify, assess, monitor, and manage third-party cyber risk. This includes risk assessments and due diligence before entering a third-party relationship and continuously throughout the relationship. After a thorough review of a third party’s cybersecurity practices and security posture, organizations should set contractual standards to mitigate the risks. Security training with third parties is crucial to ensure they’re prepared for phishing and social engineering attacks. Regular security audits help ensure third parties remain secure. These steps can help prevent or lessen devastating consequences of third-party cyberattacks.
Evaluating cybersecurity vendors: As cyberthreats continue to evolve and become more complex, many organizations have turned to cybersecurity vendors to help manage the workload. However, these vendors still need to be evaluated for risk before a selection is made. They should align with your organization's risk profile, and because their purpose is to reduce risk, it's important to evaluate their own security posture and practices. Ensure the cybersecurity vendor can help your organization work toward its cybersecurity goals and solves a real problem for your organization.
The risks of software as a service platforms and how to mitigate them: The number of software as a service (SaaS) platforms organizations use has grown widely over the years. However, these platforms can also introduce new risks that need to be mitigated. Weak SaaS providers are easy targets for cyberattacks, and as more organizations turn to SaaS platforms the attack surface expands. A data breach at a SaaS provider can leak confidential information from thousands of organizations, so it's important to conduct thorough due diligence on SaaS providers' security posture and monitor it throughout the relationship. The APIs used to integrate with SaaS providers can also open the door to more attacks if the connected SaaS providers aren't monitored.
Ransomware attacks increased in 2023: Ransomware attacks increased in 2023 by 68%, according to a new study. On the bright side, law enforcement takedowns seem to be having a positive impact, as ransomware attacks fell in the last quarter of 2023 compared to Q3. However, cybercriminals will adapt and form new groups, so the threat of ransomware is still active.
Third-party risk management is a crucial investment: As third-party data breaches become more common, third-party risk management is all the more important. It helps avoid third-party disruptions through ongoing monitoring and it safeguards reputations. It’s important for organizations to follow the third-party risk management lifecycle and have a risk intelligence team to continuously monitor vendors. Regular audits are also fundamental for catching vendor issues before they become a problem. With an increased investment in mature third-party risk management, organizations can be better prepared for the unexpected.
Paid ransoms drop to a record low: The number of paid ransoms dropped to a record low in the last quarter of 2023, following a trend that began in 2021. This is due to a variety of factors, like better preparedness, a lack of trust toward cybercriminals, and regulations in some areas where paying a ransom is illegal. The amounts of actual ransom payments have also dropped.
Former government employees sentenced for stealing U.S. data: Three former Department of Homeland Security (DHS) employees will serve jail time for stealing U.S. government databases containing the personal data of 200,000 employees. The data was shared with software developers in India to build a similar product to sell to government agencies.
New data breach record is set, which is driven by an increase in supply chain attacks: 2023 set the record for data breaches, according to a new report from the Identity Theft Resource Center (ITRC). Part of this is due to an increase in supply chain attacks, where cybercriminals targeted vendors to gain access to multiple organizations. The report also noted more zero-day attacks in 2023, which could be due to the rise in the use of open-source software. Both supply chain and zero-day attacks are only expected to increase, so it’s extremely important for organizations to be prepared and manage and monitor their vendors.
Another 4 million patients were impacted in a healthcare third-party data breach: The fallout from last year’s Perry Johnson & Associates data breach is continuing to expand with another 4 million reported patients compromised. PJ&A provided medical transcription services to many healthcare providers. Since the breach, at least 14 million patients have been impacted. So far, more than 40 class action lawsuits have been filed.
Addressing privacy law compliance in third-party contracts: As more privacy laws pass, it’s increasingly important for organizations and third parties to comply with data privacy requirements. Third-party contracts are a great place to help ensure compliance. Provisions on cyber insurance can help mitigate the risks of third parties handling customer data and should cover ransomware attacks. Contracts should also address information sharing, like being updated on security incidents and updates in security practices. Fourth-party security standards should be outlined in the contract, including the vendor’s third-party risk management practices. Contracts should allow for ongoing monitoring and the right to audit so organizations can continuously monitor third parties.
Scrutiny on vendor incidents likely to continue: As many organizations have experienced, vendor incidents can be extremely disruptive and challenging. When your vendor has an incident, your organization can face the fallout of reputation damage, monetary loss, and operational disruption. However, you’re also at the mercy of the vendor communicating the details of the incident. Regulatory agencies paid special attention to vendor incidents in 2023 with cyber incident reporting rules, and this scrutiny is expected to only increase. Organizations should consider how they onboard and vet new vendors and how those vendors are then managed.