January 2021 Vendor Management News

Recently Added Articles as of January 28

Lots of changes are afoot this week as a new administration, new appointments and other shifts will undoubtedly have a ripple effect for regulators, businesses and consumers alike. Meanwhile, the SolarWinds debacle rages on as more big-name victims come forward. However, sometimes the bad guys do finally get what's coming to 'em.  This week, a major crimeware service was seized by a global group of enforcement professionals known as "Operation Ladybird." This international tale  has all the makings of a good crime thriller: cyberthieves, Interpol and a good old fashioned crack-down! You're not going to want to miss this... read on for the full scoop.

New administration has regulators bracing: It seems regulators everywhere are on pins and needles awaiting President Biden’s pick to lead the Consumer Financial Protection Bureau (CFPB). Many expect the choice will further strengthen the powerful agency with a more aggressive approach to how banks, lenders and debt collectors treat their customers. Over the past few years, quite a few Wall Street critics have felt CFPB choices have weakened the agency’s structure, and some feel that Biden, who is widely regarded as pro-banking, will return to an era of enforcement rather than rulemaking. Staying abreast of these changes is incredibly important for compliance officers, as the actions will speak volumes to the manner of the annual examinations. 

HIPAA compliance risk and remote work: Now that so many of us are working from home, for months and months at this point, it's opened up a wormhole of security concerns. But, the stakes are arguably even higher in the healthcare industry, which, in addition to contending with many of the same challenges of other industries, must also consider how a remote workforce impacts HIPAA compliance. Personal Health Information can easily slip through several, specific healthcare industry gaps which include: a paper-based system, disposal issues, security weaknesses, back and forth disruption as offices reopen, improper vendor management and compliance issues. So, what’s the solution? Legal and compliance teams subject to HIPAA requirements must work together with key stakeholders, including their IT departments, to understand the full scope of challenges remote work brings to an organization.

More SolarWinds vendors affected: We knew it was only a matter of time before more big organizations came forward with some damages. This week, cybersecurity organizations Mimecast and Qualys announced they were also targeted. Mimecast reported a couple of weeks ago that a sophisticated group of attackers had obtained credentials provided to certain customers for authenticating its products via third-party Microsoft 365 services. Some experts believed at the time that the incident may be related to the SolarWinds breach, and Mimecast on Tuesday confirmed that the theft of the certificate was indeed related to the SolarWinds software compromise and carried out by the same hackers. Qualys confirmed to SecurityWeek that it found compromised Orion software on its systems, but claimed impact was “limited.” Unfortunately, we know this is likely not the end of this tale, but there’s definitely a lesson learned here. If your vendors can become compromised, so can you!

Apple drops emergency patches: This week, Apple deployed bug patches in an attempt to fix vulnerabilities in its iOS and iPad OS platforms, alongside a warning that hackers may already be exploiting three different security vulnerabilities. The patches for iOS 14.4 and iPadOS 14.4 are being pushed out to mobile users via its automatic updating mechanism which is designed to remove a hacker’s ability to elevate privileges or cause arbitrary code execution.

FedNow names pilot participants: Federal Reserve Services recently unveiled that more than 110 organizations will participate in the pilot program for their upcoming instant payments offering, the FedNow℠ Service. The pilot will support development, testing and adoption of the FedNow Service while also nurturing the development of services and use cases that may be able to leverage the FedNow functionality. Admittedly, it took years to get the freight train moving on rapid payments – but now it seems like all the participants (which were chosen to ensure diverse representation across the financial industry) in the payment cycle have a seat at the table.

Understanding HIPAA: Passed in 1996, the Health Insurance Portability and Accountability Act, aka HIPAA, transformed many of the ways in which the healthcare industry operated in the U.S. As compliance becomes an increasing issue for HIPAA and the healthcare industry, its proving even more prudent to understand the full scope of what HIPAA key components are, how its history has impacted privacy regulations and enforcement, its unique rules as well as violations and compliance standards. For those who want a deep dive into HIPAA (and really, everyone in the risk industry gig should at least be aware) this is the article for you!

Packaging giant WestRock is the most recent victim of ransomware: It seems another giant corporation is added to the list of cybersecurity victims. This time, WestRock, an American corrugated packaging company was impacted when bad actors were able to infiltrate its IT and OT systems. “Systems recovery efforts are in process and being implemented as quickly as possible, and teams are working to maintain the Company’s business operations and to minimize the impact on its customers and teammates,” WestRock stated. However, the damage has already been done: the value of WestRock stock dropped by more than 4% on Monday morning after the breach was disclosed. Just further evidence that managing cyber risk is important as it also impacts your reputation risk!

OCC enforcements offer a stern reminder: The Office of the Comptroller of the Currency (OCC) recently released its enforcement actions against national banks issued in December and the first part of January, which included a civil money penalty against USAA for Flood Act violations, another civil money penalty against the former CFO of Golden Pacific Bank for deliberately filing false call report data, a prohibition order against a former mortgage specialist at First National Bank of Omaha for initiating unauthorized internal fund transfers and a Notice of Charges against a former president, CEO and board chairman of cfsbank. We always recommend studying the enforcement actions that are generally published monthly by the major regulators (or, when there’s a particularly newsworthy one). This helps you look for practices that may be in play, even unwittingly, at your own organization, and take proactive steps to address any concerns.

European action targets crimeware: Thanks to an international effort dubbed “Operation Ladybird,” which involved authorities in the Netherlands, Germany, United States, the United Kingdom, France, Lithuania, Canada and the Ukraine, Interpol was able to seize control over Emotet, a prolific malware strain and cybercrime-as-service operation. Experts say Emotet is a pay-per-install botnet that is used by several distinct cybercrime groups to deploy secondary malware — most notably the ransomware strain Ryuk and Trickbot, a powerful banking trojan. This is a huge victory in a very long effort which many (including Microsoft and U.S. Cyber Command) have tried to ameliorate and failed. There’s still work to be done, but this was huge step in gaining control of an incredibly malignant cyber weapon.  

Pending rules may suffer a slowdown: As customary for a new administration, rulemaking will slow down a bit until the dust settles – only urgent matters will generally proceed. This is totally normal and quite expected, but can be frustrating for those expecting certain regulatory changes to go through.  Fortunately, things typically return to normal after a few months. Rules subject to statutory or judicial deadlines won't be delayed or postponed, while independent agencies such as the Fed, FDIC and OCC are generally considered not to be subject to the memorandum.  

KPMG assesses the changes upcoming for the financial services industry: KPMG always has excellent insight and is uniquely placed to opine on upcoming regulatory changes, and it seems they predict an upheaval of sorts… but not as dramatic as some would fear.  Specifically, they nod to several measures which will affect the most change, which include agency appointments, regulatory reviews, the House Financial Services Committee and the Senate Banking Committee. Certainly, the shape of financial services will be responsive to the new administration, new leadership at several of the prudential regulators as well as the new Congress.    

The fintech regulation showdown continues: Both the CFPB and the OCC have wrangled over one very important question: Who should have the authority over fintechs? Ever since the OCC made its initial claim that they had dominion, the CFPB has been taking a more aggressive posture. This is important as fintechs will need the same compliance rigor as a national bank, potentially, should the OCC win the showdown. 

 Florida is expected to pass a consumer privacy law: Florida’s traditionally pro-business state legislature is preparing to remake the state’s data privacy laws in the image of California’s CCPA. The concern here, of course, is the disparity and a specter of having numerous state agencies guiding differing privacy laws, rather than a national standard. Evidence of this push includes $100,000 in lobbying money directed at key Republicans that would be needed to move such legislation. Businesses that serve Florida consumers still have an opportunity to take notice, but time is running out– committees started hearing bills on January 11, 2021, and session officially kicks off March 2.

Recently Added Articles as of January 21

There's lot of buzz in the news this week. First, let's mention that there has been a big leadership change in the OCC and lots of new proposed rules and guidance. Meanwhile, cybersecurity and data privacy is still topping charts and has led to some pretty hefty fines, not just in the U.S., but across the pond as well. You most certainly won't want to miss out on some of the new cyberterror techniques to watch for as well as some startling new identity fraud tactics that have regulators reeling. Read on for more!

New phishing attacks detected by AI: If 2020 taught us one thing, it was that the bad guys are creative when it comes to hacking. From fear and ransomware to vishing, there doesn’t seem to be anything that’s off the table. So, what’s the latest in cyberterror technique, you ask? First, there’s “Hidden in the Snow,” which is a phishing link inside a message which appeared to send users to Vail Resorts, and then redirect them to Snow.com, the resort's legitimate partner company and booking service. However, turns out, it actually sent the victim to a phony login page. Next, there’s “Sneaking by SPF,” and “Hidden Text,” in which they put invisible characters between the letters of an email, so it doesn't trigger email defenses with phrases like "helpdesk" or "password expired. Finally, there’s “Email Gateway Spoof,” which tricks recipients into believing it’s from a familiar source. Add ‘em to the list, and beware!

New supervisory rules are adopted: The FDIC, OCC and CFPB issued final rules to clarify and codify the role of supervisory guidance. In a nutshell, the final rules provided clarification around "regulations" and "guidance," reiterating that unlike a law or regulation, supervisory guidance doesn't have the force and effect of law. The ICBA this month commended regulators for the proposal but also encouraged them to go further by defining “supervisory guidance” and clarifying the consequences of violating guidance. 

Malwarebytes joins the victim list of the recent Russian hack: Malwarebytes becomes the fourth major security firm targeted by the Russian attackers who also impacted FireEye, Microsoft and CrowdStrike. Malwarebytes did say that it does not use SolarWinds software, so it's a separate, yet parallel, attack. The security firm said the hackers breached its internal systems by exploiting a dormant email protection product within its Office 365 tenant. Malwarebytes said it learned of the compromise from the Microsoft Security Response Center (MSRC) in mid-December, which detected the suspicious activity coming from a dormant Office 365 security app. Another one bites the dust… wonder who’s next?

GDPR fines ramp up: Europe’s new privacy protection program is proving it's more than just a figurehead. It’s led to a surge in fines for violators. According to law firm DLA Piper, the EU has issued around $192 million in financial penalties, which is a 39-percent increase on the previous 20-month period. Italy, Germany and France are the top three countries most likely to slap companies with a fine and have collectively charged companies about $234 million GDPR came into force. So, watch out world, the GDPR is not playing around.

Why cybersecurity audits are critical for risk management: There are a lot of looming risks for organizations who don’t take cybersecurity seriously. Among them are an inadequate understanding of where critical data resides, inadequate monitoring as well as a lack of understanding around why cybersecurity tools provide critical support, which areas of the data infrastructure represent the greatest risk to the business and how to mitigate associated risks.

OCC fines former Wells Fargo General $3.5 million: James Strother, the former General Counsel for Wells Fargo, got slapped with a major fine for his role in the bank's systemic sales practices misconduct… a $3.5 million dollar fine to be exact. The penalty came as part of a settlement with the bank's former General Counsel that also included a personal cease and desist order. The settlement the OCC announced this week comes in addition to the settlements with six other former senior bank executives announced in January and September of last year.

OCC announces a notice of proposed rulemaking: As cybersecurity events continue to increase, the more guidance regulators are having to create. This week, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation published a notice of proposed rulemaking which will require covered entities to provide its primary federal regulator with prompt notification of any computer-security incident that rises to the level of a “notification incident,” as defined in the NPR. This proposed rule requires banks to notify the OCC as soon as possible and no later than 36 hours after the bank believes in good faith that a notification incident has occurred. It also requires the bank to notify at least two individuals at each affected bank.

CFPB and NCUA sign a memorandum of understanding: The CFPB and the NCUA signed a peace treaty of sorts to help improve the coordination between all the agencies related to the consumer protection supervision of credit unions with over $10 billion in assets. “This agreement underscores NCUA’s commitment to consumer protection by facilitating vital information sharing between the agencies for credit unions over $10 billion dollars in assets,” said NCUA Chairman Rodney E. Hood. “Improved coordination with CFPB will produce better outcomes in support of consumers and reduce burden on covered institutions.” 

California has a mini-CFPB:  While the  New York Department of Financial Service (NYDFS) is known as the most aggressive state agency, California is second in line. Over the past couple of years, the industry has seen the advent of California’s privacy regulations, and now consumer protection expansion. In particular, the state is putting teeth in some of the consumer protection regulations, most notably UDAAP, through the form of the California Department of Financial Protection (DFPI). In this month’s bulletin, the DFPI stated that, with the CCFPL now in effect, they'll begin exercising its “expanded powers to better protect consumers from unlawful, unfair, deceptive, and abusive practices.” The DFPI will review and investigate consumer complaints against previously unregulated financial services/products, will open a new Office of Financial Technology Innovation and will created a new Division of Consumer Financial Protection. Busy, busy bees!

OCC announces 2021 workshops: Each year, the Office of the Comptroller of the Currency holds a series of workshops, aimed to inform the senior management and boards of the national banks (note: participation is limited to only that audience) on hot topics related to banking. The OCC has just announced its 2021 schedule of free, virtual workshops for directors of national banks and federal savings associations. Four virtual workshops are offered, which include: Building Blocks: Keys to Success for Directors and Senior Management; Risk Governance: Improving Director Effectiveness; Credit Risk: Directors Can Make a Difference; and Operational Risk: Navigating Rapid Changes. The schedule of the workshops is an excellent opportunity to hear what is a “front of mind” concern for the OCC and registration is available on the OCC's website.

The Fed talks FI and AI: The Fed may be stepping in to oversee AI used by the financial services industry.  At issue, from their perspective, is unintentional bias, particularly in the case of lending decisions as a result of using accumulated and embedded data. This is something the industry should watch closely as, with any supervision, financial institutions should understand where the regulatory concerns are and take a proactive stance in stepping up their own monitoring as well. 

Brooks steps down as Comptroller of Currency: Brian Brooks has announced his departure from the role as Acting Comptroller of the Currency. There are two important things to note. One, for an Acting Comptroller, he accomplished a surprising amount in a relatively short time, as the article notes. Two, while we won’t cover all of the changes, remember that with a change in Presidential Administration, there are often numerous moves in the leadership of the various prudential regulators – well worth watching. Chief Operating Officer, Blake Paulson, will become Acting Comptroller of the Currency.

Recently Added Articles as of January 14

There's lots going in the news this week. We see malware fingerprinting on the recent Russian attack on Solarwinds to the death of an old standby. That's right... say goodbye to Adobe Flash. Meanwhile, the FDIC and CFPB have been busy changing up their rosters and getting into all sorts of new hobbies. Spoiler alert: fintech! You don't want to miss all the buzz. Read on for more details! 

Intel announces ransomware detection: During a virtual Consumer Electronics Show (CES) on Monday, chip manufacturer Intel announced they’ve built CPU-based ransomware detection capabilities directly into the Intel vPro platform. Thanks to Intel Threat Detection Technology (Intel TDT), Intel’s vPro platform can't only detect encryption attempts, but also filter ransomware activity from other encryption behavior. Furthermore, Intel claims the detection is immune to bypasses. Moving forward, Intel is planning to partner with vendors, such as Cybereason (which it has already announced a partnership with), to further prevent lateral movement, courtesy of capabilities such as hardware-enforced isolation of virtualized containers, secure boot, firmware security and memory protections.

The FDIC announces division changes: New year, new you seems to be the mantra for the FDIC. This week, the Federal Deposit Insurance Corporation has announced some big personnel shifts in its Division of Risk Management Supervision (RMS) and Division of Depositor and Consumer Protection (DCP). John P. Henrie has been appointed Regional Director, Atlanta Region, directing both RMS and DCP supervision programs for institutions in Florida, Georgia, Alabama, South Carolina, North Carolina, Virginia and West Virginia. Meanwhile, Rae-Ann Miller has been appointed Senior Deputy Director, Supervisory Examinations, overseeing safety and soundness examination, applications and enforcement action programs and policy for RMS. Bobby R. Bean has been appointed Deputy Director, Capital Markets and Accounting Policy, overseeing capital and accounting regulations and policy for RMS.

Kaspersky points to a Russian APT group in SolarWinds hack: Both the public and private sectors have been in freefall since the confirmation of the SolarWinds breach. The government has set up a federal task force dedicated to mitigating the fallout while at the same time of organizations have been frantically trying to determine if they too are a victim. The latest in the cybersaga is the connection between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla. According to Kaspersky Lab, a multinational cybersecurity and antivirus provider headquartered in Moscow, Russia, reported an interesting link between the Sunburst malware delivered by the SolarWinds attackers and the Kazuar-related .NET backdoor that has been around since at least 2015. So, grab the popcorn, it seems the plot will only continue to thicken. 

The real problem with cybersecurity insurance: 2020 ushered in a whole new era of cyberterrorism, with hackers coming out of the woodworks to take advantage of any and all vulnerabilities possible. And due to the chaos of 2020, there was a feast of vulnerabilities to be had. But, here’s the real trouble, between exorbitant cyber ransoms and the cost to onboard stronger data security protocols, staff and training, the cost of protection has become too high. While many corporations have turned to cyber insurance to help lessen the blow, others just don’t feel like they can shell out the dough and see it as a luxury. Bottom line: There just isn’t enough money. And, it’s hard to tell right now if there ever will be. There are a lot of short and long-term roadblocks. And, of course both threat levels and the cyber insurance industry will undoubtedly fluctuate, but for now, the best strategy is to invest as much as possible in data protection while working with insurers to increase coverage where they can.

Ubiquiti reinforces password changes: After a recent breach, Ubiquiti, the third-party cloud provider of devices such as routers, network video recorders, security cameras and access control systems, is now urging customers to change their passwords and set up multi-factor identification. While it’s not exactly clear what was exposed, there’s a strong likelihood customer account information was leaked. Their pubic statement said, “We are not currently aware of evidence of access to any databases that host user data, but we cannot be certain that user data has not been exposed. This data may include your name, email address and the one-way encrypted password to your account.”

Federal courts investigate an “apparent” system compromise: While the U.S. court system has suspended use of the hacked SolarWinds Orion network monitoring platform, they’ve also flagged an “apparent compromise” of their electronic filing system for sensitive documents. The administrative announced it was working with the U.S. Department of Homeland Security to investigate and determine if the case management and electronic case files system (CM/ECF) suffered a compromise. For now, they're taking it back a little old school: the federal court system will only accept highly sensitive court documents either in paper form or via a thumb drive.

RIP Adobe Flash player: Cue the funeral march, because it’s official: Flash is dead. It’s the end of an era, but maybe, in the end, it’s not such a bad thing. Security professionals have long held concerns around its safety, and Flash vulnerabilities of varying severity haven't only been identified, but also exploited on a regular basis by nefarious do-no-gooders. Typically, bad actors have used scripts from third-party sites to intercept clipboard contents and grab code. Professionals estimate that over the course of its life, Flash demonstrated more than 1,000 vulnerabilities, including the ease of downloading a malware bundle instead of a legitimate update. So, what to do? Make sure to remove the Flash plugin from your browsers and avoid websites with Flash content placeholders. 

CCPA continues to evolve: As reported by JD Supra, certain aspects of the California Consumer Privacy Act continue to evolve.  Staying abreast and informed on these changes and activities shouldn’t be taken lightly. CCPA has many requirements that may be onerous, not only for companies headquartered in California but also for organizations simply doing business with consumers who reside in California. These updates – and several other articles of interest – are embedded in this link from JD Supra, along with their corresponding legal analysis.  

CFPB welcomes some new blood: The CFPB is allowing two organizations entry into the Compliance Assistance Sandbox to test products and strategies in a semi-regulated space. All under the watchful eye of the regulator of course. In a move long anticipated and even eagerly awaited, Synchrony Bank and Payactiv will have the opportunity to learn, try and revise products in the CFPB domain. Other organizations and fintech companies will be watching to see if they want to join in the sandbox as well as learn lessons from how the overall process is managed and guided from a regulatory perspective.  

Complaint management is still a focus – even for regulators: The Consumer Financial Protection Bureau and other agencies continue to make consumer complaints an area of intense focus. The regulators themselves aren’t even spared from the action.  The Office of the Comptroller of the Currency is among those most often criticized, mainly due to the controversial and mercurial nature of some of the recent guidelines it has published.  At the same time, all organizations should continue to monitor the complaints generated by their third parties in dealing with consumers.  

The CFPB is equipped to provide fintech oversight: The Consumer Financial Protection Bureau reengages in the fray that the Office of the Comptroller of the Currency (OCC) started when it announced the bank charter program several years ago. The CFPB has long maintained that they have authority to oversee third-party service providers. A recent report seems to not only bear that out but firmly assert that the CFPB is prepared to oversee fintech companies. Organizations should bear in mind that not only will their prudential regulator be expecting appropriate third-party risk management of fintechs, but the CFPB will be in the mix as well.   

Recently Added Articles as of January 7

The new year has certainly started off with a bang... and the name of the game this week seems to be "compliance." With the messy aftermath of the SolarWinds breach continuing into 2021, it seems like it may be a good thing as more and more loose ends are being uncovered. And, even a federal task force, including the FBI, has been created to clean up the mess. Read on for all the juicy details!

The CFPB's Taskforce releases a report with bureau recommendations: The Taskforce on Federal Consumer Financial Law released a report, in two volumes, with over 100 recommendations to the CFPB, Congress and state and federal regulators to strengthen consumer protection - which appears to be a major focus across the industry in 2021. Among the recommendations, we see researching consumer reporting issues further, assessing the completeness and accuracy of consumer credit reports and more. Looks like there's lots to do already in the new year!

The 2021 forecast for regulated industries: While 2020 is in the rearview, much of what happened last year will carry into 2021, leaving many to speculate what’s ahead. The pandemic is still very much a reality, but with a new administration on the horizon, there will undoubtedly be some changes. Some anticipate personnel adjustments and increased attention to consumer complaints emanating from credit card issuers, banks, mortgage lenders and debt collectors. While none of us have a crystal ball, we think it’s safe to say there will likely be some BIG changes this year. 

Cyber attacks on hospitals increase by 45%: When you think about it, it makes sense. The medical industry is a powerhouse of personal information, making them a pretty juicy target for bad actors of all kinds… and it seems data thieves everywhere have gotten the message. Researchers have reported a massive surge in healthcare targeted cyber attacks across the globe. They have documented a 45% increase in attacks specifically targeting healthcare organizations since November 2020, which effectively places the healthcare sector at the top of the hit list for cyber criminals compared to all other industries. If you haven’t already, now’s the time to shore up your cybersecurity program, use anti-ransomware solutions and educate employees about data security. 

Ten ways to incorporate the board in 2021 risk management: It’s a new year, which means it’s a great time to refresh old processes and ways of doing things. "2020 has forced companies to look at risk in a completely new way," said CEO of WomenCorporateDirectors, Susan C. Keating. “2021 will be a time for boards to really integrate risk and strategy on a long-term basis." Some of her suggestions? Create a risk committee separate from the audit committee, don't spend too much time on risks you already know and keep an eye on what can go very wrong. But, that's not all. Read on to learn all ten ways. 

2020 GDPR fines exceeded $200 million: When we’ve told you that data regulation and compliance has been ramping up, we meant it. And, by the looks of it, the numbers support the narrative. Europe’s General Data Protection Regulation (GDPR), which came into effect in 2018, issued a total of €184 million in 2020 (around $200 million in U.S. dollars). According to data collected by enforcementtracker.com, Italy paid the most fines, totaling €58 million, followed by the UK at €44 million and Germany at €37 million. The biggest offenders in terms of number of fines? Spain came in at the top with 128 fines, followed by Italy (34), Romania (26), Sweden (15), Belgium (13) and Norway (11). Moral of the story: compliance isn’t going anywhere. So, mind your p’s and q’s so you’re not in the hot seat next! 

CFPB is positioned for fintech charters: The CFPA panel appointed by the Consumer Financial Protection Bureau said Congress should consider authorizing the bureau — and potentially surprising to some, not the Office of the Comptroller of the Currency — to issue federal charters to fintech companies.  The CFPB, having just cleared a major regulatory hurdle, with the blessing of Congress and the Supreme Court, now has the jurisdiction to regulate pretty much anything. Now, they have their sights set on financial institutions, which will be critical to the expansion and the future of banking and fintech as a whole. So, what do you think — should the CFPB head this initiative up? 

Federal task force formed to handle SolarWinds breach: The National Security Council staff has outlined a task force known as the Cyber Unified Coordination Group (UCG) to deal with the disaster that stemmed from the SolarWinds incident. The implication is that this was a targeted Soviet attack with the goal of gathering high level, national information, so of course, being a matter of national security, a federal investigation is necessary. So, who are the players? So far, the task force is comprised of the FBI, CISA, ODNI and a little support from the NSA. Together, they will coordinate the investigation and remediation of this significant cyber incident involving federal government networks. The FBI is focusing on identifying victims, collecting evidence and sharing results, the CISA is heading information dissemination, the ODNI is coordinating the Intelligence Community and NSA is supporting UCG with intel and cybersecurity expertise.

Over 250 organizations breached via SolarWinds hack: While the hack happened weeks ago, the numbers keep rolling in, painting quite a disturbing picture at just how devastating the effects of just one vendor breach can be. The New York Times reported over the weekend that the SolarWinds supply chain attack is believed to have impacted as many as 250 government agencies and businesses. Just last week, Microsoft admitted that the attackers gained access to some of its source code via third-party resellers of its licenses, but the company insists they couldn’t have made any modifications to the code. So, as you can see, the SolarWinds hack has left a tangled web in its wake as consumers and related third and fourth parties now must determine whether they too are part of the cascading effects. 

Cyber thieves target the online gaming industry: It seems 2020 signaled “game on” for all the cyber criminals out there. No vulnerability too small and no target too big. So, it really shouldn’t come as a surprise that the online gaming industry is seeing an influx of bad actors as well. With everyone stuck at home, online gaming saw a major boost. The growing success of this industry garnered attention from cybercriminals scouting out new targets, and truly, what better target could cybercriminals ask for than a newly developing industry with immature security programs? You see where this is going: wide open network access, compromised accounts and leaked credentials — a cybercriminal’s dream. Third-party risk management and data management should always be a priority no matter the industry.

How to manage hidden third-party risk: While outsourcing to third parties often helps to reduce cost and leverage skills, no matter how you slice it, this increases a whole bunch of risks. Of course, using third parties can be a great way to grow your business quickly, but vendor relationships shouldn't be entered into lightly. For starters, it’s important to make a list of all your vendors who need access to sensitive customer data to provide products or services. At the same time, you should also have a comprehensive list of all vendors. Once you have this, it’s critical to take a risk-based approach and prioritize vendors with sensitive data and who would have the highest impact should a breach occur. 

SolarWinds executives hit with a class action lawsuit: Long story short, the aftermath of the SolarWinds data breach is a mess. More affected parties are coming out of the woodworks and no doubt SolarWinds (among many others) are feeling the heat… especially since some of its top executives have been hit with a class action lawsuit by stockholders. Many of these stockholders allege the company lied and misled them about security practices around the massive breach of its Orion management software that has deeply affected both the public and private sector. The lawsuit cites that some of its poor security practices included setting passwords such as “Solarwinds123” (cue a landslide of cybersecurity headshaking), and top officials were participating in a “fraudulent scheme.” So far, SolarWinds cannot be reached for comment. 

Bank risks to expect in 2021: After the unexpected, completely surprising, 2020 that we all had, it’d be nice to be able to predict what 2021 has in store for us. And, we may be in luck! ABA Banking Journal released this insightful article outlining the risks to expect in 2021. They include interest rates and economic activity, commercial real estate shifts, operational and compliance risks, security, cyber and… third-party risk!

FTC Safeguard settlement eyes vendor oversight: Just last month, the FTC announced a proposed settlement with mortgage industry analytics company Ascension Data & Analytics, LLC, related to alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. To summarize, Ascension hired a company to scan sensitive documents and put them on the cloud; except the vendor, OpticsML, didn’t have proper security protocols in place and a whole lot of personal information was accessed by a whole lot of people who shouldn’t have. The settlement has three major takeaways when it comes to third-party risk management. These takeaways are that the FTC is ramping up enforcement of the Safeguards Rule (compliance!), the FTC appears to see vendor oversight as a key component of implementation of the Safeguards Rule, and finally, this settlement underscores that regulated entities need to actively operationalize written policies and procedures, particularly around third-party risk.

Sabre breach settles at $2.4 million: In attempts to resolve a data breach with Sabre Corp, dating back to 2017, the attorney generals of 27 states have entered into a $2.4 million settlement. The data breach affected the company’s hospitality booking system which ultimately compromised credit card information of 1.3 million. "Sabre first failed its customers with a susceptible security system, then failed them when it came to provide proper notifications,” said New York Attorney General, Letitia James. As a part of the settlement, Sabre will be responsible for taking additional steps to safeguard against a future breach and better protects consumers. 

Ninth circuit upholds CFPB ID ratification: This past week, the Ninth Circuit Court of Appeals issued a verdict around the CFPB stating that it wasn't required to start a brand new investigation with Seila Law, who for those who don’t know, the CFPB issued a civil investigative demand against, which California-based firm Seila Law refused to comply with. This is a follow up to the U.S. Supreme Court case in which the CFPB’s organizational structure was deemed unconstitutional and CFPB Director Kathy Kraninger then ratified the bureau’s actions post Supreme Court decision.

Do you have all the right items in order for third-party risk management? Find out what you need to have ready. Download the checklist.