Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2021 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2022
State of Third-Party Risk Management 2022

Venminder's sixth annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

January 2022 Vendor Management News

26 min read
Featured Image

Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management program fresh. Below we've listed some notable articles to check out.

Recently Added Articles as of January 27

Cybersecurity is a hot topic this week as a new report reveals the enormous impact of last year’s third-party data breaches. IoT attacks are on the rise and a cybersecurity student is $100,500 richer thanks to his discovery of an Apple bug. Supply chain risk is a big concern for CISOs who can benefit from some helpful tips on how to address those vulnerabilities. There’s lots to learn as we close out the month, so read on for all the details!

Log4Shell attacks involves initial access broker: The Log4Shell vulnerability in unpatched VMware Horizon Servers has been linked to an initial access broker group labeled Prophet Spider. The malicious actor has been working to download a second-stage payload onto the vulnerable systems. Cryptocurrency miners, Cobalt Strike Beacons and web shells are among the payloads that have been observed. Experts warn that they’ll continue to see instances of criminals exploiting the Log4Shell vulnerability, so constant vigilance is critical.

$100,500 awarded to a student who found a hack in a webcam: A cybersecurity student is $100,500 richer after discovering four zero-day vulnerabilities in Apple macOS, which he noted in a report last year. Ryan Pickren detailed the iCloud Sharing bug which allows a user’s web camera to be accessed by malicious websites. A test bug was created that would give an attacker full access to every website visited by the user. Apple rewarded the student with the cash and the vulnerabilities have since been fixed. Just like it's important to stay cyber aware in third-party risk management, it can pay off in your personal life, too.

Lessons learned from Merck’s $1.4 billion lawsuit: The 2017 NotPetya cyberattack has resulted in a big insurance payout to pharmaceutical leader Merck. The lawsuit between Merck and its insurance companies was to determine who was responsible for paying the damages of a cyberattack. Merck’s insurance policy contained a clause that excluded war, but a New Jersey judge declared that the clause was intended for armed conflict and not cyber. In other words, a cyber conflict or war is covered under Merck’s policy. Though Merck’s policy was not cyber-specific, this case highlights the value of retaining insurance that exclusively addresses cyber risk. This specificity may ultimately increase cyber insurance premiums, forcing business leaders to make important decisions on how to spend their budget.

Serious threats emerge with an increase in IoT attacks: As attacks on Internet of Things (IoT) devices continue to rise, experts are urging organizations to ensure they have processes in place to defend against threats. The IoT marketplace is seeing two trends that are creating a significant security issue. Manufacturers are adding connected functionality to their devices while also offering additional services. This expands the attack surface area for most organizations and management hasn't been able to keep up with these features. Experts note that IoT vulnerabilities are mostly contained in the software development kits, not necessarily the smart devices themselves.

Economic sanctions and third-party risk: Anti-corruption enforcement has increased dramatically over the past 10 years, with no signs of slowing down. While the Office of Foreign Asset Control (OFAC) historically focused on financial institutions, the agency is now looking towards software, manufacturing and technology industries. OFAC has increased their enforcement actions against global organizations who are failing to ensure anti-corruption compliance with their third parties. One notable ruling was the Epsilon Electronics case, in which the Court of Appeals upheld OFAC’s interpretation of Iranian sanctions. OFAC didn’t need to prove that exported goods arrived in Iran, only that the Epsilon had reason to know their goods would be re-exported to the country. The court’s decision highlighted the importance of conducting proper third-party due diligence.

OCC highlights importance of third-party risks: According to the OCC, banks should expect to face ongoing operational and compliance risk in 2022. In particular, the regulator identifies cybersecurity, the ongoing digitization of services and utilization of critical third parties as the three interconnected risks that banks need to manage. The OCC, FDIC and Federal Reserve are especially concerned with third-party risk, as evidenced by their Proposed Interagency Guidance released in July 2021. Addressing third-party risk requires unique capabilities including a centralized repository containing contracts, documentation and risk profiles as well as proactively monitoring the supply chain. A decentralized SaaS-based application is also an effective method of managing third-party risk.

Healthcare providers targeted in 33% of data breaches: According to a recent report, the healthcare industry was the top victim of third-party data breaches in 2021. Ransomware was the most common method of attack, followed by unauthorized network access and unsecured servers and databases. Obtaining personally identifiable information (PII) was the main motivation behind these breaches, with over 1.5 billion users being impacted. The government sector was the second most targeted industry and software publishers were identified as the most at-risk vendor.

Data breaches in 2021 impacted 1.5 billion: Cybercriminals had a successful year in 2021, making off with an estimated $1.5 billion worth in PII. A recent year-end report evaluated 81 third-party breaches that were responsible for over 200 public disclosures. Software vulnerabilities were the top source of successful exploitations. The report states that organizations often trust their third-party software providers without checking for vulnerabilities. It warns against using a vendor risk management process that’s focused on compliance and checklists. A better approach is to think of security in terms of awareness with the goal of closing the gaps.

Optimizing your cybersecurity budget against threats: Like most organizations, you probably have a limited cybersecurity budget and need to figure out how to best protect against threats, while also stretching your dollars. The goal shouldn’t be to buy more tools, but instead focus on protecting your assets. You’ll first need to take a comprehensive view of your talent, processes and effective tools. It’s also important to think about cybersecurity from the perspective of an attacker. This allows you to evaluate which of your data is most attractive and vulnerable to criminals while also considering which method of attack is likely to be used. Finally, consider the value of utilizing an adaptable team and resources. Budgets may need to be reevaluated every quarter to determine if methods, tactics and tools are still effective.

How CISOs can fix supply chain vulnerabilities: Supply chain security is long overdue for a makeover and CISOs can lead the way with a data-centered approach that continuously shares information throughout the ecosystem of partners and vendors. Step one is to create an effective vendor risk management framework. Organizations should also take an approach that protects supplier resiliency and consider applying AI and machine learning in their security policies. Continuous controls monitoring should be utilized, as they perform regular security checkpoints over time and it’s important to be more active when building up their ecosystem security.

How to stand up to vendor bullying: In an ideal world, an organization would follow their technology vendor selection strategy and obtain the best solution for its needs. However, there seems to be a recurring trend where larger marketing technology companies are utilizing aggressive tactics to push ill-fitting solutions. These vendors are often not used to rejection and will show off their one-size-fits-all rankings to prove they’re an industry leader. To stand up to these large “bullies," it’s important to understand how your decisions relate to your strategic business objectives. Utilize key metrics in your decisions and recognize that sometimes the bigger vendors can carry bigger risks.

Ransomware victims in the public sector: Over 2,000 local governments, schools and healthcare providers were victims of ransomware attacks in 2021. Today’s attacks mostly result in double extortion, in which data is stolen and victims are threatened with it being released online. These types of attacks accounted for only 118 of the incidents last year. And, some experts find that to be positive. Despite the notorious 2021 attacks on Colonial Pipeline and JBS, things are moving in the right direction as the government is finally focusing more on the ransomware problem. Just this month, Russia arrested several members of the REvil gang, which may be a sign that cybercriminals need to look elsewhere for protection.  

The slow process of responding to a cyberattack: On average, organizations need nine months to identify and respond to a cyberattack. This troubling finding comes from the recent Global Cybersecurity Outlook 2022 report published by the World Economic Forum (WEF). The report also reveals some key challenges facing cyber leaders. Primarily, a big challenge is the shortage of skills that they need to respond to an incident. These leaders also don’t feel consulted on business decisions and can’t seem to obtain support from decision makers in making cybersecurity a priority. It’s also worth noting that 40% of respondents to WEF’s survey revealed that they were affected by a supply chain cybersecurity incident. 

5 tips to improve supply chain communication: As the supply chain crisis marches on, it’s worth considering ways to improve communication with your vendors. After all, they’re often the ones who can help your organization out of a challenging situation. Greater transparency and collaboration across the supply chain are key in delivering value to the end users. The first tip is to accept that the power has shifted to the suppliers and consider the other factors aside from the lowest cost. The next tip is to look at supply chain management cross-organizationally, instead of a limited silo. Create an environment of open communication so suppliers and the organization can address challenges. The third tip is to create a win-win approach with your vendors instead of focusing solely on the transaction and delivering notices of failure. Rewarding vendors for meeting key performance indicators is often a better strategy. The last two tips relate to sharing your forecasts and establishing trust. 

Recently Added Articles as of January 20

Supply chain challenges are continuing in 2022, so it’s time to establish a more holistic approach with suppliers. Community and minority based financial institutions are appealing to Congress for cybersecurity help and North Korean hackers are targeting cryptocurrency startups. Also, executives and InfoSec leaders can’t seem to agree on cybersecurity. Are you wondering why? Take a look at what’s trending this week in the news!

InfoSec and executives at odds on cybersecurity risk: Senior management and the board seem to be falling into a false sense of security when it comes to various cyber threats and vulnerabilities. A recent report states that 92% of business executives believe that cyber resilience is integrated into their risk management strategies, but only 55% of security executives agree. One reason for this discrepancy is that chief information security officers often feel that they aren’t consulted. Businesses are often reluctant to invest in cybersecurity measures until an incident occurs. Cybersecurity expert, Algirde Pipikaite, states that, "The best and most resilient company is the one that has been breached already.” One strategy to bridge the gap is to utilize tabletop exercises that practice incident response. This could bring awareness to potential issues and allows both parties to feel included in decision making.

Top 3 threats of Linux malware: Low-powered IoT devices are becoming more vulnerable to Linux malware. Most notably, distributed denial of service (DDoS) attacks. A new report named XorDDoS, Mirai and Mozi as the most prevalent malware families in 2021, which accounted for 22% of attacks. Mozi is a peer-to-peer botnet that utilizes distributed hash table (DHT) while XorDDoS attempts to guess passwords to give attackers remote control. Mirai also targets servers with weak passwords, with the most common variants being Sora, IZIH9 and Rekai.

Why third-party security needs to be a priority: Third-party security is often acknowledged as a threat, but many organizations fail to prioritize this risk. This leads to inefficient security practices, misallocated budgets and supply chain vulnerabilities. The state of third-party security is officially in crisis and needs to be addressed by organizations. Notable breaches from the past year have revealed the importance of proper access management of critical resources. Third parties that handle sensitive information require strong security measures around the governance, control and monitoring of this access. This includes restrictive third-party access policies, utilizing Zero Trust Network Access and ensuring that monitoring procedures are implemented.

Cryptocurrency startups lose millions to North Korean hackers: North Korean hacking group Lazarus, and its subgroup BlueNoroff, are responsible for a string of cyberattacks that have been targeting cryptocurrency funds. Fintech startups located in China, Hong Kong, the U.S., Russia and other countries were all targeted in the campaign, which started in 2017. The groups' efforts have been successful in stealing almost $400 million in digital assets in 2021. Lazarus is known to utilize a diverse range of malware including advanced phishing attacks. Aside from stealing funds, the primary goal of these attacks is to monitor financial transactions. Cryptocurrency transactions are especially appealing to hackers because transactions are immediate and impossible to reverse.

2020 ransomware attack on cloud vendor impacts 200,000: Details are emerging on a 2020 Netgain Technology ransomware attack that has affected almost 200,000 individuals. A January 13th breach report states that Minnesota-based Entira Family Clinics discovered an incident from their vendor which potentially exposed names, social security numbers and medical histories. The breach was discovered on December 7, 2020, raising questions on the timeliness of the notification. HIPAA’s Breach Notification Rule requires notice within 60 days if there’s a “greater than low risk of comprise to unsecured PHI”. In response to the incident, Entira stated that they performed a security audit of Netgain and is reviewing its own policies and procedures on the security of its systems.

Ongoing challenges of the supply chain: Managing supply chain disruptions in 2022 will require a holistic approach and unique plan of action. Organizations need to begin by identifying common pain points in their supply chains and ensure that control measures are in place. After identifying these points, it’s critical to establish effective and timely communication with all parties. It’s also important to identify common goals, objectives and strategies so the entire organization has a united approach. Organizations should ensure that they have a good understanding of their suppliers by asking deeper questions about their goals. For example, ask whether the supplier is open to working together on mitigating supply chain risks and growing as a good corporate citizen to address bigger issues.

Weekly cyberattacks increased 50% in 2021: New research revealed that weekly cyberattacks peaked in 2021 with an increase of 50% from the year before. Fourth quarter was especially memorable, with over 900 weekly cyberattacks per organization. Education and Research was the most vulnerable industry, followed by Government and Military. Africa saw the highest volume of attacks, with an average of 1,582 per week, and the Asia Pacific region closely followed with 1,353 per week. North America was at the bottom of the list with an average of 503 weekly attacks.

Elusive backdoor SysJoker malware discovered: Linux and macOS detection systems weren’t able to catch a new multi-platform malware named SysJoker. The backdoor was discovered after attacking a Linux-based server of an educational institution, which began in 2021. The malware is disguised as a system update and is believed to be targeting a specific list of victims. The malware is written in C++ and is tailored to its targeted OS. Researchers believe that the movement of the malware may lead to a ransomware attack in the future.

Cybersecurity threats increasingly target SMBs: If there’s one thing we should acknowledge about cybercriminals, it’s that they don’t discriminate. Small and medium-sized businesses (SMBs) are just as vulnerable to cyberattacks as larger companies and even face a few unique threats. The size and lack of infrastructure of SMBs is one of the main hurdles they face in effectively protect against exploits. SMBs often don’t have control over every component of their supply chain and many rely on single systems to support hybrid work models. Increasing regulation, like the CCPA, is also a challenge for SMBs who lack the dedicated staff to sort through the details. However, the good news is that one of the most effective measures is simple employee cybersecurity education. Penetration testing and third-party risk assessments are also effective methods of protecting against threats.   

Congress receives plea from community financial institutions: The increasing threat of cyberattacks has led community and minority banks and credit unions to ask Congress for help. Financial leaders are asking for improved regulations so they can establish better IT procedures and programs. Regulators are aware of growing cyber threats, but are still slow in fixing the issues. However, some smaller financial institutions are wary about the solution to simply increase regulation through things like required investments in tech, talent or change management. Some IT leaders are looking to new technology like “confidential computing” to increase resilience to cyberattacks.

Recently Added Articles as of January 13

Top stories of this week include a new warning on Russian hackers and a flaw that’s impacting millions of routers. Microsoft’s latest Patch Tuesday was eventful and cybercriminal groups are still working hard through a recent attack on a telecom analytics firm. NCUA clarified their new third-party guidance and we look at how ESG reporting will become more prominent in 2022. Read on for all the details!

Cybersecurity agencies issue warning on Russian hackers: The FBI, NSA and CISA recently issued a joint statement which gives guidance on detection, response and mitigation techniques to use against Russian state-sponsored cyberattacks. The list of known flaws include CVE-2020-0688 (Microsoft Exchange), CVE-2018-13379 (FortiGate VPNs) and CVE-2019-2725 (Oracle WebLogic Server), among others. The agencies also warn that the threat actors can be persistent in maintaining undetected access through legitimate credentials. Best practices to protect against these threats include mandated multi-factor authentication, enforcing network segmentation and disabling all unnecessary ports and protocols.

Almost 100 CVEs released in January Patch Tuesday: Nine critical vulnerabilities were among the 97 fixes published by Microsoft at the beginning of the year. The most critical CVEs since July 2021. Six publicly disclosed vulnerabilities include CVE-2022-21839 (denial of service) and CVE-2022-21874 (a remote code execution bug in Windows Security Center API). Oracle’s quarterly Critical Patch Update will be released next week, as system administrators continue to deal with the Log4J vulnerability.

Telecom analytics firm is victim of ransomware: Subex and its cybersecurity subsidiary, Sectrio, are apparently the latest victims of ransomware group Ragnar_Locker. The group’s site on the dark web showed an “.onion” link, which supposedly contains information about the company and its employees. Ragnar_Locker took their attack one step further and issued a message intended to mock the firm for its carelessness and responsibility in protecting client and partner data. The group is even urging customers to cancel all contracts and obligations they may have with Subex and Sectrio, stating that data will be made public if the companies don’t cooperate.

Millions of routers are impacted by KCodes NetUSB flaw: Millions of end-user devices from Netgear, TO-Link, Tenda and more may be vulnerable to a flaw in KCodes NetUSB, tracked as CVE-2021-45608. The buffer overflow vulnerability can be exploited to allow attackers to remotely execute code in the kernel. NetUSB vulnerabilities are nothing new, with several bugs dating back to 2015. Experts say that the only fix is to update the firmware of your router, if available.

Malicious USB devices used by FIN7 cybercriminals: The defense industry was the recent target of cybercriminal group FIN7, who attempted to use malicious USB devices for ransomware attacks. According to the FBI, suspicious packages were reportedly sent to transportation, insurance and defense business organization departments. Included in these packages were fake gift cards and thank you notes, along with the malicious USB devices. Several different tools, scripts and ransomware were utilized including REvil ransomware, Metasploit and PowerShell scripts. FIN7 previously used a similar campaign in 2020, sending gift certificates and stuffed animals to its victims.

Illegal debt collection practices results in CFPB lawsuit: The CFPB has accused United Holding Group (UHG) and its affiliates of knowingly using unlawful and deceptive third-party collectors, according to a recent complaint. The allegations state that UHG harmed their consumers by allowing third parties to deceive them through false and misleading statements such as threats of arrest, jail or lawsuits. Another allegation states that UHG affiliate, United Debt Holding (UDH), reviewed phone calls made by JTM Capital Management’s collection companies. Despite the discovery of major violations, UDH increased the amount of business with JTM. As a result of violating the Fair Debt Collection Practices Act, the CFPB is seeking a civil money penalty and monetary relief for customers.

Cyberattacks as the new weapon for terrorists: Cybersecurity failure is one of the top threats facing humanity, according to the Global Risk Report by the World Economic Forum. As attackers continue to target critical infrastructure, the resilience of societies continues to be at risk of collapse. Just last year, the Colonial Pipeline and JBS attacks gave us a glimpse of potential gas and food shortages, so it’s understandable that security experts are predicting an event called “Cyber 9/11”. An event like this would begin as a digital attack, but quickly expand to other parts of society and cause widespread harm. The solutions for prevention always seem to come down to the basics of strong cybersecurity practices. Zero-trust architecture, two-factor authentication and updating operating systems are all good practices to implement at both the enterprise and individual levels.

NCUA guidance on third-party activities and obligations: Federally insured credit unions (FICUs) now have some clarity regarding permitted activities and obligations with third-party digital asset providers, as stated in the National Credit Union Administration’s recent guidance. The guidance permits FICUs to partner with third-party providers of digital asset services that allow members to buy, sell and hold assets that aren’t insured. However, FICUs are expected to evaluate the legal, reputational and economic risks of these activities through proper due diligence, cybersecurity and ensuring compliance with applicable laws. NCUA also urges FICUs to review their policies and procedures to ensure that appropriate internal controls are in place.

Improving TPRM through emotional intelligence: A consultant and third-party risk manager recently developed the trust, history, improvements and process (THIP) model after recognizing the importance of emotional factors in improving risk management programs. Relationship-building is one of the core skills of a third-party risk management (TPRM) program, so it’s important to identify the key stakeholders that can ensure a program’s success. The history comes into play when organizations need to determine internal and external challenges. Often, there are some negative emotions related to third-party risk because a TPRM program doesn’t exist or needs to be improved. This leads into the improvements factor, which comes down to invention or innovation. An organization may look to build new programs (invention) or improve upon existing processes (innovation). Finally, the process component includes analysis of how an organization views, acquires and works with their third parties.

ESG reporting will take a larger role in 2022: Voluntary environmental, social and governance (ESG) reporting is set to be a thing of the past, as new regulations will make it mandatory for certain organizations to report on sustainability. In 2022, you should expect to see some significant developments in ESG reporting, beginning with the SEC’s proposed rules on areas of climate change, human capital management and board diversity. The debates on these rules are still ongoing, but the final decisions will provide more insight into future disclosure requirements. Going beyond the U.S., the Global Reporting Initiative has been cooperating with the EU on developing ESG standards. The International Financial Reporting Standards Foundation (IFRS) is also getting involved with its creation of the International Sustainability Standards Board (ISSB) which will develop mandatory ESG disclosures for corporations.

Well-known companies receive CFPB scolding: Frustrated consumers are growing increasingly weary of credit reporting companies. Between January 2020 and September 2021, the CFPB received more than 700,000 complaints about some of the top credit reporting bureaus. Most issues were related to inaccurate information on credit and consumer reports and the bureaus reported relief in less than 2% of covered complaints. The CFPB performed an analysis and discovered that there was a heavy reliance on template complaint responses and two of the bureaus neglected to provide outcomes of their investigations to the agency. Compliance and reputational risk can often go hand in hand, showing that consumers hold a lot of power in implementing change. To read more about how the CFPB may implement tougher rules, check out this additional article by American Banker.

Man in the middle phishing toolkits found on the web: As two-factor authentication becomes more widely adopted, man in the middle (MITM) phishing toolkits are increasing in popularity. This method of attack aims to spy on information as it’s transferred through the two-factor authentication process and without the victim’s knowledge. Researchers have discovered more than 1,200 phishing toolkits that use this method, with 15% of them staying online for over 20 days. Users are urged to report any issues if they see them and companies that are victims of such attacks need to proactively work to address the problem at its source.

A look back on 2021 privacy laws: Last year saw a few key developments in state privacy laws which will likely lead to continued progress for other state legislation. The fairly new California Privacy Protection Agency (CPPA) held it’s first public meeting back in June, with a focus on creating subcommittees for rulemaking, regulations, public awareness and guidance. The California Privacy Rights Act will go into effect January 2023. And, going into effect at the same time is the Virginia Consumer Data Protection Act (VCDPA), which includes requirements for data controllers to provide consumers with privacy notices and certain data subject rights. January 2023 will also be the effective date of the Colorado Privacy Act (CPA), which provides consumers with the right to access, correct and delete their data when used for the purposes of advertising, selling and profiling. A model template for state privacy legislation can be found in the Uniform Personal Data Protection Act.  

Recently Added Articles as of January 6

It’s a new year and many of the things we saw in 2021 are evidently continuing into 2022. Protecting software supply chains will continue to be a priority, as many experts predict that 2022 will be the “Year of the Breach.” The new omicron variant is affecting third-party risk management and a whistleblower revealed some concerns with a COVID-19 vaccine vendor. The FDIC will say goodbye to their leader on February 4th and the SEC finally announced some updates to their recordkeeping requirements. 2022 is off to a fast start, so read on to see what’s happening!

How to protect your critical software supply chain: Software supply chains can bring great rewards, such as productivity and lowered costs, but the risks you face can be things like destructive cyberattacks. Criminals generally use three common methods to carry out an attack. They can compromise software updates, undermine code signing or exploit open-source code. Sometimes, you'll notice they use more than one method at once. Organizations can protect their software supply chain by following a few best practices including limiting access to data and ensuring that their vendors implement effective security practices. It’s also important to implement and review effective auditing and reporting practices while also testing your own security measures. Communication and collaboration is also key in maintaining a secure supply chain.

Maryland whistleblower reveals concerns with COVID-19 vaccine vendor: Mobile vaccination sites in Maryland were apparently doling out ineffective COVID-19 vaccines to underserved and unsuspecting communities, according to whistleblower Dr. Jessicah Ray. She stated that she discovered systematic safety problems, particularly with a vendor called TrueCare24, which was hired by the state to run their mobile sites. Improper vaccine storage and inadequate record keeping are some of the claims Ray is making in her complaint. After voicing her concerns, Ray said she was demoted. Officials with Maryland’s Department of Health are reviewing the vendor’s actions. Remember, do your due diligence on your vendors to ensure their procedures are in line with your expectations. 

Five banking risks in 2022: The pandemic’s challenges will continue to live on in 2022 and many banks have realized the importance of their digital channels in retaining their customers. To start, experts are predicting that viability risk will increase as client practices change. Active engagement with customers should include complaint resolution and satisfaction surveys to provide better direction on the effectiveness of these interactions. Supply chain issues are another top issue following banks into 2022, with the risk of shortages of baseline materials. Another risk for banks is cybersecurity within third-party relationships. While the principles of third-party risk management remain consistent, it’s even more important to understand third-party activities and reviewing vendor risk profiles more frequently. Regulatory requirements related to ransomware and other cybersecurity incidents are also expected to emerge this year. The last two risks that banks should be aware of are shifting regulatory priorities and volatility around interest rates and margins. Financial institutions will need to shift focus to asset liability management and interest rate risk management.

Top cybersecurity events of 2021: Last year, we saw many high-profile incidents, with an average cost of $4 million. Recorded data breaches increased 17% from 2020 to 2021, but this number may actually be higher because of a lack of transparency on disclosures. Not a single month went by without a significant event, such as the Microsoft Exchange Server vulnerabilities in January and the infamous Colonial Pipeline cyberattack in May which caused a gas shortage panic. And, the year ended with the Log4j vulnerability, which will likely continue into 2022. Here is to hoping that organizations will be better prepared for cyberattacks in the new year!

FDIC chief resigns after her leadership is threatened: FDIC Chair, Jelena McWiliams, announced her resignation, effective February 4th. The departure comes after a partisan power struggle on the agency’s board which threatened her leadership. In December, three Democratic-appointed directors issued a request for public comment on the agency’s bank merger policy without the support of McWilliams. Now that the FDIC board will be composed of Democrats, the agency will likely shift their focus towards issues related to climate change risk, diversity in financial services and caution around fintech in banking. Former Chair Martin Gruenberg will likely lead in an acting role until a new successor is nominated.

Health apps and the changing regulatory landscape: Providers of mobile health apps, fitness devices and other related products and services are urged to keep an eye on evolving privacy and regulatory issues in the upcoming months. This past September, the FTC issued a press release on health apps and the breach notification rule. The agency has yet to issue an enforcement action under this rule, but health technology providers have begun to reassess the privacy and security guidelines for their products. California, Virginia and Colorado are just three states leading the way and implementing new regulations that may affect the makers of these devices and apps.

Data breaches will be plentiful in 2022: Cybersecurity experts are predicting that 2022 will be the “Year of the Breach.” 2021 was a record-breaking year for data breaches and the numbers will likely only rise in 2022. Email accounts boast an 80% likelihood of being exposed and phone numbers follow at seventy-four percent. Last year, over 280 million were affected by breaches that hit large corporations and bad actors will continue to go after personal and financial information. Poor password practices like embedding personal information and reusing the same passwords on different services make it easier for criminals to gain access to systems. And, with cryptocurrency gaining popularity, scams that aim to steal this blockchained money are expected to grow.

SEC finally announces updates to recordkeeping requirements: Broker-dealers will soon see updates to the SEC’s decades-old recordkeeping requirements, which many thought were long overdue. Under the proposal, electronic records can be retained instead of the write once, read many (WORM) methodology. Current requirements state that records can be retained in paper format or electronically, as long as they’re in WORM format. Many were continually faced with compliance challenges and needed to utilize two separate record systems. The amendment to SEC Rule 17a-4 would allow for broker-dealers to use a system which can recreate an original record it it’s altered, overwritten or erased. It would also shift the compliance burden in-house, by replacing a third party with a senior officer in regard to providing “emergency” access to records requested by the SEC and other regulators.

New caveat emptor prioritizes ethical supply chain: Establishing sustainable and slavery-free supply chains used to be the responsibility of national and international governments as well as human rights organizations. However, new laws and regulations are distributing that responsibility to the private sector. Environmental, social and governance (ESG) is becoming a greater point of focus with regulators requiring multinational organizations to address these issues. The U.S. has the oldest law on record that prohibits imported goods that were produced by slave labor. The Tariff Act of 1930 (the Smoot-Hawley Act) has been mostly ineffectual until 2016 because the law made an exception for forced-labor goods that filled in the gaps of U.S. domestic production. In 2021, Congress saw the introduction of more than 30 bills that addressed supply chains with more emerging worldwide. The key takeaways from these regulations are that corporate compliance should be more proactive in their programs while also understanding that merger and acquisition due diligence will be complicated by supply chain failures.

The omicron variant and third-party risk management: The latest variant of COVID-19 has brought about a new global response and the need for more complexity in third-party risk management. The challenges that were presented during the initial emergence of COVID-19 are now being amplified by new variants. Cybersecurity remains a top concern since many companies shifted to remote work. Operational disruptions and bankruptcy also threatened many companies who were heavily dependent on third parties. Rising competition is another result of the COVID-19, particularly with omicron. Companies that were late in realizing the importance of third-party risk management will likely fall behind their competitors who took the necessary precautions early. Third-party risk management provides many benefits including adaptiveness, efficient operations and the ability to get a bird’s-eye view of the entire organization’s vulnerabilities.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo