January 2023 Vendor Management News


Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of January 26

Cybersecurity is at the front of our minds this week as a survey shows that cyberattacks can negatively impact patient health and a well-known airline invests over $1 billion into improving and updating technology. Meanwhile, implementing third-party risk management best practices can help manage cyber risks as well as identify risks in your supply chain. Finally, Homeland Security’s new policy aims to tackle human rights violations and the National Credit Union Association released its priorities for 2023. There’s a lot to catch up on this week, so don’t miss out!

FBI identifies North Korean criminals responsible for crypto theft: The FBI has stated that a cyberattack deployed against Harmony Horizon Bridge, a bridge connecting cryptocurrency systems, has been linked to malicious actors from North Korea. The incident resulted in the theft of $100 million in crypto assets and has been connected to a North Korean campaign to steal funds from financial institutions.

FINRA releases 2023 Examination and Risk Monitoring Program report: The Financial Industry Regulatory Authority (FINRA) released its 2023 Examination and Risk Monitoring Program report earlier this month, which details recent oversight activities and areas for firm compliance programs to be aware of. In the report, FINRA outlines the rules, recent examination highlights, and best practices for 24 areas including cybersecurity, financial crimes, mobile apps, and manipulative trading.

Ticketmaster sales impacted by cyberattack: When Taylor Swift tickets went on sale in November, Ticketmaster suffered from disruptions, which the company has since linked to a cyberattack. During the sale, Ticketmaster experienced a large volume of bot activity which slowed the website. The incident has generated much discussion regarding ticket sales competition, areas for future improvement, anti-trust policies, and more. As cyberattacks impact the market and consumer experiences, it’s important for organizations to understand the issues that lead to attacks and take proactive action to prevent future incidents.  

CISA discovered actively exploited vulnerability: The Cybersecurity and Infrastructure Security Agency identified a vulnerability, tracked as CVE-2022-47966, in many Zoho ManageEngine products. Since it was found to be actively exploited by malicious actors, the vulnerability has been patched.

Homeland Security releases a new policy for reporting labor rights violations: The U.S. Department of Homeland Security recently announced the Process Enhancements for Supporting Labor Enforcement Investigations. As ESG has been an ongoing hot topic, this policy aligns with goals of improving working conditions and holding organizations accountable for labor rights violations. Under this policy, witnesses and victims of labor rights violations can report employers to Homeland Security for investigation. In addition, undocumented citizens who report an employer may receive deferred action as well as the ability to receive employment authorization. The policy shows the goals of lawmakers in eliminating unlawful practices and it’s important for all organizations to review ESG standards and assess their supply chain for compliance. 

Southwest Airlines invests over $1 billion into IT: As many companies suffered disruptions during 2022, Southwest Airlines has decided to combat technological insufficiencies by dedicating over $1 billion to maintain and improve IT systems. This decision comes after outdated technology led to recent disruptions and forced the company to cancel flights during the holiday season. With the rise of new technology and the threat of cyber criminals, it’s important for all organizations to revisit their technology and information security policies to ensure appropriate resources are allocated to constant improvements.  

NCUA releases top priorities for 2023: The National Credit Union Administration has outlined its top priorities for credit unions during 2023. With the goal of overseeing areas that pose the highest risk to union members, these areas include interest rate risk, consumer financial protection, cybersecurity, fraud detection and prevention, and credit risk. Institutions in the financial sector must keep these priorities in mind, especially when preparing for examinations and audits throughout the year.

CFPB outlines requirements for subscription services: The Consumer Financial Protection Bureau has outlined required actions for “negative option” subscription services to follow. These services include those that take a subscriber’s silence as acceptance to be charged for the service. Under these requirements, subscription services must inform customers on the terms of trial periods and that they will be charged in full if no action is taken to cancel a subscription. It must also be made easy for customers to cancel their subscriptions. Organizations that don’t comply with these guidelines may face enforcement action, so it’s important for organizations with subscription services to familiarize themselves with these requirements to ensure compliance. 

The role of third-party risk management in protecting against cyberattacks: The increased dependence on third parties over the past several years has exposed many organizations to heightened risks, which can lead to cyberattacks. Experts believe that third parties are a leading cause of successful cyberattacks and data breaches and many organizations lack sufficient processes to identify, assess, and manage third-party risks. As supply chains grow more complex and technology becomes more advanced, it’s critical for organizations to invest in and implement effective third-party risk management programs to identify cyber risks and take steps to protect against potential attacks.

World Economic Forum cautions the possibility of a disastrous cyberattack in the future: During a recent press conference, the World Economic Forum stated that global instability and growing dependence on technology may cause a catastrophic cyberattack, which could occur within the next two years. Research highlighted the growing concern, as recent events such as the Russian invasion of Ukraine and the COVID-19 pandemic have forced organizations to automate processes and implement new technology to keep up with rising demands. In many instances, these organizations aren’t cyber resilient, which can lead to disastrous operational and financial consequences if a large-scale cyberattack were to occur in the near future. 

Microsoft addresses security flaw: Experts identified a security flaw in Microsoft Azure services which allowed malicious actors to deploy malware and take control over their victim’s application. The vulnerability, called EmojiDeploy, was first discovered in October. Microsoft has since fixed the flaw, so users must ensure that their devices are updated to defend against potential cyberattacks. 

35,000 PayPal accounts exposed during credential stuffing attack: In December, PayPal identified a data breach that had taken place earlier that month. During the attack, the malicious actors used valid credentials, which were likely stolen during an attack or purchased illegally, to access approximately 35,000 customer accounts. The information exposed during the breach includes names, addresses, tax identification numbers, and social security numbers. While PayPal has stated that no financial information was accessed, users affected in the breach will need to set a new password the next time they use PayPal. 

Crypto assets face increased regulatory scrutiny: Over the past several weeks, we’ve discussed the cautious approach that regulators have taken in regard to the relationship between banks and crypto-asset organizations. With the goal of protecting consumer interests, regulators have increased their focus on crypto-asset related activities and have begun taking steps to improve industry oversight. In December, the Digital Asset Anti-Money Laundering Act was proposed which would outline requirements for transactions involving digital wallet assets, among other provisions. These regulations appear to only be the start of new laws to oversee crypto assets, so any organization tied to the industry should read up on these updates to ensure compliance and avoid potential violations. 

Ransomware threatens patient safety: The Ponemon Institute surveyed nearly 600 information security experts to learn more about the impact that ransomware has on patient care and best practices for mitigating cyber risk for healthcare organizations. The survey found that ransomware attacks increase the risk of complications during medical processes, including adverse effects on mortality rates and increasing the number of patients that are transferred to different facilities. The report also highlighted the importance of benchmarking for determining program value, guiding decision-making, and advocating for improved resources. As cyberattacks grow more severe, it’s critical for healthcare organizations to protect against cyberattacks to avoid suffering outages and disruptions which can harm their patients.

Types of cyberattacks that threaten healthcare organizations: Over the past several years, many healthcare organizations have turned their attention to improving cybersecurity to protect their operations and patients against severe disruptions. However, as hackers continue to deploy and develop new attacks, it’s important to understand several types of cyberattacks and best practices for improving security. When it comes to dealing with third-party data breaches, cloud breaches, and internet of things (IoT) attacks, healthcare organizations must begin by following best practices such as educating employees on the importance of cybersecurity, assessing both internal and third-party security policies, and performing ongoing testing to verify whether controls are effective in identifying issues and mitigating the risk of experiencing an attack. 

Best practices for managing supply chain risks: Supply chains across all industries faced many challenges over the past year. As part of a survey conducted by ISACA, a quarter of respondents indicated they experienced an incident while less than half stated that they have high confidence in their supply chain and controls. As the threat of third-party cyberattacks and data breaches continues to rise, it’s important for organizations to understand the best ways for identifying and managing supply chain risks. It’s essential for organizations to implement third-party risk management best practices for assessing vendor controls, identifying physical and cybersecurity gaps, and exercising inventory control, or face potential operational, financial, legal, and reputational damages. 

An understanding of supplier diversity: A diverse supplier is one that’s owned (over 50% ownership) by someone from an underrepresented group, such as a woman, person of color, or an individual with a disability. For some organizations, supplier diversity may feel like a “check-the-box” requirement necessary to meet initiatives. However, there are many benefits to diversifying your suppliers, such as improving your organization’s morale and building a more inclusive workplace for your employees. More than just a reporting standard, supplier diversity helps promote positive change and more accepting workplaces for all people.   

How to improve your third-party risk management program in 2023: As we enter 2023, the importance of third-party risk management continues, so it’s critical to ensure that your organization follows best practices for handling new and emerging risks. First, your program must assess your third parties for ESG risks and verify that your third parties comply with regulations. Second, understand the impact that your supply chain and fourth parties can have on your organization, especially when dealing with your critical third parties. Third, review and update your organization’s cybersecurity policies and conduct thorough due diligence on your third parties to verify their controls. Finally, consider outsourcing or implementing dedicated third-party risk management tools to maximize your resources. By following these suggestions, you’ll make great strides to improve your processes and protect your organization against third-party risks.

Recently Added Articles as of January 19

This week, experts discuss how the supply chain can leave healthcare organizations vulnerable to malicious actors. Implementing third-party risk management best practices can help identify and address risks before a third-party incident occurs. Also, outdated technology can cause inefficiencies, so it’s important to innovate your tech stack. Finally, as federal agencies turn their focus to cyber policies, private organizations should prepare for new regulations. Read on for this week’s news!

CFPB releases proposed requirement for nonbanks: The Consumer Financial Protection Bureau (CFPB) recently released a proposal for a new rule which would require nonbanks to register in a public system if they use certain contract terms. Under the rule, these terms would include language that seeks to waive legal protections such as consumer rights. In a statement, the CFPB said that the proposed rule was developed with the goal of improving awareness and oversight of nonbanks. Under the rule, nonbanks that fail to register would face penalties for non-compliance.

The importance of third-party risk management for healthcare providers: As many healthcare organizations grow increasingly dependent on third parties for a wide range of products and services, it’s more important than ever to implement third-party risk management to protect sensitive organizational and patient data. Third-party data breaches can have severe impacts on healthcare organizations, causing disruptions, reputational damages, and legal action. To protect against future incidents and mitigate third-party risks, healthcare organizations must begin implementing third-party risk management best practices such as conducting thorough due diligence to vet vendors, adopting a zero-trust policy, and monitoring vendor performance.

The future of federal cyber policy: Cybersecurity has been a hot topic for several years, as hackers have deployed more sophisticated cyberattacks and many organizations have faced an increased risk of suffering a cyber incident. With concerns still on the rise, regulators have turned their focus to ways that they can standardize cybersecurity requirements. Already, many federal agencies have started work on implementing new cyber regulations, with the goal of requiring the development and maintenance of sufficient cybersecurity practices – and this is only the start. Private organizations should expect to see new guidelines and obligations emerge over the next several years, including the way that supply chains and third-party vendors are assessed and managed.  

Hackers exploit security vulnerability in Cacti’s tools: Cacti, a fault management monitoring tool provider, has released an update to address a vulnerability in its tools that allowed hackers to deploy malware. Experts have delved deeper into the vulnerabilities to identify the ways that malicious actors exploited the flaws to gain access to privileged networks or launch malware attacks on systems.

Breaking down the Virginia Consumer Data Protection Act: Regulators have started 2023 with a splash, as the Virginia Consumer Data Protection Act went into effect earlier this month. Several of the key requirements outlined in the law include implementing privacy policies, performing data protection assessments, giving consumers the ability to opt out of targeted advertising, and developing sufficient security practices. Organizations that conduct business in Virginia or that offer products/services to Virginia residents must be sure to familiarize themselves with the regulations and ensure compliance.

CircleCI suffers data breach following malware incident: CircleCI reported that a malicious actor was able to deploy malware against an employee’s computer. During the incident, the hacker gained access to sensitive data including customer environment variables, keys, and tokens. While CircleCI has stated that its platform is safe for users, it also cautions its customers to stay alert for any suspicious activity.

The importance of updating your third-party tech stack: With the constant rise of new technology, there are more solutions to meet your organization’s needs and improve your third-party risk management processes. In today’s world, failing to innovate your systems and update your technology can leave your organization vulnerable to a variety of risks. Ask yourself: do your systems help reach your organizational goals, or are there any areas where you can consolidate vendors? As older technology grows outdated, it’s critical to update your organization’s technology to push efficiencies, address gaps present in older systems, and identify the vendors that provide the best ROI. 

Best practices for securing your organization against supply chain attacks: The healthcare industry has been the target of many major data breaches and cybersecurity attacks over the past year – and many of these incidents have been linked to third-party vendors. Budget gaps, understaffing, and insufficient supply chain management programs make it increasingly difficult for healthcare organizations to keep up with supply chain risks and security threats. It's important to take proactive steps and protect your organization against supply chain risks. Best practices to improve supply chain and third-party risk management include maintaining an inventory of your third parties, assessing existing relationships for risks, and advocating for a sufficient third-party risk management budget. 

Third-party vulnerabilities expose healthcare organizations to malicious actors: It’s no secret that the healthcare industry has been a major target for cyber criminals looking to steal sensitive data over the past several years. As malicious actors seek to infiltrate private networks, experts have identified the role that third parties and the supply chain have played in leaving healthcare organizations vulnerable to cyberattacks. As several major data breaches revealed in 2022, third-party security gaps can expose healthcare organizations and their sensitive data to hackers. The threat of data breaches isn’t going anywhere, so it’s critical to identify and address any third-party security gaps which may leave your organization vulnerable to attack.

Microsoft releases security patches: In a recent release, Microsoft implemented fixes for 98 security vulnerabilities. These flaws range in criticality, so it’s imperative for users to update their systems to ensure that the patches are implemented to protect against malicious activity. 

Recently Added Articles as of January 12

New regulations made a splash this week. The California Privacy Rights Act (CPRA) went into effect and federal agencies will require sufficient risk management before banks can perform crypto-asset related activities. Last year, third-party data breaches negatively impacted organizations from all industries, so be sure to follow third-party risk management best practices to identify vulnerabilities and protect your organization. Don’t miss out on any of this week’s news!

FCC votes to update guidelines for telecommunication data breach disclosures: Last week, the Federal Communications Commission announced its decision to create changes in the way that telecommunication providers report data breaches. In place of outdated policies, the FCC has stated its goal to require operators to notify the FCC, affected customers, and law enforcement quickly after a breach is discovered. With the increased risk of cyberattacks targeting telecommunication companies, updated policies will be critical to the industry’s incident response plans. 

Hackers use AI chatbot to launch cyberattacks: Experts have identified malicious activity which exploits OpenAI’s ChatGPT, a chatbot designed to help users perform various activities, such as writing code and debugging. However, hackers have since begun exploiting the chatbot for malicious purposes, such as rewriting the program as ransomware or developing malware. As developers continue to work to create patches and develop methods to hinder hackers from exploiting AI programs, it’s important to stay aware of any suspicious activity and perform cybersecurity best practices. 

Data centers may be increasingly vulnerable to cyberattacks: The past several months have proven that no organization is safe from the threat of cyberattacks, no matter the size or industry, and data centers remain a primary target. Data centers are presented with challenges that must be overcome to protect against cyberattacks. Experts have identified several of the most prevalent challenges, including understaffed cybersecurity teams, new types of attack that target multifactor authentication and endpoint detection response tools, compliance risks, and physical security risks. These risks aren’t going anywhere, so data centers must revisit their security policies and address the gaps that could leave them vulnerable to cyberattacks. 

Hackers use malware in attempts to infiltrate Kubernetes clusters: Experts with Microsoft have identified a series of attempts to infiltrate Kubernetes, an open-source container orchestration platform. These attacks have utilized vulnerabilities in container images and other weaknesses to find entry points.

Federal agencies require risk management for banking-crypto relationships: Regulators from the OCC, FRB, and FDIC recently released a statement which outlines how regulators intend to promote caution and safety when handling the relationships between banks and crypto-asset organizations. As part of this guidance, banks will need to provide notice to regulators as well as evidence of sufficient risk management activities before engaging in any crypto-asset activities. As regulators continue to express concerns for market security, this statement aligns with previous decisions to require oversight when handling these relationships. 

How to protect your organization from third-party data breaches: Throughout 2022, the number of third-party data breaches was alarming. Data has shown that approximately 25% of data breaches have involved a third-party vulnerability, which makes assessing your third parties for security gaps more important than ever. To protect your organization against potential third-party data breaches and the reputational, operational, legal, and financial risks that they carry, it’s imperative to follow third-party risk management best practices like assigning risk ratings to your third parties, assessing high-risk third parties for security gaps, updating your contracts to include security requirements, and using automated tools to improve processes and create efficiencies.

FHFA releases guidelines for effective risk management: The Federal Housing Finance Agency released model risk management guidance to Freddie Mac, Fannie Mae, the Federal Home Loan Banks (FHLBanks), and the Office of Finance. These guidelines were created to supplement previously released standards from 2013 with the goal of addressing concerns and frequently asked questions.

Tips to handle third-party cybersecurity risks: It seems most industries, if not all, suffered major losses because of cyberattacks last year. However, many institutions in the financial sector remain vulnerable to cyberattacks and data breaches because of third-party security gaps. When it comes to managing the risks of third-party data breaches, updating internal security policies simply isn’t enough. Financial institutions must begin implementing third-party risk management practices for identifying, assessing, and managing risks to detect and mitigate vulnerabilities before an incident occurs.

Cybersecurity risks threaten patient safety: Cyberattacks and third-party data breaches have caused financial, operational, reputational, and legal issues for many organizations. However, in the healthcare sector, cyberattacks can also have serious implications for patient safety. According to information security experts, if a healthcare organization’s third party suffers a disruption, it can impact sensitive data or, in other cases, the way healthcare is delivered. Experts urge healthcare organizations to make cybersecurity a top priority when onboarding a new supplier or assessing an existing relationship to promote resiliency and safety against third-party cybersecurity incidents. 

Rackspace suffers ransomware attack: Rackspace, a cloud services provider, has reported that it suffered a ransomware attack deployed by a group of malicious actors known as Play. The hackers were able to exploit a zero-day vulnerability to access customer data.

How to ensure compliance with the California Privacy Rights Act: At the start of this year, the California Privacy Rights Act went into effect, requiring businesses to follow its guidelines for expanding consumer protections and data privacy. Organizations that operate in California must comply with the regulation by performing tasks such as minimizing personal data, passing deletion requests to third parties, and receiving opt-in consent for consumers under the age of 16 before being able to sell or share their data. In addition, organizations must assess their vendors to ensure their compliance and to help them avoid unnecessary regulatory risk.

New technology poses cyber risk for healthcare organizations: As healthcare organizations continue to implement new technologies, it’s critical to understand the risks that are associated with new devices and the supply chain. Whenever a third-party vendor accesses, transmits, or stores sensitive information, there are cybersecurity risks that must be identified and addressed. In these instances, third-party risk management is the solution for vetting vendors, assessing vulnerabilities in the supply chain, and protecting patients. With third-party relationships and the use of new technology, healthcare organizations must ensure that their data, patients, and operations are protected, or there may be disastrous consequences. 

User data stolen during Twitter data breach: Last month, a hacker tried to sell the stolen contact information for approximately 200 million Twitter users, including email addresses, account names, and creation dates. Since then, the information has been posted for free online, which could increase the risk of other malicious actors gaining access to this information. Users should be wary of any attempted phishing attacks or password changes for other accounts that use the same password as their Twitter account. 

Protecting your organization against sanctions compliance risk: Over the last year, the geopolitical climate has changed drastically, creating many new regulations and sanctions that require compliance from your organization as well as your third parties. Failure to comply can have serious legal, financial, operational, and reputational implications, so it’s essential to ensure that your third parties follow necessary regulations, too. Sanctions due diligence is a best practice which involves thoroughly screening potential and existing third parties to ensure that they comply or have the controls needed to comply with regulatory guidance. For some industries, consider implementing customer due diligence, limited partners (LP) due diligence, and manufacturer due diligence to verify that your supply chain adheres to guidelines and won’t pose compliance risk to your organization. 

Recently Added Articles as of January 5

As we ring in the new year, experts share their predicted trends in cybersecurity for 2023. Meanwhile, a school district suffers disruptions following a ransomware attack and experts analyze the number of reported attacks in 2022. Finally, regulators continue to make waves as the UN develops a framework to meet ESG concerns and the Investment Adviser Association comments on the SEC’s proposed Outsourcing Rule. Be sure to check it all out!

School district suffers ransomware attack: The Swansea Public Schools District announced that a ransomware attack shut down the district’s network, leading to a decision to cancel classes. The attack has created significant disruptions across the district, though an investigation is currently underway to determine the impact. We don't always think about schools being breached, but it can certainly happen in any industry, including education! 

Reported number of ransomware attacks in 2022 is similar to previous year: An analysis of reported ransomware attacks during 2022 shows a similar number of reported incidents when compared to 2021. The analysis looks at ransomware attacks across the healthcare, government, and education sectors, totaling over 200 organizations that were the target of an attack. However, these numbers don’t account for any attacks that went unreported in the private sector, nor do they track the monetary loss caused by the attacks. Cybersecurity must remain a primary concern in 2023 to protect your organization from disruptions and reputational damage.

Regulatory agencies continue to assess crypto risks to financial institutions: In a recent statement, federal agencies outlined the risks that crypto assets pose to banking organizations and reiterated their continued caution when dealing with crypto organizations. As the relationships between financial institutions and crypto organizations, as well as the related risks, continue to evolve, federal agencies urge safety and compliance with regulations and laws to promote consumer protection and risk mitigation.

Increased focus on TPRM among predicted cybersecurity trends for new year: The number of cyberattacks during 2022 was staggering, and experts suggest that hackers won’t be slowing down anytime soon. As we enter the new year, cybersecurity experts have highlighted their predicted cybersecurity trends for 2023, including an increased prioritization of third-party risk management in response to supply chain attacks and third-party data breaches. Other predicted trends include the increased use of threat detection tools, zero-trust models, and outsourced cybersecurity software, as well as new regulation updates. 

The role of AI in risk management: Artificial intelligence has changed the way that many organizations gather data and predict outcomes, and risk management is no exception. For many, AI can provide a solution for handling large amounts of data, tracking regulation updates, and replacing unreliable and outdated manual methods of managing risk. In fact, many organizations have already turned to AI to help with contract management, identifying new and emerging risks, and detecting fraud that can compromise security and data protection.

A CFPB fine points to increased attention to compliance with banking laws: The U.S. Consumer Financial Protection Bureau recently issued a $3.7 billion fine in response to a series of banking violations, including incorrect interest calculations and improper fees. This is the largest fine the CFPB has issued and suggests that the agency will focus on enforcing banking laws and penalizing institutions that don’t comply. As regulators continue to update policies and examine practices, it’s critical to ensure that your organization complies with all applicable laws.

How third-party risk management addresses supply chain vulnerabilities: Over the past several years, supply chain vulnerabilities have exposed organizations to a wide range of risks, including the increased threat of cyberattacks and operational disruptions. To help protect your organization, it’s critical to implement key third-party risk management processes, tools, and assessments to identify areas of concern and take steps to mitigate the risks posed to your organization. To promote supply chain resiliency and improve your security, it’s essential to educate your leadership about the importance of risk management, perform assessments on your vendors, and utilize tools that can more efficiently detect and address risks. 

Netgear users must update systems with recent firmware: Netgear has released a patch to address a vulnerability affecting several WiFi router models. Users are urged to update their devices to remediate the weakness and prevent malicious actors from exploiting the vulnerability.

Shifting priorities may lessen income disparity for many positions, which supports ESG causes: It’s no secret that the COVID-19 pandemic dramatically changed the way that people work. While many jobs shifted to remote work, other positions simply can't be done at a distance, which has resulted in cases where in-person employees may be able to negotiate better benefits and shrink wage inequalities. As the workforce continues to evolve, experts suggest that companies that support ESG causes and “put their money where their mouth is” may be more desirable compared to competitors. In response to social, geopolitical, and economic changes, it’s important to ensure that your organization’s reputation is intact and that proper processes are in place to navigate a risk-filled marketplace.

CFPB proposes new rule for tracking repeat offenders: Last month, the U.S. Consumer Financial Protection Bureau released a new proposal for identifying and tracking repeat offenders. Under the proposed rule, there would be a system in place for registering offenders and enforcement orders, and covered entities would be required to have a designated individual responsible for maintaining compliance.

Understanding the EU’s Digital Operational Resilience Act: Ahead of the new year, the EU has adopted new requirements for managing information security risks. The law, called the Digital Operational Resilience Act (DORA), was developed with the goal of creating a standard approach for handling information security risks across regulators in the EU. Most importantly, DORA will require financial institutions to adhere to set standards and implement a series of processes for managing cyber threats, reporting incidents, sharing information, testing resiliency, and handling ICT-related disruptions. Institutions must review the new requirements and begin to prepare for compliance over the next several months. 

Investment Adviser Association responds to the SEC’s Outsourcing Rule: Over the past several months, we’ve looked at the SEC’s proposed Outsourcing Rule which will require advisers to perform due diligence before outsourcing to third-party vendors. However, the Investment Adviser Association (IAA) has responded with a statement that opposes the proposal and highlights areas that are “impractical.” For example, the IAA stated that many firms lack the necessary expertise to address compliance and information security risks as detailed in the SEC’s proposal. Instead, the IAA calls for the SEC to consider alternatives to a new framework, which could meet the objectives and satisfy due diligence requirements. 

Insurers cancel war risk cover for ships in Ukraine, Russia, and Belarus: Many industries and supply chains felt the negative impact of the war in Ukraine. However, though insurers have covered many claims over the past year, protection and indemnity clubs have sent out notices that they'll be canceling war risk cover for ships in Ukraine, Russia, and Belarus. As many supply chains have faced severe disruptions since the war’s start, a lack of insurance could lead to rising costs or, in other instances, ships that go uninsured. To avoid disruptions, it’s important to assess your supply chain’s resiliency, business continuity and disaster recovery plans, which can help your organization address operational risks. 

UN develops framework for restoring biodiversity and ecosystems by 2030: At the conclusion of the United Nations Biodiversity Conference, an agreement was reached to address the loss of biodiversity and natural ecosystems, including a series of global targets to be met by 2030. As environmental concerns have become a growing priority, the UN’s framework aims to emphasize goals such as conservation, cutting waste, eliminating practices that harm biodiversity, and reducing the introduction of invasive species.
