January 2024 Vendor Management News


Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of January 25

Regulatory news dominated the headlines this week. This included the NCUA's release of its 2024 examination priorities, proposed third-party risk management regulations for the swaps market, and reminders for compliance with the Foreign Corrupt Practices Act. Be sure to check out all of this week’s important news below. 

Credit union authority releases its examination priorities for 2024: The National Credit Union Administration (NCUA) released its top supervisory priorities for credit unions in 2024. While the industry has remained mostly stable despite economic challenges, there are growing signs of financial strains. Credit risk and liquidity risk remained top examination priorities, especially in light of tough economic conditions. Consumer financial protection is also on the list, particularly with overdraft programs, fair lending, and auto lending. Cybersecurity risk continues to be a top focus as the threat landscape continues to evolve. Examiners will look at response plans and incident documentation, as well as third-party contracts. Rounding out the examination list is interest rate risk. 

Challenges and tips to managing fourth-party risks: As the third-party network becomes more interconnected, more organizations are being exposed to fourth-party and nth-party risks. Fourth parties are essentially your vendors' vendors, and nth parties extend that further to the entire ecosystem of suppliers. It’s challenging to manage these risks, particularly with a lack of visibility into the entire ecosystem and the difficulty of keeping communication flowing between parties. To address fourth- and nth-party risks, organizations should conduct due diligence on their third parties’ third-party risk management, use a system or tools to continuously monitor the supply chain, outline risk management expectations in third-party controls, and foster a culture of transparency with all parties. 

Third-party dispatch system affected in a cyberattack: A cyberattack on a Pennsylvania county has affected its third-party 911 dispatch system. Calls for service are still being received and dispatched. However, there’s no timeframe for when the computer-aided dispatch system will come back online. The county has also been disconnected from databases like the National Crime Information Center. Tech company Versaterm supplies the dispatch system to the county. It’s critical for counties to have incident response plans and backup plans in place, especially when it comes to public safety services.

Large cybercriminal partnership is attributed to many web traffic campaigns: Threat actors belonging to multiple groups have teamed up into one partnership called VexTrio. This is being described as the largest malicious traffic broker to date. This group has likely existed since at least 2017 and has been attributed to multiple malicious campaigns. 

Banking as a service (BaaS) faces a crucial crossroads with increased scrutiny: BaaS is continuing to get intense regulatory scrutiny, forcing banks to consider whether to continue moving forward with these partnerships. Several banks have recently faced enforcement actions on fintech partnerships – this isn’t meant to be a discouragement, but rather a reminder to review compliance programs. Some banks may drop out of the space altogether, while others will focus on improving BaaS services and compliance. BaaS is going to take more investment to be compliant, and some banks may not have the resources for that. 

Third-party risk management is crucial for Foreign Corrupt Practices Act (FCPA) compliance: It's important for organizations to comply with the FCPA, particularly its guidance on third-party risk management. Organizations should have a lifecycle that addresses business justification, questionnaires, due diligence, compliance, and oversight after the contract is signed. They should be able to explain why they need a third party and should have third parties fill out questionnaires. Use caution if a third party refuses to fill out a questionnaire. Due diligence should be risk based, and controls should be placed in the third-party contract to mitigate risk. To remain FCPA compliant, ongoing monitoring is crucial. Oversight and auditing are useful tools for managing third-party relationships after the contract. 

Compliant fintech relationships at credit unions: Credit unions may have some apprehension about investing in fintech relationships because of the regulatory scrutiny. A third-party oversight program can help ease some of the concerns and lead to strong fintech partnerships. If a credit union partners with a fintech, it should notify its primary regulator and proactively communicate. Due diligence on fintech partners is critical, including evaluating compliance, performance, and quality. Compliance departments should be engaged in this process and during ongoing monitoring. As the regulatory landscape changes, be prepared to adapt fintech relationships. These relationships bring a lot of benefits to credit unions.

Swedish organizations impacted by a third-party data breach: An IT software third party in Finland, Tietoevry, was the victim of a ransomware attack, causing widespread outages to organizations in Sweden. The incident was contained quickly, but healthcare, government services, retail, and a large cinema chain experienced ongoing disruptions. Tietoevry’s HR and payroll system was also disrupted. It’s used by dozens of government agencies and universities.

Health department falls victim to a phishing scheme: A phishing scheme against the Department of Health and Human Services (HHS) allowed hackers to reportedly steal more than $7 million from a grant payment system. The emails tricked payment employees into granting access to some grantees’ accounts. Government agencies must be aware of phishing schemes, especially as geopolitical tensions rise. 

Ivanti warns against pushing configurations: Administrators should stop pushing new device configurations to Ivanti appliances, as doing so could leave them exposed to two zero-day vulnerabilities. Pushing configurations causes a web service and the applied mitigation to stop working. Ivanti has asked administrators to pause configuration pushes until the appliance is patched. The two zero-day vulnerabilities in Ivanti aren't yet patched, although mitigation measures are available.

Old server versions targeted in an attack: Outdated Atlassian Confluence servers are being exploited through a code execution vulnerability. Fixes are only available for later versions. Organizations should ensure servers are up to date, as old servers can be more vulnerable to attacks. 

Corporate Microsoft emails are compromised in an attack: Microsoft was once again targeted by a Russian cybercrime group that stole emails and attachments from Microsoft’s senior executives. The company said only a small percentage of accounts were compromised. The attack wasn’t the result of any security vulnerability in Microsoft’s products. 

Hospital association warns of an ongoing phishing scheme: The American Hospital Association (AHA) has warned healthcare organizations of an IT social engineering scheme. Threat actors use stolen identities of revenue cycle employees and then call IT help desks to trick employees into granting access. Organizations should use extreme caution and implement measures to protect against becoming a victim. 

Questions to ask third-party AI vendors: Artificial intelligence (AI) can be a great tool to integrate into product and service offerings, and many organizations are relying on third parties to offer AI. Organizations should consider some key questions to ask third-party AI vendors. It’s important to know the source of the vendor’s AI model, as some don’t develop their own models. You should know whether organizational data will be given to a third party. It’s also important to ask AI vendors what type of training data their model uses. Privacy is a particularly important concern, especially with the growing regulatory landscape. Organizations should also understand how third-party AI systems mitigate inaccurate, biased, and underrepresented outputs. These answers can help your organization choose a third-party AI vendor. 

Swaps market regulator proposes a third-party and cybersecurity regulation: The U.S. Commodity Futures Trading Commission (CFTC) has proposed a new risk framework to address IT security, third-party providers, and business continuity and disaster recovery planning (BC/DR). This would require covered organizations to notify the CFTC within 24 hours of an incident that has adverse impacts, or is likely to have adverse impacts. The framework would be proportionate to each swaps entity’s business activities. As more organizations rely on third-party providers, operational risk has increased, particularly the potential for cyberattacks and technological failures. U.S. swaps entities would be required to have a risk appetite and risk tolerance for third parties and monitoring in place. Critical third parties also receive special focus in the proposed regulation, requiring heightened due diligence. The proposed regulation is under a comment period until March 2.

EU publishes first set of rules for third-party risk management of critical IT providers: The EU has published its first final draft of technical standards under the Digital Operational Resilience Act (DORA). Financial organizations will be required to have a policy on the use of critical IT third-party providers, which should be reviewed at least annually. The lifecycle for critical IT third-party relationships should encompass planning for the arrangement, monitoring and managing the relationship, and exit strategies and termination processes. The first final draft outlines in detail how financial organizations will be expected to assess, identify, and monitor critical IT third-party relationships. 

Recently Added Articles as of January 18

Are organizations and third parties ready for what 2024 will bring? This week’s headlines emphasize the importance of regulatory compliance, business continuity, and strong cybersecurity in third-party risk management. Check out this week’s news below!

Ensure third parties are prepared for the SEC cybersecurity disclosure rule: As organizations begin to comply with the SEC’s cybersecurity disclosure rule, it’s important to ensure third-party compliance as well. Meeting the four-day requirement can be incredibly challenging, especially if the third party doesn’t disclose the breach to your organization in a timely manner. Your organization should work with third parties to ensure they understand the new SEC requirements and have defined reporting timelines. This can help organizations be prepared for compliance in the event of a cyberattack.

SEC scrutiny increases with new regulations and enforcements: SEC regulations and enforcement have stepped up over the past year, with new cybersecurity disclosures and enforcement against CISOs for data breaches and misleading information. It’s important to keep strong documentation that explains processes well for when regulators come. And it's clear that cybersecurity and CISOs are still a necessary investment for organizations. 

Healthcare organization settles multi-million dollar lawsuit for third-party tracking tech: A healthcare organization settled a class action lawsuit for $6.6 million after improper protected health information (PHI) disclosures to a third-party tracking technology. In 2022, Novant Health notified about 1.3 million people that the use of Meta pixel code had led to the potential disclosure of PHI. Novant disabled the pixel as soon as it was aware of potential improper use. Novant denied claims in the class action lawsuit, but agreed to a settlement. Healthcare organizations must use caution with third-party tracking technology. 

Irish organizations are unprepared for DORA compliance: Irish organizations may not be ready for the Digital Operational Resilience Act (DORA), which takes effect next year, in January. A new study showed that 82% of Irish businesses don’t understand the regulation, which addresses risk and incident management and information and communication technology (ICT) third-party risk management. In the study, 63% of Irish organizations admitted they aren’t well prepared for DORA. Organizations should prioritize compliance preparation and begin to identify cybersecurity risks and third-party cybersecurity risks. 

Google is rolling out security updates to patch a Chrome vulnerability: Organizations should ensure Google Chrome is updated, as the first exploited Chrome zero-day vulnerability of 2024 was patched recently. The security update could take days, or even weeks, to reach all impacted users.

New report warns of GitHub dangers: Cybercriminals are increasingly turning to GitHub to launch attacks and IT teams are being warned to take action. A new report cited GitHub as the most popular place for threat actors as they can blend in and keep malicious activity hidden. The report urged IT teams to flag or even block GitHub services that are known to be used maliciously. Teams should also enhance monitoring of the tool. Organizations should keep a current inventory of all users that access GitHub. 

Data privacy must be top priority for PaaS providers: While platform as a service (PaaS) providers offer convenience and efficiency, it’s also important to manage and mitigate the risks. PaaS providers often hold sensitive data, like customer information and proprietary business information. It’s important to keep this secure by prioritizing data privacy compliance. PaaS providers must ensure data privacy in processes, policies, and procedures. 

Healthcare organization is victim of a data breach: More than 900,000 people had their personal information compromised after a data breach at Transformative Healthcare. The breach occurred last year after someone gained access to archived data that previously belonged to Fallon Ambulance Service. 

Vulnerabilities actively exploited in Ivanti applications: Two vulnerabilities in Ivanti’s Connect Secure VPN and Policy Secure network access control appliances are being actively exploited. Victims of the exploitation range from small businesses to large organizations. This includes governments, defense contractors, finance and banking, and aerospace firms. Ivanti hasn't yet released a patch, but administrators should apply the mitigation measures provided by Ivanti. 

Laptop maker is impacted in third-party data breach after employee phishing attack: A third-party data breach impacted laptop computer maker Framework. The breach was the result of a phishing attack targeted at an employee at a third-party provider. The attack impersonated the CEO of Framework, requesting information for outstanding Framework balances. The third-party provider’s employee then responded to the email with a spreadsheet of names, emails, and some open and completed orders. Framework has requested the third party train employees on phishing and social engineering attacks, especially if they access customer information. Impacted individuals were notified by Framework.

Millions of sensitive records exposed in third-party data breach: More than 4 million sensitive school records, including active shooter emergency plans, were exposed in a third-party data breach. School software provider Raptor Technologies had web buckets exposed, which included data from 2022 to 2023. The breach also included sensitive personal data on students, parents, and staff. 

Tips for third-party risk management in higher education: Third-party risk management is a crucial practice in higher education, as many third parties handle sensitive data. To start managing third-party risks, first create an inventory of third parties. This can be difficult with shadow IT, so rely on the purchasing department to see who is being paid. Also, keep in mind that third-party risk management is an ongoing practice – the third parties that pose the most risk should have the most stringent continuous monitoring. Third-party risk management can be integrated into other risk management practices for a holistic approach.

Organizations must prepare for third-party business continuity disruptions: As organizations are now into the first quarter of 2024, it’s important to prioritize third-party risk management, especially as business continuity risk is expected to increase. Regulatory agencies are expected to continue to introduce regulations to ensure organizations are protected from third-party disruptions. Software escrow agreements can be a safety measure to reduce the severity and duration of third-party failures. Organizations should also continue to assess third-party security risks. 

Microsoft fixes flaws in patch update: In a patch update, Microsoft addressed 48 security flaws in its software. Two of these are critical and 46 are important in severity. There is no evidence that any of these are zero-day vulnerabilities.

FINRA releases Annual Regulatory Oversight Report: The Financial Industry Regulatory Authority (FINRA) released its Annual Regulatory Oversight Report this week, addressing concerns with artificial intelligence (AI), cybersecurity, and crypto. In cybersecurity, the report encouraged financial institutions to consider assessing cybersecurity risks of third parties, both during onboarding and on a regular basis throughout the relationship. An inventory of third-party services is crucial to have. If institutions use third-party crypto assets, they should test cybersecurity controls. 

Recently Added Articles as of January 11

Third-party risk management is an essential investment in 2024. Recaps of last year show how third-party cyberattacks can impact organizations and damage reputations. Plus, a new privacy law is in the works and a massive third-party data breach continues to spread. Check out all of this week’s news below. 

Healthcare organization is victim of a third-party data breach: SSM Health patients had sensitive information like Social Security numbers and medical information compromised after a third-party data breach. It’s unclear yet how many people were impacted in the breach. The cyberattack on third-party vendor Navvis occurred in July and SSM Health sent out data breach notification letters in late December.

Mitigating geopolitical risk and supply chain disruptions: Chief financial officers (CFOs) have a tough line to walk as geopolitical risks continue to disrupt supply chains across the globe. Assessments are crucial for CFOs to understand risks and know how to manage and mitigate them. Supply chain mapping can provide information on suppliers and other third-party partners, which enhances supply chain visibility. Technology can help offer real-time insights into supply chain data, too. 

Russia’s seafood stinks, according to the Office of Foreign Assets Control: Seafood from Russia is prohibited from being imported into the U.S., including if it’s been incorporated or transformed into another product outside of Russia. Sometimes, U.S. sanctions aren’t always obvious, so organizations should be aware of and create news alerts for this. Failure to comply with sanctions can lead to severe consequences. Sanctions were also extended to foreign financial institutions. Banking organizations should be aware of secondary sanctions risk. 

New Hampshire is likely to pass a privacy law: New Hampshire is on track to pass a comprehensive privacy law, joining a slew of other states. The state Senate must concur with the bill before it goes to the governor’s desk. The act is only enforceable by the state attorney general, and organizations have a 60-day period to fix compliance violations. The bill expands sensitive data to include racial or ethnic origin, religious beliefs, mental or physical health, sex life and orientation, and immigration status. Like other state privacy laws, there are broad exemptions, including nonprofit organizations and higher education. If the bill passes, it would take effect on January 1, 2025.

Mortgage lender is victim of a ransomware attack: Retail mortgage lender LoanDepot revealed a ransomware breach, which shut down systems and briefly took LoanDepot’s website offline. The mortgage industry has seen several ransomware attacks recently, including the large attack on Mr. Cooper in October. 

Flaw in Google allows hackers to access private accounts: Cybercriminals are able to access Google accounts without entering a password, exploiting third-party cookies to gain access to people's private data. Authentication cookies allow people to use their accounts without frequently re-entering a password, but hackers have retrieved these cookies. Google has said it’s taken action to secure compromised accounts and recommended people use Enhanced Safe Browsing. 

Crypto organizations must make compliance a priority: As the U.S. federal government focuses on the crypto market, compliance is becoming increasingly important. There are no industry-specific regulations or agencies for cryptocurrency, but several agencies have pursued enforcement actions and been extremely active in the crypto industry. Crypto organizations should have a risk-based approach to managing third parties and look to the financial industry’s stringent regulations on third-party relationships. Crypto organizations should have internal and external audits in place to ensure compliance, have policies that prioritize compliance as an organization, and implement a strong anti-money laundering program. 

Third-party risk management is crucial for organizations in 2024: Risks continued to grow in 2023, with global conflict, economic downturns, and natural disasters. That outlook is only expected to increase again this year, so organizations should reflect on the lessons learned. Since third parties are so closely tied to critical operational services, organizations must assess vendor relationships throughout the entire relationship. It’s important to have a full view of third-party relationships so organizations can continue to serve customers. As geopolitical risks shift supply chains, organizations must ensure business continuity regardless of location. This includes supplier diversification and avoiding locations all in one geographic region. After the banking collapses last year, organizations should seek to understand operational weak points to strengthen resiliency. 

One of the largest healthcare third-party data breaches in 2023 continues to grow: Another 500,000 people had sensitive information compromised in the Perry Johnson & Associates third-party data breach. PJ&A provides medical transcription services to healthcare organizations. This breach has impacted almost 9 million people in total. Several healthcare organizations have ended their relationship with PJ&A. 

Majority of consumers would lose trust in an organization if breached: Do data breaches really impact your reputation? According to new research, 66% of U.S. consumers wouldn’t trust an organization if their data is leaked in a breach. Forty-four percent (44%) of consumers blame an organization’s security measures for cyberattacks. Data breaches can be extremely harmful to an organization’s brand and reputation. 

Notification requirements after a business associate data breach: What should a healthcare organization do when a business associate experiences a data breach, but the vendor didn’t inform you until two weeks after they learned of the incident? HIPAA requires healthcare organizations to provide timely notice of data breaches to affected people. Business associates must notify healthcare organizations when they learn of the breach, at least within 60 days, but also when it should have learned of the breach if the business associate had exercised reasonable diligence. It’s important to check your contract with the business associate and ensure they’ve met the obligations outlined in the contract and to weigh data breach notifications carefully and make decisions based on the latest information. Healthcare organizations should also document the reasoning behind decisions. 

Majority of businesses impacted by software supply chain cyberattacks: Sixty-one percent (61%) of all U.S. businesses were directly impacted by software supply chain attacks from April 2022 to April 2023, according to new Gartner research. One of Gartner’s recommendations is third-party risk management. Organizations should evaluate attestations of secure software from any third party. If a third party chooses not to provide this information, organizations should rethink moving forward with the relationship. Gartner emphasized the importance of transparency, as third parties should be willing to provide a software bill of materials (SBOM). These recommendations can create a stronger software supply chain for your organization. 

Building relationships for effective third-party risk management: What are the most effective ways to manage and mitigate third-party risks? There are a lot of opinions on that question and a lot of opinions over the usefulness of questionnaires. While due diligence can be extremely in-depth at the beginning of the relationship, risk continues throughout the vendor engagement and has to be monitored continuously. It’s important to build relationships with vendors and begin the relationship wanting to work together. How a vendor works with an organization to solve problems and identify risks can indicate the success of the relationship.

Recently Added Articles as of January 4

Happy New Year! It’s hard to say what 2024 will bring, but we can likely predict artificial intelligence risks, new supply chain disruptions, and cybersecurity risks in the cloud. This week’s headlines covered all of that, so check it out below. 

What to evaluate with third-party artificial intelligence (AI) providers: As AI continues to develop, it’s still a risky venture for organizations to place a large investment in. It’s important to evaluate generative AI vendors and understand the market and its risks. AI should be fair, unbiased, safe, and explainable. It’s also important for third-party AI providers to follow industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry (PCI) standards. Organizations should understand how third-party AI providers will keep data safe and private. Look for an AI provider that is transparent about its model training process and how it uses data. 

SSH servers at risk for attack: Almost 11 million public SSH servers are vulnerable to the Terrapin attack. This manipulates sequences during the handshake process to compromise the SSH server. These attacks can have a large impact, and sometimes the threat actor accesses a system and waits until the right moment to strike. If your organization has an SSH server, you can check it through a vulnerability scanner.
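The item above recommends checking SSH servers with a vulnerability scanner. As an added example that is not part of the original article, the Python below shows what such a scanner inspects on the server side: it parses the server's SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and reports whether the server offers the cipher/MAC combinations Terrapin targets (ChaCha20-Poly1305, or a CBC cipher together with an encrypt-then-MAC MAC) without advertising the "strict kex" countermeasure (`kex-strict-s-v00@openssh.com`). The KEXINIT bytes are constructed inline rather than captured from a live host, and the function names (`build_kexinit`, `parse_kexinit`, `terrapin_exposure`) are this example's own.

```python
import struct

# SSH message number for KEXINIT (RFC 4253 section 12).
SSH_MSG_KEXINIT = 20
# Strict-kex extension identifiers advertised in kex_algorithms to signal
# support for the Terrapin countermeasure (server side and client side).
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
# The cipher and MAC families the Terrapin attack applies to.
CHACHA20_POLY1305 = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"
CBC_SUFFIX = "-cbc"

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c",
    "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c",
    "languages_c2s", "languages_s2c",
)


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_key, ciphers, macs, compression=("none",)):
    """Construct a KEXINIT payload. Used here only to build test fixtures,
    so the same algorithm lists are offered in both directions."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message id + 16-byte cookie
    for names in (kex, host_key, ciphers, ciphers, macs, macs,
                  compression, compression, (), ()):
        payload += _name_list(names)
    payload += b"\x00"              # first_kex_packet_follows = FALSE
    payload += b"\x00\x00\x00\x00"  # reserved uint32
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload (the SSH packet payload with packet length,
    padding length and padding already removed) into a dict of name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not an SSH_MSG_KEXINIT")
    offset = 17  # skip message id and cookie
    result = {}
    for field in KEXINIT_FIELDS:
        if len(payload) < offset + 4:
            raise ValueError("truncated length prefix in field %s" % field)
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated name-list in field %s" % field)
        offset += length
        result[field] = raw.decode("ascii").split(",") if raw else []
    if len(payload) < offset + 5:
        raise ValueError("truncated KEXINIT trailer")
    result["first_kex_packet_follows"] = payload[offset] != 0
    return result


def terrapin_exposure(server_kexinit):
    """Assess a server's KEXINIT for Terrapin exposure.

    Exposure requires both (a) a cipher/MAC combination the attack targets
    (ChaCha20-Poly1305, or any CBC cipher together with an encrypt-then-MAC
    MAC) and (b) the absence of the server-side strict-kex countermeasure."""
    kexinit = parse_kexinit(server_kexinit)
    ciphers = set(kexinit["encryption_c2s"]) | set(kexinit["encryption_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    offers_chacha = CHACHA20_POLY1305 in ciphers
    offers_cbc_etm = (any(c.endswith(CBC_SUFFIX) for c in ciphers)
                      and any(m.endswith(ETM_SUFFIX) for m in macs))
    strict_kex = STRICT_KEX_SERVER in kexinit["kex_algorithms"]
    return {
        "strict_kex": strict_kex,
        "chacha20_poly1305": offers_chacha,
        "cbc_etm": offers_cbc_etm,
        "exposed": (offers_chacha or offers_cbc_etm) and not strict_kex,
    }


if __name__ == "__main__":
    # Constructed fixture: an unpatched server that offers ChaCha20-Poly1305
    # and does not advertise strict kex.
    unpatched = build_kexinit(
        ["curve25519-sha256"], ["ssh-ed25519"],
        [CHACHA20_POLY1305, "aes256-ctr"], ["hmac-sha2-256"])
    print(terrapin_exposure(unpatched))
```

In a real scan the payload handed to `terrapin_exposure` is the server's first post-banner packet; a server that advertises strict kex protects only connections from clients that also support it, so a finding of `strict_kex: False` on a server that still offers ChaCha20-Poly1305 or CBC-with-EtM is the condition to remediate by patching or by removing those algorithms from the server configuration.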

Common risks of using software as a service (SaaS) tools: SaaS has many benefits for organizations, but it also comes with security concerns that require a strategy. Data breaches are the biggest SaaS threat, so it’s important to ensure the SaaS service and product are secure. Third-party integrations can be an easy entry point for cybercriminals to access sensitive data. SaaS tools should also follow industry standards and comply with international regulations. Organizations may also use more SaaS tools than they need, making them difficult to track and manage. In fact, many employees install SaaS tools without involving IT departments. Given all of this, it’s very important to have a cybersecurity strategy to manage SaaS applications and third-party integrations. 

Best practices for supply chain risk management in 2024: Organizations have faced many challenges in supply chain risks, and that’s likely to continue in the new year. To help combat this, it's important for procurement to establish itself as the main source of risk data. They should also increase visibility into supplier risks and have enough details for an informed risk assessment. This should include ongoing monitoring of suppliers as risk can change quickly. Consider establishing risk appetites and thresholds for suppliers and have action plans in the case of a disruption, too. These practices can help your organization be better prepared this year. 

Preparing for third-party risk management examiners: Third parties, particularly fintechs, have gained a lot of regulatory interest in the banking and credit union industries lately. Third-party risk management is a high priority moving into 2024. Even if a third party is at fault for a mistake, the responsibility ultimately lies with the organization using the third party. To prepare for examiners, be sure to have consistent processes for third parties, as that can show examiners a proven track record. This also creates better consistency across internal teams. Use technology that can automate tasks and free up time to focus on more important third-party issues. Workflows provide an examiner with a documented history to follow. Storing third-party documents and contracts in a centralized place makes information easily accessible for both your team and examiners. 

Cybersecurity predictions for 2024 include third-party attacks and AI exploitation: What will 2024 bring for cybersecurity professionals? As risks continue to evolve and emerge, it’s hard to predict exactly what will happen. However, there are several trends experts are expecting for this year. Cybercriminals will capitalize on AI to step up phishing attacks and deploy ransomware. Attackers will also exploit systems that have unpatched vulnerabilities to gain access to sensitive corporate networks. Cybercriminals will also continue to target third-party suppliers, so third-party cybersecurity must be a top priority for organizations. 

Healthcare organizations must make third-party risk management a priority: Cybersecurity is a critical priority for healthcare organizations, especially in 2024. One key area of focus is third-party risk management. Third parties should follow the healthcare organization’s security policies. Regular audits, demonstrated compliance, and vulnerability assessments help monitor and manage third-party cybersecurity. Contracts are an important place to set cybersecurity expectations. They should include data breach notifications, data protection requirements, and regulatory security reporting. Automated tools can help track healthcare cybersecurity on an ongoing basis as cybersecurity risk constantly changes. 

Organizations' movement to the cloud presents cybersecurity risks: More than half of enterprises host critical applications in the cloud, according to a new report. Overall spending on cloud services is expected to increase. This means cybersecurity risk rises as more organizations use the cloud to host sensitive information. Cybercriminals often target the supply chain to gain access, so it's important to verify the cybersecurity practices of cloud services and applications. It's also important to ensure third-party applications meet current cybersecurity standards, that contracts include language on those standards, and that an audit program is in place for continued supply chain cybersecurity. 

Begin preparing for greenhouse gas emission disclosures – including third parties: The U.S. Securities and Exchange Commission (SEC) has delayed its greenhouse gas disclosure rule, but many organizations have already started thinking about measuring and disclosing emissions. If your organization hasn’t yet, it should begin to think about building a process. Europe and California already have emissions requirements that will take effect in 2026, so compliance may already impact your organization. To be prepared, develop workflows for processes on greenhouse gas emissions, create a process to verify the data is correct, put requirements in third-party contracts for Scope 3 emissions, and have a reporting process in place. 

Department of Defense opens comment period on cybersecurity certification program: The Department of Defense has asked for feedback on a cybersecurity certification program that would establish an assessment for defense contractors and subcontractors. The program, called the Cybersecurity Maturity Model Certification (CMMC), allows the Pentagon to verify contractors have put in the right protections and are maintaining them throughout the relationship. 

Malware gives access to Google accounts: New malware is using Google OAuth to restore expired cookies and log into accounts, even if the password has already been changed. Cybercriminals are then able to gain access to Google accounts. The status of mitigation is unclear at this time. 

Healthcare system is victim of a third-party data breach: A third-party data breach at Corewell Health has compromised the sensitive information of almost 1 million patients. Information compromised included Social Security numbers, patient account numbers, diagnoses, and health insurance data. The third-party breach, which originated with HealthEC, also impacted Beaumont ACO.

Geopolitical risks in the global supply chain: Although the supply chain seems to have recovered from the pandemic, geopolitical risks, along with natural disasters and political instability around the world, still pose a threat. The war between Russia and Ukraine contributed to shortages and forced organizations to reshuffle their suppliers. A trade war between the U.S. and China has forced organizations to identify other suppliers. Protests and labor strikes have halted parts of the supply chain, causing disruptions, even if only temporarily. Organizations should use technology to gain real-time visibility into suppliers and the changing geopolitical landscape. 

AI-related threats dominated the landscape in the second half of 2023: AI-related malicious activity took over the threat landscape in the last half of 2023, according to a new report. Malicious domains were disguised as OpenAI services. There was also an increase in Android spyware detections as legitimate apps started to act as spyware. The MOVEit attack also continued to have consequences in the second half of 2023 as more organizations reported data breaches. 
