July 2021 Vendor Management News

Stay up-to-date on the latest vendor management news. Not only will you learn something, you may discover something to help your third-party risk management program. Below we've listed some notable articles to check out.

Recently Added Articles as of July 29

This week, we’re seeing a lot of regulatory news, especially related to ESG and data privacy. The U.S. government released a new supply chain business advisory and the healthcare industry is asking Congress for help in fighting ransomware attacks. Debt collectors should also expect to see some new regulatory actions. Cybersecurity is at the forefront of many headlines, with a new report detailing the cost of data breaches. We also share a couple of interesting stories on supply chain risk, with some lessons learned from the pandemic. Read on to learn more about the top stories making headlines.

New findings in annual Cost of a Data Breach Report: The Ponemon Institute’s annual Cost of a Data Breach Report revealed a 10% growth of average total cost of data breaches in 2021. Unsurprisingly, it seems remote work has made these costs even higher and increased the response time. Organizations that are more than 50% remote saw an average of 316 days to identify and contain a breach, compared to the overall average of 287 days. There’s a cost savings of nearly 30% when the breach is contained in under 200 days. Cost and breach containment may be on the rise, but the report also had some positive findings. Automation has also been increasing, with 65% of organizations implementing full or partial security AI and automation. Fully deployed security AI and automation are key when mitigating cost, along with a zero trust approach. Cloud breaches are also a hot topic in the report, which shows that the hybrid cloud model has the lowest average total cost, compared to public, private and on-premise models.

How data privacy is changing marketing strategies: With more and more states signing data privacy legislation, digital marketers are having to adapt. Organizations are now being challenged to understand their customers without relying on data collected from third parties. Customers still desire a personalized experience, requiring marketers to be more innovative in their approach to understand individual preferences. As brands reach out to customers directly and collect zero-party data, they’ll benefit from owning the data themselves instead of it going to their competitors. Email, SMS, apps and websites will need to be personalized to keep up with customers’ expectations, with direct communication being more effective than segmentation. In the end, transparency around data practices will help build trust with customers and lead to stronger relationships.

ESG and data provider risks addressed by IOSCO: The International Organization of Securities Commissions (IOSCO) has proposed 10 recommendations in a public consultation that focuses on the risks associated with ESG ratings and data providers. Some of the recommendations include due diligence, regulatory and supervisory approaches and interactions of third-party vendors themselves, with companies they assess and end-users. IOSCO states that users need to be aware of where third-party vendors obtain the information used to build ESG products and ensure that it’s current. It’s also important to identify gaps that are in estimates and the methods used to reach those estimates. The criteria used in the ESG assessment process should also be evaluated, which includes the relative weightings of the criteria and how far the assessment depended on qualitative judgements. When they have authority, regulators should consider whether the ESG ratings and data products processes are applied consistently through written policies and procedures and/or internal controls.

Zero-day flaw patched by Apple: Apple users take note! An actively exploited memory-corruption flaw that allows hackers to take over a system has been recently patched by Apple. The vulnerability was supposedly discovered by a Microsoft Security Response Center researcher back in March, but he didn’t have time to report it. Apple advises updating the following devices: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch (7th generation). Apple released three updates to patch the vulnerability which can be found here and here.

Understanding the HIPAA Enforcement Rule: An update to the HIPAA Enforcement rule has caused some confusion among auditors and compliance experts about the rule’s applicability. To put it simply, enforcement rules apply to organizations who fail to follow the HIPAA Privacy, Security and Breach Notification Rules. Details about compliance, investigation and violation penalties are included in the rules, as well as procedures and monetary fines related to imposing civil penalties on any Covered Entities that don’t adhere to HIPAA requirements. HIPAA Compliance Rules are categorized in four areas. The Privacy Rule is designed to protect and gives patients the right to examine and obtain a copy of their health records. The Security Rule protects protected health information (PHI) while it’s stored or in transit and includes both physical and electronic forms. Requirements about the response to a data breach is outlined in the Breach Notification Rule and states that breaches affecting more than 500 must be reported to the Secretary of the U.S. Health and Human Services within 60 days. Finally, the Omnibus Rule strengthens privacy and security protections of PHI data through the implementation of the Health Information Technology for Economic and Clinical Health Act (HITECH).

Update to Xinjiang Supply Chain Business Advisory urges heightened due diligence: In a real world example of ESG guidance, the U.S. government recently updated a supply chain advisory related to the Xinjiang region of China. According to the advisory, the Chinese government has continued to sponsor forced labor and human rights abuses on ethnic and religious minorities in Xinjiang. U.S. companies are advised to exit supply chains that are linked to this area or they'll otherwise be at risk of violating U.S. law. There are four primary types of risk exposure related to these human rights violations. Aside from the obvious sourcing of labor or goods from Xinjiang, U.S. companies are not to assist or invest in the development of surveillance tools for the government in this area. Supplying U.S. origin commodities to organizations engaged in forced labor practices also increases risk exposure, as does helping in the construction and operation of facilities used to detain minority groups. Due diligence efforts can be strengthened in a few notable ways. U.S. organizations should determine if the end users of their products have any relationship to Xinjiang and the Chinese government. Collaborating with industry groups and sharing information is another best practice to research potential labor abuses. It’s also important to understand that due diligence best practices may not be enough. Auditors may be pressured by the government or unable to gain true access to suppliers. It's therefore advised to consider exiting the supply chain altogether.

Looking inwardly at supply chain risk: Business leaders are beginning to crack down on supply chain sustainability within their suppliers, but they should also apply those standards to themselves. The physical and digital supply chain can no longer be separated, and the same can be said about financial, operational and cyber risks. Organizations should understand how their actions can have widespread effects. For example, a delayed or late B2B payment can inadvertently put someone out of business. It’s also important for an organization to remember its position as a partner within the supply chain. You may have a critical eye on your own third party, but you’re likely a third party to someone else and should therefore live up to the same high standards.

Cyberattack vulnerabilities and remote working: Many employees have admitted that they aren’t as thorough with their cybersecurity practices when working from home. Since they feel less scrutinized by their IT departments, some users are using personal email accounts for company data. An increase in phishing emails have added to the weakened cybersecurity environment, sometimes with catastrophic results. An Australian hedge fund was forced to close after a senior executive opened a fraudulent Zoom invitation and subsequently lost $8.7 million. Organizations are urged to carefully evaluate personal devices that have been used for remote work and retrain employees so they better understand how to navigate cybersecurity.

Nonprofit healthcare organizations see an increase in cyberattacks: A new report revealed the rise in cyberattacks that are affecting nonprofits in the healthcare industry. The large amount of sensitive data contained in healthcare facilities make them a prime target for hackers. In 2020 alone, 22 million American patients were affected by exposed data from cyber breaches. The pandemic brought about a cyber “triple threat” for hospitals which expanded the cyberattack surface, increased the number of attacks and reduced revenue and resources. Cybersecurity threats have become a top priority for healthcare facilities, but will likely remain unchanged without sustainable and strong government action. The remote working environment for nonessential staff has also been a challenge to keeping data safe. The early focus was transitioning employees to work from home, but now facilities need to be more aware of cybersecurity.

Pandemic reveals fragility of global supply chains: Many might remember the early pandemic days of toilet paper and cleaning supply hoarding, but other products like lumber, tools and household appliances were also affected by COVID-19. Unrelated events like the Suez Canal blockage and Colonial Pipeline cyberattack have revealed just how delicate our supply chains can be. These events have continued to teach business leaders valuable lessons about global supply chains and how best to secure them. Business continuity plans need to be considered early on, with risk managers and the board of directors involved in the discussions. Insurance buyers need to be aware of the differences between standard and contingent business interruptions and society as a whole needs to be aware of weak points both at the manufacturing and distribution levels.

The longevity of ransomware attacks: You might be surprised to learn that the first ransomware attack was in 1989 (the methods have just evolved since then). And, we’re far from eradicating these types of attacks altogether. There are a few reasons why ransomware attacks are commonly used by hackers. An organization’s employees and third-party vendors are often the path used by attackers. In other words, you’re only as strong as your weakest link. Ransomware attacks are also constantly evolving and the practice of paying the ransom may recover your data, but will ultimately incentivize the attackers to continue. Vulnerability scans, regularly penetration testing and utilizing threat detection tools can be helpful in protecting against ransomware attacks, but it’s important to have realistic expectations and understand that they’re not completely preventable.

Ask for these alternatives when negotiating with your cloud vendor: Your vendor will likely say no to certain things during the contract negotiation process, so consider alternatives that might get you a yes. Rather than anticipating a refund or credit on products or features that weren’t used during the contract term, ask anyway, and use this “no” as leverage to obtain swapping rights in your cloud deal. In other words, you won’t be asking to lower your spending costs, so your vendor may be more open to swap out your unused products for something else equivalent in value that you’re more likely to use. Asking for a volume discount structure will also likely be refused by your vendor. This opens the door for renewal negotiation that can set the baseline price for all units/users at a lower per unit price. Since the cloud vendor said no to a lower per unit price for the committed volume, they may be more open to this alternative. Finally, you should ask for the ability to terminate your subscription during the term without penalty. The cloud vendor probably won’t agree, citing the need for legal circumstances or service level agreement (SLA) non-conformance. When you get this “no," open the discussion and state that you want to form a partnership with a higher degree of flexibility, rather than a purely transactional relationship. By correctly predicting where your vendor stands in contract negotiations, you can use this to create an advantageous partnership.

Debt collectors to face increased federal and state scrutiny: Third-party debt collectors should prepare to see some enforcement trends that come from new leadership at the Consumer Financial Protection Bureau (CFPB), as well as a recent Eleventh Circuit decision. There’s expected to be an increase in lawsuits against debt collectors after the decision made in Hunstein v. Preferred Collection & Mgmt. Servs. Inc. which states that transmission of personal information to a third-party vendor is enough to claim a violation of the Fair Debt Collections Practices Act (FDCPA). As a result, collectors should consider bringing their outsourcing practices in house. Debt collectors in California, or conducting business in California, will be subject to the California Debt Collection Licensing Act (CDCLA), beginning January 1, 2022 which gives the California Department of Financial Protection and Innovation (DFPI) authority to take action under the Rosenthal Fair Debt Collection Practices Act and California Fair Debt Buying Act. The CFPB will also be closely examining debt collectors to identify Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) violations related to the pandemic.

World’s top oil producer reveals a data leak: Due to a third-party contractor, oil giant Saudi Aramco was the victim of a recent data breach, in which the attackers demanded a $50 million ransom. The stolen data was also offered to prospective buyers for $5 million. The hacker doesn’t appear to be associated with a ransomware gang and apparently obtained the data without using malware. A 2012 attack on Saudi Aramco was blamed on Iran and resulted in lost data on three-quarters of the company’s computers. Recent drone attacks and missile strikes on a new Jazan facility have also been blamed on Iran.

Congress called to help fight ransomware in healthcare: Witnesses recently testified before Congress in a hearing titled Stopping Digital Thieves: The Growing Threat of Ransomware, where they emphasized the need for more assistance in dealing with cyberattacks and ransomware. One physician simply stated that the healthcare industry isn’t prepared to defend or respond to ransomware threats and there’s a need to study the effects of these attacks on patients’ health. There was a recommendation for standardized metrics on the severity of cyberattacks on hospitals and to prioritize funding from the National Institutes of Health (NIH) and the National Science Foundation (NSF) to research this topic. Simply stated, ransomware attacks on healthcare facilities should be viewed as a global security threat.

Cyber Incident Notification Act establishes disclosure requirements: The recent introduction of the Cyber Incident Notification Act of 2021 aims to improve the notification of cybersecurity incidents with improved timeliness, especially for those involving state-sponsored threat groups. The U.S. doesn't currently have a federal breach notification law and organizations must instead comply with various state laws. The proposed bill requires the creation of a Cyber Intrusion Reporting Capabilities system that’s authorized to receive and store confidential information. There are a few key requirements for the types of breaches and potential breaches that would be covered. This includes state-sponsored actors, transnational criminal groups and any attack that targets or affects a federal system. The bill also covers federal contractors with some exception and details the fines that can result from violations which can be as high as one half of one percent of the company’s prior year gross revenues per day of the violation.

Complying with data deletion under CPRA an GDPR: The data retention and deletion requirements found in the California Privacy Rights Act (CPRA) are similar to those in the General Data Protection Regulation (GDPR). The basic requirement states that personal data is to be deleted when no longer necessary. The CPRA mandates that a business must inform consumers how long they intend to retain each category of personal information or provide the criteria used to determine that length of time. There are two disclosure options for this requirement. The first being that each category of personal information is identified in a pre-collection privacy notice which also discloses a retention period. The second option is broader and sees the business making a general statement in the pre-collection notice, notifying the consumer that the personal information will only be retained as long as needed to complete the business purpose. There are a few practices that organizations can implement now to prepare for the CPRA, which goes into effect January 1, 2023. You should make sure to update or create a data inventory, document compliance obligations, review your retention schedule, create an information lifecycle management policy and clearly define the data disposition process.

Wall Street sees cybersecurity as the biggest threat: The pandemic and climate change are often making headlines, but bank executives revealed that they’re most concerned with cybersecurity threats and how it might affect their companies and overall financial system. Banks like JPMorgan Chase are taking a hard stance in their cybersecurity efforts, spending $600 million every year and employing over 3,000 people to work on the issue. Security experts still say there are significant gaps in preventing an attack on Wall Street and there needs to be more focus on threats to the financial system as a whole, rather than individual threats. A single attack on a financial institution could be somewhat manageable but less so if multiple institutions were hit. The effects could be even worse if an attack occurred during an unstable period like a “triple witching” Friday when stock options, stock index futures and stock index options expire on the same day. A recent theoretical scenario was described by the New York Cyber Task Force in which North Korean hackers compromised a third-party service provider to gain access to a financial institution’s network and install a worm that wipes data. This would then extend to other banks as they communicate with the infected institution. Despite these concerns, experts are confident that individual financial institutions can withstand cybersecurity attacks, in part because they’re required to have 30-day liquidity. Overall, communication between banks and the public is key to describe the potential impact of a cybersecurity event.

Colonial Pipeline attack leads to stricter cybersecurity mandates: The recent attack on the Colonial Pipeline prompted the Department of Homeland Security to issue additional cybersecurity mandates for critical U.S. pipelines that transport natural gas and hazardous liquids. A second “security directive” was issued by the Transformation Security Administration (TSA) and requires pipelines to implement a cybersecurity contingency and recovery plan and conduct a cybersecurity architecture design review. The first directive focused more on reporting requirements, including the assigning of cybersecurity coordinator who is to be available 24/7. Since the latest directive involves sensitive information, its distribution will be limited to those who need to know.

Chinese government sponsored hackers have targeted U.S. pipelines within the last 10 years: The Biden administration revealed that Chinese hackers had attempted to breach U.S. pipeline computer systems between 2011 and 2013, with 13 successfully compromised. This revelation comes after the new security directive released by the DHS, in response to the Colonial Pipeline cyberattack. China has also been accused of establishing “an ecosystem of criminal contract hackers” that’s supported by its Ministry of State Security and has been involved in ransomware attacks intellectual property theft and other breaches. China has denied these accusations and instead accused the CIA of being responsible to several hacks on Chinese companies and the government. These claims by both parties don’t bode well for the cybersecurity pact that was implemented by the Obama administration and Chinese president Xi Jinping back in 2015. Only time will tell how effective the Biden administration is in facing cyber threats from two major world powers: China and Russia.

Congress and the SEC look towards ESG disclosures: Environmental, social and governance (ESG) disclosures are slowly coming into fruition, most recently with the passing of the Corporate Governance Improvement and Investor Protection Act. If this bill is signed into law, it would amend the Securities Exchange Act of 1934 and require public companies to make significant disclosures regarding ESG issues, while also giving the SEC power to define those factors of the disclosures. The bill also calls for the creation of a permanent SEC advisory committee that deals with sustainable finance. There are five specific disclosures detailed in the bill. The first is an evaluation of the potential financial impacts and risks posed by climate change. The second requires a description of the corporate governance processes used to identify and manage climate-related risks. The third relates to specific actions that are being taken to mitigate those risks. The fourth describes the resiliency of any strategy used for addressing climate risks. And, finally, the last requires a description of how climate risk is incorporated into a risk management strategy.

Recently Added Articles as of July 22

Regulators have been keeping busy this week with the release of new cybersecurity guidance and a new update to healthcare data breach requirements. The EU is also making progress with ESG standards. And, U.S. Congress members are feeling the pressure around artificial intelligence in healthcare. Cyberattacks continue to affect the healthcare industry and we also see the importance of shifting focus to third-party risks as we emerge from the pandemic. Take a look at some of the headlines this week to see what’s trending. 

A law firm giant waits 5 months to reveal breach: February of this year brought about a ransomware attach on law firm Campbell Conroy & O’Neil, which has notable clients such as Apple, IBM, Exxon Mobile and Boeing. A statement from the law firm revealed that sensitive data including social security numbers, passport numbers and health insurance information was exposed, but gave no explanation of the delay in notifying its clients. Third-party forensic investigators are looking into the attack and the FBI has been notified, but it’s still unclear which group is behind it. Infamous ransomware group, REvil, appears to be innocent, as its websites have been down the past week.   

MITA pushes Congress to adopt health AI: Trade group Medical Imaging & Technology Alliance (MITA) recently drafted a letter to Congress members in the hope that Centers for Medicare & Medicaid Services (CMS) policies will ensure patient access to digital health technologies like artificial intelligence. One request specifies that imaging tools that use AI should be given payment codes that are separate from other existing diagnostic services. MITA also supports better communication between CMS and the FDA when approving new technologies, as well as the inclusion of the Ensuring Patient Access to Critical Breakthrough Products Act which helps to connect the areas of regulatory approval, coding, coverage and reimbursement.

Cyberattack on Florida Heart Associates exposes PHI of 45,000 patients: The protected health information (PHI) of over 45,000 patients has been exposed after a cyberattack hit Florida Heart Associates. Social security numbers, member IDs and health insurance information may have been seen or accessed between May 9-19, but their investigation hasn’t revealed any evidence that the information was misused. As a result, the healthcare facility installed an endpoint detection and response tool to strengthen its system’s architecture and encouraged its patients to monitor their credit reports for any suspicious activity. 

Shifting focus from profits to third-party risks: Business leaders are beginning to think differently about managing third-party risk, especially as we begin to emerge from the pandemic and see those risks evolving. COVID-19 highlighted the importance of building a diverse supply chain and finding and retaining new talent. Organizations should be thinking about how to establish or expanding their Global Business Services (GBS) along with their use of third-party providers. Vulnerabilities within technology has also increased in importance as companies are now leaning heavily on technology and services to compete. IT and service functions also require change management when moving towards a more highly integrated DevOps and BizOps operating models. It’s becoming more important to consider the partnership between the organization and its vendors, especially if a lot of work is concentrated with one service provider. When shifting from a process driven world to a platform driven world, think about the service provider’s ability to help with change management and your own ability to manage the service provider’s risk.

Preparing for the EU’s ESG requirements: As Environmental, Social and Governance (ESG) measures continue to expand here in the U.S., the same is happening in the EU. Germany recently adopted the Supply Chain Act which requires large companies (3,000+ employees) to perform appropriate ESG due diligence across their own business activities and their supply chains, beginning in January 2023. The European Commission is also working on a Corporate Due Diligence and Corporate Accountability directive which would affect companies working with and in the EU. The EU Commission and the European External Action Service (EEAS) also recently released new guidance on due diligence regarding forced labor within supply chains. It’s also worth noting that the United Nations (UN) Human Rights Council and the UN High Commissioner for Human Rights are advocating for human rights violations to extend to corruption-based activities. This would allow entities who monitor human rights to also address corruption and give individuals the power to come forward as they see how corruption interferes with their human rights. Moving forward, we should expect to see a need for better cooperation between internal and external stakeholders to approach these issues.

NYDFS issues cybersecurity guidance: New York financial institutions recently received new ransomware guidance from the Department of Financial Services (DFS), which details cybersecurity requirements in routine examinations and stricter enforcement actions. This guidance comes after a flurry of recent ransomware attacks, some of which affected financial institutions. The DFS reported a 300% increase in ransomware attacks in 2020 and outlined several cybersecurity measures, including employee training, vulnerability management and password policies. Many of these requirements overlap with the recent White House executive order on cybersecurity. Compliance with Part 500’s cybersecurity requirements include risk assessments, third-party oversight and general cybersecurity governance. Failure to implement multifactor authentication or report cybersecurity events within 72 hours can result in hefty fines and the requirement of an independent consultant to audit and oversee an organization’s compliance program.

Stolen personal data can be accessed within one hour after a breach: A cybersecurity researcher recently revealed just how quickly a hacker can access personal information after a data breach. After a six-month project of planting dummy login credentials, researchers at Agari made some surprising discoveries. 40% of the credentials were accessed by criminals within six hours, and 18% within one hour. The hackers often only had to log into the compromised account a single time and could then change security settings to forward future emails to themselves. It’s simply not enough to change a password once an email address has been compromised. Users must also determine what else the hacker did while inside the account, with special attention given to any inbox rules.

Fintechs should remain hopeful during charter applications: As the saying goes, patience is a virtue, and fintechs may see their efforts pay off regarding national charter applications. The acting Comptroller of the OCC, Michael Hsu, has called for a review of the agency’s actions, but this doesn’t necessarily mean that fintechs should give up hope. Recently approved, pending and future applicants can expect other regulatory stakeholders to be considered in the OCC’s decision of whether approval conditions have been met. The OCC is receptive to fintech applicants who can prove their commitment to national regulatory standards and their ability to operate in a safe and fair manner. Fintechs can abide by these guidelines by engaging with regulatory stakeholders and educating regulators on how risk will be managed within their unique business models.

Legal liability needed for AI in radiology: Radiology can greatly benefit from artificial intelligence, but experts in the Harvard Business Review say that changing standards of care needs to be adopted for AI to be successful in imaging and other areas of medicine. When AI becomes standard in radiology, the liability risk would shift from the individual physician if he or she is in compliance with that standard of care. However, injury liability would be more difficult to manage with a possible solution being specialized tribunals which can simplify the issues and work alongside traditional liability systems. Despite the promises of new technology, a recent survey revealed that these liability issues prevent the widespread implementation of AI.

Update to CA health data breach requirements: The California Department of Public Health recently updated data breach regulations for health facilities that went into effect July 1. Regulations include implementation of Section 1280.15 of the CA Health and Safety Code which requires facilities licensed by the Department of Health to prevent unauthorized access to or disclosure of a patient’s medical information. Additionally, facilities will have to report a breach to the CDPH within 15 days and any delays in reporting are subject to administrative penalties, with the base amount of $15,000. Affected patients or their representatives also must be notified of any breaches.

Early prevention of ransomware attacks: Organizations are often taking the wrong approach to ransomware attacks which is reacting to them after they’re already happened. Prevention is a better strategy and attacks should be thought of in the same manner as natural disasters. Consider thinking of an attack in in the eyes of the criminal. What type of data loss would hurt your organization the most? Have you established an incident response plan, specifically for a ransomware event? When was it last tested? Are there any gaps between the plan and the standard operating procedures? Do you have offline and offsite backups for critical data? Overall, think about the changes you would make after a ransomware attack and implement them ahead of time to ensure optimal preparedness.

ATM “chain gang” attacks are on the rise: Organized crime seems to be behind the increase of ATM attacks in Texas in 2020, according to the Texas Bankers Association. These crimes involved the use of stolen trucks or tractors from local construction sites and attaching a heavy chain to pull out the cash boxes. The process generally took less than five minutes and was done in the early morning hours. Another strategy involves crashing into a convenience store and making off with an ATM during all the chaos. Criminals can often get away with tens or low hundreds of thousands of dollars, a much more attractive sum that the measly average of $1,797 from traditional bank robberies. As a result of this increase on ATM attacks, Texas lawmakers proposed legislation that would categorize ATM destruction as a third-degree felony. With the constant headlines of cybercrime, it’s easy to forget the more physical types of attacks that can affect organizations.

Recently Added Articles as of July 15

There’s some big news this week from banking regulators, as they released proposed guidance for third-party relationships which would provide consistency throughout the Federal Reserve Board, OCC and FDIC. A new attack has hit SolarWinds and Colorado is officially the third state to enact privacy legislation. ESG issues continue to top headlines and we see an interesting correlation between climate change and chemical disaster risks. There’s a lot to cover this week so read on for some of the big stories in third-party risk management.

Regulators ask for public comment on third-party guidance: After releasing proposed guidance on third-party relationship risks, the Federal Reserve Board of Governors, the FDIC and the OCC are asking for public comment. The guidance was created with the intention of helping banking organizations to identify and address third-party risks, while also providing better alignment throughout the three agencies. Banking organizations are responsible for complying with regulations and consumer protection laws. Regulators will accept comments within 60 days of the guidance’s publication in the Federal Register.  If you're looking for the highlights, check out our latest blog.

3 Windows zero-days in Microsoft's July patch: The July patch will cover multiple Microsoft products and services including Windows, Exchange Server, Office, SharePoint Server and Bing. Thirteen patches are critical and 103 are important. One noteworthy patch is CVE-2021-34527, which corresponds to vulnerability PrintNightmare. This vulnerability can potentially be exploited and give an attacker system-level access on systems like core-domain controllers and Active Directory admin servers. PrintNightmare has received particular attention, as CISA and Cert CC have urged users to act against it. A flaw (CVE-2021-34448) in the Windows Scripting Engine has also received some attention, which can allow an attacker to execute code on a target system by directing the user to a special website. The full guide of Microsoft updates can be found here.

Remote access trojan BIOPASS gives attackers live stream: Compromised gambling sites have allowed hackers a live view of their victims’ computer screens. The attack has targeted online gambling sites in China and was carried out by tampering with the sites’ JavaScript code. A unique feature of this remote access trojan downloads is FFmpeg which is required to record and stream audio and video. The attacker can log into the BIOPASS control panel and watch the feed in real time. Chinese Winnti hacker group is likely behind the attack.

New zero-day attack hits SolarWinds: SolarWinds is facing another vulnerability, unrelated to the infamous attack of 2020. The affected products are its Serv-U Managed File Transfer and Serv-U Secured FTP. Microsoft alerted SolarWinds of the incident which can allow an attacker to install programs and make changes to data. Serv-U users are advised to install the hotfix and the company will publish additional details about the flaw after customers upgrade. The full advisory from SolarWinds can be found here.

Magento e-commerce shoppers targeted by Magecart: A recent attack by some Magecart actors was used on an old version of Magneto that was missing several security patches. Swiped credit card files were uploaded as image files and were available to be downloaded with GET request. Magecart is a very active group in the e-commerce world and has often used innovative tactics to perform their attacks like bulletproof hosting services and different types of web skimmers. Be sure to regularly apply patches to your CMS to protect against this group.

Vendor risk management a must due to COVID-19: The pandemic has pushed many business activities online. With that comes an increase in cyberattacks through third-party relationships. Organizations should understand the importance of ongoing monitoring within a strong and well-developed TPRM platform. A remote working environment also adds another layer of risk to your vendor relationships. When choosing a TPRM program, organizations need to decide what to prioritize, whether that’s time, cost or security. An in-house DIY program might be cost effective, but will likely be time-consuming and put you at risk for human error. Alternatively, choosing a vendor risk management partner can optimize the process of dealing with third-party vendors and their associated risks. Customization and ease of use are worth considering when selecting a vendor risk management solution.

Climate change increasing chemical disaster risks: A troubling new policy brief from three environmental organizations has revealed the ways in which the risk for chemical disasters throughout the U.S. is increasing with the prevalence of natural disasters caused by climate change. Wildfires, flooding and extreme weather are just some of the events that potentially can impact the EPA’s Risk Management Program (RMP) which was created to prevent chemical disasters like leaks and spills. A highlight from the brief shows that 30% of RMP facilities are in areas that are prone to natural disasters like wildfires, floods and hurricanes. The organizations behind the brief are calling the Biden administration to take several actions to combat these risks including strengthening regulatory action and adopting RMP criteria to expand coverage to other areas at risk for natural disasters. ESG has continued to be a hot topic, so be prepared for potential guidelines coming your way.

Liabilities under Germany’s due diligence act: The recently passed German Act on Corporate Due Diligence Obligations in Supply Chains (LkSG) is yet another effort to address environmental, social and governance issues in Europe and global supply chains, specifically as it relates to human rights. The act details due diligence obligations and the administrative offenses that can result from violations. Fines of up to 2% of average worldwide annual sales and a three-year long exclusion from public procurement are two results that organizations can face if they violate these obligations. Another important point states that there is no civil liability established under the act, requiring organizations to act only if they have credible knowledge of a violation. The LkSG law goes into effect January 1, 2023. More details of the act can be found here.

The benefits of rebranding e-discovery vendors: Vendors of electronic discovery (e-discovery) are going through a transformation in the hopes of extending their expertise to data monitoring and privacy compliance. E-discovery refers to the management of electronically stored information (ESI) as it relates to legal investigations. Information governance or content management are broader terms that e-discovery vendors are looking to adopt as they shift to more comprehensive business services and holistic solutions. Ultimately, organizations may see these vendors focus on the two areas of e-discovery and information governance, a natural strategy that results from personnel who are responsible for both managing the information governance and guiding the organization’s e-discovery requirements.

The lifecycle of cybercrime payments: Enquiring minds want to know – how do cybercriminals spend their payouts? Some criminals resort to buying fancy cars, but the more conservative criminals choose to invest back into the world of crime. Ransomware group REvil infamously paid $1 million in bitcoins last year, as an advance payment for recruiting “job applicants." Other criminals may look to purchase various tools like Remote Access Trojan or Remote Code Execution that will enable them to carry out additional attacks. It’s still debatable on whether paying a ransom is worth it, especially if that seems to be the only option. But it’s very interesting to learn where all of that money goes.

Third-party due diligence is lacking during pandemic: Despite the increase in third-party risks during COVID-19, many organizations weren't checking up on their vendors. A new study showed that there was more pressure to increase revenue and profits during the pandemic. And, only 44% or respondents performed formal due diligence checks, a likely result from the focus of quickly creating third-party relationships. Remote working also added to the struggle of properly managing risks. However, the pandemic prompted a few positive organizational changes such as greater collaboration across industries and an increased focus on ESG issues. Advances in more innovative technology also helped to identify and mitigate financial crime.

An account maintenance vendor causes a Morgan Stanley data breach: The Accellion data breach affected Morgan Stanley's vendor, Guidehouse, and exposed personal data like social security numbers, client names and addresses. The vulnerability was patched within 5 days, but attackers were still able to do a decryption key on the encrypted files. There was no evidence that the data was sold online and the vendor has partnered with credit firm Experian to provide free credit monitoring for clients who may have been affected.  

SEC faces pressure to set ESG guidelines: The SEC has long supported debates and discussions around ESG topics, but investors are now looking for more action in the form of regulatory guidelines. ESG reporting in the U.S. is mostly voluntary, leading to some criticism that we’re falling behind compared to the EU. A lack of disclosure guidelines has left many business leaders and asset managers struggling to determine what information to disclose. Some organizations have resorted to building their own ESG disclosure guidelines or relying on third-party providers to make those determinations. As business leaders wait for official SEC guidelines, they can start preparing by focusing on transparency through complete and accurate information. Third-party assurance of specific metrics would also help support ESG reporting.

Due diligence considerations for healthcare lenders: As lenders perform due diligence on medical supply manufacturers, there are special factors to consider, especially with early stage devices. Developing areas like digital health need to be carefully analyzed to ensure understanding of the FDA’s role in approving and regulating the device. Established products that are already on the market still need to be assessed for issues like the inspection history or any FDA warning letters, which can have some effect on the company’s financial performance. Lenders should further inspect any warning letters to determine how the company is resolving the issues which may be related to smaller Good Manufacturing Practice (GMP) requirement failures or more widespread systemic quality problems which can have a larger impact on financials. It may be wise for lenders to implement progress milestones in the credit agreement to ensure that corrective actions have been initiated. Risk-based due diligence is especially critical in the healthcare industry and lenders should take the proper precautions when addressing these issues.

Sophisticated Kaseya ransomware attack transforms cybersecurity: Gone are the days when “zero-day” attacks were only used by nation-states looking to steal secrets. The recent Kaseya cyberattack proved that financially motivated criminals can easily wreak havoc on many organizations. These types of criminal hackers are unlikely to rival government hackers in the U.S., U.K., China or Russia, but can potentially level the playing field of smaller cyber powers like Pakistan and Brazil. Many cybersecurity experts agree that ransomware gangs like REvil could be weakened with the efforts of the Russian government. Additionally, U.S. Cyber Command faces challenges when trying to combat these gangs because the stolen domains used by hackers are closely related to non-criminal operations therefore making it difficult to shut them down legally. Cybercrime will only continue to become more profitable, so it’s up to governments and organizations to stay on top of emerging trends and risks to protect themselves from attacks.

Colorado Privacy Act is signed into law: And, then there were three. Gov. Jared Polis officially signed the Colorado Privacy Act (CPA), making it the third state to enact comprehensive privacy legislation, after California and Virginia. The CPA will apply to any controller that conducts business in Colorado or targets its products and services to Colorado residents and controls the data of over 100,000 individuals in a calendar year. The act defines a consumer as an individual or household Colorado resident and excludes those in a commercial or employment context. Consumers are given six main rights: of access, to correction, to delete, to data portability, to opt-out and to appeal. Controller obligations include concepts like duties of transparency, data minimization and purpose specification. The attorney general and district attorneys will be responsible for enforcement.

The risks of remote desktop protocol: A recent report found that 30% of exposures were the result of remote desktop protocol (RDP). RDP is often used to give IT remove access to resolve issues and has recently become popular within cloud computing as well. RDP is especially risky because an attacker can potentially gain access to the entire system. Compromising a restricted user account just means that the hacker will need to find another vulnerability to change privileges. An important strategy to limit RDP risk is to scan for vulnerabilities and ensure full visibility of all connected devices. Disabling unnecessary RDP is also an effective way to limit exposure. Simply put, IT experts should prioritize RDP configuration to protect against ransomware attackers that will inevitably target your organization.

Recently Added Articles as of July 8

This week, we’re keeping an eye on the recent Kaseya ransomware attack, which is expected to be record breaking. The healthcare industry is also suffering from ransomware incidents and compliance issues. ESG disclosures are continuing to be a priority in Washington and the OCC is making some important changes to its organizational structure. We’re also keeping track of data privacy and security laws, both at the state and international level. Read on to discover the latest news in cybersecurity, risk management and regulations.

Over 1,500 companies affected by Kaseya ransomware attack: The recent ransomware attack on international company Kaseya is shaping up to be one of the largest cybersecurity events of the year. Kaseya remotely controls programs for other companies that manage internet services for businesses, so the impacts of this incident are likely to be far reaching, possibly numbering thousands. Internationally, the attack caused the temporary closure of nearly 800 Swedish grocery stores. The ransomware group, REvil, is believed to be behind the attack, as the encryption software is similar to previous incidents. The U.S. Cybersecurity and Infrastructure Security Agency released a brief notice addressing the attack and has encouraged organizations to review the Kaseya advisory, which includes a software patch. Kaseya is urging its customers to keep virtual system/service administrator (VSA) servers offline until they can safely proceed with restoration activities.

Hacking scheme discovered by Israeli cybersecurity researchers: A global cyberattack launched from 1,300 locations was recently identified by Israeli cybersecurity company Guardicore. The attack targeted organizations across multiple industries, including healthcare, tourism, media, education and government and organizations are mostly located in the U.S., Vietnam and India. Hackers were able to breach servers using Microsoft’s SMB protocol, in which they created a backdoor that allowed them to repeatedly penetrate the servers and sell access on the dark web. The attack was intended to mine digital currency and install Trojan horses to collect information. One interesting finding showed that the hackers were able to disable malware previously placed by other hackers so they could have exclusive use of them.

Structural changes headed for the OCC: The OCC is hoping for better efficiency and effectiveness, and, will therefore be retiring the role of Chief Operating Officer, which is currently held by Blake Paulson. He will move onto the role of Senior Deputy Comptroller for Supervision Risk and Analysis. This change will result in a new structure, where agency bank supervision units and the Office of Management will now report to the head of the agency. Additionally, the Enterprise Risk Management Office and Office of Enterprise Governance and Ombudsman will merge and Senior Deputy Comptroller Larry Hattix will take on the additional role of Chief Risk Officer. These changes will likely go into effect this summer.  

Third-party risk management for manufacturers: As the world begins to recover from the pandemic, manufacturers are struggling to get back on track because of limited and expensive resources. This leads to a growing reliance on third parties which needs to be appropriately managed to ensure business continuity and recovery. Third-party vulnerabilities can ultimately affect an organization’s reputation and bottom line through compliance and contractual issues, not to mention the financial impact of data breaches. There are three key strategies that can enhance an organization’s relationship with its third parties. First, it’s crucial to carefully select third parties through proper due diligence. Included in this strategy is ongoing monitoring to assess new risks, compliance issues and potential violations. Second, organizations should increase efficiency by automated manual processes and centralizing data. The right TPRM software can be optimized to your individual needs. Finally, a TPRM program should ultimately invest in enterprise risk leadership. This strategy allows for a holistic view of risk across an entire organization, rather than segmented in different departments.

Innovation limited by health IT solutions: Health executives are voicing their concerns that current IT solutions like EHR are lacking in customization capabilities and can’t provide sufficient care coordination. Recent research discovered that very few healthcare leaders are satisfied with their current remote patient monitoring and care journey automation technology. There’s a strong desire for a customizable digital solution, but only 16% of organizations have this capability within their EHR systems. These findings come from the recent Lumeon Research Report which also suggests some ideas for improvement, such as automating and digitally sequencing care team tasks around individual patient needs. Healthcare leaders should also combine clinical and administrative teams to coordinate care over the entire organization. The message is clear and it’s now up to IT providers to fill in the gap of desired capabilities.

Data brokers face heavier scrutiny under Nevada privacy law: A new amendment to Nevada’s online privacy law, SB260, will place additional restrictions on “data brokers” and gives consumers more opt out rights. Data brokers are defined as anyone whose main business is “purchasing covered information” from Nevada residents with whom they don’t already have a direct relationship. By law, data brokers are required to establish a designated request address so Nevada consumers can opt out of sales of their covered information and will have 60 days to respond to requests. The expanded opt out rights for consumers allows for the choice to opt out when an operator or data broker makes covered information available for the exchange of money. For companies that do business in Nevada, it’s recommended that they assess whether they qualify as an operator or data broker, as well as establishing a designated request address and a process for verifying and responding to opt-out requests. The new law goes into effect October 1, 2021.

Ohio healthcare employee violates HIPAA for over 10 years: As the saying goes, better late than never! An employee of Aultman Health Foundation in Ohio was promptly terminated after a long running HIPAA violation was brought to light. Over the span of 12 years, the unnamed employee had inappropriate access to over 7,000 patient records including social security numbers and diagnosis and treatment information. There’s no evidence that the EHRs were misused or distributed and Aultman has committed to employ additional measures to protect patient information. They'll also provide free identity theft protection and credit monitoring to affected patients.

REvil ransomware group exposes Las Vegas hospital PII: The University Medical Center of Southern Nevada is the latest victim of hacker group REvil in which personally identifiable information was exposed. Images of passports, social security cards and drivers licenses were all posted online, but has so far not impacted patient care. The hospital is working with local law enforcement, the FBI and cybersecurity experts to identify the origin of the attack. The healthcare industry unfortunately has continued to see an increase in these types of attacks, with Renown Health of Nevada and Hoya Optical Labs recently experiencing incidents.

ESG disclosures takes priority in Washington: Regulation of ESG disclosures are coming soon, so organizations should start preparing. Just this year, there’s been actions from the SEC, President Biden and the House of Representatives to address ESG issues. The 2021 Examination Priorities Report and newly created Climate and ESG Task Force are the efforts made by the SEC, while President Biden released an Executive Order on Climate-Related Financial Risk. There’s also a new ESG Bill on the horizon which will require the SEC to define ESG metrics and implement disclosure requirements. If passed, the SEC will also establish the Sustainable Finance Advisory Committee which will make recommendations on ESG metrics and disclosure details.

Breaking down the basics of ransomware: Many organizations may already understand how ransomware attacks operate in which encryption is usually used to disable a system and withhold data in exchange for payment. However, it’s also important to recognize a more sophisticated attack and understand the unique strategy in responding to them. Sophisticated ransomware attacks are often executed by criminal organizations who employ “ransomware-as-a-service” who have the proper tools, training and infrastructure to carry out a larger quantity of attacks. Furthermore, the “affiliates” of these organizations have different levels of sophistication, making it difficult to gain insight on the damage done by the actors. The use of encryption during an attack can make it impossible to determine how the criminals gained access to a network. Organizations are advised to follow their incident response plans after an attack with a couple added tasks. They should determine the best way to rebuild the impacted system and manage any ongoing extortion risks which can lead to negative publicity. Notifying law enforcement has its benefits as the organization can avoid accusations of intentional concealment while also gaining assistance in recovering a ransom payment that was made. However, organizations should also be aware of the SEC’s guidance on cybersecurity disclosures and whether a ransom payment would violate OFAC sanctions.

What to know about China’s Data Security Law: Multinational organizations will need to prepare for China’s Data Security Law (DSL) which goes into effect September 1, 2021. The new law features more restrictive requirements on data localization and mandatory security level certification. Organizations will also face harsher penalties for the unauthorized foreign transfer of data. A few of the highlights from the DSL include details surrounding “important data” and “national core data." The Chinese government will publish an important data catalogue at the national level and will also create a framework of procedures to determine important data. If an organization processes important data, they will be required to designate a person responsible for managing its security and will also need to carry out periodic risk assessments. National core data is a new category introduced in the DSL and is defined as data related to national security and the national economy or related to important facets of peoples' livelihoods and public interests. Penalties for violating this management system can include severe fines, cancellations of business licenses or criminal punishments. The DSL also contains restrictions on the transfer of data to foreign authorities. Domestic organizations and individuals must obtain approval from government authorities before providing any data stored within China to foreign law enforcement agencies. Some provisions in the DSL only provide a general framework and organizations will need to be aware of implementation rules that have yet to be issued.

Colorado Privacy Act set to become law: Colorado’s legislature officially passed the Colorado Privacy Act (ColoPA) which is expected to go into law on July 8, per the governor’s signature or non-veto. The ColoPA closely mirrors California’s CCPA and CPRA, as well as the Virginia Consumer Data Protection Act and the EU’s GDPR, however there are a few key differences. For example, the ColoPA doesn't exempt non-profit organizations who meet one of its threshold criteria and doesn't create a private right of action. The threshold criteria comes in two parts: the control or process of personal data that surpasses 100,000 in a calendar year or the collection of revenue (or discount on goods and services) from the sale of personal data that surpasses 25,000 consumers. Colorado consumers will also have rights of access, correction, deletion and data portability. Another important distinction is the law’s broader definition of “sale” which isn’t limited to monetary exchange.

Complying with HIPAA Right of Access: Patients can understandably get frustrated when they can’t easily access their medical records, which can lead to practices facing complaints and HIPAA fines. To address this issue, medical practices need to stay informed of the HIPAA Patient Right of Access which stipulates that patients have a level of ownership over their records. Under this law, a patient may request a paper or electronic form of their medical record, change or add any information if something is incorrect or complete, and can request that certain information isn’t shared with other specified parties. In turn, medical practices are legally expected to provide medical and billing records that are maintained by a healthcare provider and any other records that are used by the practice to make decisions about the patient’s health. Patients also have a right to enrollment, payment claims adjudication and case or medical management record systems that are maintained by a health plan. There are some exemptions that a patient isn’t entitled to such as management records that are only used for a practice’s business decisions, psychotherapy notes and information that’s compiled to be used in civil, criminal or administrative actions.

Classified information possibly disclosed by Pentagon official: A top Pentagon official who oversaw a cybersecurity initiative was placed on leave after being suspected of disclosing information form a military intelligence agency. Katie Arrington, the chief information security officer for the Pentagon’s acquisition and sustainment office, was informed that her security clearance was suspended while the investigation was underway. A preliminary decision on the findings of the investigation could mean that she won’t be eligible to access classified information or assignments that are deemed sensitive to national security.

Microsoft breach caused by SolarWinds hackers: A recent Microsoft breach was found to be the work of the hacking group behind the SolarWinds supply chain attack. Microsoft released a statement that describes the activity performed by the Nobelium threat actor. The group used password-spraying and brute-force techniques to gain unauthorized access into a Microsoft employee’s computer. The breach disclosure was published after a reporter enquired about a notification sent to targeted or hacked customers. SolarWinds was careful to keep its distance from this latest incident by emphasizing that this recent breach had no effect on their company or customers. Few details have emerged about the attack so its unknown how long the computer was compromised and whether it was over a Microsoft network or home network.

How organizations can benefit from diverse vendors: Diversity, equity and inclusion (DEI) has been making progress within organizations’ workplaces but is often overlooked in vendor relationships. Minority owned and small or mid-sized organizations can enhance supply chain diversification and add jobs and increase revenue within the U.S. economy. Vendor diversity is one component of corporate social responsibility (CSR) which intends to keep businesses socially accountable in economic, social and environmental areas. Organizations can use local suppliers and encourage or require that their vendors create diversity programs for themselves. Economic, innovative and competitive advantages are just some of the benefits that come from a divers supply chain. However, the benefits don’t come without some challenges. Organizations may see difficulty in finding the right minority-owned vendor that fits their needs in which they can help the vendor meet the standards or partner with councils that can support them. There’s also a lack of accountability within DEI initiatives which can ultimately cause reputational harm if an organization’s actions don’t match its words. To combat this issue, the U.S. SBA has provided some rules and regulations related to governmental standards.

Leaked cloud data highlights third-party risk: Almost 1,000 Mercedes-Benz customers were affected in a recent cloud storage leak which could have been prevented through better protection of its cloud databases. Cybercriminals often have easy access to private data when it’s accidentally left available on a vendor’s cloud storage platform. Companies need to carefully monitor how their third parties manage their data with cloud platforms and ensure that they have enabled the proper security for cloud storage buckets. One solution is to utilize third-party security solutions that are specifically designed for multi-cloud environments. Preventative measures and a zero trust approach are also important, in addition to a response based assumption that your system has already been attacked. The incident with Mercedes didn’t show any evidence of maliciously misused files, but did disclose personal information like social security numbers, credit card information and birth dates.

Biden administration takes on white-collar criminals: While the Trump administration had a heavier focus on immigration, opioids, violent crime and national security, the Biden administration is expected to take a closer look at white-collar crime like Wall Street and environmental fraud. Two partners from V&E’s Government Investigations and White-Collar Defense practice recently gave an inside perspective on what to expect on potential government investigations and prosecutions. Attorney General Merrick Garland promised to pursue enforcement of the Foreign Corrupt Practices Act and other anti-corruption laws and Deputy Attorney General Lisa Monaco will prioritize the equal application and protection of the law as it relates to everything from consumer protection and fighting environmental degradation. There’s been an increase of probing requests from the DOJ, SEC, FTC and other agencies, as well as congressional investigations in the environmental and energy regulatory areas. Environmental rules and pandemic-related fraud are also expected to be a major focus of regulators. Organizations should make sure to obtain experienced counsel and implement at appropriate compliance pan to safeguard against enforcement activity.

Beware of these health app privacy risks: A recent analysis of over 20,000 mobile health apps revealed that 88% had the ability to collect user data, with most involving third-party providers. Only 47% complied with the app’s privacy polices and 28% of the apps didn’t provide a policy at all. The apps analyzed were available in the Australian Google Play store but most were also available in Europe and the U.S. Much of the data included user location, contact information and identifiers such as fingerprint ID and media access control. Health and fitness apps were more likely than medical apps to collect and share user data and the most common third parties used were Google Analytics and Google Ads. What’s most concerning about these findings is the lack of transparency within the apps’ privacy policy. Patients and clinicians should make an effort to better understand the privacy risks to protect against potential security incidents.

VHA faces compliance issues related to veterans' EHRs: The Veterans Health Administration (VHA) hasn’t been compliant with non-VA medical records, according to a recent Office of Inspector General (OIG) audit. The OIG discovered that six or seven VHA medical facilities didn’t always properly input non-VA medical records into patients’ EHRs, with errors in 44% of cases. The errors included incorrect document titles, duplicate records and indexing mistakes to the wrong care referral or patient. The VHA facilities also lacked standard operating procedures for the integration of non-VA records into EHRs. Additionally, the staff often lacked proper health IT training and all seven facilities were not abiding by VHA regulations related to quality checks of the documents they scan. Standard procedures and adequate IT training are the simple remedies for the integration issues that are facing the VHA.

Cybersecurity best practices and HIPAA compliance from CSA: A recent publication from Cloud Security Alliance (CSA) provides helpful guidelines on topics like HIPAA compliance, cybersecurity and telehealth risk management. It also includes some cybersecurity best practices for all things data including use, storage and sharing so healthcare delivery organizations (HDOs) can prioritize telehealth security. HDOs are advised to establish a governance program for telehealth management to maintain stakeholder expectations and compliance, while also improving quality of care. CSA also details an Information Governance Framework which includes strategies, policies procedures and guidelines that HDOs can use as a template for creating their own framework. The paper emphasizes the importance of data lifecycle management because of the devaluation of data over time and consistency of costs and security risks. HIPAA privacy regulations are another popular topic in the paper, which states that guidelines should incorporate the three critical roles of recipient, controller and processor. Telehealth has increased in popularity during the pandemic so organizations have a responsibility to protect personal data.

Final contractual clause addresses EU transfer of data: The final Implementing Decision on standard contractual clauses (New SCCs) has been released by the European Commission which details the guidelines of transferring EU personal data to “third countries” like the U.S. There are a few key highlights of the New SCCs which will repeal and replace the existing SCCs dated between 2001 and 2010 and will address the requirements of the GDPR. Most notable for U.S. organizations, the New SCCs will consider use by non-EU data exporters to be subject to the GDPR, specifically Article 3(2). Other details include clauses for processor-to-processor and processor-to-controller transfers the SCCs facilitation of multi-party use with an optional “docking” clause. It also includes requirements for additional transparency and notification controls that cover government access requests and a mandatory assessment of the laws of the third country to ensure that the local law doesn’t prevent compliance with the terms in the SCCs. Data importers acting as controllers will especially need to be mindful of the New SCCs, which will likely require considerable effort for those who aren’t already subject to GDPR.

Recently Added Articles as of July 1

As we head into July, ESG issues are making headlines, along with deadlines for CCPA compliance and SEC SolarWinds disclosures. The Data Protection Act gets a second chance, and a new biometric ID law goes into effect in NYC. Compliance in general is also a hot topic this week, both with third-party insurance requirements and forced labor within supply chains. Read on to discover what else is trending this week in third-party risk management.

Microsoft tricked with rootkit malware: A driver with the name Netfilter is responsible for a recent malicious rootkit. The actor appears to target gaming environments so users can play from anywhere. Microsoft named the malware Retliften, simply Netfilter in reverse and stated that the driver is capable of intercepting network traffic, adding new root certificates establishing a new proxy server and modifying internet settings without the user’s consent. It’s interesting to note that the driver was submitted for certification through the Windows Hardware Compatibility program and was built by a third party. Understandably, the account has been suspended and is now being reviewed for additional malware.

700 million LinkedIn records for sale by hackers: A hacker is potentially selling 700 million LinkedIn records that were possibly obtained by scraping public profiles. This comes after another sale of 500 million records back in April. Records include names, genders, email addresses and phone numbers. LinkedIn is investigating the incident but has claimed this wasn’t a data breach and no private LinkedIn member data was exposed. It’s common for hackers to use this type of data in phishing emails or to extort ransom. Users are advised to update their passwords and enable two-factor authentication.

Banks should start preparing for ESG reporting standards: It’s only a matter of time before the federal government implements disclosure requirements of environmental, social and governance (ESG) risks for public companies. The climate crisis has prompted investors and management to evaluate their company’s environmental impact and its ability to manage these risks. Lenders will be challenged with understanding these issues and ensuring that borrowers are accurately disclosing their own ESG risks. One big issue from ESG frameworks comes from a lack of consistency and comparability which prevents most organizations from fully understanding the strategies to mitigate these risks. Leading the way in regulation is the SEC who is considering required climate disclosures. Wise business leaders should begin voluntarily addressing ESG criteria now, before facing the pressure of regulators.

Hacking ATMS with contactless card readers: Touchless technology is often meant to make life easier and simpler but at what cost? A security researcher and consultant recently discovered a new strategy of hacking into ATMs and other point-of-sale (POS) systems without getting his hands dirty. All it took was a wave of his phone over the contactless card reader and he was in, free to collect credit card data change transactions and even lock devices. He was even able to force one brand of ATMs to dispense cash but declined to identify it publicly. Vulnerabilities have long existed on ATMs and POS systems, with inconsistent patching putting them at risk for security incidents. Here’s to hoping that these experiments will bring these issues to light.

July 1 deadline for CCPA metrics compliance: Businesses that know or “reasonably should know” that it buys, sells or shares personal information of 10 million plus CA residents per year will be required to compile and publish a set of metrics. These numbers should reflect the requests to know, delete and opt-out, as well as median or mean number of days in which the business responded to the requests. The business may choose to report the number of requests that were denied because of inability to verify or because it wasn’t made by a consumer. They can also deny the request if the information is exempt from disclosure.

How to build a strong foundation for your compliance program: The 2020 Update by the DOJ outlines a wide range of topics that should be implemented within a compliance program to ensure proper third-party management. Organizations should consider appropriate controls and how to manage its vendor relationships. This can include monitoring, auditing and incentivizing compliance. Auditing should include several components such as policies and procedures, compliance risks, regulatory issues and government interactions. It’s also important to provide consequences for failing due diligence processes and fourth parties should be monitored to ensure they meet compliance.

Compliance for Chinese cotton suppliers: Compliance issues are continuing to challenge supply chain leaders, especially when much of the world’s cotton supply comes from a single region in China. The U.S. has already banned cotton importation from the Xinjiang region of China, after concerns about Beijing’s labor policies towards minority groups. In recent years, governments have begun to address these issues through legislation such as the California Transparency in Supply Chains Act and the U.K. Modern Slavery Act which include disclosure requirements regarding how organizations are preventing forced labor in their supply chains. Importing goods produced with forced labor is prohibited under U.S. federal law and many importers have faced supply chain disruptions if the Customers and Border Protection finds reason to issue a withhold release order which investigates allegations of forced labor. Addressing these issues can cause widespread impacts, as many companies have already seen. Taking a public and opposing stance on the import of products from Xinjiang has often led to boycotts and backlash in China, but adhering to compliance programs should be the priority.

Senator pushes for Data Protection Agency: The revised Data Protection Act of 2021 has been reintroduced by Senator Gillibrand with the expectation that it will lead to the formation of the Data Protection Agency, an independent federal agency. The revisions to the bill include updated conditions that protect privacy, watch over “high-risk data practices” and assess data collection as it relates to social, ethical and economic concerns. The new agency would have three missions aimed towards providing individual control of data, fair competition and optimizing the U.S. government for the digital age. It would also be responsible for data aggregators, including their supervision and maintenance of a public list, as well as FTC reporting of mergers that involve large data aggregators.

Applying Section 1782 to the GDPR: The expanding use of Section 1782 has led many to wonder how it can be applied to the EU’s General Data Protection Regulation. US courts have already established the requirement of entities producing documents in response to a Section 1882 subpoena, regardless of whether they’re subject to the GDPR. However, there’s still some variations on whether to try to reduce the burden on the responding party, with courts making differing decisions on whether to protect the parties. It’s advised that parties who are seeking discovery should be prepared to explain if their subpoenas involve the GDPR and outline the potential financial burden on the responding party as a result of compliance.

Third-party vendors failing to comply with insurance requirements: A troubling new report from insurance verification service provider Evident revealed that 75% of third-party vendors do not comply with enterprise insurance requirements. The average company has only verified 25% of their third parties which increases the risk of losses from under or uninsured partners. These shortcomings are caused by a variety of factors including complicated processes, high cost of compliance and complex requirements. Evident’s report details a few ideas on how to address these issues.

Companies want legal protection from climate risk reporting: The SEC has received widespread support for regulating climate reporting, but many companies don’t want the legal risks that come from public exposure. Underdeveloped accounting rules and risk data should allow for safe harbor, according to some corporations and trade groups like Google, Amazon and the U.S. Chamber of Commerce. Pension funds and other institutional shareholders are pushing for climate disclosures to be included in financial filings, while asset managers and other opposers insist that this isn’t necessary because of the nature of ESG data. While a Form 10-K looks at previous data, climate change risk can be more forward thinking and speculative.

Companies try to eliminate cyber risk with limited outsourcing: A large list of outside vendors can often mean an increase in an organization’s cybersecurity risk. Some companies try to mitigate this risk by reducing the quantity of vendors in their operations but is this always the best solution? Some cyber risk experts believe that companies will ultimately look at their vendor list in terms of their bottom line, rather than the security of their system. But too much focus on the number of vendors doesn’t always equal a more secure environment. After all, a cybersecurity incident can be caused by just a single unsecure vendor. Certifications from the National Institute of Standards and Technology (NIST) can often provide some assurance in cybersecurity protection, but companies can also utilize e-discovery technology to centralize sensitive corporate data in a single safe place. This can be a better solution to sending data back and forth to multiple parties.

Next steps after authentication vendor acquisition: Vendor acquisitions aren’t uncommon but there are a few special considerations when you’re dealing with an auth vendor. Make sure to review your contract to prepare for any possible changes. You’ll also need to determine how your business solutions integrate with the auth vendor’s services. Consider things like adherence to standard auth protocols and how many apps are currently using the vendor. Connect with your account manager and try to negotiate a long-term contract which offers a level of stability. It’s also a good idea to evaluate the possibility of switching vendors and how this acquisition will affect current or planned projects.

More info on McDonald’s data breach: The recent data breach that hit McDonald’s was discovered after the company had hired consultants to investigate unauthorized activity on its internal security system. The breach some contact information about U.S. employees and franchisees, but no customer information. However, customers in Taiwan and South Korea weren’t as lucky. Emails, phone numbers and addresses were stolen in these two countries. McDonald’s has advised employees and franchisees to beware of phishing attacks as a result of this incident.

Biometric ID law to take effect in NYC: Restaurants, retail stores and entertainment facilities in NYC will soon need to comply with New York City’s Biometric Identifier Information Law, which goes into effect July 9. Under the law, there’s a broad prohibition of the sale or exchange of biometric information which includes retina or iris scans, fingerprints or voiceprints, hand or face scans, or any other identifying characteristic. Government agencies, employees and agents are exempt from the law, as are financial institutions if they don’t use analytic software on CCTV photos or images. They also cannot sell or exchange the images, outside of law enforcement. The law permits private right of action of up to $500 for violations related to notices or negligence and $5,000 for intentional violations of selling or sharing data.

SEC grants amnesty for voluntary SolarWinds disclosures: The deadline is fast approaching for organizations to provide information to the SEC related to the SolarWinds cyberattack. Apart from “extenuating circumstances”, companies must provide the information by July 1, 2021 or risk enforcement actions and heightened penalties if the SEC discovers violations related to disclosure or prevention/remediation. However, amnesty will be given to companies who voluntarily disclose how they were impacted by the cyberattack and any remedial actions that were implemented as a response.

Misinformation in critical fields: Misinformation is rampant across social media, with some platforms issuing warnings to its users. This can be particularly harmful in scientific or technical industries like cybersecurity or public safety and health. Even more concerning is the idea of artificial intelligence with the capability of creating this misinformation that can mislead experts. These AI systems are referred to as transformers and have been used by Google and other tech companies to assist with tasks like translating and improving search engines. However, this technology can easily be manipulated by those wishing to do harm. A recent experiment by University of Maryland, Baltimore county students used a phrase of a real cyberthreat sample and used AI to generate the rest of the description. This example was given to cyberthreat experts who were ultimately fooled by the generated misinformation. It’s ultimately the responsibility of each individual to practice vigilance surrounding credible information.

Understand how your third-party risk management program can enable your organization's strategies. Download the eBook.