July 2022 Vendor Management News

Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of July 28

This week brings headlines in cyberattacks, updated regulations, and the importance of automation tools for vendor management. Read the articles below to stay up-to-date.

No More Ransom celebrates sixth anniversary: Originally created in a partnership of law enforcement and information technology security companies, No More Ransom has grown exponentially over the years and celebrates its sixth anniversary. It seeks to help victims of ransomware recover their files, allow easy access for people to report cybersecurity attacks, and inform people on the dangers of cyberattacks.

Experts identify cyberattacks in compromised code: Experts have identified a strategy used by hackers, in which cyber criminals have hidden harmful files in code that can be difficult to detect or decipher. In order to combat these techniques, experts have developed software that is trained to identify the harmful code.

Understanding CPPA’s goals and updated regulations: This month, the California Privacy Protection Agency began amending the regulations as part of the California Privacy Protection Rights Act. Several of the key points for the new rules would include data minimization, which requires businesses to use customers’ data in ways that are necessary to the reason it was collected, as well as requiring companies to follow a method of ensuring that customers have autonomy when giving consent for companies to use their personal data.

The importance of automation tools for healthcare organizations: Does your healthcare organization use automated vendor payment tools? If not, it may be time to take it into consideration! As vendor relationships and outsourced services have taken on more importance for healthcare organizations, automated payment tools can be helpful to ensuring that there is increased transparency, faster rates of invoice approvals, and a more seamless hybrid environment. Put together, this will continue to improve relationships with your vendors and eliminate inefficient processes.

What are the emerging GRC trends?: As cross-industry priorities have shifted to address emerging concerns regarding cybersecurity, supply chain difficulties, and financial stressors, it's important to take governance, risk, and compliance (GRC) strategies into account. A few questions to consider include: how does your organization adapt to evolving risks? Does your organization have an effective third-party risk management process? Is your organization prepared to follow ESG goals and compliance?

Cybersecurity industry grows exponentially: All the recent news of cyberattacks may scare you – but hope is not lost! Over the past several years, cybersecurity companies have continued to invest into growing the industry and creating more effective products and services that will protect your organization’s sensitive information. With the emerging develops and research underway, the providers need trained professionals to hold key positions and enhance complex systems.

NIST updates healthcare cybersecurity guidance publication: The National Institute of Standards and Technology (NIST) has issued updates to its healthcare cybersecurity publication as well as its HIPAA Security Rule, which offers guidance on how healthcare organizations can protect sensitive data. In a recent press release, NIST experts commented that the updated publication should serve as guidance for healthcare organizations to learn how to comply with HIPAA regulations and identify any weaknesses in these organizations.

Third-party risk management strategies alleviate regulatory strains: Keeping up with updated regulatory standards, from ESG goals to cybersecurity reporting compliance, can give you a massive headache. However, this article breaks down the relationship between the SEC’s recently updated rules regarding cybersecurity governance and ESG strategies. By maintaining an effective and efficient third-party risk management program, you can find more peace of mind by managing compliance and mitigating risk.

Number of cyberattacks reached new levels in 2021: Recent studies have found that while the number of CVEs declined by nearly 10% in 2021, the number of cyberattacks has gone up significantly. This data highlights how aggressive cyberattacks can be, and how important it is, even more than ever, to protect your organization from weaknesses that could leave your sensitive data vulnerable.

TSA releases requirements for oil and gas companies to improve cybersecurity: In its efforts to improve cybersecurity measures in the oil and gas industry, the TSA has announced several new regulations. These include requiring operators to create incident response plans as well as long-term assessments to measure the performance and effectiveness of cybersecurity tools. Overall, these regulations are meant to offer guidance to companies across the supply chain and ensure that cybersecurity remains an ongoing priority.

Leaked password exposes vulnerabilities: Last week, Atlassian highlighted that there are several weaknesses in its products, such as CVE-2022-26138, which resulted from a hardcoded password. Since revealing the vulnerabilities, Atlassian has provided ways for people to find out if their system may be vulnerable as well as patches to secure the systems.

Understanding Congress’ proposed privacy bill: Did you know that Congress is currently working on a new privacy bill? To highlight several key points, the American Data Privacy and Protection Act proposes several regulations that would, if passed, create clear limitations on how a company could use consumer data. Alongside its data minimization clauses, the bill also seeks to include provisions like  transparency rules and cybersecurity requirements.

Changes to CCPA offers consumers the ability to control data use: Early next year, changes will be implemented to California’s Consumer Privacy Act, which seeks to give consumers greater control over how companies use their personal information. While these protections only affect consumers based in California, many other states have also started to implement privacy laws.

National Credit Union Administration (NCUA) Board approved cybersecurity items: In a recent webinar, the NCUA Board approved a final rule that will adjust the supervisory requirements for all credit unions with assets above $10 million. In addition, the NUCA Board also approved a proposal that would require any federally issued credit union to notify the NUCA within 72 hours of a suspected cyberattack.

Experts identify new malware threat: Experts have recently identified a Linux malware which could give hackers the ability to infiltrate systems and enact a range of commands. Learn more about the malware in this article. 

New guidance for third-party risk management in healthcare organizations: Do you need some direction in how to integrate third-party risk management procedures in your healthcare organization? Well, the Cloud Security Alliance recently released a report, Third-Party Vendor Risk Management in Healthcare, which offers a deeper understanding of why third-party risk management is so important, the different types of risks that your vendors can pose, and how you can mitigate these risks.

Companies are looking to consolidate cybersecurity vendors: Recent studies have found that there is a current push in organizations who are looking to consolidate their information security vendors. This appears to be a result of the difficulties associated with managing an assortment of vendors and cybersecurity vendors who provide open standards are more likely prepared to handle this shift.

How to prepare your organization for issues in the supply chain: As the supply chain continues to face issues, such as market volatility and shipment challenges, it has become necessary to learn the best ways to prepare for potential obstacles. You should learn how to identify the ways that critical vendors affect your organization, create an effective third-party risk management program to mitigate risks associated to your vendors, and analyze how issues such as supply chain disruptions, natural disasters, or transportation delays might impact your organization.

Integrating AI into your third-party risk management: As artificial intelligence continues to become a fixture of our day-to-day lives as well as businesses, it's becoming necessary for companies to utilize AI or risk falling behind in advancements. However, it's also important to understand the risks that may be present in an AI provider by conducting cybersecurity assessments, understanding how sensitive data is used, and creating a recovery plan in case of data breaches.

Recently Added Articles as of July 21

This week is packed with important news. From cyberattacks to managing third-party risk, and fake cryptocurrency, this week has it all! Check out the articles below to stay on top of the latest in the industry.

House of Representatives passes major $840 billion defense policy bill: In a bill passed by the House of Representatives, Congress has made provisions to improve cybersecurity for key infrastructure. In response to recent events, which make the cybersecurity of critical infrastructure a priority for lawmakers, the bill seeks to protect American assets and increase overall awareness to the dangers of cyberattacks.

Cyberattacks target Macs and steal sensitive information: Researchers identified malware that has the capabilities of bypassing security software on Mac devices and gives hackers access to data and sensitive information on the device. Thankfully, however, Apple put a patch into place two years ago, which protects users from this type of breach on Macs.

Understanding risks in the supply chain: The past several years have illuminated many of the pitfalls and risks associated with the supply chain. As experts predict that there will be issues in the supply chain into the future, it's necessary to ensure that your organization is adaptable to disruptions and is monitoring your suppliers to protect against severe risks that could damage your reputation and production. Best practices include monitoring your suppliers’ compliance to regulations, their commitment to sustainability, and how often they review health and safety standards.

How to effectively manage your third-party risk: Every third-party risk management program has to start from the basics. Whether you’re just starting your program or are looking for a few tricks to making your program more effective, you need to understand the risks that your vendors pose your organization and how to mitigate the risks. By assessing inherent risk, managing your critical vendors, considering residual risk and how often to assess your vendors, and utilizing external risk ratings, you'll strengthen your third-party risk management strategy.

What you need to know about the SEC’s proposals on cybersecurity: In early 2022, the Securities and Exchange Commission (SEC) proposed several rules related to cybersecurity issues. These proposals call for public companies to increase visibility for investors to have a better understanding of cybersecurity issues. Even if your organization isn't a public company, you should still take these proposals into consideration when determining the ways you identify and determine risks as well as the roles of senior management and corporate leaders in introducing preventive measures.

Hackers create fake cryptocurrency apps to trick investors: The FBI has recently identified cyber criminals who are using fraudulent cryptocurrency programs to steal over $42.7 million from over 200 victims. As cyberattacks seem to be more common every day and target victims, it has become more evidenced than ever how important cybersecurity really is to protect your personal and company data.

Juniper Networks addresses product vulnerabilities: Juniper Networks recently released several security updates to fix vulnerabilities in its systems that could have been exploited by cyber criminals. These potential vulnerabilities have been fixed with the release of the software updates across several products.

How to mitigate supply chain risk: As technology evolves, organizations are finding that vendors and their suppliers may pose significant risk to their sensitive data. To maintain best practices, experts suggest performing internal and third-party risk management assessments and due diligence. Organizations should work with their vendors to ensure that there are cybersecurity plans in place to protect from breaches while also remaining vigilant with how data is shared and accessed.

Using third-party risk management to protect from corruption risks: In 2020, regulations established that in cases of corporate corruption your organization could be held liable for bribery conducted by your third-party vendors in favor of your organization. Just as you should be using your third-party risk management strategies to protect against data breaches, you should also safeguard your organization from corporate corruption. By creating policies against bribery, performing due diligence, and managing your significant investments, you'll effectively mitigate the risks.

Reasons to perform ongoing due diligence with your vendor: If you have been using a vendor for a long time, it might be easy to fall into a comfort zone and neglect to monitor the vendor on a regular basis. However, regardless of how long you have worked with the vendor, it's important to track the vendor’s performance and any changes which might affect the vendor’s performance or services. To receive the best value from your vendors and to maintain a healthy relationship, perform ongoing vendor due diligence.

Managing your vendors’ cybersecurity risks: With more organizations facing data breaches every week, cybersecurity should be a top priority. Third and fourth-party vendors pose hidden risks to organizations, so it's necessary to take the steps to safeguard your organization. By creating a clear plan for your best practices, setting the standards for your vendors, and performing a thorough risk assessment, you can determine where the vulnerabilities lie and how to address them.

Hackers threaten over 10,000 organizations: Microsoft announced that over 10,000 companies were at risk from a phishing attack in September of 2021 as a result of a weakness in the Office 365 authentication process. During the phishing attacks, the hackers attached malware in emails to gain access into accounts. This is yet another warning for many companies to improve cybersecurity training for employees so that staff can identify phishing attempts and protect the organization.

Recently Added Articles as of July 14

This week, the importance of vetting vendors comes to the forefront of our minds. Hackers still working relentlessly to steal personal data and ensuring your employees are aware of phishing tactics. Read the articles below to stay up-to-date.

Deciding how long  your contract with a vendor should be: When negotiating a contract with a vendor, it's difficult to determine the contract length that is right for you. With the constant evolution of tools, skills and policies, the needs of your organization and the vendors that can help you change as well. In order to receive the best value for your organization, and determine how long you should commit to a vendor, you should consider several factors including pricing, how the service is expected to keep up with innovations in the market and whether another one of your vendors might soon provide the same service.

The basics of collaborating with vendors: As a result of the many challenges to the supply chain including material shortages, the pandemic, climate change and inflation, many companies are looking for ways to improve their collaboration with suppliers. By setting realistic goals, establishing what’s most important to stakeholders, making your expectations clear and making your suppliers a key asset, you can improve your supplier collaboration and deliver better insights to the supply chain.

Understanding greenwashing lawsuits and ESG certifications: Though many companies have started to market their ESG efforts by labeling products with third-party certifications, they may have made themselves vulnerable to greenwashing lawsuits. In these lawsuits, the company will be accused of misrepresenting ESG practices or relying on a third party that doesn't properly evaluate business practices, which would fall under federal claims of false advertising, fraud and unfair trade. To ensure that you don't become a victim, you should analyze the FTC's Green Guides, vet the third party’s processes and have independent evidence that will substantiate your certification so that you don't rely solely on the third party.

Hackers impersonate cybersecurity companies: CrowdStrike, a cybersecurity company, has detailed a recent phishing campaign in which cyber criminals pose as cybersecurity companies and encourage victims to call a fake helpline. If the victim responds, the cyber criminals will hack into their network. CrowdStrike has described these attacks as “callback phishing,” and is the first identified campaign in which cyber criminals are impersonating cybersecurity companies.

How to assess a potential vendor: Choosing a new vendor or supplier is difficult. So, when evaluating whether you should pursue a relationship with a supplier, you should ask yourself the following questions: Does the supplier have a supplier or are they a single source? How much is the cost of ownership to work with other suppliers? Is the supplier invested into technology that will improve efficiency? Finally, do you share the same goals and values as the supplier? The answers to these questions are important to making your decision.

The importance of PAM (privileged access management) to protect your organization: During a recent Becker’s Hospital Review webinar, leaders across the technology, healthcare and security sectors engaged in conversations regarding the importance of cybersecurity and differentiated privileged access management (PAM). In order to combat cybersecurity threats, the experts suggest building a priority matrix and focusing on addressing security deficits to protect the organization’s important data and integrating a third-party access solution within a centralized PAM strategy.

Amazon is determined as a seller in New Jersey and held liable for third-party product: Recently, the United States District Court for the District of New Jersey found that Amazon could be held liable for damages that are caused by products sold through its website. The court case determined that Amazon can be held liable in New Jersey in instances when the third-party vendor that sold the product through Amazon’s online marketplace is not subject to jurisdiction.

Cyberattack costs company $540 million: Does your organization train its employees to identify phishing attempts? A senior engineer at Axie Infinity downloaded a fake offer document after applying to a fraudulent job. The fake document downloaded malware, which went on to breach the network and allowed the hackers to steal $540 million. As cyber criminals continue to launch campaigns to hack into personal data, let this serve as a reminder to train employees on the dangers of phishing and cyberattacks and how to identify these attacks.

How to navigate and identify deficiencies in the supply chain: How can your business navigate disruptions in the supply chain? While many consumers call for transparency in product suppliers and legislators introduce regulatory acts designed to hold brands and retailers responsible for their roles in unethically sourced products and climate change, businesses need to be agile and find alternative solutions to issues in production. By maintaining supply chain visibility, businesses can address problems before an issue arises, identify inefficiencies and maintain production.

Cyber criminals exploiting weakness: It has been announced that hackers have been able to exploit a weakness in Microsoft Office, known as CVE-2022-30190. Thankfully, Microsoft has stated that it is working to improve and has defaulted to disable the feature causing the weakness.

An overview of OFAC sanctions and investigations: In its efforts to mitigate the risks to national security, the Office of Foreign Assets (OFAC) and other regulatory authorities continue enforcing economic sanctions and overseeing global exports. However, OFAC’s sanctions have led to parties taking extra measures to use deceptive tactics to evade regulations that are more difficult to investigate. This article outlines OFAC’s various sanctions from around the world and provides best practices guidelines as well as explains the forensic perspective that play a key role in investigations.

Understanding the importance of third-party risk: What is a third party? What risks are associated with third parties? How can you secure your business from these risks? As more organizations turn to third parties for their services, understanding the basics of third-party risk management is an important step to protecting your business. An attack on your third party can have significant and long-lasting impacts on your business, so it's important to understand who your vendors are, the risks associated with your vendors and how you can safeguard your business.

Prepare your teams for external challenges: As we all know, the COVID-19 pandemic challenged many organizations to make changes to the ways they interacted with customers and suppliers, what their business offered and where their personnel could work from. With a potential economic downturn ahead, many organizations have created plans to become more proactive against external events.

Adding an additional supplier to your organization: While facing challenges in the supply chain, you may want to add an additional supplier to overcome obstacles such as supply shortages and production rates. However, when selecting a new supplier, you should consider factors such as the supplier’s financial health, supplier base, adaptability, a global presence, focus on technology and goals for sustainability.

Manage risk by vetting third parties: How do you decide which vendors and suppliers are right for your organization? By performing due diligence on your vendors, you can reduce your overall risk by identifying any weaknesses that might be present before you enter a business relationship. Be sure to look out for any security incidents, low customer satisfaction, poor financial health or unsatisfactory product quality, as your relationship with your vendor will reflect on your organization.

Recently Added Articles as of July 7

There’s a lot of news to be aware of this week. We learn about industry attacks, new methods of social engineering, data privacy concerns, vendor consolidation and more. Be sure to check out all of the newsworthy articles below.

Uncovering anonymized ransomware sites: Ransomware attackers always take various measures to obscure their true identity. One of those ways is relying on the dark web. However, cybersecurity firms are problem solving and finding ways to discover “public IP addresses hosting the same threat actor infrastructure as those on the dark web." These include TLS certificate matching and checking the favicons associated with the darknet websites compared to the public internet using web crawlers.

Malicious NPM attacks stealing data: It seems that data attacks are constant these days, and a recent software supply chain attack is another example. Per this informative article, “The coordinated attack, dubbed IconBurst by ReversingLabs, involves no fewer than two dozen NPM packages that include obfuscated JavaScript, which comes with malicious code to harvest sensitive data from forms embedded downstream mobile applications and websites.” This appears to be an aggressive approach and a list of some of the most downloaded malicious modules is included.

Chinese tech firms to ban cryptocurrencies: It was recently shared that a couple of Chinese tech firms signed an initiative to ban cryptocurrency and digital collectibles (NFTs). This supports an initiative for tech firms not to create a centralized marketplace for bidding, matching or anonymous NFT trading.

High-security zero-day vulnerability: Google announced a vulnerability in its Chrome web browser known as CVE-2022-2294. What should you do next? It’s recommended to update to version 103.0.5060.114 for Windows, macOS and Linux, and 103.0.5060.71 for Android to reduce potential threats.

Understanding the EU’s Digital Operational Resilience Act (DORA): DORA’s goal is to improve standards in the financial sector as well as standards for any companies that indirectly work with the financial sector. Organizations in the industry tend to be slow to react to cyber threats, and other similar attacks, but with DORA this should improve. Also, DORA says organizations should address “any reasonably identifiable" IT risks, meaning address cyber events without delay. Learn more about DORA and the benefits in the article.

Employee steals vulnerability reports: Are you and your vendors keeping an eye on employees and what they’re accessing? A lesson learned for one company recently when an employee stole vulnerability reports and disclosed the reports to customers, all for a personal financial gain. The company reacted quickly, remotely locking the employee’s laptop and terminating their access within 24 hours of discovering the threat.

Vendor consolidation and its advantages: If you’re like most organizations, you partner with many third-party vendors to provide products and services. That can be a lot to manage, which is why vendor consolidation is becoming increasingly important. This means working with one vendor to connect services. For example, if you have vendors who supply office products, manage your IT and provide software or service your printers, one vendor who can manage all of these services can create cost efficiencies, give you a single point of contact for requests and lead to improved organizational performance.

Stealing data through interview fraud: Social engineering is evolving in business settings, especially given the increase in remote work. It’s called deepfake employment interviews. The criminals are able to use a fake persona to steal data. They use deepfake videos and stolen personal data to misrepresent who they are in interviews for remote positions. What is a quick giveaway that the person isn’t who they’re pretending to be? If their actions or lip movements don’t completely align with their words! CISOs feel this is a valid concern and want you to be on the lookout.

Cyberattack leads to unemployment delays: A software company experienced a cyberattack which trickled down to labor and workforce agencies, causing delays in unemployment benefits and job-seeking programs’ services to be halted. Third-party specialists are researching the incident to ensure it doesn’t happen twice and are currently leaning towards it being the result of a ransomware attack. A big takeaway from this incident is the importance of third-party risk management programs within organizations. This will help you verify your third-party vendors are managing systems and data properly.

Data privacy concerns are under consideration: Shortly after the Supreme Court overthrew Roe vs. Wade, the Biden administration began reviewing patient privacy concerns. New healthcare privacy guidance would clarify the terms around a clinic’s authority to withhold a patient’s abortion information from third parties and law enforcement. While this can get tricky, the U.S. Health and Human Services (HHS) says patient privacy is a top priority! According to Kate Borten, President of Privacy and Security Consultancy at The Marblehead Group, “What is left unsaid in the guidance is that affected covered entities and business associates should now review their privacy policies and procedures to ensure compliance, and then follow up with workforce training and reminders."

Barclays fined $2.8 million: FINRA fined Barclays $2.8 million for non-compliance with customer confirmation and related supervision rules. According to FINRA, Barclays violated the rules since 2008 as it sent customers incorrect disclosures of execution capacity, customer price, market center of execution and the trade execution price. Pay attention to regulations you need to comply with. Fines can be steep!

Options Clearing Corporation (OCC) recognized as Tier 1 Third-Country Central Counterparty: The OCC is the world’s largest equity derivatives clearing organization and was recently recognized as a Tier 1 Third-Country Central Counterparty under Article 25 of the European Market Infrastructure Regulation (EMIR). The OCC shares that this recognition is a tremendous milestone.

Projects and managing the risks included: Let’s face it… while working on a project, there are risks posed every day, such as staffing issues, unforeseen vendor issues, unpredictable problems and more. A good project manager should be able to manage and tolerate those risks. There are some ways you can manage the elements of risk, one being vendor issues. For example, if the project is vendor dependent and they’re unresponsive, a way to escalate the issue to try and avoid further risk is to notify upper management. Bottom line though? Always remain calm, cool and collected as that’ll help tremendously!

Managing supplier risk and performance in today’s economy: We’re living in uncertain times and managing supplier risk and performance is more important than ever. To do so, full visibility across your suppliers is crucial. Some steps to take to accomplish this include knowing what you want to accomplish with your supplier management program, gaining executive buy-in, a plan to gather complete information on all suppliers, segmenting your suppliers into relevant groups, good communication with suppliers, proper onboarding and implementing a monitoring program.

Overview of risks highlighted in OCC Semiannual Risk Perspective report: A couple weeks ago, we shared that the OCC released their Semiannual Risk Perspective report for spring 2022 which highlights various risk concerns. Some of the risks included are BSA/AML compliance, cybersecurity and digital assets. This article gives great insight into each one and why the risk matters.