Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of July 27
Your third parties’ cybersecurity continues to become an important risk to mitigate in all industries, even agriculture and manufacturing. Providing security training and ensuring third parties have cyber insurance can help. The cost of healthcare data breaches is rising, fintech firms need robust third-party risk management, and there’s more fallout from the MOVEit breach. Be sure to catch up on all this week’s news below!
Lower third-party cyber risk by providing security training for your third parties: You may have put firewalls and email security solutions in place to protect against third-party cyber risk, but it likely isn’t enough. Because third parties are so prevalent throughout an organization, the risk of a cyberattack due to one of your third parties' negligence is extremely high. Organizations should implement security training to combat cyberattacks through human error. That may mean offering data security tips to third parties or offering awareness training to third-party employees you work with. This can also lead to better compliance, as your third parties can be aware of the regulations you have to follow.
Time for the healthcare industry to mitigate third-party tracking risks: A hospital organization may want to track the visitors it receives on its website by using third-party tracking technology, but it may also be in violation of HIPAA’s Privacy Rule if that third-party tracker is collecting personal health information. Hospitals are allowed to use the technology, but they also need to be aware of the extreme security risks and use proper third-party oversight of the tracker’s usage. The marketing, legal, compliance, and IT departments should all communicate about the use of the tracker and how the risks are being mitigated.
OCC penalizes bank for failing to oversee a third-party relationship: American Express National Bank was handed a hefty $15 million penalty by the Office of the Comptroller of the Currency (OCC). According to the OCC, American Express failed to govern a third-party relationship and violated regulations in its efforts to keep small business owners safe. The bank didn’t ensure that its third party had appropriate call monitoring procedures and that it was documenting and tracking customer complaints. American Express also didn’t properly maintain and produce records to show compliance.
Hacker claims access to millions of records from the Egyptian Ministry of Health and Population: A threat actor has claimed to have two million data records from the Egyptian Ministry of Health and Population. This includes sensitive information like diagnoses and treatment details. To support the claim, the attacker provided a sample of 1,000 people’s data. The intent is to sell the data on the dark web.
Take the right steps before and during a third-party crisis: Any type of unseen issue with your third-party vendor can put your organization in crisis mode and test your reputation. Anything from a union strike to a natural disaster can impact your business. Before a crisis comes, plan for what’s inevitable. Perform a risk assessment on your vendor to understand the risks and map out your business continuity plan. Be transparent with your stakeholders about any vendor crisis and take accountability for how you respond to the crisis. How are you holding your vendor accountable? What steps have you taken to resolve the issue and prevent gaps in the future? Stakeholders won’t look at your vendor, but at your organization and how you respond. Be prepared for when disaster strikes.
Michigan State University becomes the next victim of the MOVEit breach: More victims of the MOVEit Transfer breach are being revealed, and this time it’s Michigan State University. Two third-party providers that MSU uses were affected by the breach, and personal data of people connected to the university may have been exposed. Both third parties have said they will provide a list of compromised people, who will then be notified. This breach has now impacted millions of people around the globe.
The cost of healthcare data breaches continues to rise: What will a data breach cost your healthcare organization? According to a new study from IBM Security, it’ll be about $11 million. That average cost increased $1 million from last year. Healthcare has the highest data breach cost of any industry. A lot of these attacks are through phishing and stolen or compromised credentials, and these attacks can sometimes take almost a year to identify. On the bright side, many organizations reported an increase in security investments after a breach. But don’t wait until it’s too late. Now is the time to implement stronger security measures, including for your third parties.
Have you evaluated your fintech firm’s third-party risk management?: There are many benefits to partnering with a fintech firm, but evaluating their risk management can often fall by the wayside. Many fintech firms use other parties to provide their services, which means your customers’ information may be in the hands of a fourth party. You should evaluate a fintech firm’s third-party risk management fundamentals and ensure they have appropriate governance and oversight. You should also receive a list of a firm’s critical third parties and require that they complete due diligence before beginning any work with a vendor. Be sure you understand a fintech firm’s third-party risk management before you partner with them.
FDIC warns banks to correct uninsured deposit amount on financial statements: Banks are being told to fix their financial statements that reduce uninsured deposits. The Federal Deposit Insurance Corporation (FDIC) issued the warning, and it came in light of the FDIC’s planned fee for large firms that’s assessed based on their uninsured deposits. The fee is supposed to recoup the costs of Silicon Valley Bank.
Two bills aim to aid agricultural industry with cybersecurity protections: Agriculture is yet another industry that’s vulnerable to cyberattacks as food supply chains become a top target. To address this critical infrastructure, two bills were introduced in the Senate. One would establish a hub in the National Telecommunications and Information Administration that would help agricultural producers strengthen their technology. It would also create a hotline for best cybersecurity practices. The second bill would expand a program that assesses the security of water and wastewater utilities. It would establish a grant program to help rural water systems strengthen cybersecurity.
Understand who your suppliers are by improving third-party risk management practices: If a third-party supplier was involved in corruption, bribery, fraud, money laundering, or forced labor, would you continue to work with them? A new survey says that 42% of organizations would. But this could severely damage your reputation and subject you to regulatory fines. To avoid these risks, organizations should improve their third-party risk management by monitoring for compliance using sanctions databases and media coverage. They should also identify potential risks, put a business continuity plan in place, and assess the financial stability of international third parties. Ultimately, what your third parties do ends up as a reflection of your organization.
To avoid cyberattacks, manufacturers should invest in third-party risk management: The manufacturing industry has become a great target for cyberattacks because of its dependency on technology and access to sensitive data. Many of these organizations aren’t prepared to address the growing threat. To mitigate the risk, manufacturers should develop a third-party risk management program to get a whole view of their supply chain, continuously monitor cyber risks, and create business continuity and disaster recovery plans. By investing in third-party risk management, manufacturers can address the growing threat and avoid the financial impact of a data breach.
Bank becomes another potential victim of MOVEit breach: United Bank, based in West Virginia, has experienced a data breach due to a third-party software tool. An unauthorized party received access to sensitive customer information. Although MOVEit wasn’t listed in United Bank’s data breach letter, the ransomware gang responsible has listed United Bank as one of its many victims. United Bank is investigating the incident and has notified impacted customers.
Regulators warn on the inappropriate use of online tracking at healthcare organizations: Regulators are watching how hospitals are using online tracking technology, preparing for potential violations. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) sent a joint letter to 130 hospitals and telehealth providers issuing a warning. Tracking technology used on hospital and telehealth websites may be gathering personal user data. Healthcare organizations must comply with HIPAA’s Privacy Rule, and even organizations that aren’t covered under HIPAA still have to comply with the FTC’s rule on disclosures of personal health information. Violation of these regulations can lead to large fines and legal action.
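The two tracker items above (the HIPAA item earlier in this section and the FTC/HHS letter) both come down to one question a compliance team has to answer first: which outside hosts does a patient-facing page actually load? The script below is an added example, not code from any article or vendor mentioned on this page. It inventories every script, image, iframe and link a static HTML page asks the browser to fetch and reports the ones served from hosts that are not the hospital's own. The sample page and the host names in it (example-hospital.org, tracker-example.net, vendor-example.com) are constructed for the example; the function and variable names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser contact another host.
# Assumption for this example: these are the loaders that matter most for a
# tracking review (scripts, pixels, embedded frames, stylesheet/preconnect links).
RESOURCE_ATTRS = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
}


class ResourceCollector(HTMLParser):
    """Collect every (tag, url) pair the page asks the browser to fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        url = dict(attrs).get(attr_name)
        if url:
            self.resources.append((tag, url))


def inventory_third_party_loads(html, first_party_hosts):
    """Return [(tag, host, url)] for resources served from outside first_party_hosts.

    Subdomains of a first-party host count as first party; relative paths are
    same-origin and therefore skipped; protocol-relative '//host/...' URLs are
    resolved so the pixel trick of omitting the scheme does not hide a host.
    """
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        absolute = "https:" + url if url.startswith("//") else url
        host = (urlparse(absolute).hostname or "").lower()
        if not host:
            continue  # relative URL, served by the hospital itself
        if host in first_party_hosts or any(host.endswith("." + h) for h in first_party_hosts):
            continue
        findings.append((tag, host, url))
    return findings


# Constructed sample page: one first-party script, one analytics tag, a 1x1
# tracking pixel loaded with a protocol-relative URL, and a chat-widget iframe.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.example-hospital.org/js/app.js"></script>
<script src="https://analytics.tracker-example.net/tag.js"></script>
</head><body>
<img src="//pixel.tracker-example.net/collect?page=appointments" width="1" height="1">
<iframe src="https://chat.vendor-example.com/widget"></iframe>
<img src="/images/logo.png">
</body></html>
"""

FIRST_PARTY_HOSTS = {"example-hospital.org"}


def report():
    """Run the inventory over the constructed sample page."""
    return inventory_third_party_loads(SAMPLE_HTML, FIRST_PARTY_HOSTS)


if __name__ == "__main__":
    for tag, host, url in report():
        print(f"{tag:7} {host:32} {url}")
```

The output is a review list, not a verdict: each external host still has to be matched against the contract and business associate agreement that authorises it, and a page that injects tags at runtime needs the same inventory taken from a real browser session rather than from static HTML.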
More privacy laws passed across the states: There are privacy laws everywhere! Texas has enacted its comprehensive privacy law and most of it will take effect July 1, 2024. Oregon has also passed a privacy law, and it would require controllers to give consumers a list of specific third parties their information is given to. Delaware has joined the mix and this bill doesn’t offer exemptions for HIPAA-covered entities and higher education. Connecticut’s privacy law took effect, and they’ve also adopted a bill that further expands its privacy law to include mental health and requirements around minors’ personal data. Be sure to stay on top of developing laws and regulations!
FTC withdraws antitrust policy statements for healthcare organizations: Policy statements that provided antitrust safety zones for some healthcare organizations have now been withdrawn by the FTC. This follows in the footsteps of the DOJ, which withdrew the same statements earlier this year. The policy statements have been called outdated. The statements shielded some healthcare organizations from agencies for exchanges of cost information, joint purchasing agreements, and collaborations with healthcare organizations and physician networks. Without these statements in effect, healthcare organizations will likely face increased regulatory scrutiny.
Your cyber insurance policy should include third parties: Organizations are being held responsible more and more for third-party data breaches. Lawsuits are being filed, not just against the third party, but also the organization it contracted with. With the increased liability, it’s crucial to manage a third party’s cybersecurity risks. Your cyber insurance policy should include third-party computer networks and sufficient limits to cover a data breach. You should also ensure your third parties have their own cyber insurance and that your company is insured under it, as well as conduct regular cybersecurity audits of your third parties to make sure they have the right protections in place.
What kind of insurance coverage do you have for third-party disruptions?: Disruptions to your supply chain can happen at any time, and you may not be prepared for them. As part of your risk management strategy, you should insure against potential losses. With your third-party coverage, ensure that you’re covered for downtime; expand your coverage to direct or indirect suppliers; and consider your level of exposure to dependent properties. The right insurance coverage can help your organization during an unexpected supply chain disruption.
Recently Added Articles as of July 20
Have you assessed the cybersecurity risk of your third parties recently? It’s a hot topic this week, as the U.S. government stepped up its efforts on addressing cybersecurity with its implementation plan and a new program for smart devices. CISOs also need to be aware of cybersecurity challenges along the supply chain. Hospitals need a solid third-party risk management program and new vulnerabilities are on the horizon as generative AI is developed for threat actors. There’s all that and more, so check it out below!
U.S. program looks to assure customers of cybersecurity safety in smart devices: The Biden-Harris administration is attempting to address cybersecurity risks with smart devices. The U.S. Cyber Trust Mark program, which is expected to be rolled out by 2024, is a voluntary certification. It gives smart devices that meet cybersecurity criteria a shield logo. Manufacturers like Google, Amazon, and Samsung have all supported the initiative. Because vulnerabilities can be discovered long after products are sold to customers, organizations will have to continuously monitor the products and conduct vulnerability assessments. The Federal Communications Commission is seeking public comment on the program.
To protect against cyberattacks, CISOs must be aware of their supply chain: As more sensitive data is exposed to hackers, your CISO should look at your cybersecurity program and risk management for the supply chain. Attackers look to the weakest point of entry to gain access. CISOs need to have visibility of every vendor along the supply chain and have policies in place to monitor them. The risk management framework NIST suggests is a helpful start. It recommends establishing a process, identifying and prioritizing vendors based on their risk, developing secure contracts, continuous monitoring, and business continuity testing. Although CISOs have a lot on their plate managing cyber risks, third-party risk management must be a priority.
Third-party risk management is a crucial, but challenging, endeavor: It’s clear that third-party risk management is extremely important, especially as cyberattacks along the supply chain become more common, but there are many challenges to building an effective program. The vendor population for organizations is increasing. Because of that, there’s less visibility into third and fourth parties. That can lead to business disruption, financial loss, reputational damage, and more, but it’s challenging to get third parties to fill out questionnaires, and there’s a lack of resources within organizations to address risks. And then there are insufficient budgets and a lack of automated solutions within organizations. Don’t lose hope! There is a way to overcome these challenges, and we have a great tool to help you out.
Test the security practices of third-party vendors: What are the security practices of your third parties? If you don’t understand what controls they have in place, you likely don’t have a good idea of where your risks are. Your third parties are likely using their own vendors to do business. That means it can be challenging to have full control over your third parties and the software they use. You should mitigate the risk by testing your third parties’ cybersecurity practices and controls.
Hospitals need to implement third-party risk management practices to prevent cyberattacks: It continues to be a challenge for healthcare organizations to manage third-party risks and cybersecurity. Cyberattackers have found weaknesses they can exploit through a hospital’s third parties. Hospitals need a robust third-party risk management program to continuously monitor third parties, especially those that are critical to the hospital or a patient’s life. It’s important to have business continuity and disaster recovery plans with critical third parties, which are a big target for ransomware. A solid third-party risk management plan will help lower the possibility of cyberattacks and ransomware.
Google vulnerability could cause supply chain attacks: A flaw in Google Cloud Build gave attackers almost full access to Google Artifact Registry code. Attackers could impersonate the service account for the Google Cloud Build service that runs application programming interface (API) calls. The attackers could inject malicious code, which could then result in supply chain attacks. Google implemented a partial fix to the vulnerability. Customers of Cloud Build should modify their permissions and remove entitlement credentials.
U.S. cybersecurity agency releases list of free tools to aid cyber efforts: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is sharing free tools to help cybersecurity professionals mitigate risks. The tools include the Cybersecurity Evaluation Tool (CET), SCuBAGear, Decider, Untitled Goose Tool, and Memory Forensic on Cloud. These help detect malicious activity, mitigate vulnerabilities, and assist with remediation and investigations.
Bad actors tout criminal version of ChatGPT known as WormGPT: A new generative artificial intelligence (AI) tool is garnering buzz, but it’s not going to answer all your burning questions. WormGPT has been advertised on underground forums to generate phishing and business email compromise attacks. Its author said the tool “lets you do all sorts of illegal stuff.” Unfortunately, it could be as powerful as ChatGPT and Google Bard, which are rushing to step up their cybersecurity protections. Use extra caution with those emails, even if they have perfect grammar.
FTC warns of potential antitrust violations with generative AI: We know that AI has a number of third-party risks, but have you considered antitrust concerns? The Federal Trade Commission (FTC) published a blog post warning against antitrust violations for organizations buying, building, or selling products with generative AI. Control over data shouldn’t be used to restrain fair competition, and critical employees can’t be hindered by non-compete clauses. To process and train on the large amounts of data generative AI needs, computing power through specialized chips or cloud computing services is required. The FTC is concerned that this could lead to highly concentrated markets, which could then lead to antitrust violations.
Connecticut privacy law is now in effect: Connecticut’s data privacy law took effect on July 1. It’s important to know the details of this law so that your organization can comply. Like other privacy laws, it gives consumers the right to access their personal data, delete it, correct inaccuracies, receive a copy of it, and opt out of the sale and processing of their personal data. The law doesn’t apply to employment data, and some entities are exempt, like nonprofits, higher education institutions, financial institutions subject to the GLBA, and those subject to HIPAA. Any other business that processes the data of at least 100,000 people, or that processes the data of at least 25,000 people and receives 25% of its revenue from the sale of personal data, must comply.
Biden-Harris Administration reveals implementation plan for cybersecurity strategy: After introducing the U.S. National Cybersecurity Strategy in March, the Administration has released its implementation plan for it. The National Cybersecurity Strategy Implementation Plan covers 65 initiatives to accomplish what’s outlined in the strategy. This includes strengthening the National Cyber Investigative Joint Task Force and advancing a software bill of materials. The Cybersecurity and Infrastructure Security Agency will also lead the process to update a cyberattack response plan that will ensure the government has a coordinated response.
U.S. government agencies fall victim to an email attack campaign: A Chinese espionage campaign targeted email accounts in the U.S. government. CISA and the FBI released a joint advisory on the incident. Microsoft identified that actors accessed Outlook data. This was due to an error in Microsoft’s Azure Active Directory source code that allowed tokens to be forged by a malicious actor. The government agency impacted wasn’t revealed, although news agencies reported that it was the State Department and that the Commerce Department was also targeted. China has denied that it was behind the incident.
The five pillars of the EU’s new banking security regulations: The EU’s new security regulation for banks, the Digital Operational Resilience Act (DORA), is set to take effect in January 2025. It’s divided into five pillars that banks need to know. The first is risk management: banks must set up and maintain tools that monitor and mitigate risks. Third-party risk management is the second pillar; there must be consistent monitoring and contracts that address data processing. Incident reporting and information sharing are also pillars of DORA. The fifth is resilience testing, where risk management frameworks must be regularly tested. Banks should review their current procedures and ensure they align with DORA before January 2025.
Recently Added Articles as of July 13
A massive third-party data breach at a healthcare organization continues to emphasize the importance of third-party risk management, while a lawsuit for a similar incident shows how organizations have a shared responsibility with their vendor to mitigate risks. A couple of former employees both faced charges for hacking, and Delaware is joining the states with privacy laws. And it’s time to prepare for the EU’s new cybersecurity regulations. There’s so much more to read this week, so be sure to check it all out below!
Organizations and vendors have a shared responsibility to mitigate risks: Both an organization and its third-party vendors have a shared responsibility to ensure the safety and security of products and services. The MOVEit breach was yet another example of that lesson. The vendor learned of the breach after being alerted by its customers. Contracts detail this shared responsibility, so it’s crucial for vendors to communicate quickly with their customers. Stakeholders play a large role in this as well by ensuring that risks are being assessed, both within the organization and outside of it.
Lawsuit filed against Community Health Systems for third-party data breach: A breach at Community Health Systems earlier this year, originating from its third-party vendor Fortra, impacted more than 1 million people. Now, a class-action lawsuit has been filed against the healthcare organization. It alleges that Community Health didn’t take adequate measures to protect patient data, even though healthcare organizations are a big cyber target. This was the second largest breach at Community Health, and the organization had previously agreed to implement new cybersecurity measures in 2020. Although these lawsuits don’t often go far, there will still be legal costs for Community Health to fight it.
Healthcare organization suffers major third-party data breach: A massive healthcare data breach has impacted about 11 million people and appears to stem from a third party. HCA Healthcare discovered the breach on July 5 after personal information was posted on an online forum. According to the organization, the data was stolen from an external storage location for a software system that automates email formatting. No health information was posted, but information like names, zip codes, emails, and appointment dates was leaked. The incident was reported to authorities and is being investigated. It’s important for healthcare organizations to ensure that any vendor that has their data has appropriate security measures in place.
New ransomware uses fake Windows updates to gain access: A new ransomware is out there, using fake Microsoft Windows updates and Word installations to trick people. The ransomware, called Big Head, encrypts files on machines in exchange for a cryptocurrency payment. Big Head also disables the task manager, so once users begin the updates, they aren’t able to stop it. This is a challenging ransomware to defend against, so security teams should be prepared.
Cybersecurity teams must be aware of new regulations and stay up-to-date on security practices: As more regulations are released targeting third-party risk management and cybersecurity, CISOs are finding it more important to build good relationships with regulators, especially before a breach happens. It’s crucial for them to stay on top of regulatory changes and any requirements on data breach notifications. Even small third-party vendors will need to be more prepared to handle the controls required for cybersecurity. They’ll need to determine what controls are a necessity for security and ensure they align with regulatory expectations.
Cybersecurity employee is indicted for stolen cryptocurrency: A cybersecurity employee was indicted for allegedly stealing $9 million in cryptocurrency after hacking an exchange. It’s not clear exactly where he worked, although he at one point was employed by Amazon. After stealing the crypto, the employee agreed to return most of it, keeping $1.5 million for himself, as long as the exchange didn’t report him to authorities. That didn’t quite work for him, as the U.S. Attorney’s Office of the Southern District of New York will indeed be prosecuting him.
Delaware is set to pass a data privacy law: Delaware is well on its way to becoming the seventh state this year to pass privacy legislation. The Personal Data Privacy Act is currently sitting on the governor’s desk. It contains stronger privacy protections for consumers and requires opting-in for processing sensitive data, prohibits gaining consent through unclear means, and requires opt-out preference options. It doesn’t provide exemptions for covered entities of HIPAA and doesn’t have exemptions for nonprofits.
CFPB releases additional guidance on small-business lending rule: The Consumer Financial Protection Bureau (CFPB) has released frequently asked questions to help financial institutions comply with its small-business lending data collection rule. The earliest compliance date is October 2024. The rule requires financial institutions to collect data on small-business lending and report it to the CFPB. The questions give clarity on who is covered by the rule, what types of transactions the financial institution must count when determining the threshold, and what to do if multiple financial institutions are involved in the small-business lending, and they explain methodologies financial institutions can use.
Rhode Island changes its data breach law: Rhode Island has changed its data breach law, making big changes to its notification requirements. All data breaches that impact more than 500 residents must be reported to the attorney general and major credit reporting agencies. For state and municipal agencies, they’re required to notify state police within 24 hours of a data breach. They’re also expected to notify people impacted as quickly as they can, but within 30 days. If an impacted person belongs to a labor union, the collective bargaining agent must also be notified.
New EU Data Privacy Framework ensures transferred U.S. data is protected: The European Union has adopted a framework to ensure that personal data transferred between the EU and the U.S. remains secure. It introduces new safeguards that limit access to EU data by U.S. intelligence. A newly established Data Protection Review Court will order the deletion of data if it violates the safeguards. The U.S. enhanced its own privacy protections for the framework. This new framework replaces the EU-U.S. Privacy Shield, but just like its predecessor, these new changes could face legal challenges ahead.
Prepare your third parties for the EU’s upcoming cybersecurity requirements: You may not have to comply with the European Union’s Digital Operational Resilience Act (DORA) until January 2025, but it’s best to start preparing now. The act sets major cybersecurity standards for financial institutions, including any that offer information and communications technology services that are critical to Europe’s financial sector. Third parties are also required to comply. Make sure you know your third parties’ risks and ask them what they’re doing to protect your data. You may also need a multi-cloud strategy in case one network fails. Use monitoring tools that will help you stay on top of both your own compliance and your third parties’ compliance.
Beware: SEC is targeting failure to disclose perquisites in its examinations: The SEC has been targeting perquisite disclosures in its examinations over the last several years. Enforcement actions can carry steep penalties and sometimes independent reviews. A perquisite, or personal benefit, confers a direct or indirect personal benefit on someone and isn’t available to all employees on a non-discriminatory basis; examples include use of a company car, club dues, and charging personal travel to the company. To avoid fines, organizations should review policies and procedures on use of corporate-owned aircraft, tracking of personal transactions and other perquisites, and training of staff on what perquisites are.
Former third-party employee is charged with hacking into water treatment facility: A California employee was charged for trying to delete critical software at a water treatment facility in Discovery Bay. He worked for a third-party provider between 2016 and 2020 that the town contracted with to operate the facility. He allegedly installed software that gave him access to the facility’s systems on his personal computer. After quitting in 2021, he accessed the software and gave a command to uninstall the main hub of the facility’s computer network. That action now leaves him facing up to 10 years in prison and a $250,000 fine. It’s important for organizations to check periodically who has access to their systems and remove former employees’ access. Ensure your vendors are doing the same.
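The water treatment case above ends with the control that would have cut off that access: a periodic review of who still holds accounts, covering vendor staff as well as your own. The script below is an added example and not code from any organization mentioned on this page. It joins an account export against an active-people roster and the list of vendor contracts still in force, and flags enabled accounts whose owner has left, whose vendor contract has ended, or that have simply not logged in for longer than a set idle window. All names, dates, organizations and account records are constructed for the example; the function names are this example's own.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    owner: str        # person the account was issued to
    employer: str     # your organization or the vendor that employs the owner
    last_login: date
    enabled: bool


def review_access(accounts, active_people, active_contracts, org_name, as_of, max_idle_days=90):
    """Return [(username, [reasons])] for enabled accounts that should be removed or re-justified.

    active_people:    set of (owner, employer) pairs still engaged, from HR and vendor rosters
    active_contracts: set of vendor names whose contract is currently in force
    max_idle_days:    idle window after which an account is flagged regardless of roster status
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to do
        reasons = []
        if (acct.owner, acct.employer) not in active_people:
            reasons.append(f"owner {acct.owner} is no longer active at {acct.employer}")
        if acct.employer != org_name and acct.employer not in active_contracts:
            reasons.append(f"no contract in force with {acct.employer}")
        idle_days = (as_of - acct.last_login).days
        if idle_days > max_idle_days:
            reasons.append(f"no login for {idle_days} days")
        if reasons:
            findings.append((acct.username, reasons))
    return findings


# Constructed sample data for a small utility that outsources plant operations.
ORG_NAME = "Town Utilities"
ACTIVE_PEOPLE = {
    ("a.lee", "Town Utilities"),
    ("j.ortiz", "VendorCo"),
    ("m.chen", "VendorCo"),
}
ACTIVE_VENDOR_CONTRACTS = {"VendorCo"}          # OldVendor's contract has ended
REVIEW_DATE = date(2023, 7, 13)

ACCOUNTS = [
    Account("alee", "a.lee", "Town Utilities", date(2023, 7, 10), True),
    Account("jortiz-vendor", "j.ortiz", "VendorCo", date(2023, 7, 12), True),
    Account("rsmith-vendor", "r.smith", "VendorCo", date(2021, 1, 15), True),   # left VendorCo, still enabled
    Account("oldvendor-svc", "svc", "OldVendor", date(2023, 7, 1), True),       # contract ended, still in use
    Account("mchen-vendor", "m.chen", "VendorCo", date(2023, 3, 1), True),      # active person, dormant account
    Account("bjones", "b.jones", "Town Utilities", date(2022, 5, 1), False),    # already disabled
]


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, ACTIVE_PEOPLE, ACTIVE_VENDOR_CONTRACTS, ORG_NAME, REVIEW_DATE)


if __name__ == "__main__":
    for username, reasons in run_review():
        print(username)
        for reason in reasons:
            print("   -", reason)
```

The "no contract in force" check is the one that catches the scenario in the article: the person may still work for the vendor, but the vendor no longer works for you. The review is only as good as the rosters fed into it, so the vendor's list of current staff has to be requested on the same schedule as the account export.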
Linux kernel vulnerability revealed: A new security flaw in the Linux kernel could allow users to gain elevated privileges. This is in versions 6.1 to 6.4 and it’s been addressed in released versions. Additional technical specifics should be released at the end of the month.
NIST framework for AI risk is a valuable tool to use: Struggling to know how to address emerging artificial intelligence (AI) risks? The National Institute of Standards and Technology (NIST) has a risk management framework that can help. Organizations need to determine their risk appetite with AI and prioritize what should be addressed. Organizations should have strong governance that addresses internal practices on evaluating AI products or vendors. They’ll also need to map out the risks and benefits of AI systems and the people that will be impacted by it. It’s wise to use measurements to track AI’s trustworthiness, social impact, and quality of interactions. And of course, there should be ongoing monitoring of AI’s risks.
Recently Added Articles as of July 6
Have you checked in on your vendor's cybersecurity program effectiveness lately? There’s been a host of third-party breaches lately, from a federal agency to a chipmaker company. New threats are on the rise, the EU continues its crackdown on GDPR violations, Microsoft denies hacking claims, and the new Threads app is facing EU hiccups. Check out all of this week’s headlines below!
European Union has privacy concerns with Meta app Threads: Meta is launching Threads – its big response to Twitter's users’ frustrations with recent changes to the platform. However, the European Union is putting a big halt to the project in Europe. Ireland’s Data Protection Commission said there are privacy concerns with the app. According to the App Store, user data like health and fitness, purchases, financial information, location, and search history will be collected by Threads. While Threads hasn’t been actively blocked, Meta is allegedly taking a cautious approach in the EU.
Zero-day threats are on the rise and organizations need a strategy: Zero-day vulnerability exploitations have increased recently, and organizations need a security strategy in place before they become the victim of another attack. Zero-day vulnerabilities are previously unknown flaws in software, hardware, or firmware for which no patch exists. Cybercriminals can buy these, but so can governments as part of cyberwar. Security teams should use advanced threat detection that relies on cloud-based sandboxing, which can block unknown threats. Organizations need to invest in a strong patch management program to prevent these attacks on unknown vulnerabilities.
Mozilla releases Firefox 115 to patch vulnerabilities: The release of a new Firefox version includes patches for two high-severity vulnerabilities. In an advisory, Mozilla said attackers could have triggered a use-after-free condition. Firefox 115 also includes patches for eight medium-severity vulnerabilities.
European organizations fined for using Google Analytics: Two organizations were fined by the Swedish Authority for Privacy Protection for using Google Analytics to generate web statistics, which breached the General Data Protection Regulation (GDPR). The tool transferred personal data to the U.S., which EU regulators do not consider to offer an adequate level of protection for European data, without sufficient additional safeguards. Two other companies received a warning to stop using Google Analytics.
Do your third parties have the right cybersecurity controls in place?: It's clear that your third parties' cybersecurity practices are more important than ever. Cyberattacks have targeted the supply chain to gain access to an organization's information. To ensure that your third parties have the right controls in place, you should include security clauses in third-party contracts, conduct third-party security assessments, and implement strict controls on third-party access to your data. Even in a young TPRM program, third-party cybersecurity should be a top priority to safeguard your organization.
Software company experiences third-party data breach: A third-party data breach exposed the information of customers of the software company Datasite. The company filed notice of the breach with the Massachusetts Attorney General. The MOVEit hackers claimed that Datasite was one of their victims, but that hasn't been officially confirmed. Leaked information includes names and Social Security numbers. It's unclear how much information was compromised.
Federal agency pushes healthcare organizations to use multi-factor authentication: Healthcare organizations and their third parties are urged to use multi-factor authentication (MFA) to avoid cyberattacks. The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued a bulletin on Friday that stressed the importance of MFA as a first line of defense against attacks. Delays in implementing MFA are often due to legacy systems and a lack of money, time, and staff. OCR told healthcare organizations to use caution when choosing an MFA system and to avoid ones that require only a password and a PIN: both are things the user knows, so together they amount to a single factor. An effective MFA system combines two distinct factor types: something the user knows (a password), something they have (a hardware token, smart card, or phone), or something they are (a fingerprint or other biometric).
Thousands of Fortinet firewalls are still at risk of a bug being exploited: Despite Fortinet releasing an update that patches a critical vulnerability, 300,000 firewalls are still at risk. Fortinet has urged customers to update FortiOS, as the vulnerability would allow attackers to execute code remotely. If your organization or your third parties use Fortinet devices, confirm that the patched FortiOS release has actually been installed rather than assuming it has.
Microsoft denies hackers’ claims to have millions of Microsoft account details: Microsoft is denying the claims that a hacker group stole 30 million customer credentials. Anonymous Sudan caused service disruptions and outages at Microsoft last month and they now say they have access to emails, accounts, and passwords. The group provided 100 credentials as evidence of the attack, but the origin can’t be verified. Microsoft said they have no evidence of an attack.
Chipmaker company is victim of a third-party data breach: The largest contract chipmaker in the world has been handed a massive ransom demand after a breach with one of its third-party suppliers. Taiwan Semiconductor Manufacturing Company said the incident originated with Kinmax Technology, an IT hardware supplier. The company said customer information was not compromised and data exchange with Kinmax has ended. The LockBit gang claimed the attack and threatened to publish stolen data unless the ransom of $70 million is paid.
Three mistakes to avoid with vendor risk assessments: You conduct hundreds, if not thousands, of vendor risk assessments. Many industries are required to perform risk assessments to make sure they select secure vendors, but how can you ensure you're getting the most out of them? There are three common mistakes to avoid: neglecting to request references, overlooking fourth-party dependencies (you'll especially want to understand your third party's security controls over its own vendors), and relying solely on security questionnaires, since you'll also want to use audits and external assessments.
What are the most dangerous software vulnerabilities this year?: MITRE released its list of the top software weaknesses for 2023. Out-of-bounds Write topped the list for the second year in a row. Cross-Site Scripting, SQL Injection, and Use After Free also ranked high on the list. Attackers are exploiting these weaknesses more and more. The weaknesses themselves are removed in code: bounds checks or memory-safe languages for Out-of-bounds Write and Use After Free, output encoding for Cross-Site Scripting, and parameterized queries for SQL Injection. To limit what an attacker gains when one of them is exploited anyway, organizations should reduce the use of long-term credentials, implement the principle of least privilege, and regularly audit accounts and systems.
Does your cloud vendor have too much access?: Cloud vendors bring new security challenges for organizations. They need access to data, logs, sensitive operations, and other information, and many times they are granted far more access than the job requires, which adds risk for no benefit. Get an inventory of every requested permission before onboarding, and require the vendor to explain why it needs each privilege and what it will do with it. That lets you identify over-broad grants before they become an issue. Afterwards, continuously monitor the privileges actually used and remove any that turn out to be unnecessary.
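As an added example of the permission inventory described above (not from the original article), the following Python reads a vendor's requested permission set, flags the wildcard and privilege-escalating grants that should each come with a written justification, and then compares the grant against what the vendor's credentials were actually observed doing. The policy is written in the AWS IAM JSON shape and the observed actions stand in for an access log; both are constructed for the example, and the policy format itself is an assumption.

```python
import json

# Constructed: a permission set a hypothetical vendor asks for, in AWS IAM policy
# JSON shape (assumed format; the checks below only depend on Effect/Action/Resource).
REQUESTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::vendor-export-bucket/*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
})

# Constructed: actions the vendor's role was seen using during the review period
# (what an access log such as CloudTrail would yield after de-duplication).
OBSERVED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "logs:PutLogEvents"}

# Actions that let a caller acquire other identities' permissions; a vendor must
# justify each of these individually. Illustrative list, not exhaustive.
HIGH_RISK_ACTIONS = {"iam:PassRole", "sts:AssumeRole", "iam:CreateUser", "iam:AttachRolePolicy"}


def _as_list(value) -> list:
    """IAM allows a single string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad(policy_json: str) -> list:
    """Return (statement index, finding type, value) for each grant that needs a justification."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard-action", action))
            elif action in HIGH_RISK_ACTIONS:
                findings.append((idx, "privilege-escalation", action))
        if "*" in resources:
            findings.append((idx, "wildcard-resource", "*"))
    return findings


def _covers(granted: str, used: str) -> bool:
    """True if a granted action string permits the observed action (handles service wildcards)."""
    if granted == "*":
        return True
    if granted.endswith(":*"):
        return used.startswith(granted[:-1])   # "logs:*" -> prefix "logs:"
    return granted == used


def unused_permissions(policy_json: str, observed: set) -> set:
    """Granted actions that no observed action ever exercised: candidates for removal."""
    granted = set()
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return {g for g in granted if not any(_covers(g, u) for u in observed)}


if __name__ == "__main__":
    for finding in find_overbroad(REQUESTED_POLICY):
        print("needs justification:", finding)
    print("never used:", sorted(unused_permissions(REQUESTED_POLICY, OBSERVED_ACTIONS)))
```

Run before onboarding, the first function produces the list of grants to send back to the vendor with a "why?" attached; run periodically against the access log, the second shows which of those grants were never exercised and can be withdrawn. Note that a service wildcard such as `logs:*` counts as used if any action in that service was seen, so it is caught by the first check rather than the second.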
Department of Health and Human Services affected by MOVEit data breach: The Department of Health and Human Services (HHS) has become yet another victim of the MOVEit data breach. More than 100,000 people’s information was compromised in the attack, according to HHS’ notification to Congress. Other federal agencies and the Department of Energy were also breached in the MOVEit attack. The CLOP gang responsible has said it’s not interested in politics and would delete all government data. However, that’s no guarantee and they could still leak the data.
Annual NCUA report shows growth in IT for credit unions: Credit unions are strengthening their cybersecurity resilience, according to the National Credit Union Administration (NCUA) annual cybersecurity report. IT risk factors that required immediate attention decreased over the last four years. However, the NCUA chairman said significant risk still exists because of the NCUA's lack of authority over third parties. Credit union trade organizations, like CUNA and NAFCU, have objected to giving the NCUA more authority over third parties, as other regulators already govern them.
Regulation governing online retail platforms and sellers takes effect: The Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act (INFORM Act) has taken effect. It applies to online marketplaces, meaning e-commerce platforms used by third-party sellers to engage in the sale, purchase, payment, storage, shipping, or delivery of consumer products in the U.S. These marketplaces are required to verify that their third-party sellers are legitimate. They'll need to do due diligence on high-volume third-party sellers, those with at least 200 discrete sales and at least $5,000 in gross revenue in a 12-month period. The FTC and State Attorneys General will have the authority to enforce the act.
A proactive approach to third-party risk management is crucial to avoid attacks: Organizations that take a relaxed approach to third-party risk management are putting themselves at risk of cyberattacks. Third-party vendors should produce vulnerability reports and demonstrate compliance to organizations. Software vendors are becoming an easy target for attackers, and organizations must do the proper due diligence on their software vendors.