
July 2024 Vendor Management News

10 min read

Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of July 11

A car dealership expects to see a financial impact from a third-party cyberattack, a global banking committee proposed principles for third-party risk management, a federal regulator downgraded a bank’s compliance score because of a third-party relationship, and more. Check out all of this week’s news below.

FDIC downgrades bank’s compliance score due to a third-party relationship: Forbright Bank’s Community Reinvestment Act (CRA) compliance score was downgraded by the Federal Deposit Insurance Corporation (FDIC) because of a third-party relationship that ended more than two years ago. An unnamed credit-building fintech allegedly charged users fees that violated the CRA. Forbright is repaying impacted users, although it neither charged the fee nor received revenue from it.

Global committee proposes principles for third-party risk management: The Basel Committee on Banking Supervision has proposed 12 principles for financial institutions to manage third-party risks. Basel emphasized that a bank’s board of directors holds the ultimate responsibility for third-party oversight. The draft principles respond to financial institutions’ increasing reliance on third parties. They would replace the existing standards on outsourcing and address newer risks, such as fintech and concentration risks. The proposal from the Basel Committee is open for comment until October 9.

Roblox conference attendees impacted in third-party data breach: A third-party data breach impacted those who registered for the Roblox Developer Conference in 2022, 2023, and 2024. Roblox itself wasn’t affected; the vendor that manages the organization’s conference registration was breached. Exposed information includes names, emails, and IP addresses.

Car dealership expects material financial impact after a third-party cyberattack: A third-party cyberattack was attributed as the reason sales fell at Sonic Automotive. Software services provider CDK experienced an attack that led to outages at automotive dealerships across the U.S. Sonic said the attack is likely to have a “material impact” on its financial performance. There are still CDK systems and functions that are offline, but basic functionality was restored. 

Third-party risk management is needed for carrier companies, according to National Motor Freight Traffic Association: The National Motor Freight Traffic Association (NMFTA) emphasizes the need for third-party risk management for freight and logistics companies. The association said that if key vendors don’t have strong cybersecurity practices in place, carriers could be adversely impacted. Carriers could even be unable to operate trucks or other hardware if hackers are able to gain access to systems or sensors. It’s important for carriers to map out their third-party vulnerabilities and understand what parties are hosting and processing data. NMFTA said executive buy-in is crucial to a solid third-party risk management program and can be achieved by explaining the serious third-party risks carriers face. Carriers must address not just cybersecurity risks, but also financial and reputational risks. 

Stolen data from third-party app impacts Shopify customers: Shopify has denied any data breach at its organization, but instead said personal data was stolen from an unnamed third-party app. Shopify said the app developer would be responsible for notifying impacted customers. The data includes names, Shopify IDs, phone numbers, and SMS subscription. 

Malicious AI tools are on the rise: There’s been a rise in malware disguised as artificial intelligence (AI) tools in the first half of this year, according to a new report. Cybercriminals have packaged malware as generative AI assistants and tried to trick people into downloading it.

Ghostscript vulnerability is being actively exploited: A vulnerability in the Ghostscript document conversion toolkit is being actively exploited. The tool is pre-installed on many Linux systems. Attackers would be able to bypass security on unpatched systems and perform high-risk operations. Organizations should ensure the application is updated to the latest version. 

Florida Department of Health is victim of ransomware attack: Florida’s Department of Health experienced a cyberattack that impacted the state’s ability to issue death and birth certificates. A ransomware group has claimed to have stolen data, but Florida law bans state and local governments from paying a ransom.

Third-party data breach compromises sensitive data: A third-party data breach impacted sensitive data at HealthEquity, according to the organization’s Securities and Exchange Commission (SEC) filing. A third party’s user account was compromised, allowing access to some HealthEquity data on a SharePoint server. The incident isn’t expected to have a material impact on the organization. 

Limitations of a third party’s SOC 2 report and other strategies to use: Many third parties use SOC 2 reports to show their security practices to organizations, but SOC reports do have limitations organizations should consider. It’s important to look at the scope of the report to ensure it covers the systems and services relevant to your organization. SOC 2 reports are also only a point in time and security practices can change quickly. Remember, vendors are also in control of the criteria for the audit, which may influence the focus of the report. While a SOC 2 report is still helpful to review and use, other strategies like security questionnaires, penetration testing assessments, and contractual agreements are useful to implement.

Cloudflare incident is due to Border Gateway Protocol hijack: Cloudflare said a recent incident impacted 300 networks, but said the overall impact was low. Cloudflare identified the issue and resolved it in about two hours. 

Recently Added Articles as of July 4

A third-party data breach led to data being posted on the dark web, vendor risk assessments are an essential tool for mitigating risk, and a former employee at a third party copied sensitive records in a security incident. Read all of this week’s news below. 

Fintech companies are impacted in a bank’s ransomware attack: Evolve Bank & Trust confirmed it was the victim of a ransomware attack, which impacted some of its former and current fintech partnerships. These fintech companies include Wise and Affirm, both of which confirmed some information was compromised. Customer data was released on the dark web and the ransomware gang has asked for a ransom. Evolve is working with law enforcement. The attack comes after a regulatory order for the bank in June to strengthen its fintech relationships. 

How fintechs can prioritize compliance: It’s become increasingly important for fintech companies to meet the same compliance and regulatory expectations that banks do. However, especially for fintechs with small teams, this can be challenging. A proactive approach to compliance anticipates potential regulatory challenges and implements solutions. Technology such as automated transaction monitoring and data analytics can also help. Fintech companies should perform regular risk assessments, conduct ongoing monitoring, and create a culture of compliance.

Bank required to make third-party risk management improvements: Thread Bank was required to address its banking as a service (BaaS) third-party risk management in a consent order with the Federal Deposit Insurance Corporation (FDIC). The bank must implement documented risk assessments on fintech partners and ensure its third-party risk management program addresses the level of risk of fintech partners. This includes setting risk tolerance thresholds that are approved by the board. The bank has said it will make the required improvements.

Implement security controls to ensure secure SaaS relationships: Software as a service (SaaS) is an extremely useful tool for organizations to improve efficiency and operations. However, as with many other vendor relationships, threat actors often target SaaS tools in supply chain attacks. This can occur through credential exploitation (particularly where organizations lack controls such as multi-factor authentication) and through bypassing multi-factor authentication where it is in place. Best practices like data encryption, account access control, and data backups are crucial for both organizations and their SaaS providers to have.

The importance of secure generative AI: Generative AI is a new attack vector that organizations should be aware of, according to experts. As many rush to adopt the technology and provide new offerings to their customers, cybersecurity and safe practices can easily slip to the background. When building AI technology, organizations should be aware of the risks and prioritize protecting privacy and personally identifiable information (PII). 

Cybercriminals using fake IT sites to inject malware: Fake IT sites are pushing malicious “fixes” for Windows errors. Cybercriminals are using the sites to infect devices with malware. Cybercriminals have even started using videos to give false instructions to victims. The malware can steal credentials, credit cards, cookies, and browsing history. Remember to only download software and error code fixes from trusted websites.

How to ensure effective vendor risk assessments: Vendor risk assessments are an essential tool in the third-party risk management toolbox as they help organizations vet potential vendors before signing a contract. For these assessments to be effective, organizations should have internal standards for evaluating vendors. Organizations need to know how to measure and compare vendor risks to ensure consistency. Standards should also align with regulatory requirements and best practices. Because vendors pose different levels and types of risk, a one-size-fits-all approach is unwise for vendor risk assessments. Instead, assessments should be tailored to the vendor. Be sure to verify what the vendor reports by checking references and analyzing financial health, too. 

Thousands of websites were compromised in a third-party library attack: The domain Polyfill.io was compromised in a supply chain attack that infected more than 110,000 websites with malicious code. Websites that use JavaScript code from Polyfill should remove it immediately. It’s important to perform due diligence even on third-party libraries by evaluating a Software Bill of Materials (SBOM) and assessing the libraries’ security posture. 
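The Polyfill.io item above says affected sites should remove the library and that third-party libraries deserve the same due diligence as other vendors. The following is an added example, not code from the Venminder article or from any project it mentions: a small Node.js script that inventories the external `<script src="...">` references in a page, flags any whose host is on a watch list (populated here with polyfill.io, the only domain the article names), and separately lists external scripts that carry no Subresource Integrity attribute. The sample HTML, the `example.test` hostnames, the `sha384-AAAA` placeholder hash and the `WATCH_LIST` contents are all constructed for the example.

```javascript
// Added example (not from the Venminder article): inventory third-party script
// tags in a page and flag hosts on a watch list. All sample data is constructed.

// Constructed sample page: one polyfill.io script, one same-origin script,
// one external script with a placeholder SRI hash, and one inline script.
const SAMPLE_HTML = `
<html><head>
  <script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example-analytics.test/tag.js" integrity="sha384-AAAA"></script>
  <script>console.log("inline");</script>
</head><body></body></html>`;

// Hosts to flag. polyfill.io is named in the article; anything else a team
// adds here would come from its own SBOM or vendor review (assumption).
const WATCH_LIST = ["polyfill.io"];

// Return every script tag that has a src attribute, with its resolved host,
// whether it is external to the page origin, and whether it carries SRI.
function inventoryScripts(html, pageUrl = "https://www.example.test/") {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const pageHost = new URL(pageUrl).host;
  const results = [];
  for (const m of html.matchAll(tagRe)) {
    const tag = m[0];
    const src = m[1];
    let host = null;
    try {
      host = new URL(src, pageUrl).host; // resolves relative paths against the page
    } catch {
      host = null; // unparsable src: keep the entry but leave host unset
    }
    results.push({
      src,
      host,
      external: host !== null && host !== pageHost,
      hasIntegrity: /\bintegrity\s*=/i.test(tag),
    });
  }
  return results;
}

// True when host equals the watched domain or is a subdomain of it
// ("notpolyfill.io" must not match "polyfill.io").
function hostMatches(host, watched) {
  return host === watched || host.endsWith("." + watched);
}

// External scripts whose host is on the watch list: these are the ones the
// article says to remove.
function flagWatchedScripts(html, watchList = WATCH_LIST, pageUrl) {
  return inventoryScripts(html, pageUrl).filter(
    (s) => s.external && watchList.some((w) => hostMatches(s.host, w))
  );
}

// External scripts with no Subresource Integrity attribute: a separate
// finding. SRI cannot pin a resource whose content varies per request, which
// is why the article's remediation for polyfill.io is removal, not a hash.
function externalScriptsWithoutIntegrity(html, pageUrl) {
  return inventoryScripts(html, pageUrl).filter((s) => s.external && !s.hasIntegrity);
}

// Human-readable summary; returned as lines so callers can log or store it.
function report(html, watchList = WATCH_LIST, pageUrl) {
  const lines = [];
  for (const s of flagWatchedScripts(html, watchList, pageUrl)) {
    lines.push(`REMOVE  ${s.host}  ${s.src}`);
  }
  for (const s of externalScriptsWithoutIntegrity(html, pageUrl)) {
    lines.push(`NO-SRI  ${s.host}  ${s.src}`);
  }
  return lines;
}

console.log(report(SAMPLE_HTML).join("\n"));
```

Running the script against the constructed page prints one `REMOVE` line for the polyfill.io tag and one `NO-SRI` line for the same tag; the analytics script is listed by the inventory but not flagged because it carries an integrity attribute and its host is not on the watch list. To use it on a real site, pass fetched HTML and the site's own URL to `report()` and extend `WATCH_LIST` from the SBOM review the article recommends.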

EU and UK regulatory compliance for critical third parties: Critical third parties in financial services have moved under the microscope of regulatory agencies, particularly with the EU’s Digital Operational Resilience Act (DORA) and with proposed regulations in the UK. Although there is some overlap, there are also key differences. For example, while the EU mostly focuses on critical technology providers, the UK has focused on all critical third parties. Some of the key similarities for critical third parties in the two regulations include governance, risk management, supply chain risk management, and resilience testing. Critical third parties should begin preparing for compliance now and collaborate with their financial services clients.

Former third-party employee accesses sensitive records, causing a security incident: Millions of records were potentially compromised at a healthcare organization due to a third-party security incident. A former employee at the third party accessed records after they were fired and made copies. After discovering the incident, the third party permanently disconnected the former employee’s access. Although sensitive data was stolen, it didn’t include insurance information, credit card or bank account numbers, or Social Security numbers. This is at least the second similar incident the third party has experienced where a former employee accessed records.

Navigating third-party sanctions: It's essential to ensure a third party you plan on doing business with isn’t sanctioned. However, that process can be difficult. A risk-based approach is a helpful starting point: although a basic check on low-risk vendors can be useful, organizations should focus on higher-risk vendors. To verify that you have the correct entity or person, it’s helpful to have secondary identifiers, such as a business address. If a third party has been sanctioned before but is no longer on the list, your organization should be aware of the remaining risks, such as operational and reputational risks.

AMD is impacted by third-party data breach: A third-party data breach caused internal AMD data to be posted on a hacking forum. It’s unclear what the extent of the breach was, although AMD said it didn’t expect a material business impact. In a statement, AMD pointed to an unnamed third-party vendor as the cause and said a limited amount of information was stolen, mostly relating to production materials.

Failed prepaid card vendor monitoring found in Georgia audit: An audit found that Georgia’s Department of Human Services and Department of Labor need to improve prepaid card vendor monitoring. According to the audit, neither department ensured the vendors’ performance met contractual expectations. Data that was used to monitor the vendors also sometimes failed to align with what was stated in the contract. 

Regulatory agency proposes revised recovery planning guidelines: The Office of the Comptroller of the Currency (OCC) has proposed changes for its recovery planning guidelines for large banks. This includes extending the definition of large banks to include those with at least $100 billion in assets, incorporating a recovery plan testing standard and clarifying the role of non-financial risks in recovery planning. In the proposal, the OCC also states that recovery plans should describe interdependencies on critical third parties.

Mitigating third-party AI risks: As artificial intelligence (AI) regulations have continued to evolve, it’s important not to overlook third parties. Organizations should expect to be held responsible for how their third parties use AI. To mitigate the risks, identify which third parties use AI and how they use it. Consider which third parties use sensitive data for AI and their level of transparency. Organizations should implement continuous monitoring strategies for AI usage. 
