Reading up on the latest vendor management news can only help your third-party risk management program. We're here to make it easier than ever! Below we've listed articles that we recommend checking out.
Recently Added Articles as of June 24
The SEC has been keeping busy as it continues to deal with the SolarWinds data breach. There’s also an important warning about a Wi-Fi network that iPhone users won’t want to miss. This week also brings new headlines on healthcare-specific data breaches, and Colorado is closer to enacting privacy legislation. We learn that supply chain leaders should be aware of potential regulatory changes, and we see an interesting article on how social media and misinformation are becoming a national security concern. Read on to discover what made headlines this week.
SEC takes focus on SolarWinds disclosures: The effects of the SolarWinds breach are far from over as the SEC is now investigating whether some companies failed to disclose that they've been victims of the attack. They’re also looking at the victims’ roles in the attack and whether it was caused by internal control issues. The SEC will be assessing policies at certain companies to determine if they’re designed to protect customer data. There are currently laws in place regarding cyber breach disclosures, but disclosure failures are still a new enforcement area for the SEC. It’s suggested that the SEC will create future policies regarding cybersecurity issues and the impact on markets and investors.
An Ohio Medicaid third-party data manager suffers a breach: Ohio Medicaid is just one of the latest victims of data breaches aimed at healthcare providers. It reported that its third-party data manager, Maximus, recently discovered a cybersecurity incident that may have exposed the personally identifiable information of providers, such as social security numbers and addresses. Medicaid participants weren’t affected by the breach and there wasn’t any sign that the data was misused. Maximus stated that providers who were affected will receive two years of credit monitoring services. Other recent healthcare data breaches affected CaptureRX and a Georgia fertility clinic.
This wireless network will disable your iPhone’s Wi-Fi: iPhone users are being warned not to connect to a Wi-Fi network that goes by the name %p%s%s%s%s%n. This unusually named network will permanently disable an iPhone’s Wi-Fi capabilities, even after rebooting and changing the network’s name. Bad actors can potentially exploit this bug by creating fraudulent Wi-Fi hotspots in order to break into a device’s wireless network features. The issue doesn’t apply to Android devices, and affected iPhone users will need to reset their iOS network settings by taking the following steps: Settings > General > Reset > Reset Network Settings, then confirm the action.
CVS Health data breach exposes 1 billion records: An unnamed third-party vendor was responsible for accidentally posting over 1 billion CVS Health search records online. An independent cybersecurity researcher discovered the breach and quickly notified CVS, which was able to remove the database the same day. The records contained search results from CVS.com and CVSHealth.com. Luckily, most of the data didn’t contain customer information, apart from some email addresses. The database wasn’t protected with a password, and the configuration settings could have potentially been used for phishing attacks. It’s unknown exactly how many customers were impacted since the researcher didn’t download the entire database.
FBI uses a private encryption key to recover Colonial Pipeline ransom: The Department of Justice may have successfully recovered most of the bitcoins involved in the Colonial Pipeline ransomware attack, but many are wondering how this impressive feat was done. It’s unlikely that the FBI will provide the details of how it obtained the private key for the bitcoin address. However, there are a few theories. It’s possible that the FBI was tipped off by someone involved in the attack, or it could’ve simply been the result of carelessness by the attackers. The FBI stated that it had been investigating the hacking group, DarkSide, since last year, so it may have gained access to the group's communications. Another theory is that the FBI received assistance from the cryptocurrency exchange where the bitcoin was active. Or, maybe the FBI simply hacked the key on its own. Carelessness on the hackers' part is the likeliest explanation, to the relief of the DOJ and FBI, which can likely use this knowledge and experience in other cases.
A comparison between Colorado and Virginia’s privacy acts: Colorado may soon join California and Virginia in approving a comprehensive data privacy act. The Colorado Privacy Act (CPA) will likely be signed by Governor Polis, and businesses are now determining how this will affect their privacy programs. The CPA closely mirrors the Virginia Consumer Data Protection Act (VCDPA), except for a few areas regarding consent and data collection. Data minimization under the VCDPA extends only to collection, while under the CPA businesses may collect only the minimum data necessary. Also, the VCDPA requires consent for special category processing but grants no express right to withdraw consent regarding sensitive information; the CPA doesn’t specify this condition.
Regulatory changes for supply chain leaders: This year has seen executive orders on U.S. supply chains, climate change and the pandemic, which will likely lead to an increase in financial and compliance disclosures. Supply chain risk leaders can prepare for new regulations by understanding some of the weaknesses that were exposed because of the pandemic and understanding the new administration’s priorities. COVID-19 showed that traditional periodic risk assessments and a narrow focus on financial health and contract compliance are no longer sufficient for a rapidly changing risk environment. The pandemic also revealed that most companies lacked visibility into their supply chain. Biden’s executive order on U.S. supply chains prioritizes resiliency, diversity and security. Climate-related risks have also been a high priority, as outlined in the Executive Order on Climate Change. Policymaking, the budget process, contracting and procurement will all see climate change initiatives, which will apply across every sector. Supply chain professionals should begin environmental initiatives within their organizations to get a head start on new regulations that will increase financial statement disclosure requirements. Visibility and continuous risk management will be vital to prepare for these changes.
SEC reaches a settlement with a mortgage lender over a cybersecurity breach: Mortgage lender First American Financial Corp. has agreed to pay a $487,616 fine stemming from a 2019 data breach that exposed a whopping 800 million document images dating back to 2003. The SEC issued a press release detailing the ways in which First American failed to properly respond to the breach, despite releasing a public statement on the same day it was notified of the event. The company’s senior management wasn’t notified of a vulnerability that was identified several months prior to the breach and they failed to maintain adequate disclosure controls. This settlement should serve as an important reminder that data breach disclosures and vulnerabilities need to be extended to senior management and investors.
Carnival Cruise Line suffers a data breach: The world may be opening back up, to the delight of many travelers, but cruise lovers should take extra precautions after Carnival Corp. discovered a data breach that exposed social security and passport numbers. An independent investigation found that the breach was caused by third-party access to its IT systems, but there is a “low likelihood” that the data is being misused. In addition to this data breach, Carnival was the victim of two ransomware attacks, in August and December of 2020.
Social media and fake news elevate reputational risk: As we’ve seen this past year, misinformation from social media has extended beyond political campaigns and has affected more important issues like public health. Some are even urging the Biden Administration to create a task force dedicated to disinformation, calling it a national security concern. Social media can be especially problematic in spreading misinformation because many individuals use it as their primary source of information. This can evolve into reputational risk for many organizations when social media users are quick to share information that may not be true. While it’s not possible to control the actions of outside users, organizations can do their part in mitigating this risk by implementing a strong social media use policy for their employees and educating them on the risks of disinformation.
Hacking attempt on California water supply: A water treatment plant in San Francisco narrowly escaped a hacking attempt that would’ve tampered with the safety of its drinking water. The username and password of a former employee were used to access a TeamViewer account, which allows remote access. The hacker logged into the system and deleted several programs that are used to treat drinking water. While this incident isn’t exactly an attempted poisoning, a similar event occurred in Florida where a hacker tried to add dangerous levels of sodium hydroxide at a water treatment plant. Luckily, both treatment facilities emphasized the difficulty of tampering with an area’s water supply to the point of harming the population.
The basics of third-party data breaches: Third-party data breaches have affected 51% of businesses, according to a report by Ponemon Institute. The consequences of these incidents can include financial losses, legal battles, damaged reputations and, of course, the exposure of sensitive data like customer information or intellectual property. There are a few best practices that organizations should follow to help protect against these threats. First, make sure to thoroughly analyze your vendor’s cybersecurity risk prior to onboarding. Another important step is to limit the vendor’s access to data, giving them the least amount of access necessary. Ongoing monitoring of your vendor’s cybersecurity practices will also ensure that they’re taking the proper precautions against new hacking techniques. And, don’t forget to train your employees in cybersecurity awareness so they understand the consequences of sharing sensitive data with outsiders.
EU legislation puts iPhone security at risk, says Apple: The EU’s proposed Digital Markets Act (DMA) would allow iPhone users to install apps from sources other than the App Store, much to Apple’s annoyance. This method of “sideloading” would essentially destroy an iPhone’s security, according to Apple, although it should also be mentioned that Apple would potentially miss out on its 30% cut of App Store purchases if this legislation were to pass. Apple has repeatedly stated that its method of keeping data local is effective at protecting privacy and that there’s little need for an alternative method that doesn’t require an Apple ID.
How to make remote access less appealing to hackers: Remote working is likely here to stay for many workers, so it’s important to stay informed of some best practices to protect yourself against hackers. Keep in mind that credentials are essentially the most valuable tool for attackers. Obtaining legitimate user access allows them to move around a corporate network without being detected and therefore disguises any risky activities. Implementing a centralized system for visibility and control allows you to see who’s accessing your data and how sensitive that data is. Multi-factor authentication is another good practice to have in place, and it's surprisingly not yet widely adopted. Having standard security policies for both your organization and its third parties is another way to protect against cyberattacks. Role-based access ensures that users don’t have any more access than absolutely necessary, and post-connect threat monitoring will allow you to identify an attacker based on their activities and objectives.
“Anom” messaging platform catches over 800 criminals: More details are emerging in the Anom sting carried out by the FBI and other international law enforcement agencies. The encrypted chat service was active for over three years and resulted in a wealth of activity by law enforcement, including hundreds of arrests and seizures of firearms, worldwide currencies and literal tons of drugs. The operation was particularly impressive as it targeted the entire underworld of criminals rather than a small group of individuals. However, cybercriminals will eventually find an alternative and may be led to legitimate encrypted chat services, where they can operate alongside innocent users.
Recently Added Articles as of June 17
This week’s headlines cover a variety of topics including climate change reporting, a Fannie Mae announcement for third-party vendors and cyberattacks on McDonald’s and Volkswagen. Big tech is also facing international compliance issues in India. Read on to discover what else is making news in cybersecurity, risk management and healthcare.
Debate continues around mandatory environmental reporting: The SEC’s efforts to pursue mandatory climate disclosures are drawing a lot of feedback from both sides of the political spectrum. Republican lawmakers want to shift the focus to climate change legislation instead of regulation, while Democratic lawmakers are in favor of mandatory rules regarding greenhouse gas emissions disclosures. However, a big request on these mandatory rules is to keep the climate reporting separate from earnings and other disclosures. Climate disclosure has been a priority for SEC Chairman Gary Gensler and will likely move on to rulemaking in the second half of this year.
Data supply chain contains ethical risks: Many organizations may already be familiar with the ethical risks they need to monitor within their physical supply chains. Things like forced labor, environmental impact and fraud are just some of the risks found in physical supply chains. But what about data supply chains? These are often overlooked, but it’s important to apply the same standards to both physical and data supply chains. There are four components to consider within a data supply chain: collection; management and use; sharing; and retention and disposal. Neglecting these factors can put you at risk of legal, reputational and market loss. An example of data supply chain risk is merging data that was sourced both ethically and unethically for use in a marketing strategy. It’s recommended that businesses employ a strong and constantly improving framework to manage these ethical risks within their data supply chain.
Vulnerability in VMware software prompts warning from OCR: Cybercriminals are attempting to exploit a critical vulnerability in VMware software and the Cybersecurity and Infrastructure Security Agency has urged organizations to implement the necessary patches as soon as possible to protect sensitive health information from ransomware attacks. The U.S. Department of Health and Human Services had previously released a factsheet that outlines HIPAA guidance. There are several ways organizations can mitigate the risk of ransomware attacks. Conducting a risk analysis, implementing procedures to detect malicious software, proper training on software protection and limiting access to electronic protected health information (ePHI) are just a few of the best practices listed in this article. Healthcare professionals should also be informed of the HIPAA Security Rule and take the appropriate preventative actions.
Criminals fooled by FBI privacy app: An app that promised privacy and encryption was actually a platform controlled by the FBI to infiltrate organized crime. Anom was created by the FBI and sold on the black market with high profile criminals giving it their approval. Rival communication networks like EncroChat and Sky Global were being shut down by law enforcement, so criminals were moving over to Anom to continue their illicit messaging. So, lesson learned: if you rely on advanced security technology, it may just be the work of the FBI.
Security vendor COO arrested on cyberattack charges: In a surprising twist, the COO for the network security company, Securolytics, has been accused of being involved in the 2018 cyberattack on Gwinnett Medical Center. Vikas Singla was charged with 17 counts of “intentional damage to a protected computer” for his own financial gain. If the attack had succeeded, at least one individual would’ve received compromised care. Targeting critical infrastructure like healthcare can have serious consequences.
Support for Windows 10 to be sunsetted in October 2025: After a 10-year lifecycle, Windows 10 will no longer receive support after October 14, 2025. This announcement comes just a few weeks before Microsoft is set to unveil a new generation of Windows at a virtual event on June 25th.
Business email compromise campaign disrupted by Microsoft: The Microsoft 365 Defender Research team was able to put a stop to a large-scale business email compromise (BEC) campaign that was stealing sensitive financial data and could potentially bypass multi-factor authentication. The cloud-based infrastructure was also being used to automate operations to find the most valuable victims. BEC methods may be unsophisticated, but they’ve produced record-breaking losses since 2018.
5 billion records exposed by a cybersecurity analytics firm: Cyber analytics firm Cognyte may want to take a look at its own cybersecurity processes after its database was found to be unsecured. The database is, ironically, used to cross-check personal information against known data breaches and was secured by Cognyte three days after it was notified by a security researcher at Comparitech. The report from Comparitech on the data breach can be found here.
Data breach caused by a Volkswagen vendor: A data breach has affected more than 3.3 million customers, according to a notice released by Volkswagen. The customer data went unprotected over a two-year period between August 2019 and May 2021 and included information like names, email addresses and phone numbers. More than 90,000 customers also had more sensitive data exposed, such as loan eligibility information, which included driver’s license numbers, birthdates and social security numbers. The vendor wasn’t identified, and the information was apparently collected for sales and marketing purposes. Volkswagen stated that it was working with external cybersecurity experts to respond to the incident.
CUNA files a letter regarding Model Risk Management Guidance: The Credit Union National Association (CUNA) addressed some concerns about Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance in a recent letter to the Financial Crimes Enforcement Network (FinCEN). Part of their statement included comments about their third-party systems’ compliance requirements, despite credit unions not being directly governed by the Model Risk Management Guidance (MRMG). CUNA stated that the agencies’ expectations should be correlated to the individual risk of the institution, which will help to avoid inflated costs.
“Digital colonialism” causes rift between India and tech companies: Indian politicians and technology professionals are growing increasingly weary of “Silicon Valley bros” who are delaying their compliance efforts. Twitter is facing some criticism after asking for another three-month extension to comply with India’s new IT rules that went into effect on May 25th. However, many tech companies have turned the focus to the apparent censorship that occurs under India’s laws, with Facebook-owned WhatsApp going so far as to sue the Indian government. India’s IT minister, Ravi Shankar Prasad, has accused tech companies of having a double standard when complying with India's regulations as opposed to laws in Australia, Canada and England. The reality is, if tech companies want to capitalize on the massive market in India, they’ll need to find a way to comply with its regulations.
Hackers target EA games through Slack: Hackers were able to steal data from game publishing company Electronic Arts by tricking an employee over the communication platform Slack. A representative for the hacking group was quite forthcoming in explaining how it all went down. The hackers had purchased stolen cookies that were being sold online for $10 and used them to gain access to an EA Slack channel. Once they were inside the chat, they messaged IT Support and said that they lost their phone at a party and requested a multi-factor authentication (MFA) token to gain access into the corporate network. MFA is an important component of a cybersecurity program, as long as it’s used correctly!
Hackers target McDonald’s in U.S., South Korea and Taiwan: It seems as though cybercriminals will attack anything and everything these days. McDonald’s external consultants investigated the unauthorized activity and discovered that there had been a data breach affecting three separate markets. U.S. restaurant information like square footage was included in the breach, while South Korea and Taiwan were a little unluckier, with the exposure of some customer and employee data.
Mortgage lenders are now free to verify income using third-party vendors: Mortgage servicers are breathing a sigh of relief thanks to Fannie Mae’s recent decision to allow the use of third-party digital vendors to verify income information. The announcement was made on June 9th saying mortgage servicers can implement the changes right away. Servicers need to obtain legal authorization to use a third-party vendor and will be responsible for the security of the information they receive. As mortgages begin to come out of forbearance after the pandemic, servicers have had a backlog of borrower requests so this new flexibility with third-party vendors is expected to be a welcome relief. Firms that provide digital verification services have noted that this method can drastically cut down the process from weeks to less than 30 minutes.
Second attempt for Small Business Credit Protection Act: Four senators have reintroduced the Small Business Credit Protection Act which aims to provide more transparency around credit bureau data breaches. The legislation would give credit bureaus 30 days to notify small businesses of a nonpublic personal information data breach, while also prohibiting them from charging the small businesses for a credit report following a breach. As a result of the 2017 Equifax data breach, the Fair Credit Reporting Act was amended to enhance federal credit protections for “consumers” but didn’t include business credit in this definition. A one-page summary of the bill can be found here.
Complaint alleges misleading ESG claims by Coca-Cola: Non-profit environmental organization Earth Island Institute is claiming that Coca-Cola has misled the public about its sustainability efforts. Coke is apparently the world leader in plastic waste and has failed to create an effective recycling strategy. The complaint doesn’t accuse Coke of any environmental violations and instead takes aim at its actions under the Consumer Protection Procedures Act. It’ll be interesting to see how this example of environmental, social and governance (ESG) regulation plays out.
A different strategy to avoid ransomware: Organizations may be taking the wrong approach to preventing ransomware attacks, according to Gartner senior director research analyst Barika L. Pace. She suggests that the real issue is within the system itself and with the Original Equipment Manufacturers (OEMs) that build the devices. In the rush to produce digital products, many OEM providers failed to create secure products. There are a few suggestions that organizations can take when it comes to their OEM relationships. First, it’s important to understand the OEM provider’s strategy for securing product management throughout the product's lifecycle. There should also be a focus on integrating digital security across IT, data, product and operations technology. It’s also important to look at supplier risk and update old vendor risk policies that are no longer appropriate for OEMs that have become more digital. Organizations should also be more proactive in their security efforts, rather than static or reactive.
Comparing the leading EHR vendors: Health IT will continue to grow and transform within the healthcare industry, so it’s worth looking at how the top four EHR vendors compare to each other. The following four vendors were outlined by the new KLAS reports. Epic Systems tops the list with an overall loyalty grade of A. Customers were satisfied with its EHR implementation and interoperability with health IT. Some of the downsides include high up-front cost and little built-in expertise in cardiology, oncology, behavioral health and Cogito solutions. A more affordable option is Meditech, which comes in at number two. However, the lack of proof points for non-core functionality is a drawback for some. Cerner comes in at number three and is often chosen by smaller organizations due to its scalable clinical system, and Allscripts is the number four choice, with a platform that offers fully integrated and highly customizable solutions.
Insurance companies promote health apps over ER: As we emerge into a post-pandemic world, ER visits will steadily rise, but many payers are beginning to recommend alternatives, such as mHealth and Telehealth. Payers have also been trying to develop standards and methods for determining what does and doesn’t qualify as an emergency to avoid unnecessary and costly ER visits. This effort has traditionally been met with scrutiny and even lawsuits, as medical professionals are concerned it will delay or hinder patients in getting timely medical attention when needed.
Texas breach notifications are now available to the public: Texas lawmakers have amended the state's breach notification law, which will now require the Attorney General’s office to publicly display a webpage that details every data breach it received over the past year. House Bill 3746 also requires that the notice disclose the number of affected residents who were notified of the breach. The attorney general must update the listing no later than 30 days after being made aware of the breach.
Strong security needs more than MFA: Attackers are adapting to multi-factor authentication (MFA) requirements, making them less effective when used alone. Organizations must ensure that their MFA infrastructure doesn’t have the same weaknesses that were exploited in notable attacks like SolarWinds. Another flaw is the use of MFA with SSO portals and a lack of zero trust architecture. Onboarding new users can also be a weakness when done in an insecure way, with only a four-digit PIN being used for protection. It’s recommended that organizations audit their MFA infrastructure, which will help identify potential vulnerabilities.
Colonial Pipeline hackers used a single password: More details have emerged in the aftermath of the Colonial Pipeline cyberattack. CEO Joseph Blount told U.S. senators that hackers were able to gain access through a legacy VPN that only required one password, or single-factor authentication. He did, however, emphasize that this was a “complicated password” rather than an easy-to-guess “Colonial123-type password.” The senate hearing also revealed that Colonial didn’t have a plan to prevent a ransomware attack but had invested over $200 million over the last five years in its IT systems, which includes cybersecurity. The Justice Department has so far recovered about 60 of the 75 bitcoin that were paid to the hackers.
Brazil’s privacy law makes progress: The Brazilian Data Protection Law (LGPD) seems to be making progress six months after it became effective. The LGPD prompted the creation of a national data protection agency (ANPD), which is meant to regulate some parts of the law. Earlier this year, the ANPD revealed its biannual regulatory agenda, which outlines ten priority topics including internal regulations, strategic planning, data and privacy protection and rights of data subjects. Companies will now be limited in their ability to transfer personal data outside of Brazil under the LGPD, and the law will also require compliance by most companies located outside Brazil that have customers or employees in the country. The LGPD also contains details of breach incident reporting, which is to be the responsibility of the “Controller,” a role that can be given to the HQ.
Patients with chronic disease and cancer to be helped by AI: The University of Pittsburgh Schools of the Health Sciences (UPMC) recently launched Realyze Intelligence which will use natural language processing and artificial intelligence to determine optimal treatment plans for patients living with cancer or chronic diseases. The platform will use EHR data to select patients with specific conditions who are at higher risk for negative outcomes, which will allow doctors to prioritize those individuals who need more urgent care. Natural language processing is especially useful to process and streamline unstructured data.
Recently Added Articles as of June 10
There’s no shortage of interesting articles for you to read this week. The Department of Justice scored a win against the DarkSide attackers, but ransomware continues to be a growing concern, with the White House issuing an open letter to business leaders. The lessons learned from supply chain attacks also continue to make headlines and compliance professionals will be interested to learn about a proposed framework for regulatory action. Read on to see what’s trending this week in the world of third-party risk management.
Lawsuit filed against Humana and its vendor, Cotiviti, after a breach: Humana and its vendor, Cotiviti, are now facing a lawsuit after a 2020 incident that released personal data including patient names, dates of birth, social security numbers, insurance identification numbers, medical record numbers, medical images and treatments. Cotiviti provides data verification and reporting services to Humana, but the breach was caused by a Cotiviti subcontractor called Visionary Medical Records (VMR), which is used to review and collect records. A VMR employee posted the information during a faulty training incident, which highlights the importance of fourth-party vendor standards and due diligence.
Six zero-days in recent Microsoft Patch Tuesday: This week’s Patch Tuesday saw Microsoft deploying patches for 50 vulnerabilities, including vulnerabilities in Windows, Office, Edge and SharePoint Server. Some of the notable patches were for critical zero-day CVE-2021-33742, a remote code execution bug, and CVE-2021-31199 and CVE-2021-31201, two other zero-days affecting the Microsoft Enhanced Cryptographic Provider. The full list can be found here.
Colonial Pipeline attack was caused by a legacy VPN account: Colonial Pipeline's CEO revealed that the ransomware attack was caused by a stolen password for an old VPN account that used single-factor authentication. He stated that they’re still trying to discover how the attackers were able to obtain the VPN account credentials. As a result, the legacy VPN profile has been shut down and they have implemented additional layers of protection.
DoJ recovers most of Colonial ransom from DarkSide: It was revealed that the Colonial Pipeline CEO authorized a payment of $4.3 million (approximately 75 bitcoins) shortly after the attack. Now, 63.7 bitcoins have been recovered so far. The incident prompted a mandate from the Department of Homeland Security which will require pipeline companies to report a cyberattack within hours after discovery.
AWS and Google Cloud attacked by TeamTNT: Hacking group TeamTNT has reportedly been using compromised AWS credentials to attack AWS apps and Google Cloud. Identity and access management (IAM) permissions and Elastic Compute Cloud (EC2) instances are just a couple of the items that the threat actors can identify. This attack again highlights the importance of adequate cloud security, as this was the first time hackers targeted IAM credentials on cloud servers outside of AWS. In other words, offloading storage to a cloud provider doesn’t mean that you’re offloading the security too.
Weekly update of state privacy legislation: Lawmakers continue to write, vote and pass (or fail) CCPA-like legislation, with bills in 26 states. This 2021 State Privacy Law Tracker is a great resource to keep updated with the ever-changing landscape of privacy legislation. Two of the newest updates include Nevada’s SB260, which passed on June 2 and will extend opt-out rights, and Colorado’s Privacy Act, which was passed in the Colorado House on June 7 and will now return to the Senate.
Compliance professionals see proposed framework for enforcement actions: The New York City Bar Association recently revealed a proposed framework that aims to provide guidance for regulators to pursue actions against financial compliance officers. There’s been an increase in the importance of personal responsibility within enforcement duties and the proposed framework would ask regulators to evaluate 12 affirmative factors and 3 mitigating factors to determine whether to charge an officer. The questions range from good-faith efforts to whether the action was an active participation in fraud or obstruction.
Contract compliance needed to prevent “quasi-new agreement”: Georgia landlords will now need to be a little more strict with collecting rent on time. A recent decision from the Georgia Court of Appeals sided with a subtenant who was being sued for unpaid rent over a 16-month period. The Hatchett Firm, P.C. argued that Atlanta Life Financial Group, Inc. had accepted partial rent payments over 10 months, and no rent at all for the past six months, which effectively created a “quasi-new agreement” that overruled the original sublease. In this case, the sublessor neglected to give reasonable notice to the subtenant, which should have clearly stated the agreement requirements after the late payment was accepted. This should serve as a reminder to continually monitor and audit your contracts, or you may be giving your vendors or customers a free pass to operate under a new agreement.
Lessons learned from the meatpacker cyberattack: The Memorial Day attack on meatpacker JBS may have instilled some fear over meat shortages, but luckily their systems are back up and running. The U.S. meat supply seems to be safe for now, but it still raises some concerns on the government’s ability to protect multi-national companies. While JBS is based in Brazil, the U.S. has some jurisdiction over domestic operations. There are some basic cybersecurity principles that any organization can apply to help protect against cyberattacks such as using a “Zero Trust Design” and monitoring network endpoints to identify unauthorized changes or access to the network.
The Fed strays from making a climate change policy: Despite joining the Network for Greening the Financial System, the Federal Reserve isn't responsible for a climate change policy, according to chairman Jerome Powell. His recent statements made it clear that climate change isn't a consideration when they’re making monetary policy and should instead be the responsibility of elected officials. The Fed had recently faced criticism from Congressional Republicans that climate issues are outside of their mandates of maximizing employment and stabilizing prices, so these remarks may have been intended to confirm the Fed’s limited involvement.
Developers warn against third-party code reviews: The cybersecurity Executive Order continues to be scrutinized for potential issues. The possibility of third-party code testing requirements for government contractors is facing some pushback from developers who say it would be overly intrusive and wouldn’t provide much benefit. Source code testing is essentially a “snapshot in time” and isn’t a very effective approach to ensure software security. There’s also the concern that if the U.S. sets this type of mandate, other countries could follow, with some governments using it for more harm than good. Security experts believe that other sections in the Executive Order will have more of an impact on safeguarding against cybersecurity issues. Automated remediation tooling, secure software development environments and vulnerability disclosure requirements are likely better strategies for cybersecurity.
Cyber insurers face growing concern: Credit rating agency AM Best had some troubling words for the cyber insurance industry, because of a risk environment that only continues to get worse. They issued a strong recommendation to “reassess all aspects of their cyber risk” so that they can continue to partner with organizations who want to protect against cyberattacks. A report from AM Best revealed some troubling statistics, most notably an increase in the loss ratio for cyber insurance, which jumped to 67.8% in 2020. The cyber insurance industry also faces challenges which include limitations around data availability after an event and the lack of organizations’ awareness of cybersecurity risks. The report also noted a shift in hacking methods from stolen identities (a third-party loss) to ransomware (a first-party risk).
Ransomware challenges are compared to 9/11 by the FBI director: In a somewhat alarming statement, FBI director Christopher Wray described the parallels between ransomware attacks and the 9/11 terrorist attacks. He sees the similarities in the disruption, prevention and shared responsibility among the government and private sector. The Biden Administration is gradually taking the same outlook with the belief that ransomware attacks are some of the most severe threats to national security. The recent attacks on JBS and Colonial Pipeline demonstrated our inability to prevent them and how they can affect the average American. The Justice Department will be using anti-terrorism protocols for ransomware attacks and the White House released an open letter for business leaders which advises how to protect against these types of threats.
Critical infrastructure becomes new target for hackers: 2021 has already seen an alarming 102% increase in ransomware attacks compared to the first half of 2020. The US government is increasing its efforts against these attacks, but experts warn that they also need the cooperation and investment of the private sector. As many of us have seen, attacks on critical infrastructure, like Colonial Pipeline, can have a huge impact on everyday life. Many of the industries that are considered critical, such as energy, water, food and agriculture, aren't considered tech companies, so their systems are often less sophisticated and therefore more prone to attack. The consensus is that organizations need to update their software and identify any gaps within their systems. Applying patches and keeping vital functions offline are also easy strategies.
Strategy and visibility are key for supply chain resiliency: The supply chain issues stemming from the pandemic and cyberattacks have highlighted the importance of the corporate role of procurement which has expanded into other areas like risk management, corporate citizenship, ESG and innovation. Organizations who had a more diverse and sophisticated supply chain strategy were able to more easily pivot when disruptions arose. Cloud-based platforms have also been important to enable transparency and reinforce better communication between departments.
Harbor Regional Health data breach is caused by a compliance vendor: Compliance vendor CaptureRX notified Harbor Regional Health (HRH) of a data breach which resulted in unauthorized access and acquisition of patient files. Fortunately, CaptureRX had security practices in place to detect the incident and set out to assist HRH with the appropriate patient notifications. HRH also confirmed they'll review their own safety protocols to protect personal information within their system.
Contractors now defined in the CPRA: The details are still being ironed out in the California Privacy Rights Act (CPRA) which goes into effect January 1, 2023. The term “contractors” has been added to the list of entities who may be entrusted with consumer data. Within the CPRA, a contractor refers to a person who is made available to receive a consumer’s personal information for a business purpose and because of a written contract. The definition is similar to the CCPA’s classification of a person who isn’t considered a third party. A contractor will still be required to verify their understanding and compliance with contractual restrictions. One key difference is that the CPRA clarifies that a contractor isn’t the recipient of a “sale” or “sharing” of personal information.
Effective controls can help manage sanction related risks: The April 29th settlement between MoneyGram and the Office of Foreign Assets Control (OFAC) prompted an enforcement release which reminded financial service providers of the importance of understanding sanctions risk. MoneyGram was able to settle for $34,328.78 after their voluntary self-disclosure of violations between March 2013 and April 2016 in which they processed transactions on behalf of persons listed on the Specially Designated Nationals and Blocked Persons List (SDN List). These violations were caused by both technological failures and human errors. As a result, MoneyGram implemented key remediation controls including additional employee training, a stronger screening system and appointing a new Chief Compliance Officer.
Don’t let budgets be the downfall of your compliance strategy: Despite the increasing risk of third-party issues like data breaches or corrupt practices, few organizations are adequately budgeting to protect against them. Mid-size firms may be growing their third-party environment, but their compliance practices are stagnant. Hastily prepared compliance budgets could mean crucial gaps in the program which are costly to repair. For example, you may include the right to audit in your vendor contract but lack the budget to perform those audits. This could land you in hot water with enforcement agencies. The key concept to remember is that your budget needs to be allocated to both the setup and maintenance of compliance including training, ongoing monitoring, due diligence, auditing and investigations. This article includes some guidelines on how to budget for these areas but it will ultimately vary by organization and industry.
CyberWire briefing covers patch notification delays and third-party risk: Notable articles in this brief include the delay of Accellion FTA patch notifications caused by a vendor and a write-up of the two police departments who were victims of ransomware attacks in California and Pennsylvania. The Swedish Public Health Agency was also attacked by hackers, as was a hospital in Massachusetts.
White House memo provides ransomware guidelines: The White House issued a memo to corporate executives and business leaders, with recommendations to protect against ransomware attacks. It states that all organizations are vulnerable to ransomware, regardless of their size or location. The memo refers back to the five best practices outlined in the Executive Order and provides additional guidelines such as backing up data, updating and patching systems, testing your incident response plan, using a third-party penetration tester and segmenting your networks. With the increase of ransomware attacks, this memo is definitely worth a read.
United States takes control of malware domains: The Department of Justice has successfully seized control of two domains that were most notably used in the SolarWinds attack, but warned about the possibility of backdoor access which may have been implemented before the seizure. The two domains are identified as theyardservice[.]com and worldhomeoutlet[.]com. A recent campaign used Constant Contact to send phishing emails to approximately 3,000 users which used an embedded hyperlink to gain access to the user’s machine. The attackers also changed tactics several times during the campaign, which highlights the risk posed to government agencies, private businesses and individuals.
Top 5 cybersecurity trends in 2021: There are 5 particular trends within security information and event management (SIEM) technology, as noted by the Gartner Magic Quadrant. The first trend is a focus on risk-based alerts. SIEMs will need to improve on detection and response to targeted attacks to avoid false positives and “alert fatigue.” The second trend is the prioritization of cloud security, with out-of-the-box monitoring content for easier detection of threats across multiple environments. The next trend follows cloud security with out-of-the-box compliance monitoring. This will allow organizations to pass audits quickly. The next trend is a variety of deployment methods which can accommodate existing infrastructure. Physical, virtual and private or public cloud deployments may all be used. The last trend involves threat visibility from code to cloud.
Recently Added Articles as of June 3
As we begin a new month, we see another headline on a significant supply chain attack and some insight on why these types of cyberattacks will continue to rise. There’s also a bit of independent regulatory news from the non-profit regulator, NFA, and some guidance on third-party remote access risks. Take a look to see what’s trending this week in third-party risk.
David Ye appointed new OCC Chief Risk Officer: The OCC is welcoming a new Chief Risk Officer after the resignation of John “J.J.” Fennell who leaves on July 2nd. David Ye brings over 20 years of leadership experience to this role, in which he’ll be responsible for implementing the OCC’s risk management strategy. Other duties will likely include overseeing the OCC's Model Validation and Enterprise Risk Management departments, Business Continuity and Disaster Recovery and Vendor Risk Management.
Third-party risk management requires diversified efforts: Supply chain issues over the past year have proven the importance of a more diversified third-party risk management program. No longer is it sufficient to simply focus on vendor IT risks, a mistake that many organizations make. Supply chain resilience and environmental and social governance policies are also important considerations. Organizations should take a more holistic approach among different departments that interact with vendors in their own ways. It’s also crucial that organizations are more proactive in their ongoing monitoring of their vendors. A common mistake is to assess risk at the beginning of the relationship and forgo any concern for emerging risks. Procure-to-pay risk management and one-time data collection is no longer sufficient in today’s business environment.
Meat supplier faces ransomware attack: The latest attack on meat processor JBS USA Holdings proves once again that no industry is immune to the devious actions of cybercriminals. The FBI has even gotten involved to investigate the ransom demand that likely came out of Russia. The company’s Australian operations were shut down after the attack on its servers that support its IT systems. Cyber risk experts note that the U.S. doesn’t have any cybersecurity requirements for companies outside of the electric, nuclear and banking industries. While regulation can help, companies should use it as a starting point on how to manage their risk. The White House is still assessing the impact on the country’s meat supply, so we’ll have to wait and see if this prompts another panic buying situation like the Colonial Pipeline incident.
Parking app reveals March data breach: Maryland users of the parking app ParkMobile were notified of a data breach that compromised their encrypted passwords in March. Russian hackers also obtained email addresses, phone numbers, license plate numbers and mailing addresses, but no credit card information. ParkMobile has been used by SP+, which manages parking meters and garages in the Annapolis area. The incident was linked to a vulnerability in a third-party software they use. This should serve as a reminder about the importance of assessing and correcting third-party software vulnerabilities prior to implementation.
Remote access third-party risks to consider: Multiple remote access connections put organizations at a greater risk for data breaches. A recent Ponemon Institute report revealed some concerning stats about third-party risk, most notably that 74% of organizations that suffered a third-party data breach admitted that it was caused by allowing them too much access. Mitigating this type of risk can be narrowed down to a few practical tips. First, you should be aware of which third-party vendors have access to your network and at what level. Second, make sure that your vendors only have the minimal amount of access needed to perform their jobs. This is part of the “zero trust principle.” Third, it’s important to have visibility of your third parties’ level of access to be able to identify who or what is responsible for an incident.
Intro to supply chain attacks: Data and software have long been vulnerable to attacks and breaches, but supply chains are becoming more at risk. Some of the most notorious data breaches in the past several months have been directed towards supply chains, including SolarWinds, Colonial Pipeline and the most recent attack on meat producer JBS Foods. So, how exactly do these supply chain attacks occur? Cybercriminals target a weaker element of the supply chain, with the intent of interfering with the manufacturing process to ultimately control a supplier’s customer networks. This is often done using a rootkit or other type of hardware spying tool. Experts believe that cybercriminals are turning their attention to supply chains because more common areas of attack are becoming better protected. It’s suggested that companies should focus more on the organizational aspect of supply chain attacks, rather than technological ones. In other words, vet your suppliers and make sure they adhere to certain standards.
Ransomware attack targeted California police department: The Azusa Police Department recently revealed that it was a victim of a ransomware attack this past winter. The attack was apparently carried out by the hacking group DoppelPaymer, which gained access to critical data like criminal case files and payroll data. Individuals who provided sensitive information to the police department were also advised to contact credit agencies. Some are accusing the department of downplaying the significance of the attack, which revealed highly sensitive data like surveillance videos, gang activity reports and confidential informants. The investigation is still ongoing, so there are few details about the origins of the attack.
What everyone can learn from the cybersecurity Executive Order: The recent Executive Order might have been drafted to protect the federal government, but all organizations should consider its impact because it will soon be adopted by any regulator. It outlines certain best practices which any organization should view as a baseline for cybersecurity. Establishing an effective third-party risk management program is one of the highlights that needs to be addressed by all organizations. Included in this practice is standardizing vendor requirements around cybersecurity, identifying reporting requirements and the collaboration needed from a vendor in the event of an incident. Organizations should also be proactive in searching for threats and use “zero trust principles” which focus on the factors of account access entitlement.
COVID-19 causes third-party risk incidents in half of organizations: There are some concerning results in Deloitte’s new survey, which received 1,170 responses from 30 countries. Fifty-one percent of responding organizations said they faced one or more third-party risk incidents in response to COVID-19, with 13% of those incidents considered “high impact,” which severely compromised financial performance and profitability and in some cases caused regulation breaches. The survey also found that inadequate investment in third-party risk management prior to COVID-19 caused a higher probability of high impact incidents for 27% of organizations.
Climate risk increases expansion to other risk areas: Credit, market and operational risks are still the leading components of the regulatory realm, but secondary risk types are getting more intensive in their nature. Climate risk especially has been receiving more attention, as it’s a constant topic among global economics, as well as political, social and financial areas. The impact of climate risk extends across both physical and transitional risks as well. There’s the direct effect of climate change (physical risk) and the complexities of making existing infrastructure more green (transitional risk). It’s very likely that climate risk will affect other secondary risk types including political and legal risk, reputational risk and third-party risk. It’s suggested that banks will need to give more attention to their third-party risk management framework to identify vulnerabilities that can impact their business continuity.
New requirements and effective dates from NFA: Members of the National Futures Association (NFA) received two notices regarding effective dates for new regulatory and operational requirements. June 30, 2021, is the effective date for the “CPO Adverse Event Reporting Requirement” which pertains to the notification of market events that can affect a pool’s obligations to participants or result in a pool’s unplanned liquidation. Three months later on September 30th is the effective date for the “Supervision of Outsourcing Regulatory Functions.” These rules involve the requirement of a written supervisory framework that includes details about third-party service providers and their related risks.