June 2022 Vendor Management News


Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of June 30

While most of us are ready for relaxation and to get into “summer” mode, there’s no slowing down in the third-party risk management industry. This week, the OCC published their Semiannual Risk Perspective report, the SEC’s proposed cyber rules are explained further, we learn about a hacker who stole $100 million - which impacted many vendors - and more.

Reasons for professional indemnity insurance: Professional indemnity insurance (PII) is coverage for when a third party claims financial loss, typically due to professional negligence. If an organization is regulated by the Financial Conduct Authority, they’re most likely required to hold PII. Even without a regulatory obligation, if you’re an organization providing advice or services to a third party, PII is a smart business move. There are some ways you can get the best deal on PII, such as considering what is best for your business first. Curious what the other ways are?

Canada’s approach to third-party risk management: Many countries are implementing their own regulatory frameworks, and Canada is the latest with new third-party risk management expectations for the financial industry. Per the new expectations, institutions like banks and insurance firms will be required to have stronger governance and risk management programs. Public comments on the revised guidelines are invited until July 27, 2022.

Understanding the proposed SEC cyber rules: Earlier this year, in February, the Securities and Exchange Commission (SEC) proposed a series of new cybersecurity risk management, reporting and recordkeeping requirements. It’s broken down into two main categories: cybersecurity risk management and incident reporting and disclosure. Looking for a better understanding of the rules? This article breaks it down for you!

Google discovers ISPs are assisting attackers in spreading spyware: Think your iOS or Android device is safe? Might want to think again. Google’s Threat Analysis Group (TAG) discovered a spyware operation is using internet service providers (ISPs) to trick people into downloading malicious apps by making them look like trusted sources. If you fall victim to the scheme, the spyware gains access to your pictures, text messages, location and more. It’s time to stay on high alert! Be careful what you’re downloading.

Mitel VoIP device leveraged in a ransomware attack: An alleged ransomware intrusion attempt, against a target that remains unnamed, leveraged a Mitel VoIP device to gain initial access. The vulnerability used is tracked as CVE-2022-29499. Per the article, "Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device."

Hackers steal $100 million: $100 million in cryptocurrency has been stolen in the latest major heist. The hacker stole the funds from Horizon, a blockchain bridge. Details are still emerging, but the FBI and multiple security firms are investigating. One investor did say there may have been some security concerns with the Horizon bridge as far back as April of 2022.

OCC publishes Semiannual Risk Perspective Report: The Spring 2022 report was just released! Within the report, the Office of the Comptroller of the Currency (OCC) shares key risk themes. Highlighted are operational, compliance, interest rates and credit risks, to name a few. This article shares more highlights from the report to be aware of and Compliance Week shares more insight into why geopolitical tensions have caused elevated operational risks.

Many industrial control system (ICS) vendors impacted by vulnerabilities: 56 vulnerabilities, collectively known as OT:Icefall, impact vendors across 10 operational technology (OT) systems companies. How did this happen? Insecure engineering protocols, weak authentication schemes, insecure firmware update mechanisms and other information-security-related issues. Impacted vendors have begun notifying customers and CISA has published advisories to help make everyone aware.

Business continuity management strategies to implement: The Great Resignation isn’t slowing down. And, it’s not only the U.S. that is affected. Countries like the UK, Australia and France are too. This is why you need a plan in place to address it! Currently, we’re seeing a shift in the job market with more job seekers. Loss of staffing or personnel is considered a staffing crisis. When there is a staffing crisis, business continuity management comes into play and strategies must be implemented as soon as possible.

Managing supply chain risk will result in ESG benefits: Environmental, social and governance (ESG) monitoring and reporting as part of your supply chain management can lead to improved organizational resilience and accountability. According to Deloitte’s 2020 Extended Enterprise Risk Management (EERM) survey, “Organizations are investing in key third-party risk domains, including climate risk (74 percent), environmental risk associated with air pollution and water waste (57 percent), and labor and modern slavery risk (54 percent).” It’s apparent that ESG helps you take control of your supply chain. A great example is provided in the article: being able to track and verify that all of your sourced material, such as timber or metals, comes from sustainable resources is in turn a product differentiator on both the social and environmental fronts. Full transparency into a supply chain decreases risk and improves quality.

Why vendor risk assessment templates are essential: To comply with regulations and follow ethical practices, organizations must assess vendor risk, making vendor risk assessments incredibly important. There are several areas of vendor risk to consider, such as strategic, financial, operational and more. Templates can help you accomplish this, and so can risk assessment tools.

Recently Added Articles as of June 23

Cybersecurity and third-party risk management continue to be top of mind for businesses as data attacks increase and supply chains continue to be impacted daily. Third-party data breaches can have a ripple effect on your own organization, which we see this week in a developing story regarding a third-party breach that impacted many eye care companies. And, IT security teams are working out the known kinks in managing the software supply chain. Read on for more!

Third-party risk management is a top business priority: The Department of Justice (DOJ) has made it clear that sanctions enforcement is a priority for the agency. In a time of heightened risk, especially given the current business environment, this means third-party risk management should be a focus for businesses. And, critical third parties should be undergoing extra due diligence. Not only should you be managing your third-party risk, but your fourth-party risk and beyond, too.

Third-party transactions and cybersecurity risk: According to Gartner, by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements. Also, the study found only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure. Gartner’s prediction? Organizations will begin to require cybersecurity risk be a significant determinant when using a third party for products or services.

CFO opinions needed regarding challenges like cybersecurity and data privacy: This year, the Securities and Exchange Commission (SEC) proposed amendments to its rules on cybersecurity risk management, strategy, governance and incident reporting. With these changes, the expertise from CFOs is more invaluable than ever. Some areas where their input will help are ransomware, cyber insurance, regulatory compliance, internal collaboration, third-party risk management and budgets.

CISA creating guidelines for managing cyber supply chain risks: The Cybersecurity and Infrastructure Security Agency (CISA) is working diligently to create a guide to help agencies manage cyber supply chain risks. The new guide will help them overcome common cyber challenges. Curious what one of the most common challenges is? Securing software provided and managed by vendors.

Third party’s data breach affects many eye care companies: Precision Eye Care is one of the many companies impacted by a data breach that disclosed patients’ names, addresses, birthdates, social security numbers and more. The breach happened as a result of a data breach at the company’s third-party vendor, Eye Care Lenders. Last December, an unauthorized party gained access to Eye Care Lenders’ network, which led to the breach that had a ripple effect. Precision Eye Care has started sending out data breach letters to affected patients. Another reminder why thorough third-party due diligence is so important!

Mitigating ransomware in a remote environment: With the increase in remote work, ransomware has become even more challenging for organizations to avoid as there is a lack of visibility and control. However, there are ways to protect your organization from ransomware. First, have proper data controls in place to protect users. Second, apply the principle of Zero Trust and implement dynamic access controls. Finally, modernize on-premises applications and update cloud access policies.

OneDrive and SharePoint are susceptible to ransomware: Researchers warn that Microsoft Office 365 is vulnerable to ransomware attacks. Essentially, the attack chain can compromise an Office 365 user’s account credentials which leads to gaining account access. Eventually, a data breach occurs as data is accessible. Some ways to make this less likely are to turn on the auto save feature and configure how many versions of a file can be saved in OneDrive and SharePoint. Encrypting previous file versions decreases the chances of successful ransomware. Microsoft’s step-by-step recommendations are further outlined in the article.

Overview of data breach methods: Do you know the various methods of a data breach? There’s hacking, malware, social engineering and more. While there are many methods to be aware of, remember, they all have one thing in common. Each data breach method’s goal is to disrupt an organization’s operations and ability to serve its customers.

Understanding the challenges of securing a software supply chain: Software security has become a national priority. With the increased use of third-party platforms and services, IT security teams are determining how to best address the challenges posed. They do know security must consider physical supply chains, software supply chains and outsourcing contracts. Learn more about the issues and challenges in this article.

Understanding ransomware insurance: It’s a common goal of organizations to protect themselves from business impacting events, such as a ransomware attack, that could affect operations and customers as well as ultimately cost them their reputation. Ransomware insurance may cover the damages resulting from an attack; however, the exact terms are in the “fine print” of the policy document. Usually in the fine print, there’s a requirement for an organization to ensure minimum efforts and measures are taken to protect the business from ransomware. Another exclusion frequently seen is for war-related events, which can become quite complex. While ransomware insurance may be a good option for an organization, given the complexities involved, this is a reminder that the best insurance is implementing a strong cybersecurity posture.

Healthcare breaches continue to rise: In recent months, healthcare breaches have increased tremendously. Between January 1 and May 31, 244 electronic data breaches have been reported. Last year, in the same date range, it was 137. And, while breaches continue to rise, the attack forms continue to advance, too. Stay on your toes!

Cybersecurity legislation to protect critical infrastructure introduced: Last week, Bill C-26, An Act Respecting Cyber Security (ARCS), was introduced. The Act’s intent is to strengthen cybersecurity in critical infrastructures like telecommunication services, nuclear energy systems, banking systems and others, requiring federally regulated industries to protect their cyber infrastructure.

Takeaways from 2022 CefPro Vendor & Third-Party Risk USA conference: Did you attend the recent 7th annual CefPro Vendor & Third-Party Risk USA conference? If not, you’re in luck. We’re relaying the key third-party risk management takeaways learned from the event. These takeaways are: yearly due diligence of third parties no longer suffices for critical relationships; outsourcing third-party risk can allow you to focus on managing risk without managing a process; ESG risk is currently associated with reputation risk; you should be performing concentration risk assessments on third and fourth parties; and, to be a successful third-party risk management professional, build relationships across the business to influence without authority.

Federal cybersecurity act in Canada proposed: A proposed act in Canada would give the government more control over cybersecurity and a company’s response to attacks in the finance, telecommunications, energy and transportation industries. If they don’t strengthen cybersecurity practices, a hefty price could be paid. Per the proposed legislation, the governor-in-council may "direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system." In essence, this will mean these organizations must report cyber incidents and give the government the right to run audits to ensure they’re in compliance.

Recently Added Articles as of June 16

This week, learn why IT risks, third-party risk management and enterprise risk management are all important, but should be grouped separately. There continues to be a focus on data vulnerabilities and evolving ransomware. And, we receive a quarterly update on U.S. data privacy laws. But that's certainly not all… Read below for the latest and greatest.

Recent vulnerability in Citrix Application Delivery Management (ADM): This week, Citrix disclosed a vulnerability in Citrix ADM tracked as CVE-2022-27511. The now-resolved vulnerability was a concern as it could allow a hacker to gain access to a system and corrupt it.

Complying with regulation of forced labor in supply chains: The International Labor Organization, the Organization for Economic Cooperation and Development and the United Nations have all been ahead of the game when it comes to human rights regulations and efforts as they’ve implemented standards around environmental, social and governance (ESG) metrics. Recently, additional countries (e.g., Germany and France) have proposed or passed legislation requiring organizations to properly assess human rights exposure, report on the assessments and remediate violations. The United States is following closely behind and working diligently to increase legislation. The range of organizations subject to these laws varies, but the regulations will likely apply to your organization in some manner. Brush up on what you need to know, as noncompliance penalties could be steep!

Nearly 70,000 medical records exposed: A data breach at a healthcare company exposed the medical records of nearly 70,000 patients. The hackers gained access to an employee’s emails, which contained protected health information. The healthcare company is receiving criticism for its uncertainty about whether data was stolen. Security professionals feel this may indicate a lack of sufficient incident response, and it showcases why it’s important to have robust auditing controls in place to quickly identify what data a hacker accessed.

HelloXD ransomware is evolving: New variants of HelloXD ransomware have a stronger encryption algorithm, more payloads and better obfuscation. Of course, all of this means it’s also more dangerous. Educate yourself on the differences and how to keep your organization safe.

Smartphones and Wi-Fi information leaks: Have you ever connected your smartphone to a public Wi-Fi network? Chances are, you did so without a second thought. Researchers at the University of Hamburg in Germany conducted a Wi-Fi probing experiment in a busy pedestrian area to determine what data is transmitted without a smartphone user realizing. In just 3 hours of the experiment, they captured 58,489 SSIDs and many leaked passwords. This insight is a reminder why smartphone users need to take precautions to bolster their privacy. And, if your organization’s employees or your vendors’ employees have access to sensitive data on their own smartphones, there certainly need to be protocols in place.

How to assess and manage tangible risks: Often, organizations tend to focus heavily on theoretical risks, but what about the tangible risk factors? When focusing on tangible risk, there are some considerations to be aware of: sanctions specific risk assessments, properly identifying sanctions applicable to designated parties, a consistent approach to dealing with sanctioned parties and investing in compliance resources. By taking these steps, organizations affected by the recent Russian sanction activities will be better suited to deal with the latest geopolitical crisis.

Critical third parties in the UK are subject to regulation: If you’re a critical third party in the UK who partners with a financial institution, soon you’ll likely face new regulatory requirements. A recent policy statement provides more insight into the proposed regulatory requirements. The proposal states that HM Treasury will designate which firms are considered critical third parties subject to the regulation, and it shares more details around statutory powers. You can learn more in this article, too.

Quarterly update on U.S. data privacy laws: With the absence of federal data privacy legislation, it’s even more challenging to keep up with what is mandated. However, it’s nonetheless important. The landscape is constantly changing and evolving. Learn the latest on the Utah Consumer Privacy Act, the Uniform Personal Data Protection Act and pending legislation.

An overview of who could be impacted by the FTC Telemarketing Sales Rule: Proposals are moving forward regarding the Federal Trade Commission’s (FTC) Telemarketing Sales Rule. The rule could add more record-keeping requirements and other compliance changes. Some may think the scope of those covered under this rule is telemarketing only, but it’s much broader. If an organization engages with a consumer over the telephone, they should determine if the proposed rule will impact them. And, this does extend to your third parties! If an organization uses a vendor to make sales calls, that vendor is covered by the rule which means there are now additional compliance expectations.

Protecting your organization from a supply chain attack: It’s no secret that organizations are becoming more and more vulnerable to cybersecurity attacks. For this reason, it’s more important than ever for cybersecurity experts to anticipate security risks and data breaches before they happen. However, the real tricky part is identifying an issue with third parties. This means security experts must get creative. According to Annie Priljeva, Head of Cybersecurity Third-Party Risk Management at Siemens Energy, “Threat actors are becoming more sophisticated and craftier when planning and executing their attacks and often target the third parties providing services to the target organization. For that reason, it is imperative for Siemens Energy to assess the third-party supplier’s security posture, identify cyber risks which could affect our products or jeopardize the security of our business-critical data.” To do this, she and her team have assessments in place to determine if third parties have implemented necessary controls as well as participate in on-site visits.

Understanding collaboration between IT risk, third-party risk and enterprise risk management: The question remains: should IT risk, third-party risk management (TPRM) and enterprise risk management (ERM) all be grouped in the same category or should they be separate? Regarding third-party risk management, there’s a strong element of operations. If you group TPRM and ERM together, it could create obstacles to overcome. Remember, TPRM focuses on consistent processes and individual vendor management. By focusing on the enterprise and strategy, you can’t manage individual vendors well. This article covers even more commonly asked industry questions.

Learn how hackers choose their victims: Ransomware is getting speedier! Conti, a ransomware-as-a-service program, has unmatched speed in accessing a victim’s system as compared to other ransomware programs. With hacks on the rise, organizations and their vendors would benefit from knowing what motivates a hacker to attack. Money, hacktivism, insider threats and revenge are just a few reasons. Learn more about their motives, and remember, having sophisticated cybersecurity mechanisms in place will serve to help protect your organization.

Third-party risk continues to be important in 2022: COVID-19, the Russia-Ukraine war, increasing scrutiny on companies and data breaches… What do all of these things have in common? They’re all reasons why third-party risk management continues to be incredibly important! Check out this article to learn third-party risk management best practices to implement in your program today.

Recently Added Articles as of June 9

There’s a lot to take in this week as we get closer to Federal Data Privacy legislation and Congress is looking at medical device cybersecurity. We also have a helpful article that explains SOC 2 Type II reports and some tips to mitigate supply chain risks. Russian sanctions have resulted in LockBit ransomware and criminals are selling higher education credentials. Read on to find out more!

Netflix password sharing hints at bigger problem: Are you one of the millions of Netflix users across the U.S. who is mooching off of someone else’s account? Be prepared to start paying for yourself, as Netflix recently announced it would crack down on shared passwords. Some security experts warn that this common trend of password sharing for streaming services might indicate a larger issue, especially when it occurs in the workplace. Recent studies found that up to 28% of end-users share their passwords while 21% didn’t even know with whom their passwords were shared. To prevent password sharing, organizations can take a few key steps such as implementing multifactor authentication, using a shared vault and performing routine password audits. And, don’t forget to ensure that your vendors are taking the same precautions!

Russian sanctions lead to LockBit ransomware: According to a threat intelligence firm, the Russia-based cybercrime group Evil Corp is now turning to a well-known ransomware-as-a-service known as LockBit. Threat cluster UNC2165 obtains access to networks using stolen credentials and malware known as FakeUpdates. Some of the activities in the attack lifecycle include privilege escalation, lateral movement and maintaining long-term remote access. Sanctions are increasingly being used to fight ransomware attacks, leading cybercriminals to rebrand themselves in the hopes that their victims will pay. While maintaining compliance with sanctions has long been an issue in the legitimate business world, it’s interesting to see how this is also impacting criminals.

Cyber control challenges aren’t improving: Many organizations continue to struggle with their digital attack surface, calling it “out of control” and “constantly evolving and messy." Cloud environments pose the greatest visibility challenges, while complex supply chains and remote working are also areas of concern. New research found that respondents have visibility into just 62% of their attack surface and 65% are challenged by the scale of their operations. Experts agree that gaining visibility of the attack surface is an important first step in mitigating risk.

Conflict minerals found in Shopify’s third party: A recent SEC filing from Canada-based e-commerce company Shopify has revealed the presence of conflict minerals in some of their operating components. Their chip and swipe reader, retail kit and tap and chip reader are all manufactured by third parties and contain minerals originating from the Democratic Republic of Congo or surrounding countries. Canada currently doesn’t have regulations related to conflict mineral reporting, but Shopify is listed on the New York Stock Exchange and is therefore subject to SEC guidelines. In response to these findings, Shopify has stated that they exercised due diligence on the source of the minerals, though it should be noted that they’re not obligated to find new suppliers.

Watch for these 10 trends in banking regulations: If you’re in the banking industry, it’s important to prepare for new laws and regulations in several key areas. Climate, cyber and operational resiliency and digital assets are just three areas that should be gaining more awareness within your organization. Governance and core risk management, consumers and consumer protection as well as capital and liquidity are also important to consider. And, don't forget data infrastructure and regulatory perimeter. Compliance, anti-money laundering and third-party risk management (TPRM) round out the top 10 trends to watch. TPRM in particular is seen as a "cornerstone of non-financial risk” considering that the ecosystem for banks is expanding. Banks are operating their TPRM programs through agility and responsiveness, consolidation and expansion.

The true meaning of SOC 2 Type II: Most of us have now realized the severity of cybersecurity risks that stem from third-party vendors. A common term you might be seeing a lot in cybersecurity audits is SOC 2 Type II, but what exactly does this mean? For starters, SOC is an acronym for System and Organization Controls. A SOC acts as both an audit procedure and a set of criteria for third-party service providers. A SOC 2 Type II covers controls that are tested against AICPA guidelines, including privacy, security, availability, processing integrity and confidentiality. More specifically, a Type II report assesses how well these controls perform over a period of time. If your vendor handles your organization’s or your customers’ data, it’s essential to ensure that they put in a lot of effort to protect it.

Congress addresses medical device cybersecurity: After years of warnings from cybersecurity experts on medical devices, Congress is prepared to act. A new bill titled Strengthening Cybersecurity for Medical Devices Act was proposed this week which, if passed, would require the FDA to issue cybersecurity guidelines every two years. The bill comes after a cybersecurity expert testified before the Senate about medical device vulnerabilities. As of now, there are no requirements on how frequently the FDA must release security recommendations. Experts still warn of the enormous gaps in security found within healthcare and medical devices, which is especially troubling considering the direct impact they can have on individuals’ health and lives. As new regulatory guidance emerges, it’s more important than ever to ensure suppliers remain compliant.

Federal data privacy law is almost here: After the release of a bipartisan draft bill, we’re one step closer to the passing of the American Data Privacy and Protection Act. If the bill is passed, organizations will finally have a national standard on the type of data that can be collected and how it can be used. A national privacy law has been struggling to pass since the 1970s, during which a number of states and specific industries have released their own laws. The bill includes an agreement which states that federal law will preempt state laws by default with exemptions for California and Illinois. The law would prohibit the transfer of sensitive data to third parties without “express affirmative consent”. It’s unclear whether we’ll see a federal privacy bill pass before the end of the year, but we’ll make sure to keep an eye on the progress!

Follina vulnerability allows exploitation via the Windows Support Diagnostic Tool: Microsoft products have another serious vulnerability, known as CVE-2022-30190, which may allow attackers to execute arbitrary code. The bug is being actively exploited and there’s no current fix, which makes it even more troubling. The vulnerability can be exploited through an MS Office document that the attacker uses social engineering to get the victim to open. Until there’s a patch, Microsoft is recommending disabling the MSDT URL protocol and exercising even more caution when dealing with emails from unknown senders. All devices that connect to the internet should also be equipped with strong security solutions.

Higher education credentials for sale by criminals: A new FBI Private Industry Notification is warning about higher education credentials being sold on the dark web. Russian cybercriminal forums have been selling the credentials for thousands of dollars, and experts are warning that the exposure of sensitive information can lead to cyberattacks against individuals. Credential harvesting is often caused by spear-phishing or ransomware, and the FBI is urging higher education institutions to establish strong relationships with the FBI Field Office in their regions. They also suggest keeping all systems updated, implementing user training programs and practicing strong password hygiene.

Tips to mitigate supply chain risks: Supply chain issues aren’t going away anytime soon, so it’s important to identify and mitigate the risks present within these partners. Business leaders should be able to identify the various supply chain risks they’re facing, whether economic, environmental, ethical or political. Cybersecurity is also a significant risk for organizations that rely on technology for their business activities. A good strategy for risk mitigation begins with supply chain mapping and a weighted ranking of risk factors. It’s also recommended to diversify your supplier base and modify your inventory planning to increase resilience. Overall, it’s a best practice to think of your suppliers as strategic partners rather than just someone who sells you products.

Recently Added Articles as of June 2

We begin the month of June with lots of cybersecurity headlines, including an airline data breach and a guide to cyber risk in the supply chain. Third- and fourth-party website code is also found to be risky, and UK organizations can read up on third-party risk management compliance. Read on for all the details!

Strengthening cyber risk resilience across the enterprise: There’s a lot to understand about cyber risk, including trends, how much it costs and how to mitigate it for your organization. It’s important to realize that the responsibility for managing cyber risk should be shared among different enterprise leaders. Broad-based communication is at the foundation of this approach. Risk managers, the finance team, IT professionals, the board and CEO should all be involved in this strategy. Developing a shared view of cyber risk management requires several components like the alignment of specific goals and the implementation of more cybersecurity controls. It’s also essential to assess and monitor new technologies continuously to evaluate for emerging vulnerabilities.

Misconfigured AWS bucket leads to airline data leak: Turkey-based Pegasus Airlines is to blame for a recent leak of 23 million files. Information on flight crews and flight data was accidentally exposed due to a misconfigured AWS bucket. Flight charts, insurance documents and signatures were just some of the items in the leak, though there’s no indication that a malicious actor had access to the data. Personally identifiable information (PII) continues to be a high-value target for cybercriminals, so this serves as a good reminder to implement effective security measures within your organization and your third parties.

Microsoft guidance released for zero-day flaw: A recently discovered zero-day security flaw known as CVE-2022-30190 is being addressed by Microsoft, which has released additional guidance for customers. Office 2013, 2016, 2019, 2021 and Professional Plus editions have been impacted by the flaw. Microsoft stated that if the vulnerability is exploited, an attacker can install programs or view, change and delete data. A member of the Shadow Chaser Group is being credited for reporting the flaw back on April 12. Cybersecurity vulnerabilities are always on the loose, so remember to stay on top of updated guidance and workarounds.

Infraud Organization criminal sentenced to four years: Another member of the infamous Infraud Organization will be paying the price for selling and using stolen credit cards. Between October of 2010 and February of 2018, the criminal group was responsible for stealing more than half a billion dollars from victims. The underground forum was popular among criminals who sold and distributed personally identifiable data, counterfeit documents and computer malware. John Telusma of New York is one of 36 individuals who have been indicted for their involvement in Infraud. Telusma was particularly active on the forum, providing other members with “drop” and “cashout” services. We all know that cybercrime can be a lucrative activity… until you get caught!

Why organizations need to prioritize cybersecurity: Technology is a necessity in today’s business world, but the risk of data breaches, malware attacks and other threats can’t be ignored. Chief Information Security Officers need to stay aware of these threats, especially when they concern third parties. A 2020 study revealed that 51% of data breaches were caused by third parties and the majority of those were the result of giving them too much privileged access. Using third-party software also opens the door for supply chain attacks, where threat actors use malicious code to quickly scale the attack surface. End-to-end encryption, zero-trust strategies and regular data backups are all essential components of a well-rounded cybersecurity program.

The basics of supply chain cyber risk: Chief Information Security Officers have a lot on their plates these days. Extensive supply chains, telecommuting and multiple connections can bring complexity to an organization’s environment, but the answers often lie in basic security measures. Managing third-party risk begins with evaluating the vendor’s reputation and the risk related to the product itself. The next step is conducting a tailored vendor questionnaire and then implementing a periodic assessment and review schedule. External and internal environmental risks should also be considered, such as a high turnover of managers or country risk found within a war-torn area.

The risks of third- and fourth-party website code: According to a recent study, modern and dynamic websites are usually more appealing to users, but they can also contain risky code. Websites will often have their own third-party supply chain, with functions related to site performance, tracking and improving conversion rates. The website code from these third and fourth parties may introduce security and compliance risks related to data privacy laws and other exploitable vulnerabilities. The study further revealed an average of 12 third-party and 3 fourth-party scripts on the websites evaluated. The healthcare industry is particularly likely to have a higher average number of scripts on its sites. Researchers emphasized that these results highlight the need to manage the inherent risk found in third- and fourth-party scripts. It’s recommended to educate management about these risks and to categorize and consolidate those scripts.

FAQs on Russia sanctions and third-party compliance: The ongoing Russia-Ukraine war continues to highlight the issue of third-party compliance as it relates to sanctions. Compliance experts have many recommendations regarding end user certifications, conducting due diligence and screening investors to ensure that they don’t violate the sanctions on Russia. OFAC and the DOJ are expected to aggressively enforce these sanctions, so it's critical to stay informed of recent guidelines. While much attention is often given to cybersecurity risk, third-party compliance risk is just as critical and shouldn’t be neglected.

A guide to third-party risk management for UK organizations: Compliance teams in the UK have long been challenged by third-party risk management, as they often search for effective ways to identify and address risk. Enforcement activity and evolving legislative developments have shown that third-party compliance needs to be a priority for risk professionals. Performing due diligence, continuous monitoring and conducting third-party reviews are all topics covered in this practical guide for UK organizations.
