June 2023 Vendor Management News

Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of June 29

This week, there are best practices with edtech vendors, new possible cybersecurity requirements for federal agencies, a data breach on a state teacher retirement system, and that there's an increased focus on privacy compliance. Read all of that and more below! 

Healthcare organizations need to do their due diligence with generative AI: Generative AI is taking over industries, and healthcare is no exception, but this introduces a lot of risks that healthcare organizations need to be aware of. Third-party vendors will begin saying they use AI, but what does that mean for your patients' data? Healthcare organizations need to determine what AI is learning about their patient data and if it’s being used to train other models. Many generative AI models are public, and the healthcare industry has a responsibility to protect patient data. They should use caution with generative AI and perform due diligence on vendors that use AI. Ask vendors if they’re using any form of AI, how it’s being used, and whether your organization’s data is being used with AI.  

Third-party data breach impacts a teacher retirement system: Confidential information of the members of the California State Teachers Retirement System (CalSTRS) was leaked in a third-party data breach. It stemmed from PBI Research Services, a software company that CalSTRS uses. It’s possible that this breach is the latest casualty of the MOVEit file transfer tool mass breach. CalSTRS requested all the impacted files and launched an investigation into the incident.  

Requirements for edtech vendors in school districts and best practices to follow them: Schools are an increasingly attractive target for cybercriminals, and they’re looking at your edtech third-party vendors. Thirty-four states require that schools implement security controls; require the return and destruction of student personally identifiable information (PII); forbid the sale of student PII; establish training for vendor employees that have access to student data; and have a plan to inform the school of a data breach. To follow these requirements, school districts should use third-party risk management best practices, like risk assessment questionnaires, due diligence throughout the relationship, and proper onboarding procedures. 

Bankers be warned! New malware targeting mobile bank applications: New malware in Androids is targeting banking customers in the U.S., U.K., Germany, Austria, and Switzerland. The cybercriminals are stealing credentials to get into mobile banking apps. They use apps in the Google Play Store. There’s been over 30,000 installations of the app.  

Cybercriminals are putting out fake job postings to gain personal information: Are you looking for a new job? Use caution! In a recent study, nearly one-third of those surveyed said they’d been tricked into filling out a fake application. Cybercriminals put out job postings and even conduct phony interviews to gain personal information. They may ask you to pay for a credit check, or once you’ve “made it to the next round,” they’ll ask for personal information.  

Senators want the Department of Defense to consider adding Cyber Force: Will cybersecurity be the newest military force to be added? The Senate annual defense bill, which passed out of committee, would require the Department of Defense to study the possibility of a Cyber Force. The National Academy of Public Administration would conduct the six-month study. Department of Defense employees would be banned from interfering with the study. There is a Cyber Command, which relies on personnel from all the military branches, but the Department of Defense has resisted the idea of adding a Cyber Force. The study requirement in the bill will need to survive the House first.  

Proposed cyber requirement would tighten third-party security standards for federal agencies: The federal government wants to tighten its cybersecurity requirements for government contractors. The proposed Federal Acquisition Regulation would bring its cybersecurity standards closer to the National Institute of Standards and Technology (NIST). Department of Defense contractors are already required to meet that. These enhanced security requirements could be tough for all federal agencies to meet, but it marks a continued priority for cybersecurity in the government.  

How the construction industry can limit cybersecurity risks: There’s growing cybersecurity concerns in the construction industry, as cybercriminals are targeting projects and payment systems. To mitigate risks, construction companies need to manage third-party risks by implementing cybersecurity requirements in contracts; have a security strategy for the Internet of Things; use multi-factor authentication to secure sensitive systems; and monitor who has access to data and implement data security measures like access controls. 

Privacy is becoming a top concern for legal departments: A new study showed that legal departments are becoming increasingly more concerned about privacy compliance, particularly with the new privacy regulations being passed across the states. Privacy spans across all areas, including in the use of AI, the threat of data breaches and ransomware, and third-party access to critical data. Organizations should use assessments, strong contract language, and do ongoing monitoring to maintain the privacy of customer data.  

Healthcare software firm sued after third-party data breach: Plaintiffs are alleging the software firm Intellihartx didn’t handle third-party risk correctly after a data breach impacted almost 490,000 people. The breach stemmed from a hack on file transfer vendor Fortra, which is linked to ransomware gang Clop and the MOVEit breach. The lawsuit alleges that Intellihartx didn’t supervise third parties that had access to patient information. It says that the firm could’ve prevented the breach if it had checked on the third party’s security controls. There’s a question of whether this lawsuit can even be in federal court. But HIPAA-covered organizations should still perform due diligence both during onboarding and then continuously after that.  

Fintech companies should study final guidance on third-party relationships from federal agencies: Fintech companies should be taking note of the final Interagency Guidance on Third-Party Relationships: Risk Management from three federal agencies. Partnerships between fintechs and banks fall under the guidance. It marks greater scrutiny of the partnerships and small banks may have difficulty navigating the requirements. There are stricter risk-based due diligence requirements, especially as fintechs often offer new technological advances. Fintech companies should also expect more ongoing monitoring from banks. Banking organizations may also be taking a closer look at contracts with fintech companies.  

The need for consistent monitoring in third-party risk management: Despite the continued proven need for organizations to monitor their vendors and suppliers, many organizations neglect to manage them. It leads to reputational damage, regulatory fines, and hefty legal fees. Organizations need strong third-party risk management practices. They should screen vendors for compliance by looking at media coverage and global enforcement lists. Organizations should also develop business continuity plans, so they can avoid disruptions like factory shutdowns. And it’s important to monitor the financial stability of international vendors as events like worker disputes can impact the ability to fulfill production orders.  

Recently Added Articles as of June 22

This week brought us reminders of good third-party risk management practices, news on the continued fallout with the MOVEit breach, ChatGPT account information up for sale, a new legal minefield for the crypto industry, and a greenwashing lawsuit that may set a trend for what’s next for ESG. Check out all of this week’s headlines below!  

Five tips for healthcare organizations to keep patient data safe and secure: According to a new report from the Office of Civil Rights, the number of HIPAA violations and data breaches keeps rising year after year. Many incidents involved electronic personal health information (ePHI) as keeping it safe is still difficult for healthcare organizations. To manage this risk, healthcare organizations should regularly review and update security protocols, perform regular risk assessments, invest in cybersecurity protections, use access controls, and conduct security training with staff. Safeguarding your patient data, whether it’s with you or your third parties, is daunting, but extremely vital!  

Stolen ChatGPT account details go out for sale on the dark web: More than 100,000 ChatGPT accounts have been released on the dark web and made available for sale. The Asia-Pacific region has had the most credentials offered for sale over the year. Countries such as the U.S. and France are also included. Since organizations have integrated ChatGPT into their workflow, information like proprietary code is at risk of being stolen, especially since ChatGPT keeps all conversations. Users should follow good password practices and use two-factor authentication.  

MOVEit breach ramifications continue to unfold: The consequences of the MOVEit breach are continuing to reach far and wide. John Hopkins University reported a possible breach of health and financial information. Georgia’s statewide university system is still investigating the affects of the breach. And, other organizations are joining the list of victims. The hackers exploited a zero-day vulnerability that exposed the data organizations were transferring with MOVEit. This is a solemn reminder for organizations of how sophisticated these attacks are becoming. A proactive approach to third-party and cybersecurity risks are necessary to protect customers, finances, and your reputation.  

Crypto is a new landscape for terrorism, leaving the industry vulnerable to legal and financial risks: Cryptocurrency organizations should beef up their due diligence practices, as terrorists are turning to crypto to evade the law. Under the Antiterrorism Act, cryptocurrency organizations are held responsible, even if they only indirectly support terrorism. Crypto has a more complex money trail, making it attractive to people that want to avoid U.S. sanctions. The government has taken note of this and will crack down on the crypto industry, leaving organizations vulnerable to civil and criminal liability. As far as what you can do, conduct risk assessments to understand how criminals can exploit the system; review policies, procedures, and practices to ensure compliance; and implement due diligence on any new and existing customers.   

Distributed denial-of-service attack to blame for Microsoft outages: Service outages at Outlook, OneDrive, and Azure were the source of a cyberattack, Microsoft said. The attack relies on access to virtual private servers. As of now, no customer data has been accessed or compromised, but the platforms were temporarily unavailable because of the attack.  

DOJ offers a large reward for information on the CLoP ransomware group: The Department of Justice is searching for information on the CLoP ransomware group behind the MOVEit breach. The department has offered a hefty $10 million reward for any information that would link CLoP to a foreign government. There’s been reports that numerous federal agencies were also victims of the MOVEit breach. The CLoP group has said any data from governments was deleted, as they’re only out for money, not politics, but since these groups aren’t exactly known as trustworthy, the DOJ is under the assumption that stolen data could be misused. 

DNA testing company is accused by the FTC of lying to customers about data protections: DNA testing company 1Health.io is in hot water with the FTC for allegedly failing to protect customer privacy. The FTC has charged the company for lying to customers about deleting their data, leaving data unsecured, and changing their privacy policy without telling customers. Although no data was compromised, the FTC said it was at risk. The company received several warnings over the last two years. 

Exposed data from 3CX breach discovered: Data from a 3CX breach earlier this year was left exposed, according to new research, including encoded database strings and license strings. North Korean hackers attacked 3CX earlier this year. The company said it would implement multiple security measures, but the exposed data went unnoticed. The data was managed by a third-party vendor, but there was a back and forth about which vendor the exposed data belonged to. Have you checked your third-party inventory recently? You don’t want a breach where you can’t figure out which vendor is responsible! 

Delta faces greenwashing lawsuit, which is leaving lessons on carbon neutrality claims: A lawsuit against Delta Airlines, with claims of carbon neutrality, alleges an unreliable carbon offset market which makes Delta’s environmentally friendly representation false or misleading. There’s been no ruling yet, but it shows a willingness from customers to challenge the ESG assertions organizations make. When marketing your organization’s climate and carbon emissions, make sure these can be substantiated to avoid the legal risks. Independently verify the claims, provide limiting liability language, and engage ESG counsel to evaluate whether you should make carbon reduction claims.  

Third parties increase your vulnerability to data breaches: Did you know that 62% of all data breaches came from an organization’s business partner? That number, from Verizon’s 2022 Data Breach Investigations Report, may be even higher. Many third parties aren’t tracked, leaving organizations vulnerable to data breaches. Massive supply chains are also difficult to track and monitor for risk. It’s important to identify all third parties and know their level of access to your data. You should also look at products and services to see where there are potential vulnerabilities. 

How to protect your third-party APIs: Organizations may not recognize the risks that can come from third-party APIs, like social media platforms, navigation apps, and digital payment processors. According to a State of API Security Q1 2023 report, 94% of companies have had a security issue with their APIs in the past year. Keep an inventory of all your APIs, do your due diligence on third-party vendors, test their security controls, scan the APIs yourself for vulnerabilities, and rotate API keys. Don’t leave these key third parties unprotected!  

Four tips to find and manage the risks with third parties: Organizations need third parties to do business, but we also know that comes with a lot of risks... and hackers know this, too! To manage the risks, start at the very beginning. Define who is responsible for third-party risk within your organization. Identify everyone you have a contract with, establish a workflow for onboarding, continuously monitor policies and controls for your third parties, and be sure to include compliance. Hey, there’s a great third-party risk management lifecycle out there that can help you figure out your workflow as well!  

Recently Added Articles as of June 15

Artificial intelligence is becoming a central focus, as evidenced by this week’s news. The European Union has passed new legislation for AI, the CFPB has a warning for financial institutions, and AI may also pose an internal risk to your organization. Cybercriminals are imitating domains to fool third parties, healthcare and energy industries are becoming hot targets, and don’t forget to look at your fourth parties. Check out all of this and more in the headlines!  

European Union takes aim at AI usage in its new legislation: The European Union passed the Artificial Intelligence Act which regulates AI and attempts to mitigate its risks. The legislation introduces a tiered model – low and minimal risk, limited risk, high risk, and unacceptable risk. The lowest risk won’t be regulated and limited risk will only require transparency. It’s high-risk AI usage that the EU targeted. A database of high-risk AI systems will be required in the EU to show where, when, and how AI is being used. Unacceptable risk is banned. Noncompliance from organizations will incur large fines.  

Should you be using tools like ChatGPT at your organization? Consider the risks: Tools like ChatGPT offer opportunities for organizations to reduce time and costs, but can also pose substantial risk. Your prompts aren’t confidential – think of it like the information you give to a third party that you don’t have a contract with. The answers aren’t unique, so the Copyright Office won’t cover it. Using AI to code could lead to bugs and security risks. You’re not the only one who’s discovered AI – hackers have too. It can also give incorrect or discriminatory answers and it’s still an area of active litigation. Of course there are innovative opportunities to using AI, too, but be sure to mitigate the internal risks, have clear policies on the use of generative AI (and check on your third parties, too!), always do your homework on the answers, have a record of how your organization uses AI, and be transparent about whether you use it. 

DOJ charges two Russian men for laundering bitcoin in 2014: Two Russian nationals were charged by the Department of Justice (DOJ) for a 2014 cryptocurrency heist. The two men are accused of stealing about thousands in bitcoins from the now-defunct Mt. Gox. They gained unauthorized access to a server that held crypto wallets. The two face a maximum penalty of 20 years in prison if they’re convicted.  

A phishing campaign impersonates clothing and footwear websites: More than 100 clothing and footwear brands were impersonated in a massive phishing campaign that tricked people into giving their account details and financial information to fake websites. It started in June 2022, but saw an increase in activity in January and February of this year. The domain names used a brand name with a city or country to dupe customers. The sites went so long without being reported that they’re likely to rank higher in Google search.  

A healthcare vendor joins list of victims in data breach: Another healthcare vendor reported a data breach because of a vulnerability in Fortra’s GoAnywhere file transfer system. With this added vendor, the health information of about 4.4 million people was compromised. Intellihartz, which is a revenue cycle software vendor, reported the breach on June 8. It impacted about 490,000 people. They have all been offered one year of complimentary credit and identity monitoring.  

Cybercriminals are making the energy industry a new target: The energy industry is increasingly vulnerable to cyberattacks, especially as it becomes a war strategy. The consequences of these attacks can be deadly and costly. Utility companies must make cybersecurity a priority and invest more time and resources into it, as cybercriminals are becoming increasingly clever as they seek to create chaos in energy grids. As the energy industry shifts to digital, utility companies should monitor and mitigate their cyber risks.   

CFPB issues warning on using AI chatbots to communicate with customers: The Consumer Financial Protection Bureau (CFPB) is alerting financial institutions about the dangers of AI chatbots. They highlighted three possible risks: chatbot responses could be in noncompliance with federal consumer financial laws, unhelpful responses could damage an institution’s reputation with customers, and inaccurate information on financial products or services could harm the customer. Chatbots can also be difficult for people with limited English proficiency. Financial institutions should use caution with chatbots and prepare for questions from examiners.  

Microsoft warns of a new email attack aimed at banks: A new phishing and email attack is targeting financial organizations. Microsoft warned of the vulnerability, which originated from a compromised trusted vendor. Phishing pages can be tailored to targets and attackers then carry out session cookie attacks. These threats are aimed at the trusted relationships with vendors. Be aware of any email that may seem out of place and ask your vendor if they’ve sent it before clicking any links.   

Supply chain risk management for human rights violations is a critical regulated practice: More and more laws and regulations are addressing imported goods made with forced labor. It’s also becoming a larger customer concern. Organizations that source abroad need to look down their supply chain and complete comprehensive due diligence. The Office of Foreign Assets Control (OFAC) considers supply chain risk management to be a critical and mandatory function. Organizations are held responsible for any human rights violations that occur in the supply chain. Be sure to understand who’s in your supply chain, even your fourth parties, and do the appropriate due diligence before you’re faced with costly fines and litigation.  

New study shows how cybercriminals use domains to trick employees and third parties: Cybercriminals are using domains to imitate marketing companies to gain access to personal information and organizations’ systems. WhoisXML researchers did a study that identified thousands of domain names that are suspicious or malicious. Many of these sites begin with “us," followed by a number and a dash. This technique, called cybersquatting, can be targeted toward employees or the third parties of marketing companies.  

The risks behind going green and how to mitigate them: There’s been a recent shift to green energy, but there are also corruption and human rights risks with this sector. Organizations should complete risk assessments at each stage in the process of going green. Each step of risk management should be followed, including controls, due diligence, and active third-party monitoring.  

A recent vendor software breach shows the necessity of monitoring fourth parties: The recent exploitation of a vulnerability in the MOVEit file transfer software is a reminder of the importance of assessing cybersecurity risk through the entire supply chain. Thousands of organizations were impacted by the breach. Trusting your third party’s due diligence on their third parties (your fourth parties) may not be enough. Organizations should look into doing their own due diligence on fourth parties as these supply chain vulnerabilities become more common.  

The GDPR compliance risks with using AI in your organization: Are you considering AI for your organization? It’s important to be aware of the international risks. The General Data Protection Regulation (GDPR) includes individuals’ rights for automated decision making, which requires transparency from organizations on how AI makes decisions (which can be difficult to explain!). Data protection impact analysis is also mandatory if there’s a high risk to people’s rights. Organizations should also be wary of using personal information to train AI systems. If AI is provided by a third party, organizations will need to perform due diligence to ensure it complies with the GDPR.  

Tips for healthcare organizations to have secure cybersecurity practices: Did you know that healthcare is one of the most targeted industries for cyberattacks? Healthcare organizations will need to strengthen their systems, especially if it’s a legacy operating system. Follow the HIPAA security requirements, manage ongoing risks and vulnerabilities, and perform due diligence on any third parties. Third parties are responsible for up to 15% of all ransomware attacks! Have a documented plan for how you’ll mitigate cyber risks. 

Recently Added Articles as of June 8

It’s been a busy week of news in the third-party risk management world! Final interagency guidance on TPRM was issued by federal regulators, new guidance on automated valuation was proposed, cyberattacks and the cost of them are on the rise, the EU will be imposing a new fee for carbon emissions, Amazon and Microsoft are both facing large fines, and AI is changing the threat landscape. There’s so much more to read about, so check out all the headlines below: 

Final federal interagency guidance issued on third-party risk management: Are you ready for new third-party risk management guidance? Two years after it was first proposed, the OCC, Federal Reserve, and FDIC, collectively "the agencies," have released their final guidance on TPRM for banking organizations. It replaces each agency’s existing guidance on TPRM and emphasizes a risk-based approach. There’s so much to go over, so be sure to read our blog that covers the important details and how your TPRM program can comply!  

A new study finds that exploitation of vulnerabilities grew in 2022: Vulnerability exploitation more than doubled in 2022 compared to 2021, according to a new study from Palo Alto Networks. ChatGPT scams saw a 910% increase, likely due to the booming popularity of the AI tool. Financial services are still a main target for cyberattacks, while the manufacturing, utilities, and energy industries have all seen an increase in malware activity. Organizations should continue to identify and mitigate cyber risks, especially as they continue to shift operations to the cloud and other third-party vendors.  

New ChatGPT attack looks to deceive users with malicious code: Given the popularity of the AI tool, ChatGPT, it’s no surprise that it’s a new target for cyberattacks. Attackers are now leveraging the code generation capability of ChatGPT to distribute malicious packages. They simply ask ChatGPT to solve a coding problem and receive recommendations that aren’t published in legitimate repositories. After replacing the non-existent packages with their own malicious ones, attackers can deceive ChatGPT users into using malicious code. Be careful if you’re using the AI tool to generate code for you! 

New report shows that ransomware costs have doubled over last year: According to Verizon’s 2023 Data Breach Investigations Report, not only is ransomware increasing, but it’s also becoming more expensive. Twenty-four percent (24%) of breaches involve ransomware and the median cost per breach has doubled from last year. Ninety-five (95%) of ransomware incidents cost between $1 million and $2.25 million. In other data breach news, business email compromise attacks doubled over the past year. That increase is a big reason why the human element is more and more common in breaches, especially for senior leadership. 

EU adopts legislation to impose carbon emissions fee on imported products: In a first of its kind legislation, the European Union will begin implementing a fee for carbon emissions in imported products. That mostly covers cement, fertilizers, iron, steel, electricity, aluminum, and hydrogen. The fee will be phased in from 2026 to 2034. The legislation also requires detailed reporting. Organizations will have to review their vendors along the supply chain as they prepare for a new cost of imports.  

Federal agencies look to regulate automated valuation at mortgage companies: Six federal agencies have proposed a new regulation on automated valuation models (AVMs). This would impact any computerized model that mortgage companies use to make a credit decision or covered securitization determination. As AI continues to revolutionize industries, this regulation would ensure that mortgage companies and their third parties adopt policies and controls that protect against the manipulation of data and comply with discrimination laws. There would also be required random sampling testing and reviews. This rule will have a 60-day comment period.  

Organizations should remain aware of biometric privacy laws being passed across the U.S.: More and more states are beginning to implement biometric privacy laws, leading to new lawsuits against organizations for alleged violations. Organizations should continue to track any new biometric privacy laws. The laws usually require organizations to inform employees and customers about biometric usage and provide a method for consent. States like Texas, Illinois, Maryland, and New York already have existing legislation while other states including Nevada, Arizona, and Connecticut have proposed laws.  

Federal regulators fine a psychiatry practice for posting personal health information: A New Jersey psychiatry practice owes federal regulators $30,000 for HIPAA violations after it posted patient information online in response to negative reviews. Manasa Health Center allegedly posted specific health information of a patient when it responded to a review online. There were three other similar incidents discovered by investigators. Hey, we all want to get positive reviews, but maybe don’t clap back at the negative ones by violating federal regulations.  

Google removes malicious Chrome extensions: Thirty-two malicious Chrome extensions with 75 million downloads have been removed from the Google Chrome Web Store. The extensions could have changed search results or pushed spam. Malicious code in the extensions would activate 24 hours after it was installed.  

Russian cybersecurity firm releases a detector for iOS malware: A new tool to detect new iOS malware was released by Russian cybersecurity firm Kaspersky. The firm discovered the malware on its own network, and it infected multiple iOS devices. Russia has claimed that Apple gave the NSA a backdoor so that the NSA can infect iPhones in Russia with spyware. There’s been no proof of those claims. 

FTC blasts Amazon with fines for violating privacy: Amazon was hit with $30.8 million in fines from the FTC for a series of privacy violations. The first charge was $25 million for violation of children’s privacy laws, as Alexa would keep their voice recordings for a period of time. Parents were then unable to delete the recordings. The other $5.8 million came from violating user privacy by allowing any employee or third party to gain access to private videos from Ring cameras. That led to some creepy behavior where an employee was watching female users’ Ring cameras. The FTC also said Amazon doesn’t have adequate security controls to protect Ring user accounts, which allowed cyberattacks on Ring cameras.  

Microsoft warns of a potential upcoming fine for violating the GDPR: Microsoft is preparing for a fine from the EU, alerting investors that it could be millions of dollars. The fine would be for LinkedIn targeted advertising, which violated the General Data Protection Regulation (GDPR). Microsoft wouldn’t be the first big company to receive a GDPR violation fine. Meta was also recently fined millions of dollars for targeted advertising.  

Third-party software company experiences large cyberattack:  A massive cyberattack has impacted companies from the BBC, British Airways, Zellis, and others. Some bank details may have been stolen, along with other personal information. Zellis, a payroll services provider, said data from 8 of its clients was stolen. The attack stemmed from U.S. company Progress Software. Hackers were able to break into its transfer tool, which is designed to move sensitive files. Organizations that use MOVEit were instructed to download a security patch. It’s unclear if there’s been any ransom demands yet.  

Two greenwashing lawsuits against retail companies set the precedent for what’s to come: Two lawsuits against retail giants H&M and Nike for greenwashing have garnered attention for it may mean for future cases. H&M was accused of making misleading statements about its sustainability, but a U.S. District Court dismissed the case in May for a lack of sufficient evidence. A similar lawsuit against Nike is still ongoing, although the plaintiffs may be revising their complaint considering the H&M decision. It’s difficult to prove greenwashing cases, but organizations should still have data backing up their sustainability claims and not make unqualified sustainability claims. Consumers are still demanding environmentally friendly practices from organizations all the way down the supply chain.  

Artificial intelligence threatens to make phishing scams even more sophisticated: The technology world has seen huge growth with artificial intelligence capabilities, but the risk for cyberattacks is now higher than ever. Phishing attacks were already popular, especially targeted at banks, but AI has given it a new platform. Language models now sound like humans, and a well-written email with the right logo may not be safe. Phishing will be more difficult to detect, allowing attackers to pose as anyone from the organization, even over phone calls. Be proactive on educating both employees and customers, especially about going straight to the source. Organizations should also be transparent about third parties and what those third parties are using to service customers.  

City of Oakland is sued after a ransomware attack that leaked employee data: The city of Oakland is facing a lawsuit for a ransomware attack that impacted the city’s system for months. After Oakland refused to pay the ransom, the attackers dumped stolen data that impacted about 13,000 current and former employees. The lawsuit alleges the city failed to protect employees’ personal information, including their health information. These lawsuits typically fail for not proving “concrete harm.” 

Is your organization prepared for a ransomware attack? As we’ve seen this week, ransomware is on the rise. How can companies prepare for what may be inevitable? It’s critical to understand the ransomware landscape and follow OFAC guidance that discourages organizations from paying ransoms. Organizations should also perform due diligence on potential ransomware actors, have a solid incident response plan that’s been tested, and collaborate with experts who can navigate this landscape.  

Recently Added Articles as of June 1

It’s time to dive back in after the long weekend! This week’s headlines brought us news on new vulnerabilities being discovered and potentially exploited, proposed regulations from the FTC and UK, vendor cybersecurity tips you won’t want to miss, and more! Check it all out below.  

Microsoft discovers new MacOS vulnerability: A new vulnerability was detected in MacOS software. Apple addressed a vulnerability where attackers were able to bypass System Integrity Protection. It was discovered and reported by Microsoft security researchers. Apple patched the vulnerability. Microsoft probably felt pretty good about itself for spotting this one.  

Telecom industry makes progress on climate changes, but the focus now shifts to vendors: The telecom industry is making great strides toward cutting down emissions, with three companies leading FT-Statista’s list of Europe’s climate leaders. However, emissions are still high with their vendors along the supply chain, such as those that actually produce the phones. While some telecom companies are beginning to require vendors to meet climate thresholds, others aren’t quite ready to take that step with their vendors. But it’s clear: ESG is becoming increasingly important to the TPRM lifecycle.  

OCC zooms in on underperforming large banks: The OCC is pledging harder bank enforcement on large banks that don’t correct “persistent weaknesses.” In an update to its policies and procedures, the OCC said large banks may be required to reduce operations, divest subsidiaries, or exit from lines of business. Continued poor performance on risk management assessments and management component ratings will gain the OCC’s attention.  

Vulnerability detected in Barracuda email protection application: A zero-day flaw in email protection and network security services provider Barracuda has potentially been exploited. The issue was identified on May 19 and Barracuda didn’t give information on the scale of the attack. Only affected users have been contacted. CISA has added the new vulnerability to its Known Exploited Vulnerabilities Catalog.  

Consider cybersecurity exercises with your vendors to prepare for an attack: Financial firms shouldn’t be worried about if a cyberattack happens, but instead it's when. Preparation and practice are recommended to expose potential flaws and fix them before they happen in real time. Third parties should also be invited to the exercises so firms can see how they’re prepared. Allow time to onboard vendors and don’t rush the due diligence process. If there’s a weakness in a vendor or in a vendor’s vendor, it can cause devastating effects.  

Insurance provider suffers a cyberattack: Nearly 9 million patients received the unfortunate news that their personal health information (PHI) was compromised in a cyberattack. MCNA, an insurance provider that services state Medicaid agencies, said it discovered in March that certain network systems had malicious code. Affected organizations include state departments of health and human services.  

UK proposes new reforms that would benefit AI: The UK is moving to address the explosion of artificial intelligence with proposed reforms. The country is taking a light touch, unlike the EU. The proposal gives clarity around anonymized “personal data” – it could be freed up to use for AI training. It also reduces restrictions around significant automated decision making (ADM) and makes it easier to repurpose personal data.  

FTC proposes new clarification to the Health Breach Notification Rule, digging deeper on privacy: New proposed changes to the Health Breach Notification Rule from the FTC would impose privacy and breach notification restrictions on almost all health and wellness apps. A breach notification would be required in most cases where identifiable health data is disclosed without authorization. This comes in the wake of recent enforcement on apps like Premom, GoodRx, and BetterHelp for unauthorized data sharing for marketing.  

Breach reports are increasing after a British outsourcing company is hacked: Two months after a cyberattack at British company Capita, many data breaches are still being logged. Capita is an outsourcing company and around 90 reports from organizations stemmed back to the late March attack. There was a second incident in April involving an unsecured Amazon Web Services bucket. The total number of people impacted is still unclear, although it could be in the millions.  

New research recommends robust third-party risk management to avoid security incidents: New research from Info-Tech Research Group recommended vendor management practices to help address increasing risks with third parties. The research suggests prioritizing vendors through rankings, like low, moderate, and high, and then focusing on high-risk vendors. It also recommended a standardized process for identifying and monitoring vendor risks. Organizations will need to completely understand their full vendor landscape to avoid security incidents. If only there was a platform out there that could help with that... oh wait, there is!  

How can banks keep their data secure while digitizing? While banks often lead the way in cybersecurity development, the pressure to digitize quickly has overwhelmed many and potentially left banks vulnerable to security risks. There are pressing cyber risks that banks will have to monitor and address. That includes safe data sharing with third parties, which is becoming a focus of regulatory agencies and state laws. Banks will also need to secure data in real time and the flow of it, especially because of how sensitive that data is. Implement content protection technologies to keep it safe for your consumers. 

U.S. releases additional sanctions for Russia and Belarus: Russia and Belarus were hit with another round of sanctions from the U.S. for their involvement in the war in Ukraine. It expands exports restrictions on industrial goods going to Russia and Belarus, prohibits engineering and architecture services to Russia, and expands permissions for the U.S. and other allied countries to transfer communications equipment in the two countries.