March 2021 Vendor Management News

In March, make it a priority to stay on top of vendor management news and resources. Find out what you missed and catch up on important information in this blog post.

Recently Added Articles as of March 25

There’s a lot to digest as we end the month of March and the first quarter of 2021. A helpful article discusses who “owns” third-party risk management and you can read up on the latest data breaches affecting both government agencies and large corporations. Cybersecurity trends and new government guidelines are also in the news this week.

Connected devices at risk in healthcare: Medical IT systems are not the only ones threatened by cyberattacks; hospitals must also be concerned with security cameras. A recent breach affected security camera data collected by Verkada Inc. Hackers gained access to live feeds of 150,000 cameras which where in hospitals, police departments, prisons and schools. These security cameras are part of a system of connected devices, often managed by third-party vendors like Verkada and are susceptible to breaches. A cyber security researcher has stated that personal health information is the most valuable data on the dark web, even more than credit card information. Healthcare organizations should be prioritizing and patching target vulnerabilities in addition to conducting regular security checkups and training.

Assessing your cloud security: The work from home requirements caused by the pandemic in turn caused the need for more cloud-based services. Customers continue to identify cloud security and compliance as the biggest problems that organizations need to address. Fifty percent (50%) of legal and compliance leaders agree that third-party cybersecurity and data breaches have increased the most since COVID-19. So, what can be done? First, it’s important to utilize both your compliance framework and a customized security framework that’s right for your organization. Within your security framework, adopt the shared responsibility model which defines the responsibilities of your cloud service provider and what you yourself need to manage. The second tip is to ensure vendor accountability in your supply chain by creating a set of best practices to share and secure data. You should also be aware of any gaps within your IT environment so you can be prepared to act. Partnering with experts and training your team with cloud security knowledge and skills is another way to optimize your efforts. Lastly, you might want to consider using artificial intelligence to identify the most important aspects in your cloud security program. It’s understandable that many organizations have rushed to the cloud and may have taken some shortcuts but it’s important to get on track moving forward.

Utah joins Ohio in establishing affirmative defenses against data breaches: Utah is now the second state to enact a law that protects “persons” that create, maintain and reasonably comply with cybersecurity regulations like the NIST and HIPAA Security Rule. This newly enacted Cybersecurity Affirmative Defense Act states that the written cybersecurity program must provide administrative, technical and physical safeguards to protect personal information. The defenses described in the Act generally don’t cover situations in which the person received notice of a threat.

Federal government to establish new guidelines on software vendors: The U.S. government plans to expand upon previous vendor guidelines for software services. This could potentially include a requirement for vulnerability disclosure policies that encourage security researchers to find and report weaknesses in their product. These new standards would be a big win in the third-party risk management industry because federal regulations would encourage SaaS and other IT providers to be more proactive and transparent about their security measures. The Commerce Secretary will be able to define “foreign adversaries” and determine whether a given import of information and communications technology should be allowed.

Shell is the latest victim to come forward from the Accellion breach: Oil and gas company Shell has reported a data breach that affected the personal information records of stakeholders. This goes to show that even huge organizations are vulnerable to third-party vendor data breaches. Accellion had been a legacy product for many organizations and a breach like this might have been prevented with better third-party risk management practices.

Third-party payment processor accused of ignoring fraud: More information is coming out about the complaint against third-party payment processor BrighSpeed Solutions, Inc. BrightSpeed is accused of knowingly processing payments for clients who used pop-up ads to scam consumers into buying overpriced and unnecessary software. The originating banks who processed these remotely created check payments had even voiced their concerns to BrightSpeed. They allegedly made false statements in which they exaggerated how much they vetted their clients and monitored their transactions. This story should serve as a valuable lesson when it comes to third-party vendors. You can’t simply look the other way when you suspect fraudulent activity.

$50 million ransomware attack on Acer: Acer has reportedly been given a deadline of March 28th to fork over $50 million to ransomware group REvil/Sodinokibi. Attackers claimed to have breached Acer and published stolen files like bank balances and financial spreadsheets on their data leak website. Acer was offered a 20% early discount on the ransom demand if they paid by March 17th, to which they reportedly offered $10 million. Apparently, the attackers weren’t satisfied with this amount, as they have said they’ll double the ransom demand if not paid in full by the March 28th deadline.

The right department for third-party risk management: Recent third-party data breaches have shown the importance of establishing a good third-party risk management program. However, many organizations are still figuring out where exactly to implement this program and who should be involved. This article outlines a few different departments that could possibly take ownership of TPRM and the pros and cons of each. Information security is probably the most obvious choice since it shares one of the main goals of third-party risk management – cybersecurity. If information security is a sub-department within IT, it’s important to determine whether they can objectively judge the risks and understand not to prioritize user demands and efficiency over risk. Compliance is another department that can manage TPRM, if they have cross-functional authority. Larger organizations may have their own risk management departments although it should be noted that they are often responsible for multiple risk areas and will likely be more effective if they work concurrently with IT and information security. The legal department is very knowledgeable in the contract area of TPRM, but that’s only one part of the entire program. The purchasing/contracting departments might also seem like the obvious choice to manage TPRM since they deal with the vendors on a regular basis. They should certainly be involved in the process by helping to identify all vendors who have access to certain information, but they probably don’t have the expertise needed to adequately judge risk levels.

Top 8 cybersecurity and risk management trends of 2021: Gartner has identified the top 8 trends that security and risk management leaders need to be aware of this year. Many organizations have been forced to fast-track their digital transformation and update their cybersecurity practices because of the pandemic. Gartner research VP, Peter Firstbrook, stated that up to 80% of organizations have said they’re challenged with finding and hiring security professionals. Identity-first security and support for remote work are a couple of trends that have come directly from the pandemic. With many employees working remotely, security leaders must adapt their policies and tools to be more effective in this distributed environment. More organizations are also beginning to create cybersecurity committees at the board level, while at the same time consolidating their security vendors to reduce complexity, costs and staffing requirements. New tools and techniques are also emerging to enhance privacy and better protect against security gaps through breach and attack simulations. A continuous increase in machines within an organization requires a strategy to identify them and a modern approach of cybersecurity mesh allows for security controls to be better distributed where they are needed most.

Data breach affects two government conference organizers: AFCEA and the U.S. Geospatial Intelligence Foundation notified past conference attendees of a recent data breach caused by a third-party vendor. The vendor provided registration services and potentially exposed names, addresses and phone numbers but doesn’t appear to have highly sensitive data like credit card information and passwords. After the SolarWinds and Microsoft incidents, this breach proves once again that the government will need to reevaluate their third-party risk management policies.

The important relationship between compliance and business: A compliance program’s success is heavily dependent on the transparency between compliance professionals and business employees. Business employees are expected to share information and coordinate procedures to ensure the overall compliance of the program. A Chief Compliance Officer (CCO) is initially given the challenge to clarify that the business owns the compliance responsibilities. The CCO should also ensure that these responsibilities do not interfere with business operations. In a way, the CCO acts as a liaison between the business strategy and compliance requirements.

Top 5 causes of cybersecurity struggles: Cybersecurity is constantly evolving and many organizations (not just financial institutions) are struggling to keep up with the changes. But why? In 2020 alone, the financial industry suffered from more than 1,500 events, 448 of those which disclosed data. The pandemic of course played a part in these numbers, as companies had to rapidly transition to remote work and were unable to implement sufficient security measures. Many organizations blame a shortage of cybersecurity professionals and low budgets on their cybersecurity woes. But, it should also be noted that many companies simply underestimate the value of good cybersecurity or overestimate their own capabilities. And, any cybersecurity training that is provided isn’t enough. A recent study by the Ponemon Institute found that half of the companies who were polled had no security policies in place specific to remote employees.

OpenSSL prepares security patch release for March 25: This is a HIGH priority security-fix release of OpenSSL version 1.1.1k.

Credit unions risk large financial impacts from cybersecurity attacks: A new report focuses on the particularly high vulnerabilities within the credit union industry. Two hundred and fifty (250) National Credit Union Administration (NCUA) credit unions and 150 vendors that are commonly used by vendors were researched and averaged a cyber grade of “B,” which suggests that their cyber breaches would be carried out by highly experienced hackers. However, most of these credit unions and vendors had other vulnerabilities such as insecure email networks and inadequate software patch management practices. Researches found that the financial impact of an attack on a single vendor could exceed $1 million for large credit unions and $300,00 for smaller credit unions.

Third-party vendors working remotely: With many organizations continuing to operate remotely, there is an increased focus on evaluating those third-party vendors who enable this capability. While your own organization might be thriving in this remote environment, are you sure that your third-party vendors are? If your third-party vendors are working remotely, certain things can be overlooked and lead to data compliance and data protection issues. Integrity360 CEO, Eoin Goulding, states that companies can sometimes rush into decisions about third-party system integrators because they fear an imminent attack, but they don’t fully understand the value of these tools and vendors or how to use them to reduce risk. Goulding also emphasizes the importance of reassessing policies and procedures to mitigate insider risk. Furloughs and layoffs, especially when working remotely, run the risk of data being taken by employees.

Attackers demand up to $100M from Acer: Another article that details the ransomware attack on Tawainese computer manufacturer Acer. The ransomware group REvil broke its previous record high of $30 million in this latest attack. Acer has had little to say about this event, but some cybersecurity experts identified a bad actor that targeted an Acer Exchange email server which would make it another victim in the latest Exchange hack

2020 saw an increase in the magnitude and frequency of cyberattacks: Not only did many private sector organizations move to the world of remote working, so did many government agencies. And, it should surprise no one that even the government is vulnerable to data breaches. A recent Ponemon Institute study found that 61% of federal agencies who were polled reported a breach that resulted in the loss of theft of sensitive or confidential information over the last two years. Vice President of the USPS Gregory Crabb pointed out the difficulty in fighting a cyber war because of the inability to see the size of the threat online. Claire Barret, chief privacy and information asset officer at the Department of Transportation knows that it’s not a matter of what to do IF you suffer a breach, but rather WHEN. She also sees the importance of not only managing the security of data but also understanding how it flows through your system.

NY issues guidelines for cybersecurity insurance: With the continuing rise of cyberattacks comes the increasing need for cyber insurance. Cyber criminals are not going anywhere so it stands to reason that the insurance market will adapt to fit the security needs of businesses. The New York Department of Financial Services became the first to create guidelines on cyber insurance with the intention of preventing premiums from exploding into outrageous amounts. This new Cyber Insurance Risk Framework outlines seven key practices to minimize risk to businesses. The first is to establish a formal risk strategy that is approved by senior management and the board of directors. Organizations should also manage and eliminate exposure to silent cyber insurance risk, which is risk that an insurer must cover under a policy that doesn’t specifically mention cyber. These policies should also evaluate systemic risk and measure the insured risk by a comprehensive plan. Educating the insurers and insurance providers of the value of cybersecurity is also part of the framework. The guidelines also call for cybersecurity experts to understand and evaluate the risk and a requirement of law enforcement to be notified of incidents.

Recently Added Articles as of March 18

New data breaches and the effects of the recent SolarWinds and Microsoft Exchange attacks continue to be top issues for this week, especially as they concern government agencies. There are also a few policy changes within the CCPA and more protection for consumers. Read on for the details.

Breweries and breaches: Molson Coors Beverage Company was one of the latest companies to suffer a data breach, proving that hackers aren't picky in choosing their victims. Companies of any size and industry are targeted either directly or through their vendors. A recent study by Ponemon Institute discovered that these breaches could cost millions of dollars, but proper planning can drastically reduce these numbers. This breach is just another example of the importance of all businesses to include cybersecurity and privacy compliance in their risk management strategy.

The façade of SMS security: SMS text messages are supposed to be an added layer of online security, but many have come to realize that they’re simply weak links that can easily be manipulated. An experiment with Vice.com’s Joseph Cox showed how simple it is for anyone to steal a person’s texts for the low price of $16. Using a service like Sakari allows customers to add a phone number to send and receive texts so there’s not much one can do to prevent someone else from using your number. Sakari is just one company in the unregulated industry of cloud-based text messaging services, so organizations should be extra vigilant if a third-party vendor utilizes this type of application.

Recent breaches are prompting change within government IT: The two recent cyber attacks of Microsoft Exchange and SolarWinds have forced government agencies to closely evaluate their current third-party risk management policies and procedures. North Carolina’s Chief Risk Officer, Maria Thompson, sees two simple tasks that governments need to do moving forward. The first is to identify there is a problem and the second is to establish stricter controls with the vendor contracts they already have in place. More transparency should be the goal. When the government isn’t notified of a breach until weeks or months after it happens, it forces them to spend more money and resources to resolve the issues. Many states are already taking steps to change policies, such as North Carolina and its adoption of NIST 800-53 Rev 5 controls, while other government agencies are shifting to more cloud-based providers which do a better job of assuring their customers about security.

A stronger supply chain risk management: Supply chains are as long and complex as ever, and the pandemic highlighted just how unprepared many companies were for disruptions. Third-party due diligence will serve as a solid foundation for your supply chain risk management. This article outlines the process of how to implement your due diligence program into your supply chain, from the fundamentals to building a maintainable solution. One big takeaway is to remember that multiple risk management frameworks are needed to understand which information to collect.

Lessons learned from Flagstar’s data breach: Flagstar Bancorp was just one of the clients that was affected by Accellion’s recent data breach. Flagstar had been using Accellion’s File Transfer Appliance Software when hackers were able to access their employees and customer’s sensitive information. This incident should serve as a reminder that even mid-size and smaller banks are still vulnerable to attacks involving their third or fourth parties. Two defensive tactics are described: red-teaming and threat-hunting. Banks can test out these tactics to simulate an attack and measure how well they respond.

Data breach trends in healthcare: Different types of hacking attacks continue to be the most common healthcare data breaches reported to federal regulators. 7.3 million people have already been affected by these breaches in 2021, according to the HIPAA Breach Reporting Tool. Healthcare providers and their vendors should always be on high alert to protect their data from hackers. The largest data breach so far in 2021 affected 3.1 million people within Florida Healthy Kids Corp. A vendor that hosted their website neglected to address some of its weaknesses over seven long years, which resulted in exposed patient data.

Update on SolarWinds breach: The SolarWinds breach is far from over, as government agencies are still trying to determine which emails and files have been compromised by Russian hackers. Microsoft President, Brad Smith, had then proclaimed the SolarWinds hack as the largest cyberattack that the world had ever seen… but along came the Microsoft Exchange data breach which is likely to be even larger.

IoT cybersecurity laws reach for and wide: Internet of things, or “IoT,” devices are expected to exceed a whopping 21.5 billion by 2025. The new “IoT Act” intends to improve the security of these abundant devices. NIST is also creating cybersecurity standards and guidelines which will complement this new act. It should be noted that while the act and NIST standards will influence both state and federal compliance, there will also be an indirect effect on those in the private sector that purchase IoT devices. Congress's intended result is that it will raise the bar on standards across non-federally regulated IoT devices, software and systems. The IoT Act takes effect in December 2022, but take a look at this article for some suggestions on what your organization should be doing now.

2019 data breach settled between AMCA and 41 states: A massive healthcare data breach from 2019 has finally been settled. The American Medical Collection Agency reached a settlement with 41 state attorneys general, which could potentially cost them a $21 million fine. The incident was caused by a hacker who gained access to the billing collections vendor, exposing sensitive information from a variety of AMCA clients including Quest Diagnostics and LabCorp. The settlement agreement requires AMCA to implement better security practices including an incident response plan and a qualified chief information security officer to oversee its practices.

Microsoft exchange hack puts third-party risk in the spotlight: The Microsoft Exchange hack continues to highlight the importance of third-party risk management. Although Microsoft customers have been encouraged to transition to the cloud, many companies still rely on physical email servers. At least 10 hacking groups have been identified in using this attack, with experts anticipating more incidents being reported in the coming weeks. Third-party and supply chain risk will only continue to become more intricate but there are many ways in which businesses can mitigate these risks.

Consumers are now more protected from abusive acts: The 2020 “Statement of Policy Regarding Prohibition on Abusive Acts or Practices” has been rescinded by the Consumer Financial Protection Bureau. This move will better protect consumers from abusive acts and enforce the law written by congress. The original policy statement was written in a way that was inconsistent with the CFPB’s duty to enforce Congress standards.

The top seven cybersecurity results of 2020: The pandemic has disrupted many organization’s workforces, and with that comes a new set of trends that have continued into 2021. One interesting thing to note is that ransomware is expected to have a bigger impact on the physical world, with operation technology and IoT devices becoming more common. We'll also be able to see the delayed effects caused by many organizations rushing through their digital transformation.

Volvo's new hire focuses on data protection compliance: Volvo recently hired a new chief compliance and ethics officer to strengthen its focus on compliance with data protection regulations. The auto industry is rapidly evolving, with a focus on online sales, electric cars and autonomous driver technology. With these changes come an increased awareness of the need to protect consumer’s data.

Four new changes to CCPA:  For anyone doing business with customers in California, things just got a bit trickier. Four sections have been modified to provide more clarification on a few blurry topics. Businesses are required to be more transparent about things like opt-out requests and the processes in their privacy policies.

VISA launches introductory payments courses: These free courses from VISA area a valuable tool if you need help understanding your payment solutions options. The courses will walk you through things like the transaction lifecycle and implementation strategies and are especially useful, as many third parties are in the fintech industry.

NIST updates 800-53: Section 3.2 Awareness and Training is updated with specific language around social engineering training. Social engineering is a type of vulnerability testing that focuses on the organization’s individuals and can involve common attacks like phishing emails.

Recently Added Articles as of March 11

With more and more vaccines being distributed, it almost feels like the end of the pandemic is within our sight. Many businesses have already settled into a “new normal” with remote working environments; however, many are still eager to return to a fully on-site schedule. There are sure to be many more shifts and changes within third-party risk management as businesses begin to look at their next phase of this pandemic. Read on to see what’s trending this week within the industry.

Consulting.us ranks top 10 risks for 2021: It’s little surprise to see that cybersecurity and third-party risk have both made the list as separate entities, with a cyber breach being the top concern. However, it’s interesting to note that other categories like data privacy are also listed separately even though they can intertwine with other areas. An Interpol report from August 2020 showed that phishing, ransomware and malicious domains exploded in occurrence last year, even while remote working has proved beneficial for many businesses. It’s clear that businesses with a solid control and understanding of their technology processes are in a better position to managing these risks. These “digital leaders” aren't only literate in cyber practices, but also perform their risk assessment audits on a continual basis.

Banks are challenged by new state privacy laws: As we often say, this patchwork approach to state privacy laws only contributes to overall confusion instead of clarity. Standards can differ state to state and are sometimes even in conflict with federal laws which make it difficult to manage them efficiently, particularly for smaller national banks. It's difficult to know if your bank is subject to all of the arising laws, and even more challenging to know which of your vendors and partners are. This piece by American Banker weighs in on the confusion.

Virginia follows California in enacting privacy legislation: Governor Ralph Northam recently signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA adopted some elements from both the California Privacy Rights Act (CPRA) as well as the European Union General Data Protection Regulation (GDPR) which is reviewed in this analysis by leading law firm Michael Best. Some of the highlights of the CDPA include who it applies to (individual VA residents or consumers only) and who must comply (large businesses with more than $25M in gross annual revenues are not automatically subject to law).

Three steps to enhance your focus on third-party risk management: Currently, only 10% of corporate boards have a dedicated cybersecurity committee. Fortunately, that percentage is expected to increase to 40% by 2025. Cybersecurity issues will always be a presence so it’s important to incorporate third-party risk management into your program. This short article details the three ways that businesses can include third-party risk management into their cybersecurity processes. Improving pre-contract due diligence, continuous monitoring and unifying your interrelated teams are effective steps to improve your program.

Microsoft’s delayed response to hack warning: Timing is everything and it appears that Microsoft dropped the ball on notifying its users about its vulnerabilities. Microsoft confirmed that they were aware of the issue related to the Exchange hack back in early January but waited almost two months before issuing its first set of patches. In addition to the HAFNIUM attack - a Chinese hacking group - another report claims that there could be at least five other groups hacking the Exchange Server. It’s recommended that those with a local Microsoft Exchange Server from 2010, 2013, 2016 or 2019 should patch and scan as well as apply updates ASAP across all systems that were affected.

An explanation of Microsoft’s “astronomical” hack: It’s finally coming to light just how severe the recent Microsoft Exchange hack is. Anonymous sources have stated that up to 30,000 American organizations have been affected by these security flaws. The cloud-based Exchange Online is said to be unaffected by this hack, nor is Microsoft 365. A group named HAFNIUM is said to be behind these attacks whose primary goal is gathering intelligence. It hasn’t been determined if the U.S. government has been affected, but the European Banking Authority has confirmed breaches. Smaller sized businesses including city and county governments are especially at risk.

Additional information on the Exchange hack: This article details some of the types of organizations that are under attack by HAFNIUM including infectious disease researchers, law firms, higher education institutions and policy think tanks. Installing the patches from Microsoft won’t benefit those servers that have already been compromised. It’s entirely possible that the Exchange Server hack will surpass the one by SolarWinds as being the worst computer intrusion in US history.

FTC helps break down vast telefunding scam: 1.3 billion calls and $110 million in solicitations were the result of a telefunding operation that deceived generous Americans into donating to what they thought were worthy causes. Associated Community Services, and other related defendants, allegedly knew that most of the funds they raised were not being spent on charitable causes. They’re also being charged with making harassing calls - sometimes calling the same number thousands of times! It’s important to keep current with the FTC actions around UDAP and pay close attention to consumer complaints to be aware of any risk of your consumers' data.

CFPB files a lawsuit against a third-party payment processor: The now defunct BrightSpeed Solutions Inc. and its founder Kevin Howard are being accused of consciously processing payments for companies engaged in technical support fraud. The complaint states that older Americans were targeted by these companies and tricked into purchasing costly and unnecessary antivirus software. BrightSpeed continued to process these payments, even after they were aware of nearly 1,000 consumer complaints against their clients. This recent lawsuit serves as a reminder of the importance about ongoing monitoring on your third parties, whether they're general service providers or payment processers.

NIST releases cybersecurity standards: This publication includes a lot of information you would expect to see from NIST, with a heavy focus on cybersecurity practices by third parties as well as some important lessons learned during the COVID-19 pandemic. This generalized document is intended for any sized organization that wants to manage cybersecurity risks related to extended supply chains and supply ecosystems.

FINRA annual report released: FINRA’s annual report is now a two for one! Previous years were separated into two reports; one was reflective and focused on issues found in exams while the other was prescriptive of upcoming areas of concern. This year’s 46-page report combines the two, so you have an overall understanding of past and future issues. There is of course a lot of attention on cybersecurity and third-party risk management practices, especially as they relate to the pandemic.

Recently Added Articles as of March 4

We’re a little over a year into the pandemic, and times sure have changed. However, the pandemic isn’t the only reason we’ve seen major industry changes. With a new executive administration, regulatory agencies are shifting leadership and focus. Oh, and if you’re wondering if the board’s main concern is still COVID-19, you may be surprised to learn that it’s actually not the number one priority. Read on for all the details.

SEC publishes their 2021 Examination Priorities Report: As expected, the SEC has published their annual examination priorities report. While much of the priority list seems to remain consistent with 2020, this year, there is an increased focus on climate-related risks. You'll continue to see focus on information security, fintech and innovation, compliance programs, anti-money laundering, etc. 

How to manage cybersecurity like a Fortune 500 company: Is it possible to manage cybersecurity like a Fortune 500 company if your security team is on the smaller side? The short answer is, yes! Cynet published a guide called, “10 CISOs with Small Security Teams Share their Must Dos and Don’ts,” which shares how cybersecurity teams with less than five can effectively manage security. This is a very timely piece given the recent increase in data breaches.

Microsoft Teams to receive a privacy refresh: Do you use Microsoft Teams? With privacy and security being of the utmost importance, it’s a breath of fresh aire to see Microsoft Teams placing focus on security, privacy and compliance updates. The company plans to update the solution to include end-to-end encryption support for one-on-one voice calls. According to Microsoft, “Teams will support end-to-end encryption for organizations to help customers meet their security and compliance requirements by providing an additional option for conducting sensitive online conversations.”

Microsoft releases software updates to address security holes: Just in! We've learned Microsoft’s exchange server products have been exploited in an intricate attack deployed by a Chinese cyber espionage group. The group was able to access email communications because of four security holes. Microsoft released a software update to patch the issues. These exploits impact Microsoft Exchange Server versions 2013, 2016 and 2019. Microsoft has stated that its hosted Exchange Online servers are unaffected. The primary targets of these exploits are publicly-facing Exchange Servers running the vulnerable versions. However, it is important to note that even instances not accessible from the Internet should be patched, as undiscovered intruders already in your network could utilize this exploit for additional data exfiltration. It's recommended that your organization should immediately follow the guidance in Microsoft's announcement to assess whether these exploits impact your organization. From a TPRM perspective, you should also consider reaching out to your third-party vendors to request information surrounding: which version(s) of Exchange Server is utilized by the vendor, whether the server is accessible from the Internet and what activities the vendor is performing to assess the potential impact of these exploits, including timeline for applying patches even if the server is not publicly-facing.

What the CFPB director should focus on: Throughout the years, the Consumer Financial Protection Bureau (CFPB) has had several directors and interim directors, causing the agency to reflect a variety of viewpoints, which can become a lot to follow. With Rohit Chopra, a Federal Trade Commission member and former CFPB official, nominated to lead the bureau, what should the director’s focus be on with political viewpoints set aside? First, ensure the bureau’s actions preserve consumers’ access to credit. Second, develop long-term consumer protections laws. Third, implement a clear rulemaking process. And fourth, ensure consumers experience a level playing field across all financial institutions. But, the ultimate goal? Transparency. This article is important to read as it’s always key to anticipate what regulators may be thinking and how that could impact upcoming examinations and enforcement priorities, as they are a valuable lens to look at your own business model.

A password lapse may be to blame for the SolarWinds incident: The SolarWinds updates keep coming. And, now we learn that an intern used a very weak password in 2017, solarwinds123, to be exact, which was potentially available publicly via a GitHub repository. It’s not crystal clear to the extent, but could this leaked password be the start of it all that led to the recent hack?

The Securities and Exchange Commission (SEC) has authority: Recently, the SEC suspended trading in the securities of 15 companies due to some dubious trading and social media activity. They’re not messing around. Although not third-party specific, this is an important reminder that if the SEC is one of your regulators, they do have serious enforcement authority and the ability to launch investigations or even suspend trading.

Congressional oversight of financial institutions: As controls of various committees have shifted and the executive administration has changed, so have the interests of the oversight committees. There’s an anticipation that congressional oversight will increase in the private sector, with a particular focus on the financial services industry. If they continue to sing the same tune, you can expect to see focus on private equity, consumer finance, fintech and environment, social, and governance (ESG) issues.

Mapping internal controls and risk assessments: In this informative article by JD Supra, learn best practices to prioritize risks, map internal controls to risks and assess whether the controls are adequate to mitigate the risks. It even touches on options like the COSO 2013 Internal Controls Framework to assist.

TikTok pays $92 million to settle privacy violations: TikTok will settle dozens of privacy lawsuits at $92 million for using the app users’ personal data without consent and selling it to advertisers. The settlement is one of the largest privacy-related payouts to date. According to TikTok, the company disagrees with the allegations; however, has decided to settle to avoid a legal battle and to be able to put more focus on the TikTok community experience.

Payment system outage at The Federal Reserve: So, what do you do when the Fed goes down? Last week, the Fed experienced an operational error because of “an automated data center maintenance process that was inadvertently triggered during business hours.” According to a Fed spokeswoman, the error that caused outages at all 14 of the Fed’s services is due to human error. This is a very pertinent reminder to think about your own level of business continuity preparedness.

Model State Privacy Act released by Consumer Reports: One of the biggest concerns we discuss is the complexity of managing numerous somewhat divergent state privacy requirements as they are passed one by one. Consumer Reports steps in, in the absence of a nationwide standard, by proposing model legislation. The legislation would protect consumer privacy rights “by default.” Looks like privacy law makes the news again and will likely continue to do so for some time.

The impact COVID-19 has had on the board: We’re over a year into the worldwide pandemic, and that has many reflecting on lessons learned and what remains important. While COVID-19 is still a concern for the board, it’s not the main concern at this point. Instead, their priority has shifted and become how the pandemic has changed the business/competitive landscape as well as employee and customer expectations. There are 5 important questions boards are now asking themselves. Boards have much to consider, and as we return to offices, perhaps they’re considering reducing our reliance on certain data distribution and third parties. Curious to learn more?

Federal Trade Commission (FTC) weighs in on social media advertising: A senior attorney at the FTC shares his advice on social media advertising and marketing practices in an interview. Topics covered include regulations governing social media advertising, the role of disclosures and disclaimers, employee posts on platforms and more. This is cautionary advice from the FTC. Remember, many organizations manage their social media using a third-party marketing company, so the advice on oversight is tremendously important to follow.

Upcoming industry webinar on third-party risk: On March 8, CeFPro will host a complimentary webinar covering third-party risk in an increasingly interconnected world. The organization is well known for taking an expansive global look at all types of risk. If you're interested, be sure to register. 

Protecting device security and patient safety during COVID: The pandemic has brought on a massive shift in technology within the healthcare industry, including a new landscape of connected devices and telehealth platforms. In the rush to bring on new technology that provided lifesaving care, security onboarding processes for these devices often moved to the bottom of the priority list. The ongoing challenge is how to ensure that healthcare providers and device manufacturers collaborate on patient safety. There are a few key risks that arise when devices are quickly onboarded, mostly around the unknown vulnerabilities and security controls. There’s also a need for more visibility, as many administrators are unaware of exactly how many devices are operating on the network. Cyberattacks will always be a risk within the healthcare industry, but it’s a worthy effort to continue building resilience.