Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management (TPRM) program fresh. Below we've listed some notable articles to check out.
Recently Added Articles as of March 31
As the first quarter of 2022 comes to a close, cybersecurity and ESG continue to be big topics in the world of third-party risk management. The SEC’s proposed rule on climate disclosures is highlighting the need for consistency in ESG reporting and the White House budget plan has almost $11 billion set aside for cybersecurity. Privacy regulation is a trending topic for the healthcare industry and HIPAA violations resulted in four enforcement actions. There’s a lot to cover this week, so read on to learn more!
SEC releases 2022 priorities: The SEC released its annual report on examination priorities, with environmental, social and governance (ESG) investing being a key area of significant focus. Information security, operational resiliency, emerging technologies and crypto-assets are other areas of focus, and organizations should consider how their TPRM programs address these issues. The SEC notes that this report is used as an important tool to promote and improve compliance, prevent fraud and monitor risk.
Chrome users urged to upgrade: Google is warning billions of Chrome users of a new “zero-day” vulnerability (CVE-2022-1096) that should be patched immediately. CISA has even ordered federal agencies to patch the vulnerability and has added it to its Known Exploited Vulnerabilities Catalog. Chrome/Chromium boasts over 3 billion users and is one of the most targeted pieces of software in the world. And, this latest flaw marks the second zero-day of its type this year. Google issued an emergency update, version 99.0.4844.84. With zero-day attacks on the rise, it’s more important than ever to ensure you patch vulnerabilities now.
Recent trends highlight importance of TPRM: As cybercriminals are increasingly targeting organizations through their third parties, it’s important to remember that risk-based vetting and ongoing monitoring are critical to protect against vendor risk. Many organizations rely on hundreds or thousands of service providers, which leads to an expansive risk landscape. Organizations are exposed to numerous risks because of their vendors, including potential regulatory violations and reputational damage. An effective third-party risk management program should include a thorough assessment of risks and an ongoing monitoring strategy to stay aware of any new or emerging risks.
Healthcare groups call for increased privacy regulation: The Workgroup for Electronic Data Interchange (WEDI) and the Confidentiality Coalition recently issued a letter to the Department of Health and Human Services (HHS) and Department of Commerce (DOC) in which they urged the regulators to better protect patient privacy. The two groups argue that a large amount of health-related information is accessed by third-party apps and is therefore vulnerable to misuse because it’s not protected by HIPAA. The regulators were presented with five recommendations, which include the release of additional guidance that would outline the permitted verification types. Entities that aren’t in scope for HIPAA regulations should be required to explain how and why they collect data, and the regulators should work with the private sector to establish a framework for the privacy and security of third-party apps.
Highlights of the SEC climate rule: Climate-related disclosures are the focus of the SEC’s proposed rule, and it’s worth understanding some of the highlights so your organization can be better prepared for future regulations. The rule covers a variety of topics, including governance, meaning the board of directors’ oversight of climate-related risks. Strategy, business model and outlook is another key topic, which includes descriptions of physical risks and transition risks. Greenhouse gas (GHG) emission metrics and financial statement disclosure requirements are also found within the proposed rule. This climate disclosure rule is yet another sign that regulators are increasing their focus on ESG issues, so it’s a good idea to act now within your third-party risk management program.
HIPAA violations result in HHS OCR actions: The Department of Health and Human Services (HHS) recently issued four HIPAA enforcement actions, which serve as important reminders for organizations to remain in compliance. Three of the actions were handed out to dental practices, one of which made the brazen decision to disclose patient PHI to a third-party marketing company in the hopes of helping with an election campaign. This poor decision resulted in a $62,000 fine for violating the HIPAA Privacy Rule. Another dentist was penalized $30,000 for failing to provide a patient with a copy of their medical record. The department’s Office for Civil Rights (OCR) director issued a stern warning, saying that it’s critical to take HIPAA compliance seriously and that OCR will continue to pursue penalties for violations.
Cybersecurity prioritized in White House budget plan: Of the $5.8 trillion budget plan for 2023, $10.9 billion is designated for civilian cybersecurity activities such as improving the protection of federal infrastructure and bolstering support capabilities through cloud business applications and enhanced analytics. The budget plan addresses many of the needs identified in last year’s executive order on cybersecurity. The Coast Guard, Federal Aviation Administration, Treasury Department and Department of Justice are just a few of the agencies that will receive funding to improve their cybersecurity efforts. While many experts see this budget as a step in the right direction, some warn that it’s just as important for organizations to move beyond the basics of “off-the-shelf” defenses and rapidly consume and share intelligence to stay ahead of attackers. With cyber threats becoming more prevalent and sophisticated, organizations should ensure they’re adopting more strategies to identify and respond to vulnerabilities before they’re exploited.
Company admits mistake in disclosure delay: Identity and access management company Okta is apologizing for the way it handled a recent hack by the Lapsus$ data extortion group. Though the incident targeted a third-party vendor that provides customer support services to Okta, and only then rippled through to Okta itself, the company admitted that it’s ultimately responsible for its vendors and expressed regret for not disclosing the hack earlier. The company’s CEO originally called the incident an attempt, but an investigation revealed that 366 customers were impacted. Disclosing a third-party cybersecurity incident is never easy, but waiting too long to do so can lead to a worse outcome of irreversible reputational damage.
“Protestware” causes concern in the tech industry: Anti-war activists have been deploying “protestware” to support Ukraine, but some experts are warning that the open source ecosystem is too fragile for such attacks. The Open Source Initiative released a statement, urging activists to find alternative and less destructive ways to protest the war. Vandalizing open source projects essentially harms all of open source, with the additional threat of an increase in copycats. Using these attacks as weapons against Russia may be tempting, but the negative impact will overshadow any benefits.
Russia sanctions slow recovery of supply chains: Supply chain recovery isn’t arriving anytime soon according to the Biden Administration. After the president tightened sanctions on Russia, experts are noting that the increasing costs of fuel and metal will worsen supply chain pressures with ongoing production delays and freight issues. CFOs were already facing pandemic-related issues, but the ongoing Russian invasion has since added another layer of challenges to the global supply chain. Federal Reserve Chair Jerome Powell stated that supply chain disruptions should start to ease in the upcoming months, but it’s clear that we still have a long way to go before things begin to stabilize.
How to map and manage third-party cyber risks: Protecting your organization from third-party cybersecurity risks requires a well-planned strategy of both preventative and proactive measures. First, it’s critical to map your organization’s data flow to enforce data ownership and accountability while also implementing controls and monitoring policies. Second, perform assessments and evaluations on your third parties to understand how they safeguard data. It’s always a good idea to use industry standards when it comes to creating vendor risk profiles and don’t forget to create and test an incident response plan.
The need for consistency in ESG ratings and reporting: The pressure is building for organizations to report on environmental, social and governance (ESG) issues, but a lack of transparency and consistency from rating agencies is making the task difficult. Without regulatory guidance, CFOs must choose from a variety of ESG reporting frameworks and rating agencies to gather and analyze their data. Organizations are spending a lot of money to provide information, but investors are still not obtaining the data that they’re requesting. The SEC’s proposed rule on climate-related disclosures would help address the lack of standardization and give investors consistent information to use for decision making.
Third-party security incidents affected over 90% of organizations: If your organization experienced a third-party security incident last year, you’re not alone. A recent survey of IT and cybersecurity professionals revealed that 91% of respondents had at least one incident tied to a third party. Those in the financial services industry were most likely to report an incident, which is unsurprising considering the strict regulations on disclosures. With so many headlines on cybersecurity incidents, it’s not surprising that most survey participants expressed concern with risk exposure. The healthcare industry is particularly concerned as they know a third-party cyber incident could potentially be deadly. However, the good news is that the majority of respondents are keeping their boards informed of third-party security risks and incidents.
How banks can incorporate ESG into TPRM: The pandemic and emerging regulatory action have brought more attention to environmental, social and governance issues within the financial services industry. It’s no longer enough to establish ESG goals within your own organization; third-party activities also need to be included. When implementing ESG goals within a third-party risk management (TPRM) program, it’s important to consider the people, process and technology that are needed. Financial institutions should consider a smarter approach to integrating ESG factors into TPRM, such as using advanced technologies like artificial intelligence or proprietary natural language processing. These can be used to assess third-party content and compare it with other sources. It’s also a good idea to utilize a TPRM platform that continuously monitors data collection, especially if there’s a lack of manual capabilities.
The basics of smishing attacks: Despite the funny-sounding name, smishing attacks are a serious scam that can cause major headaches for those that fall for them. Smishing attacks are carried out by scammers who send out text messages to their victims. These are a type of phishing attack that attempt to obtain sensitive information by fooling users with scam texts. The messages often appear to come from trustworthy sources and ask users to click on a link to make a payment, claim a prize or confirm information. A recent report stated that 74% of organizations have faced such attacks. Since most people are quick to open and respond to texts rather than emails, hackers have been increasingly using smishing attacks to steal information. The best strategy to deal with these hackers is to block the number without replying and never open an attachment or link from an unrecognized number. Don’t allow yourself to get outsmarted by scammers!
Recently Added Articles as of March 24
ESG risks are gaining more attention as the SEC just proposed new climate disclosure rules. The White House is warning of a potential Russian cyberattack and Meta got hit with an $18 million fine for violating the GDPR. The ongoing disruptions in the supply chain are bringing awareness to fourth-party risks and there’s an important lesson on how to create a holistic view of third-party risk management. Read on for all the details!
Biden signs Cyber Incident Reporting Act: Critical infrastructure organizations will now be required to report substantial cybersecurity incidents to CISA within 72 hours, according to the recently signed Cyber Incident Reporting Act. Organizations that make ransomware payments must report within 24 hours while also preserving data related to the incident. This act applies to entities within communications, financial services, energy, healthcare and information technology.
Critical infrastructure targeted by AvosLocker ransomware: Organizations in finance, manufacturing and government are being targeted by the ransomware-as-a-service group AvosLocker. A recent joint cybersecurity advisory stated that some victims have been receiving phone calls from an AvosLocker representative who threatens to post stolen data online and executes a DDoS attack during negotiation. Security experts say that network segmentation, fast patching of vulnerabilities, multi-factor authentication and disabling unused ports are all practices that can help mitigate these types of threats.
Preparing your supply chain for ESG risks: Recent U.S. legislation has brought increased focus on environmental, social and governance (ESG) issues in corporate supply chain management. Last December, the U.S. enacted the Uyghur Forced Labor Prevention Act which addresses forced labor in China. The SEC recently proposed new climate-related disclosure rules and the Fashion Sustainability and Social Accountability Act was proposed by New York legislators in October of 2021. The New York act includes requirements on disclosing environmental and social due diligence policies and can provide organizations with a helpful blueprint to prepare for mandatory ESG disclosures. Organizations are urged to act now, so they can be ready for future ESG regulations. They can begin by integrating legal, sustainability and supply chain management, while also updating their due diligence policies and procedures. It may also be helpful to evaluate and update any existing ESG reporting.
White House issues warning for Russian cyberattack: The economic sanctions imposed on Russia have them eager for revenge, though they’ll likely stop short of a lethal attack. According to a recent statement issued by the Biden administration, intelligence suggests that Russia is preparing to deploy a retaliatory cyberattack against the U.S. and the president is urging those in the private sector to “accelerate efforts to lock their digital doors." The goal of the statement was to raise awareness and create a call to action so organizations understand the need to strengthen their cyber defenses. As third parties continue to be a significant source of cybersecurity risk, it’s critical to ensure that they take appropriate action to protect their systems from ongoing threats.
How to mitigate software supply chain risk: Supply chain attacks are often more difficult to detect and prevent than those targeting your organization directly. Cybercriminals are known to deploy hardware attacks on physical devices or firmware attacks on a computer’s boot code, and the breadth of supply chains makes such attacks difficult to trace. Fortunately, there are a few effective tips to mitigate the risk of such attacks. Experts recommend investing in security operations center (SOC) analysts who can assess your cybersecurity infrastructure and react to any threats. Vendor access controls are also important, as they prevent third parties from accessing more than they need to. An enterprise password management (EPM) platform is another valuable tool that can give IT professionals full visibility into employee password practices.
Climate-related disclosure rules proposed by SEC: Are you ready for required climate change disclosures? The SEC recently proposed rule changes related to required climate-related disclosures in periodic reports and registration statements. The information would include details about material impact from climate-related risks, greenhouse gas emissions and indirect emissions from electricity or other forms of energy. SEC Chair, Gary Gensler, noted that these proposed changes would give investors more consistent and comparable information to be used in decision making. While cybersecurity is often a leading issue in third-party risk management, it’s important to remember that environmental, social and governance (ESG) disclosures continue to be top of mind for regulators.
A holistic view of third-party risk management: Third-party relationships are an essential asset for many organizations, but they can also bring significant amounts of regulatory, enterprise and environmental, social and governance risk. To assess and mitigate these risks, it’s important to take a holistic approach. Regulatory risk management covers areas of third-party sanctions violations as well as corruption, fraud, environmental harm and cybersecurity incidents. Third-party due diligence is expected to play a more important role in compliance programs for 2022. Enterprise risk includes a variety of areas, including operational, business resilience and reputational risk. It’s likely that third-party risk will grow in volume and impact, so it’s important to maintain a strong enterprise risk framework. ESG risks are also expected to receive greater attention in 2022, with many organizations beginning to invest more in the infrastructure of their third parties.
Protecting data in AI healthcare devices: As healthcare providers increasingly use artificial intelligence, it’s important to understand some of the risks associated with data privacy and security. Organizations that use or sell AI-based products need to consider federal and state laws that regulate how consumer data must be protected. A good place to start is by performing vendor due diligence prior to entrusting a third party with patient data. Consider how the data is collected and where it’s being stored, as these are two separate factors. Compliance monitoring is another important practice, as this can help determine if data is vulnerable to compromise. Access controls and data handling for personnel and vendors are further considerations for AI companies.
Supply chain issues are increasing fourth-party risk: Supply chain disruptions caused by the pandemic are highlighting the increasing need for fourth-party risk assessments. A recent report revealed that 79% of businesses said that they need to improve their assessment of their fourth parties and 73% reported a third-party disruption. More organizations are evaluating their operational resilience and their dependence on both third and fourth-party vendors. To mitigate third and fourth-party risk, it’s essential to carefully assess compliance, cybersecurity and business continuity risks prior to signing the contract. Ongoing monitoring of third-party activities and focusing on critical vendors are also healthy practices to protect your organization.
The need for managing vendor relationships: Many organizations have tools in place to manage projects, clients and internal/external communication. However, vendor relationship management is often overlooked, yet it is extremely critical. Enterprise resource planning (ERP) and customer relationship management software is typically found in most organizations, but these tools are inherently closed in their design and therefore not suitable for managing vendors. A vendor relationship management platform is an open system that’s accessible to external stakeholders, who can better solve business problems as they relate to vendors or suppliers. In recent years, globalization and the growth of vendors through mergers and acquisitions have created a stronger need for managing these vendor relationships.
Security challenges in IoT and medical devices: Healthcare providers continue to struggle with securing vulnerabilities in medical devices and cybersecurity experts admit that this won’t be an easy problem to solve. Rather than trying to fix all the vulnerabilities across a medical device ecosystem, it’s better to prioritize those that can have the greatest impact on patients. A simple strategy for healthcare providers is to ensure they’re aware of medical device risks and understand the assets that are connected to their network. Vendors also need to do their part in actively looking for vulnerabilities in their devices and quickly making patches to send to providers. Automating the remediation of medical device risks is another important practice that providers should adopt.
GDPR violations lead to $18.6 million fine for Meta: Facebook parent company Meta received a hefty fine from the Republic of Ireland’s Data Protection Commission (DPC) as a result of 12 data breaches that were reported in 2018. The tech giant is accused of violating multiple sections of the General Data Protection Regulation (GDPR), specifically regarding its failure to implement measures that would prove its compliance in protecting users’ data. Though Meta is a U.S.-based organization, this recent fine serves as an important reminder of the need to comply with EU regulations.
Recently Added Articles as of March 17
This week, Utah is expected to sign a new privacy law and the SEC is proposing new rules on cybersecurity incident reporting. The Department of Justice created a new Task Force to handle Russian sanctions and a DDoS attack kicked the Israeli government offline. Canadian organizations can learn some tips to strengthen their third-party risk management programs. And, there are some important steps to know when responding to a ransomware attack. Read on for all the details…
Utah could become the fourth state with privacy law: Utah is expected to join California, Virginia and Colorado as the newest state with a comprehensive privacy bill, titled the Utah Consumer Privacy Act (UCPA). The bill includes details on the right to access or delete personal data while also giving consumers the right to obtain a copy of their data or opt-out of data processing. Utah’s law doesn’t contain a private right of action or the right to correction, but contains many similarities to the other three state laws on record. If passed by Governor Cox, the law takes effect on December 31, 2023.
Israeli government kicked offline after DDoS attack: Several Israeli government websites were temporarily inaccessible after a distributed denial-of-service (DDoS) attack. This type of attack attempts to interrupt normal traffic of a server by flooding the infrastructure with junk internet traffic. It’s suspected that this was the work of an Iranian hacker group who was retaliating after an alleged sabotage that was attempted against one of their nuclear plants. Retaliatory cyberattacks seem to be making headlines in the wake of certain ongoing conflicts, so it’s important to stay on top of emerging threats that can harm your organization.
Ransomware variants identified in last quarter of 2021: Details are still emerging on the new cybersecurity records that were broken in 2021. In the fourth quarter alone, over 700 ransomware attacks were observed, involving 34 different variants. The most common were LockBit 2.0, PYSA, Grief, Conti and Hive. Consumer products, manufacturing and professional services were the top three most impacted sectors. As we approach the end of Q1 2022, it should be interesting to discover how these statistics have changed since 2021. These findings should serve as a reminder to prioritize cybersecurity within your third-party risk management program.
Five tips to protect against Russian cyberattacks: After NATO, the EU and the UN came together to impose sanctions against Russia, U.S. agencies are warning organizations to prepare for retaliation in the form of ransomware attacks. Third-party risk management professionals are urged to immediately take five actions to help protect against these cyberattacks. First, organizations should inventory all their suppliers to ensure centralized visibility. Next, build a thorough profile of every supplier with details on demographics, fourth-party relationships and industry insights. Third, identify any concentration risk related to technology. This helps to find dependencies and visualize any potential attack paths. The next tip is to evaluate the business resilience and continuity plans of your vendors. Finally, ensure that vendors are continuously monitored for cyberattacks. This can be accomplished by researching the internet and dark web for third-party vulnerabilities, negative news and global sanctions lists.
How to mitigate 5 common healthcare cyber threats: New medical technologies allow for advanced patient care, but they also expand the cyberattack vector landscape. Electronic health records continue to be a popular target for cybercriminals, so healthcare providers should always be on high alert for any emerging threats and vulnerabilities. The top five cyber threats for healthcare professionals are IoT devices, mobile health and telehealth technologies, remote patient access, ill-equipped IT departments and insufficient employee security training. To address these threats, cybersecurity teams should ensure they implement common standards like multifactor authentication, validated backups and the integration of managed service teams.
Next steps for ransomware attacks: No one wants to become a ransomware victim, but not knowing how to respond to an attack can lead to more devastating results. Financial impact aside, reputational damage is also a huge concern. Research has shown that more than two-thirds of consumers are distrustful of an organization after a breach, regardless of who is at fault. To protect against ransomware attacks, it’s essential to maintain a robust cybersecurity program, which should also extend to your third parties. Employee security training, multifactor authentication, network segmentation and regular software updates should all be included in a cybersecurity strategy. But, what happens after a breach? The FTC has established a set of regulatory guidelines on how to respond which include tasks such as taking equipment offline and securing systems. It may also help to bring in experts in the areas of forensics, IT, information security or legal. Any vulnerabilities should be addressed and clear communication is key.
Enhancing TPRM for Canadian organizations: According to a recent Canadian report, 81% of survey respondents said there was an urgent need to create a more consistent third-party risk management (TPRM) program across their organizations. One business leader pointed to the pandemic as being a wake-up call for Canadian organizations to prioritize TPRM. While vendors can help provide efficiencies, they’re also exposing organizations to a variety of risks related to delivery delays, overbilling and data breaches. The report outlines a few key steps that can help strengthen business resiliency when partnering with third parties. The C-suite should be engaged with TPRM activities and organizations should create a formal operating model for their program. Full visibility of third-party material risks is also important and TPRM teams should plan for detailed material scenarios. Also, collaboration with industry leaders can help create a single viewpoint that shares vendor information.
SEC’s proposal for new disclosure and reporting rules: The SEC’s proposed amendments on cybersecurity practices are intended to provide investors with more information about an organization’s material cybersecurity incidents. In a recent press release, SEC Chair Gary Gensler noted that companies and investors would both benefit from consistent and comparable information on cybersecurity practices and incident reporting. The proposal would require current reporting and periodic updates about material incidents. It would also require reporting on policies and procedures that are used to identify and manage an organization’s cybersecurity risk. After a string of notable third-party cybersecurity incidents in 2021, this proposed rule hints at more regulatory updates in the near future.
Google to acquire incident response firm for $5.4 billion: Tech giant Google is looking to expand its security portfolio with a greater focus on automation, threat intelligence and managed detection and response (MDR). Google announced its plans to purchase incident response firm Mandiant after promising an investment of $10 billion to boost software security. Many experts see automation as key to responding to cybersecurity threats as the industry continues to face a talent shortage. Google still has gaps in its cybersecurity capabilities, most notably its lack of an endpoint detection and response (EDR) platform, which is expected to be the next area of focus.
New DoJ Task Force to enforce Russian sanctions: The U.S. Department of Justice has responded to the ongoing Russia-Ukraine conflict by establishing “KleptoCapture," a new Task Force aimed at enforcing a wide range of sanctions and restrictions. The U.S. dollar leads global currency markets, which has made it a primary “soft power” enforcement tool against Russia. This evolving regulatory landscape requires continuous monitoring of third parties, with special attention needed for those in the shipping industry. Among the most important steps to take is conducting an internal assessment of potential exposure to Russian entities, especially those in financial services. Renewed or heightened due diligence should be conducted and contracts with service providers should be reviewed with more scrutiny. It’s also critical to continue monitoring any new Russian sanctions that can extend to the maritime, energy or aviation industries.
Cybersecurity and patient care go hand in hand: As healthcare organizations prioritize patient care, it’s time to acknowledge that this care should extend to cybersecurity. Data breaches continue to be a serious threat to the healthcare industry because of the high value of electronic medical records (EMR). Third parties are particularly risky for healthcare providers, as they can be found nearly everywhere in a system. Cybercriminals can carry out ransomware attacks on IT systems, which can lead to serious disruptions in admitting patients and controlling surgical software. To protect against these threats, healthcare providers should implement a variety of solutions, including continuous training and education for staff, investing in monitoring software and ensuring that third parties have effective access controls in place.
Top 5 reasons for a business continuity plan: Disaster can strike at any time, but a well-written and tested business continuity (BC) plan can help limit the fallout. It’s critical that organizations prioritize business continuity plans, not only for themselves, but for their vendors. The first reason is clear: a BC plan aids in disaster recovery. Disaster can’t be prevented, but it’s important to understand the process of what’s needed to restore business operations. The second reason for a BC plan is that backups aren’t enough. Organizations should be aware of how they’ll access data during an unexpected event. Third, business continuity plans are also needed because insurance doesn’t cover the loss of revenue and business prospects that results from downtime. Reason number four is that BC plans give you a competitive edge by enabling you to restore normal operations. And, the final reason relates to the simple need for a business to continue in the event of an incident. Business continuity plans are a set of actions to take so your organization can resume operations quickly.
Recently Added Articles as of March 10
Global supply chain vulnerabilities and phishing attacks are just some of the effects of the ongoing conflict between Russia and Ukraine. The Strengthening American Cybersecurity Act is getting closer to President Biden’s desk and cybersecurity risk is making headlines in a healthcare data breach. Read on for all the latest details in the world of third-party risk management.
Geopolitical risk among the top 10 for 2022: Operational risk covers a wide range of issues, many of which are closely linked, such as IT disruption and information security. It comes as little surprise that geopolitical risk has climbed in the rankings from the previous year considering the global impact of Russia’s invasion of Ukraine. A recent survey highlights the top 10 operational risks for 2022 with geopolitical risk coming in at number four, after IT disruption, theft and fraud, and talent risk. Third-party risk also made the list at number seven as financial institutions continue to be heavily reliant on third parties for expertise and advanced technologies. Climate risk and regulatory risk rounded out the top 10.
92,000 Oklahoma patients impacted in breach: A January data breach at Duncan Regional Hospital exposed the medical records of over 92,000 patients. After discovering the breach, the Oklahoma-based healthcare provider disconnected its systems from external access and proceeded to implement its incident response plan. The exposed information included names, addresses, medical records and information about treatment, though it’s not clear whether the data was exfiltrated. Victims of the breach will be provided with credit monitoring and identity theft services. As cybercriminals continue to target healthcare providers for valuable data, it’s more important than ever to implement an effective cybersecurity program.
Russian phishing attacks targeting Ukraine and allies: The Russia-Ukraine war isn’t limited to armed conflict, as Russian threat actors are continuing to launch various phishing campaigns and other social engineering attacks. Two Blogspot domains that were used by the group FancyBear were recently removed by Google’s Threat Analysis Group, but other malicious activity is continuing to concern officials. Groups from Russia, Belarus and China are targeting Ukraine and its European allies with various types of malware and denial-of-service (DoS) attacks. Ukraine is continuing to fight this digital warfare with an “IT Army,” which aims to disrupt Russia’s government and its military initiatives. With the widespread capabilities of digital warfare, it’s a good idea to stay aware of any emerging cyber threats that can affect your organization.
Global supply chains impacted by Russian invasion: The ongoing military conflict between Russia and Ukraine is highlighting the fragility of global supply chains, according to new research from Moody’s Analytics. Rising gas prices are the most noticeable effect and oil shortages will be an inevitable result if the conflict persists. European countries will feel the greatest impact, though the global economy should also prepare for increasing oil and natural gas prices because of uncertainty about how the conflict will unfold. With global events like the pandemic and military conflicts disrupting supply chains, it’s important to consider how business resiliency can be achieved through an effective third-party risk management program.
Majority of cybersecurity vendors exposed to risk: New research from Israel-based security firm Reposify made a surprising discovery on the vulnerabilities found within cybersecurity vendors. After scanning 35 well-known vendors, Reposify found that 97% of them had exposed data assets on Amazon Web Services with 42% of them being critical or high risk. Experts say that this finding highlights the need for the cybersecurity industry to practice what it preaches especially considering organizations are increasingly relying on them to protect them from cyber threats. Reposify noted that cloud adoption, hybrid workplaces and the increased reliance on IT vendors are all contributing to an expanded digital footprint and less visibility on data and devices. Research like this should serve as a reminder that no vendor is fully immune from cybersecurity risk.
How to manage IT vendor risk: IT risk and business risk go hand in hand, so it should go without saying that vendor risk management is an essential practice. Organizations relying on IT vendors and suppliers are exposed to numerous cybersecurity risks like data breaches or ransomware attacks. If your customers are impacted by a vendor data breach, you can’t pass the blame onto your third party. Fortunately, an effective vendor risk management strategy can lessen the likelihood of a devastating incident. A strong due diligence process should be followed during onboarding and contract renewal, and vendors should be categorized based on their criticality. Questionnaires should be required of critical vendors to ensure they have modern endpoint protection and alerting and monitoring services. It’s also useful to use scanning tools while ensuring that vendors patch their critical vulnerabilities.
Incorporating SBOM into third-party risk: Last year’s Executive Order on cybersecurity issued several recommended requirements, including a software bill of materials (SBOM) for government contractors. An SBOM is a written record of an application or device’s third-party code and dependencies. The recommended elements of an SBOM cover the data fields to record, operational considerations and automation support. Financial institutions should embrace this requirement as their industry is often vulnerable to operational risks from physical hardware and software. Organizations need to consider how to strengthen and expand their third-party risk management activities considering the increasing volume and complexity of cybersecurity threats. SBOMs are an important tool to achieve more transparency about the software and hardware that financial institutions are utilizing.
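To show what a TPRM reviewer can actually do with a vendor-supplied SBOM, here is an added example (not from the article or any vendor) that checks a constructed SBOM for the minimum data fields. The required fields follow the NTIA minimum elements published under the Executive Order (supplier, component name, version, unique identifier, dependency relationship, author and timestamp); the JSON layout loosely mirrors CycloneDX but is not a conformant file.

```python
"""Minimal SBOM completeness check for third-party risk review.

Added example, not code from the article. The SBOM below is constructed for
illustration; the required fields follow the NTIA "minimum elements" for an
SBOM. The structure loosely mirrors CycloneDX JSON but is not conformant.
"""
import json

# Constructed sample SBOM: "ExampleVendor" ships an app with three dependencies;
# one is missing its version and one is missing its supplier.
SAMPLE_SBOM = json.dumps({
    "metadata": {
        "timestamp": "2022-03-01T12:00:00Z",
        "authors": [{"name": "ExampleVendor Build System"}],
        "component": {"name": "example-app", "version": "2.4.1"},
    },
    "components": [
        {"name": "libalpha", "version": "1.8.0",
         "supplier": {"name": "Alpha Project"},
         "purl": "pkg:generic/libalpha@1.8.0"},
        {"name": "libbeta", "supplier": {"name": "Beta Org"},
         "purl": "pkg:generic/libbeta"},
        {"name": "libgamma", "version": "0.3.2",
         "purl": "pkg:generic/libgamma@0.3.2"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/libalpha@1.8.0",
         "dependsOn": ["pkg:generic/libgamma@0.3.2"]},
    ],
})

# Per-component fields a reviewer should insist on: name, version,
# supplier and a unique identifier (package URL here).
REQUIRED_COMPONENT_FIELDS = ("name", "version", "supplier", "purl")


def audit_sbom(sbom_text):
    """Return a list of human-readable findings; an empty list means complete."""
    sbom = json.loads(sbom_text)
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not meta.get("authors"):
        findings.append("metadata: missing SBOM author")
    declared = set()
    for comp in sbom.get("components", []):
        label = comp.get("name", "<unnamed>")
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"component {label}: missing {field}")
        if comp.get("purl"):
            declared.add(comp["purl"])
    # Every declared component should appear somewhere in the dependency graph.
    in_graph = set()
    for dep in sbom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for purl in sorted(declared - in_graph):
        findings.append(f"component {purl}: no dependency relationship recorded")
    return findings


if __name__ == "__main__":
    for line in audit_sbom(SAMPLE_SBOM):
        print(line)
```

Against the constructed SBOM the audit reports three gaps (a missing version, a missing supplier and a component absent from the dependency graph), which is the kind of list a reviewer would send back to the vendor before accepting the document.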
Senate passes act mandating cyberattack and ransomware reporting: The 200+ page Strengthening American Cybersecurity Act is one step closer to becoming law after passing the Senate by unanimous consent. The act is designed to modernize the government’s cybersecurity posture, a much-needed improvement considering the expected cyberattacks coming from the Russian government. If passed, critical infrastructure organizations will be required to report cyberattacks within 72 hours and ransomware payments within 24 hours. Also included in the act is the authorization of the Federal Risk and Authorization Management Program (FedRAMP), which would require civilian agencies to report cyberattacks to CISA. If the House votes to approve, the act heads to President Biden’s desk for official passing.
Protecting against third-party script attacks: If your organization relies on third-party vendors to optimize site performance and mobility, you may be a prime target for a script attack. This type of cyberattack occurs when criminals gain access to a website through third-party applications, and the risk of attack increases when using multiple apps. Cybercriminals can attack by either hacking a vendor or posing as one to gain access to a site. Hackers are also known to insert false patches, which allow them to obtain access when the organization runs an update. To protect against these script attacks, it’s important to use only third-party applications that you trust. It’s also recommended to hire site reliability engineers to closely monitor your third-party application inventory. You should also ensure that your security system is frequently updated and operating well.
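One concrete way to monitor a third-party script inventory, as an added example that the article does not describe: Subresource Integrity (SRI) lets a page pin each vendor script to a hash, so the browser refuses to run a script whose content has changed. The check below is not from the article or any vendor; the page HTML, script bodies and the fetch_script() stand-in for an HTTP fetch are all constructed.

```python
"""Audit third-party <script> tags against Subresource Integrity (SRI).

Added example, not code from the article. SRI is a browser standard: a script
tag carries integrity="sha384-<base64 digest>" and the browser refuses to run
fetched content whose digest differs. Everything below is constructed so the
audit runs offline; fetch_script() stands in for a real HTTP GET.
"""
import base64
import hashlib
from html.parser import HTMLParser

WIDGET_URL = "https://cdn.example-vendor.test/widget.js"
ANALYTICS_URL = "https://cdn.example-vendor.test/analytics.js"
CHAT_URL = "https://cdn.other-vendor.test/chat.js"

# Constructed "current" contents served by the vendors, keyed by URL.
VENDOR_SCRIPTS = {
    WIDGET_URL: b"window.widget = function(){};",
    ANALYTICS_URL: b"window.track = function(){ /* silently changed */ };",
}
# The analytics script body the page was originally pinned to.
OLD_ANALYTICS = b"window.track = function(){};"


def sri_digest(content):
    """Return the SRI value a page should pin for this exact content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed page: widget.js is pinned to its real digest, analytics.js is
# pinned to the old digest, and chat.js carries no integrity attribute at all.
SAMPLE_HTML = (
    "<html><head>\n"
    f'<script src="{WIDGET_URL}" integrity="{sri_digest(VENDOR_SCRIPTS[WIDGET_URL])}" crossorigin="anonymous"></script>\n'
    f'<script src="{ANALYTICS_URL}" integrity="{sri_digest(OLD_ANALYTICS)}" crossorigin="anonymous"></script>\n'
    f'<script src="{CHAT_URL}"></script>\n'
    "</head><body></body></html>\n"
)


class ScriptTagCollector(HTMLParser):
    """Collect (src, integrity) pairs for every external script on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def fetch_script(url):
    """Stand-in for fetching the script body over HTTP (constructed table)."""
    return VENDOR_SCRIPTS.get(url, b"")


def audit_scripts(html):
    """Return {url: status}, status being 'ok', 'missing-integrity' or 'mismatch'."""
    collector = ScriptTagCollector()
    collector.feed(html)
    report = {}
    for url, integrity in collector.scripts:
        if not integrity:
            report[url] = "missing-integrity"
        elif sri_digest(fetch_script(url)) in integrity.split():  # attr may list several hashes
            report[url] = "ok"
        else:
            report[url] = "mismatch"
    return report
```

A "mismatch" on a script you did not knowingly update is exactly the vendor-side change (or inserted "patch") the article warns about, and "missing-integrity" marks scripts the browser would run unchecked.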
Recently Added Articles as of March 3
Russia’s invasion of Ukraine has led to significant sanctions and an increased risk of cyberattacks. Hacking groups are even taking sides with some using their skills to fight Russia’s government. A vendor cyberattack has revealed the vulnerability of auto manufacturers and ESG regulations will highlight enforcement risk in the near future. There’s a lot happening in the world of third-party risk management, so read on to learn more.
Data breach hits State Bar of California: Hundreds of thousands of attorney records were exposed on a public website, according to a statement released by the State Bar. The records included details on case numbers, case types and respondent and witness names. The breach appeared to be linked to a security vulnerability in a vendor the State Bar uses for its case management portal. The State Bar has since notified law enforcement and confirmed that all records had been removed from the public website.
How to prepare for sanctions: In an expected response to the Russian invasion of Ukraine, many countries have imposed significant sanctions which may pose unique challenges for organizations. The situation will continue to rapidly evolve, so it’s important to stay informed of regulations and build a strategy for compliance. In the U.S., financial institutions will be banned from opening or maintaining accounts for Russian banks. Keep in mind that various sanctioning bodies, like OFAC and the UN, have released their own lists, which may not align. Even if these sanctions change daily, it’s important to have a strategy to stay compliant. Organizations are urged to review their third-party due diligence policies and procedures in real time while also remembering to frequently monitor their third parties. Also, it should go without saying that alternative sources should be considered if you have any reliance on Russian suppliers or services.
Cyberattack on Toyota supplier halts production: A recent cyberattack on Toyota supplier Kojima Industries has suspended production lines at 14 plants in Japan. The production freeze is estimated to cost around 13,000 cars of output every day and it’s unknown how long the suspension will last. Manufacturers are especially vulnerable to ransomware. Cybersecurity experts highlight the importance of understanding your third-party risk and developing a continuous model for monitoring risk. Automation is key in vendor risk management, and point-in-time assessments alone are no longer sufficient.
Limiting liability from Russian cyberattacks: Cyberattacks can expose your organization to two significant legal risks. If the attack causes a major disruption or shutdown, a contractual force majeure clause may not protect you from liability. This type of clause is often broad in scope and essentially says that a company must take all reasonable actions to prevent business disruption from a cyberattack. Data privacy laws may also lead to liability, depending on the type of data that was affected. To address these concerns, organizations need to implement a strong cybersecurity strategy. Protecting data should include policies to retain and dispose of documents along with employee training. It’s also important to ensure that your vendors have implemented proper cybersecurity practices with details around notification and resolution.
The future of ESG regulations and enforcement risk: Environmental, social and governance (ESG) issues are continuing to attract attention which is increasing the potential for enforcement risk in the future. Organizations should be aware of litigation and reputation damage that can come from ESG regulations. Experts predict that there will continue to be a greater focus on supply chain transparency and due diligence. The UK’s Modern Slavery Act, France’s Duty of Vigilance law and Germany’s Supply Chain Duty of Care Act are just some examples of how global leaders are addressing these issues. Though it can seem overwhelming to manage ESG risks, an existing vendor risk management framework can help ease the burden. Things like risk assessments, monitoring, due diligence and oversight are all components of a third-party risk management program which can help manage ESG risks.
How to overcome four cybersecurity challenges: Implementing a strong cybersecurity strategy is a critical practice to protect data, applications and networks, but many organizations still face challenges that threaten their cyber resilience. A recent survey revealed that the top challenge in this process is the rapid growth of digital business and the inability to keep up. The effect of COVID-19 on the cyber landscape is another challenge, along with advanced threats and the lack of tools or technology. These four challenges can seem worrisome, but it’s possible to overcome them through strong collaboration. CIOs and CSOs should be working together to address security incidents, improve operational efficiencies and reduce risks. Cybersecurity and IT teams should also share a unified view across the organization’s operations and infrastructure while working together to fix technical problems.
BitConnect founder indicted for Ponzi scheme: The founder of BitConnect has officially been indicted for an apparent multi-billion-dollar Ponzi scheme, with allegations of wire fraud and conspiracy to commit commodity price manipulation. Satish Kumbhani and his co-conspirators allegedly deceived investors by claiming that BitConnect’s software could create significant profits. As cryptocurrency gains prominence with investors and regulators alike, it’s important to consider the value of vendor due diligence, an essential practice that highlights risk exposure from things like pending litigation.
Hacking groups join Russia-Ukraine war: The ongoing war between Russia and Ukraine has now extended to various hacking groups who are proclaiming their support for one side or the other. According to Ukraine’s Computer Emergency Response Team, state-sponsored Belarusian hackers are targeting Ukrainian military personnel through phishing attacks with the intent of gaining access to the victims’ messages. The threat actor known as UNC1151 is also targeting government and private individuals in Lithuania, Latvia, Poland and Germany. The infamous Anonymous collective tweeted its declaration of a cyber war against the Russian government, and vigilante group GhostSec announced that it subjected Russian military websites to an onslaught of DDoS attacks. However, not all hacking groups are aligning with Ukraine. The Conti ransomware group initially confirmed its full support for the Russian government, though it later rephrased its statement to say that it doesn’t partner with any government and will strike back against “Western warmongers.” With the rise in cybersecurity threats and newly formed sanctions, it’s a good idea to reassess how this war will impact third-party risk management.
Russian assault includes military and cyber techniques: In addition to a traditional military assault on Ukraine, the Russian government has also incorporated a string of cyberattacks against government websites. Cybersecurity researchers identified data wiping malware which had apparently been in preparation for as long as three months. Ukrainian websites for the defense and interior ministries were targeted along with certain banking sites. Similar DDoS attacks were also targeting significant Russian websites, indicating possible retaliation. According to NATO, cyberattacks that are deemed crippling can potentially trigger an armed response, but the threshold for such attacks is vague. This type of modern warfare should serve as a reminder that cybersecurity is closely aligned with business resiliency and several other risks.
U.S. and UK warn of new Cyclops Blink malware: Cybersecurity officials in the U.S. and UK are warning of a new malware that has recently replaced the VPNFilter malware. The Russian state-sponsored group Sandworm is apparently behind the new malware labeled Cyclops Blink which has mostly targeted WatchGuard devices. Cyclops Blink contains modules that are specifically developed to upload and download files between its command servers. The malware can then collect device information and update itself. WatchGuard recommends that affected organizations should immediately follow their Diagnosis and Remediation Plan.
Arizona governor remains confident in state’s cybersecurity: Despite being half a world away, the Russia-Ukraine war can have a very real impact on U.S. organizations and government entities. The threat of significant cyberattacks has prompted Arizona governor Doug Ducey to reassure the public that state employees are properly trained on cybersecurity best practices. Preparation is key to a good defense, and Ducey has stated that the state will remain “forever vigilant” against cyberattacks. He further stated that we should be looking at cyber warfare and cybersecurity through the lens of future warfare and security.
Venminder selected as CUNA alliance provider: The Credit Union National Association (CUNA) Strategic Services has announced its partnership with Venminder as a new alliance provider. CUNA Strategic Services President Barb Loman stated that the association was excited to bring on Venminder because this new relationship will help credit unions meet regulatory requirements. Venminder will also help CUNA’s partners strengthen their third-party risk management programs, which is often a challenge for many credit unions. By working with Venminder, CUNA partners can expect to make strategic decisions on managing vendor risk throughout the entire lifecycle, from onboarding and oversight to offboarding.
Bug bounty hunter rewarded $250,000 from Coinbase: Cryptocurrency platform Coinbase recently issued a $250,000 reward to a researcher who discovered a flaw in its interface. The vulnerability was related to a flaw in an API, and Coinbase engineers were able to quickly patch the bug before it was exploited by an attacker. The researcher explained how the incident unfolded on Twitter, lauding Coinbase for its quick response to the issue he found. The company has encouraged other researchers to submit their findings to its HackerOne program, with an average bounty pay range of $150-$200. Perhaps the solution to our most critical vendor cybersecurity issues can be found in financial rewards!