Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of March 23
This week's news highlights a new state privacy law, cybersecurity concerns, a data breach at a well-known luxury sports car company, hackers continuing to exploit big-name companies, and more! Check out the articles below.
Iowa’s new privacy law: Iowa’s new, comprehensive consumer privacy law passed on March 15, making Iowa the sixth state to enact a privacy law. Once signed by the governor, the law will take effect on January 1, 2025. The privacy law closely aligns with other states’ laws. If your organization conducts business in Iowa, be sure to read up on this change. Other states are expected to follow suit, too, so it's best to be prepared and current on state privacy laws. Yours could be next!
Third-party data risk becomes a top priority: Cybersecurity is a large priority for the federal government, but there’s still a major gap that needs to be addressed... third parties! Around 60% of reported data breaches are initiated via third parties. With more and more data being shared outside typical parameters, third-party data breaches can take down even the most critical agencies and organizations. Digital transformation isn’t a thing of the past; it will be with us from now into the far future, and the U.S. Government is taking this into account by working on expanding the National Cybersecurity Strategy to include third-party vendors. What does this mean for your organization? You must have a strong third-party risk strategy in place and review it often to help prevent cyberattacks.
Cybersecurity is a group effort: Long gone are the days when cybersecurity efforts were reserved only for CIOs and CISOs. With cyberattacks on the rise, boards of directors and CEOs are in charge of owning cybersecurity by establishing a culture that can protect against cyber risk and by understanding its overall impact. One way to do this is ensuring your board and CEO understand the new SEC and investor community expectations and what regulatory oversight support is needed.
Hackers continue to target Microsoft, Google, and Apple: Hackers are still going after zero-day vulnerabilities, with emphasis on targeting Microsoft, Google, and Apple products. While very challenging, there are ways organizations can aim to protect themselves from these types of attacks. Some of these ways include using private tunnels or VPNs to access servers and adding network segmentation to reduce the spread of an attack.
NBA encountered a data breach: The National Basketball Association (NBA) recently suffered a breach through a third-party newsletter service. The third-party vendor suffered a breach, notified the NBA, and then the NBA notified customers so they're aware if their email address and names have been compromised. As of now, there aren't many more details to share regarding this breach, but it's good to see the NBA was quick to notify customers!
Operational resiliency is more than a component of disaster recovery plans: Disaster recovery plans have changed a little over the years, and unfortunately, they're often not structured well to protect against cyber incidents. Most disaster recovery plans only focus on the recovery aspect, and not operational resilience. Organizations should focus on improving their operational resiliency plans to ensure the organization and any critical third parties have plans in place for prevention, detection, and response.
The UK saw a surge in ransomware attacks: According to a recent report, ransomware incidents increased by 17% annually in the UK in 2022. Another report shared that ransomware volumes declined globally by 21% in 2022, but those in the UK rose 112% year-over-year. Hackers don’t discriminate, and cybersecurity incidents are certainly widespread across the globe.
Well-known luxury sports car company experiences a data breach: Attackers recently gained access to a well-known Italian luxury car company’s IT system. Any guesses? Ferrari! Information breached includes names, addresses, email addresses, and telephone numbers. Ferrari shared the breach did not have an impact on operations as far as they're aware.
Zero-day vulnerabilities lowered in 2022: Mandiant reported that zero-day vulnerabilities fell in 2022, by a third compared to 2021. However, that hasn’t stopped threat actors from continually searching for zero-day vulnerabilities in the most widely used consumer products. Google and Apple were the most affected, with 19 zero-days exploited, and Microsoft came in third with 18 zero-days exploited.
SEC proposes new cyber rules for the financial industry: The SEC has announced the proposal of three rules that are designed to standardize cybersecurity risk disclosures and enhance financial stability. These rules are now open for comments and come from changes to the SEC’s 24-year-old Regulation S-P rules that govern financial institutions and how they protect customer information. The current rule covers how institutions use customers' financial information but says nothing about notifying customers of a data breach; the proposed rules would require financial institutions to notify customers within 30 days of a data breach.
Federal Reserve may be drumming up new third-party risk management guidance for banks: The Federal Reserve and other banking agencies are looking to create clearer third-party risk management guidance that could also provide advantages to smaller banks. Although clearer guidance won't fully address the issues smaller banks have, it will help. With clear regulatory expectations of all banks on due diligence, risk management, and ongoing compliance within third-party relationships, the new guidance should help ensure all banks are prepared.
Google Cloud joins in on the critical providers program: Google Cloud has joined the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share threat intel as part of a larger industry effort to support supply chain security in financial services. Google Cloud is the first major cloud platform to join in on the program that started in January of 2022. Google plans on providing insights from its Threat Horizons reports, as well as sharing learnings from the Google Cybersecurity Action Team, an advisory group composed of former industry CISOs and others.
Lenders utilizing discriminatory appraisals are violating the Fair Housing Act (FHA) and the Equal Credit Opportunity Act (ECOA): The Department of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) have reviewed a case that raises questions regarding the issue of appraisal bias. The DOJ has enforcement authority under both the FHA and ECOA. The case is currently pending and the U.S. District Court of Maryland is looking into whether the real estate appraisal company and an online mortgage lender violated state and federal law by undervaluing a plaintiff’s home.
Consequences of the banking crisis and cybersecurity: With Silicon Valley Bank and Signature Bank failing, the cybersecurity sector is looking into the potential consequences, including poor financial planning. Cybersecurity companies were attempting to find an exit strategy once the economic instability became a reality, but the bank seizures didn’t help matters. Cybersecurity budgets are remaining robust, but a lot of organizations are looking to consolidate the number of cybersecurity vendors used.
Third-party servicer guidance and the higher education industry: The U.S. Department of Education released a guidance letter (also referred to as a Dear Colleague Letter or DCL) in mid-February that changed the interpretation of its third-party servicer regulations. Up to this point, these regulations have only been applied to firms that are servicing federal student aid, but this new DCL will extend oversight to online program management companies. EDUCAUSE issued a formal response to the Department of Education stating that the overly broad terms used in the guidance letter lack sufficient grounding in law and regulation to support the Department of Education's guidance. EDUCAUSE will continue to work with the Department of Education to clear up the confusion around the DCL.
Supply chains impacted by ESG risk in 2023: Environmental, Social, and Governance (ESG) risks have become increasingly important, and chief procurement officers are continuing to prioritize ESG in 2023. This is because procurement teams need to adapt to the evolving legal and regulatory landscape to manage ESG risks. The two most notable laws to come into effect recently are the U.S. Uyghur Forced Labor Prevention Act and the German Supply Chain Due Diligence Act. These acts carry severe consequences for non-compliance. Ensure your organization is prepared for impending ESG risk.
Compliance note issued on Russia sanctions: In early March, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS), the U.S. Department of Justice (DOJ), and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a joint compliance note entitled “Tri-Seal Compliance Note: Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls." The compliance note describes the use of third parties to conceal the Russian identities who are the real beneficiaries of a transaction, thus evading sanctions or trade control agreements. Some of the red flags include last-minute changes to shipping instructions, transactions involving assets with little or no online presence, IP addresses that don't match a customer’s reported location data, and more.
Frequently asked questions on failed borrowers: When Silicon Valley Bank and Signature Bank failed, many questions arose. On March 12, the Department of the Treasury, FDIC, and Federal Reserve released a joint statement saying they would make additional funding available to ensure all SVB deposits, both insured and uninsured, will be paid in full. They also created Bridge Banks for SVB and Signature Bank, which transferred all deposits and obligations. Check out the article for answers to some of the most frequently asked questions.
Recently Added Articles as of March 16
There's certainly big news this week as we hear about Silicon Valley Bank's and Signature Bank's closures. Healthcare data breaches are on the rise, cloud regulations are evolving, and more! Check out the articles below.
Bank failures lead to impending threats: Regulators have stepped in to operate Silicon Valley Bank (SVB), but that doesn’t stop malicious actors from seeing the potential opportunities to attack. Malicious actors don’t just follow the news... they react to it! There has been a recent uptick in newly registered domains related to SVB. Organizations should be aware of emails they’re receiving and ensure they aren’t phishing.
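As an added illustration of the "newly registered domains" warning above (example code written for this page, not from the original newsletter or from Venminder): a small Python check that flags domain names resembling a watched brand so that a security team can review them for phishing use. The brand list, the sample domain feed and the homoglyph table are all constructed for the example; a real deployment would read a newly-registered-domain feed and its own brand names.

```python
"""Flag newly registered domains that resemble a watched brand.

Added example, not from the original newsletter. The domain list below is
constructed for illustration; in practice it would come from a
newly-registered-domain feed.
"""
from __future__ import annotations

# Brand tokens to watch (constructed; an organisation would list its own brands here).
WATCHED_BRANDS = ["svb", "siliconvalleybank", "signaturebank"]

# Constructed sample of "newly registered" domains, not a real feed.
SAMPLE_NEW_DOMAINS = [
    "svb-deposit-recovery.com",
    "siliconvalleybank-claims.net",
    "s1gnaturebank-support.org",
    "example-bakery.com",
    "svbank-login.info",
    "weather-today.net",
]

# Digit-for-letter substitutions commonly used to make a lookalike label.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"}


def normalize(label: str) -> str:
    """Lower-case, drop separators and undo digit-for-letter substitutions."""
    out = []
    for ch in label.lower():
        if ch in "-_.":
            continue
        out.append(HOMOGLYPHS.get(ch, ch))
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'svb-deposit-recovery' for 'svb-deposit-recovery.com'.

    Naive on purpose: multi-part suffixes such as .co.uk need a public-suffix list.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_reason(domain: str, brands=WATCHED_BRANDS, max_distance: int = 1,
                 min_fuzzy_len: int = 6) -> str | None:
    """Return why a domain looks like a watched brand, or None if it does not.

    Two tests: the normalised label contains the brand, or a window of the
    label is within `max_distance` edits of the brand. The fuzzy test is only
    applied to brand tokens of at least `min_fuzzy_len` characters, because a
    three-letter token would be within one edit of far too many words.
    """
    label = normalize(registrable_label(domain))
    for brand in brands:
        nb = normalize(brand)
        if nb in label:
            return f"contains '{brand}'"
        if len(nb) < min_fuzzy_len:
            continue
        for start in range(len(label) - len(nb) + 1):
            if levenshtein(label[start:start + len(nb)], nb) <= max_distance:
                return f"within {max_distance} edit(s) of '{brand}'"
    return None


def flag_lookalikes(domains, brands=WATCHED_BRANDS) -> list[tuple[str, str]]:
    """Return (domain, reason) pairs for domains that deserve a closer look."""
    flagged = []
    for d in domains:
        reason = match_reason(d, brands)
        if reason:
            flagged.append((d, reason))
    return flagged


if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SAMPLE_NEW_DOMAINS):
        print(f"{domain:40s} {reason}")
```

A hit is a review queue entry, not a verdict: the flagged list is meant to feed a mail-gateway watchlist or an analyst's daily check, since legitimate registrations (a law firm handling SVB claims, for example) will look the same as a phishing lure at this level.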
Bridge banks established to assume failing banks: The FDIC established two bridge banks, Silicon Valley Bridge Bank, N.A. and Signature Bridge Bank, N.A., to assume the deposits and obligations of the two failed banks. These bridge banks will continue to perform the contracts and have the ability to make payments to vendors and counterparties.
Understanding the significant threat of LockBit ransomware: First discovered in 2019, LockBit ransomware has become a very active and successful cybercrime organization, and continues to be a significant threat to organizations. The cybercrime organization attacks by using Ransomware-as-a-service (RaaS), which is an attack method that continues to gain popularity in recent years. Some of the industries LockBit tends to focus on include government, healthcare, financial services, and industrial goods and services. To protect your organization, it’s important to enhance your cybersecurity posture by ensuring Managed Detection and Response (MDR) is used and ensuring that employees are trained and educated on cybersecurity best practices.
Cloud regulations continue to evolve: The cloud is one of the drivers of business transformation and Gartner predicts around 85% of organizations will embrace a cloud-first principle by 2025. One of the industries that has been incorporating cloud services into their strategies to improve product offerings and customer experiences is financial services. Regulators are noticing the trend, and recent regulations and guidelines emphasize the need for effective multi-cloud operating models with well-defined exit strategies.
Regulators have seized Signature Bank: Signature Bank is the third-largest bank failure in United States history, not long after Silicon Valley Bank became the second-largest bank failure. Signature Bank customers got spooked by what happened with SVB and withdrew more than $10 billion in deposits. Regulators announced on Sunday that Signature Bank was being taken over to protect depositors and the stability of the United States' financial system. Signature Bank was heavily tied to the real estate and legal industries, as well as cryptocurrency. Some say the seizure of Signature Bank is also an anti-crypto message from regulators.
Microsoft 365 cloud productivity platform is getting multi-factor authentication: Microsoft is adding multi-factor authentication (MFA) for its Microsoft 365 cloud productivity platform. This is being accomplished by adding MFA capabilities to the Outlook email client. It will be available in mobile apps for iOS and Android devices.
Data breach caused by a third-party vendor: A U.S. mobile phone carrier recently notified millions of customers that their data was compromised in a breach caused by a third-party vendor. They utilized this third-party vendor for marketing, and no personal or financial information was impacted in the breach. Data compromised included number of lines, bill amount, past due payments, and other information that isn't as sensitive.
New data privacy legislation: In late February, the Data Privacy Act of 2023 was introduced, which would amend the Gramm-Leach-Bliley Act (GLBA). The amendments would replace the terms “customers” and “consumers” with the broader term “individuals with customer/consumer relationships." The new act will redefine the definitions of Financial Institution and NPI, and financial institutions will have to tell individuals when non-public personal information is being collected.
Silicon Valley Bank failure has everyone stunned: On March 10, Silicon Valley Bank ("SVB") collapsed, and it is the second-largest failure of a financial institution in United States history. It first started when SVB announced that it had sold a lot of securities at a loss and would sell $2.25 billion in new shares to make up for it on its balance sheet. This panicked venture capital firms into withdrawing money from the bank. In addition, SVB’s decline stems partly from the Federal Reserve’s interest rate hikes this past year.
Healthcare privacy targeted by the Federal Trade Commission (FTC): The FTC announced two settlements last week in two health-related proceedings, BetterHelp and doTERRA. BetterHelp, an online counseling and therapy service, breached its privacy obligations when it shared health-related information its customers provided. Three doTERRA distributors claimed the products could help treat or prevent COVID-19, but this claim has no scientific basis. The FTC is focusing on the privacy practices of digital health companies.
Healthcare data breaches continue to increase: Data breaches have skyrocketed over the past five years in the healthcare industry. Between 2010 and 2022, 385 million patient records were breached. Wow! Additionally, ransomware attacks have increased in frequency. Healthcare organizations need to improve their cybersecurity practices and cybersecurity resilience to stay ahead of malicious actors.
CISA shares three security flaws: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced three security flaws to be aware of. These include Teclib GLPI Remote Code Execution Vulnerability, Apache Spark Command Injection Vulnerability, and Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability. These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Department of Justice explains the importance of corporate compliance programs: The Department of Justice (DOJ) shared its Evaluation of Corporate Compliance Programs. The evaluation is an effort to help organizations determine if their compliance programs are effective. This means ensuring it’s well-designed, completing a risk assessment on the program, training and communication, and more. One interesting recommendation is that organizations have a hotline of sorts to allow employees to air their grievances, compliments, and other useful information. Confidential reporting and internal investigation are considered the most critical components of an effective compliance program. Implementing an anonymous reporting system will help employees, customers, and others to be able to speak their mind, and may help organizations improve where needed.
Recently Added Articles as of March 9
This week, learn about regulation updates, the new National Cybersecurity Strategy, preparing for a breach, and more. Check out the articles below.
Update on SEC proposed rules for cyber reporting: It’s no surprise that the SEC is cracking down on cybersecurity reporting, as regulators have been suggesting it for some time. The SEC is likely to announce their finalized proposal by the end of 2023. Now’s the time to review and improve your cybersecurity processes to prepare in advance.
Cybersecurity resiliency importance in 2023: Cybersecurity threats aren’t new, and they're certainly becoming more and more common. Business leaders are aware of the potential risks they pose and know organizations need to be prepared. It’s hard to know how threatening an attack can be until it happens. Investing in cybersecurity resiliency is critical. Most of the time, cybersecurity is housed under Information Technology (IT), but it’s more than just IT solving and managing the risk. Leaders also play a crucial role in securing the organization.
Improve hospital safety and cybersecurity with these tips: It’s extremely important to keep patients’ data and health records safe and confidential. This means hospitals must remain proactive, with physical security and cybersecurity plans in place well in advance of a data breach occurring. Some ways you can enhance your security include performing simultaneous audits, reducing visitors’ physical access and requiring check-ins, using encryption and minimizing the use of portable devices, appropriate training for personnel, and a culture of security.
Google Cloud Platform has a potential data exfiltration vulnerability: Research finds that hackers can take advantage of inadequate forensic visibility into Google Cloud Platform (GCP) to access vulnerable data. The insufficient forensic visibility leads to organizations being unaware of a potential data exfiltration attack. Read this article to learn more.
FTC enforcement actions on BetterHelp complaint: On March 2, the FTC announced a consent decree with BetterHelp, settling the claims that they engaged in unfair and deceptive trade practices when they made website visitor information available to third parties. What did the company do wrong? BetterHelp allowed third parties access to visitor data without visitor consent. The consent decree requires BetterHelp to get express affirmative consent for any future disclosure of covered information to a third party. Read more in the FTC complaint.
Microsoft OneNote is a tool of choice for hackers to spread malware: Many may not realize it, but over the past few months, Microsoft OneNote has become a tool used by hackers to breach corporate networks. This is because hackers can create sophisticated templates that appear to be a protected document with a message to click to view a file. Luckily, there are steps your organization can take to help prevent this. This article gives a step-by-step breakdown that you’ll want to be sure you follow.
Biometric data regulations increasing: More and more businesses are using biometric data, from fingerprints and facial scans to voice recognition. Biometric regulations have been increasing over the years, and 2023 will be no different. Illinois was the first state to regulate biometric data in 2008. Other states have since enacted laws to protect citizens from misuse of biometric data. If your organization uses biometric data, ensure you stay compliant with increasing regulations.
People still use checks? Be on the lookout for fraud: Check fraud is increasing. The Financial Crimes Enforcement Network of the U.S. Department of Treasury (FinCEN) released an alert warning banks and financial institutions alike to be diligent in reporting check fraud schemes targeting the U.S. Mail. So, when checking your mail, don’t open or cash any check that may be questionable. There are also a few red flags financial institutions can keep an eye out for. These red flags include customer complaints about checks never being mailed or received, existing customers with no history of check deposits, and more.
New National Cybersecurity Strategy: The long-awaited National Cybersecurity Strategy is here. The full strategy is 39 pages long and is divided into five pillars. The strategy is meant to help curb the rise of cyberattacks. Learn more about the full strategy here. And, wondering how it'll impact the healthcare industry? There's more information on the impact in healthcare here.
Insurers’ third parties must comply with regulatory requirements: Regulators recently took a hard look at insurers to learn more about their use of consumer data, artificial intelligence (AI), and machine learning (ML). It was found that insurers continue to rely heavily on third-party vendors and that there is a need for regulation of insurers’ use of consumer data, AI, and ML, as well as of their third-party vendors. An insurer’s vendors will need to respond to regulatory requests and be prepared to demonstrate, at a minimum, that no illegal discrimination or bias is occurring. Third parties are being held to the same standards as insurers, and compliance is not up for negotiation!
Recently Added Articles as of March 2
March is off to a busy start! There's news surrounding regulations, ransomware attacks, biometric privacy laws, and more! Take a look at the articles below to stay in the know.
Last year’s healthcare data breaches were some of the worst: The healthcare industry was no stranger to malicious actors in 2022. The severity of these attacks has increased from previous years, with two particular breaches being in the top 10 of all time. Over 7 million records were compromised from just those two attacks. The primary cause of these breaches was third-party vendors. Healthcare organizations should focus on increasing their cybersecurity practices to protect themselves from malicious actors.
Utilization of third-party vendors in the Department of Education: Recently, the Department of Education expanded the types of organizations covered under regulators’ third-party servicer definition. The deadline for organizations to report on their utilization of third-party servicers is extended to September. Third-party servicers administer any part of Title IV federal financial programs. If you’re defined as a third-party servicer, there are additional regulatory requirements you must follow, like compliance and auditing.
Postsecondary institutions required to comply with the Safeguards Rule: Postsecondary institutions are required to follow the FTC (Federal Trade Commission) Safeguards Rule. This rule requires non-banking financial institutions to develop, implement, and maintain a security program to keep customer data safe. You may need to update cybersecurity protocols to comply.
Theft of law enforcement information is under investigation: The U.S. Marshals Service (USMS) is looking into theft of law enforcement information following a ransomware attack that has impacted a “stand-alone USMS system." The data includes employees’ personally identifiable information (PII). This is a reminder that no industry or organization is immune to a breach. Ensure you and your vendors have adequate information security programs in place to help safeguard from an attack like this.
U.S. Department of Justice charges Russian hacker: A Russian hacker has been charged with the following: computer fraud, conspiracy, and access device fraud. The 28-year-old hacker developed the NLBrute tool, which is malware used to decrypt login credentials (e.g., passwords). He used the tool to hack the login credentials of computers all over the world.
Managed security service providers (MSSPs) risk and TPRM: Late last year, the CyberRisk Alliance Business Intelligence surveyed professionals in the IT sector to understand their third-party risk management strategies. Their findings shared that they have been utilizing additional third-party vendors since the beginning of COVID-19 to combat the remote work environment and the vulnerability that came with it. Other findings include limited resources and staff, poor visibility into the supply chain, and more. Even if you or your MSSP does everything right, third-party risk still remains.
Biometric privacy laws are getting improvements: While the collection and use of biometric information is governed by legal frameworks, some states and municipalities have determined their own specific use. The majority of the 2023 state biometric privacy bills that have been drafted are modeled after Illinois’s Biometric Information Privacy Act (BIPA). If your organization uses biometric data for anything, be sure to stay current on the bills being introduced and passed.
Employee data access under California Consumer Privacy Act (CCPA): California first enacted CCPA in 2018; however, at the beginning of 2023, it became applicable to the personal information of employees, job applicants, contractors, subcontractors, and more. California is the first state to extend its privacy protection to employee personal information. Are you in compliance?
Third-party risk and the education industry: With online learning becoming ever so popular due to the pandemic, schools had to find the right tools to aid in student success. Most of the tools they used were Software as a Service (SaaS) applications which greatly advanced teaching methods, but could also pose a threat to teachers, students, parents, and administrators alike. District IT departments need to implement a third-party risk management strategy in order to keep the students and others safe from a breach or something worse.
This ransomware is bananas: Last week, Dole was hit by a ransomware attack, but the incident didn’t impact operations. Dole was quick to respond to the threat and brought in third-party cybersecurity experts to help their internal team remediate the issue and secure the company’s systems.
Software Bill of Materials (SBOM) will become popular this year: This year, you’ll see an increase in people wanting software bill of materials (SBOM) so they can be better informed. An example company, ACMECorp, is being required by regulators to release its SBOMs for Anvil (software) so that customers can understand if they’re affected by software supply chain issues, vulnerabilities, or license risks. SBOMs can help your organization understand if software applications you use are putting your organization at risk.
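The two items above about CISA's Known Exploited Vulnerabilities (KEV) catalog (March 16 section) and about SBOMs say why both matter; the added Python example below shows how a defender puts them together, matching the components listed in an SBOM against the vendor and product names in a KEV-style feed. It is example code written for this page, not from the original newsletter, from CISA, or from any SBOM tool. Both documents in the code are constructed: a minimal CycloneDX-shaped SBOM and a feed that borrows the KEV JSON field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate), using the three products named in the CISA item with placeholder CVE IDs and dates.

```python
"""Cross-check an SBOM's components against a KEV-style catalogue of exploited vulnerabilities.

Added example, not from the original newsletter, from CISA or from any SBOM tool.
Both documents below are constructed for the example; the CVE IDs and dates are
placeholders, not real catalogue entries.
"""
from __future__ import annotations

import json
import re

# Constructed, minimal CycloneDX-shaped SBOM for a fictional environment.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "GLPI", "version": "10.0.5", "publisher": "Teclib",
         "purl": "pkg:generic/teclib/glpi@10.0.5"},
        {"name": "spark", "version": "3.3.1", "publisher": "Apache",
         "purl": "pkg:maven/org.apache.spark/spark-core_2.12@3.3.1"},
        {"name": "ADSelfService Plus", "version": "6.2", "publisher": "Zoho ManageEngine"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# Constructed feed using the KEV JSON field names; IDs and dates are placeholders.
SAMPLE_KEV_FEED = json.dumps({
    "title": "constructed KEV-shaped feed",
    "vulnerabilities": [
        {"cveID": "CVE-XXXX-PLACEHOLDER-1", "vendorProject": "Teclib", "product": "GLPI",
         "vulnerabilityName": "Teclib GLPI Remote Code Execution Vulnerability",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
        {"cveID": "CVE-XXXX-PLACEHOLDER-2", "vendorProject": "Apache", "product": "Spark",
         "vulnerabilityName": "Apache Spark Command Injection Vulnerability",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
        {"cveID": "CVE-XXXX-PLACEHOLDER-3", "vendorProject": "Zoho",
         "product": "ManageEngine ADSelfService Plus",
         "vulnerabilityName": "Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
        {"cveID": "CVE-XXXX-PLACEHOLDER-4", "vendorProject": "ExampleVendor", "product": "Widget Server",
         "vulnerabilityName": "constructed non-matching entry",
         "dateAdded": "2023-03-07", "dueDate": "2023-03-28"},
    ],
})


def tokens(text: str) -> set[str]:
    """Lower-case words/numbers, so 'ADSelfService Plus' and 'adselfservice-plus' compare equal."""
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def component_tokens(component: dict) -> set[str]:
    """Collect name, publisher and package-URL tokens describing one SBOM component."""
    toks = tokens(component.get("name", "")) | tokens(component.get("publisher", ""))
    purl = component.get("purl", "")
    if purl:
        # purl shape is pkg:type/namespace/name@version; keep the part before the version.
        body = purl[4:] if purl.startswith("pkg:") else purl
        toks |= tokens(body.split("@", 1)[0])
    return toks


def matches(component: dict, kev_entry: dict) -> bool:
    """Match when every product word and at least one vendor word appear in the component."""
    have = component_tokens(component)
    want_product = tokens(kev_entry.get("product", ""))
    want_vendor = tokens(kev_entry.get("vendorProject", ""))
    return bool(want_product) and want_product <= have and bool(want_vendor & have)


def find_exposures(sbom_json: str, kev_json: str) -> list[dict]:
    """Return one finding per (component, KEV entry) name match, in SBOM order.

    KEV entries carry no affected-version range, so a hit means "check this
    component's version against the advisory", not "confirmed vulnerable".
    """
    sbom = json.loads(sbom_json)
    kev = json.loads(kev_json)
    findings = []
    for comp in sbom.get("components", []):
        for entry in kev.get("vulnerabilities", []):
            if matches(comp, entry):
                findings.append({
                    "component": comp.get("name"),
                    "version": comp.get("version"),
                    "cveID": entry.get("cveID"),
                    "vulnerabilityName": entry.get("vulnerabilityName"),
                    "dueDate": entry.get("dueDate"),
                })
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_SBOM, SAMPLE_KEV_FEED):
        print(f"{f['component']} {f['version']}: {f['cveID']} "
              f"({f['vulnerabilityName']}), remediation due {f['dueDate']}")
```

The name-based match is deliberately loose (it treats "Spark" under publisher "Apache" as a hit) because the KEV catalog identifies products, not version ranges; the output is a list of components to take to the vendor advisory, and the dueDate field gives the remediation deadline CISA attaches to each entry. The same loop works against an SBOM a vendor provides for its product, which is exactly the ACMECorp scenario described above.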
Joint statement released on crypto-asset market vulnerabilities: Federal bank regulatory agencies recently released a joint statement on liquidity risks to banking organizations involved with certain sources of funding from crypto-asset-related entities. The statement also includes effective practices to manage those risks.
First version of Artificial Intelligence (AI) risk management framework released: The National Institute of Standards and Technology (NIST) has unveiled the first version of its AI Risk Management Framework. This framework has been highly anticipated by many and is intended to serve as a voluntary guide for designing, developing, using, and evaluating AI-related products.
Laws non-bank lenders need to pay attention to in 2023: Many states have introduced commercial financing disclosure laws (CFDLs) - mainly California, Utah, and New York. However, more laws are likely to surface this year. The following states have also proposed various forms of CFDLs: Connecticut, Illinois, Kansas, Maryland, Mississippi, and Missouri. Non-bank lenders should be aware of these laws coming into play.
Overcome HIPAA myths and enhance your healthcare data protection: Even if Health Insurance Portability and Accountability Act (HIPAA) didn't require organizations to secure protected health information (PHI), they would still make it a high priority. There are many myths to debunk, including a popular one that all vendors are business associates and must enter a business agreement. Ensure your healthcare organization knows the truth about PHI and HIPAA to ensure your cybersecurity practices are sound.
Apple notifies of 3 new vulnerabilities: Three new vulnerabilities impact iOS, iPadOS, and macOS. These vulnerabilities are the result of a significant security model breach. The vulnerabilities, which are classified as medium to high severity, have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23. Are you verifying your Apple devices are safe?