
March 2024 Vendor Management News


Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of March 27

A new study highlights the risks of third-party data breaches, another privacy law is coming, and financial institutions are readying for regulator focus on operational resilience. Be sure to check out all of this week’s news and headlines below!

Health plan organizations need vendor risk management: The healthcare industry has become a frequent target for cyberattacks, including health plan organizations. Many of these organizations outsource to third parties and need to be prepared in the event of a third-party cyberattack. Health plan organizations should have a vendor risk management program with processes and tools to manage vendor relationships. This should include assessing the vendor’s security practices and setting contractual obligations. Health plan organizations should also perform risk assessments on third-party vendors and continuously monitor for any changes in risks. Taking these steps can help protect health plan organizations. 

Three software vulnerabilities actively exploited: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three actively exploited vulnerabilities to its catalog. The vulnerabilities affect products from Fortinet, Ivanti, and Nice. The mitigations provided by the vendors should be implemented as soon as possible to avoid data breaches and cyberattacks.

Prioritizing ESG compliance in the supply chain: Supply chain executives are aiming to reduce environmental, social, and governance (ESG) risks in the supply chain. There’s a host of new ESG regulations, including in California and the EU, that organizations must take into account. Organizations must also address modern slavery and labor practices by incorporating sustainability practices that ensure ethical labor. California and the UK have regulations that set requirements for disclosing, identifying, and preventing modern slavery in supply chains. While ESG regulations continue to face challenges in the U.S., organizations will need to focus on having strong policies that address third-party ESG practices.

Steps to mitigate third-party risks: As regulatory agencies tighten guidance on third-party risk management, organizations will need to identify and mitigate third-party risks. Organizations should create a third-party inventory and then group them by criticality and risk rating. It’s beneficial to gain an understanding of how many critical vendors your organization has. Then, it’s time to create a governance plan. This should include defining roles and responsibilities and identifying standard contractual obligations. If a third-party relationship doesn’t work out, it’s important to have an exit strategy that clearly outlines how data will be erased or returned. 

Information compromised in retail third-party data breach: A discount retailer in Canada said customer information was compromised after a third-party data breach. Customers were contacted about the breach and told to use caution with potential spam emails and phone calls. Information included names, email addresses, and phone numbers. These types of third-party breaches have become more common, especially if the third party doesn’t have the right security controls in place. 

Another state privacy law for 2024 in the works: Kentucky looks to become the next state to pass a comprehensive privacy law, as the bill goes before the House and then to the governor’s desk. This would be the fifteenth state to pass a privacy law and the third this year. For organizations already complying with other state privacy laws, the Kentucky law wouldn’t impose major requirements. The law also takes a more business-friendly approach.

Financial regulators focus on operational resilience: Operational resilience is becoming a key theme for regulators in the financial industry, looking critically at how disruptions could impact financial organizations. Key focus areas include third parties that support critical operations and the need for third-party risk management. Regulators expect oversight of critical third parties and verification that they have sound practices and controls in place. Financial organizations should identify alternative third parties in case a current third party can’t deliver on services. Business continuity and disaster recovery testing is also key with third parties. By implementing these practices, financial organizations can be prepared to respond to increased regulatory oversight. 

Protecting data in the third-party digital age: Organizations are becoming more and more digital, and as the third-party landscape expands, it’s important to keep data protected. Although it’s a best practice to conduct due diligence on third parties before entering into a relationship, continuous monitoring is also extremely important. Real-time intelligence can help organizations identify risks earlier and begin to mitigate them. Software solutions can be a great component to your third-party risk management program. 

New report highlights risks of third-party data breaches: Unauthorized network access was the leading cause of third-party data breaches in 2023, according to a new study from Black Kite. These breaches create weak spots in extended networks and can ripple across an entire organization. Many organizations in 2023 were impacted by the MOVEit breaches and large organizations were the hardest hit by ransomware attacks. Real-time third-party risk management data can help respond to threats quickly before they become data breaches. 

The importance of operational resilience: The rise of the cloud and artificial intelligence (AI) has introduced new third-party risks, particularly for regulated organizations. Operational resilience needs to be a top priority for compliance and protection. Organizations have to lessen downtime and ensure supply chain security to keep critical operations running safely and soundly. This is especially true as more regulations target operational resiliency. 

Using third-party risk management to minimize geopolitical risks: Geopolitical risks are becoming increasingly important in supply chain security. However, many organizations lack mature third-party risk management programs to identify and mitigate supply chain risks. Organizations should look to implement third-party risk management programs that perform due diligence, identify risk ratings and criticality, and continuously monitor for emerging and changing third-party risks. Beginning these practices can help organizations identify and minimize geopolitical risks in the supply chain. 

New phishing attack targeting U.S. organizations: U.S. organizations should be aware of a new phishing attack that attempts to lure victims into opening a document. The email appears to come from the accounting department and asks recipients to open a Microsoft Word document to review the monthly salary report. Employees should use extreme caution when opening unexpected documents in their inbox.

Protecting the mortgage industry with third-party risk management: The mortgage industry has been hit with multiple third-party cyberattacks in recent months, highlighting the need for third-party risk management. If a third party will have access to your organization’s network, it’s important to manage who has access and how much they have. It’s also important to be aware of when a vendor updates or patches their systems, as unpatched systems can leave you vulnerable to a data breach. 

Bank of England considering comments on proposed rule for critical third parties: The Bank of England is now considering comments on its proposed rules for third-party suppliers. The rules address concentration risks – where banks have too many critical operations that rely on only a few vendors. Questions from those in the industry could include how critical third parties are identified, how often the list of critical third parties should be reviewed, and what enforcement action would be taken for noncompliance. Financial services that must comply with the Bank of England will be in a waiting period for now to see how comments will be addressed. 

Recently Added Articles as of March 21

The EU passed groundbreaking artificial intelligence legislation, another state privacy law is passed, and organizations are focusing on supply chain risks. Catch up on all of this week’s third-party risk management news and headlines. 

Technology company experiences a third-party data breach: Employment documents stored on a third-party system were leaked at technology company Johnson Matthey. More than 6,000 records were breached, and information such as Social Security numbers was included. According to the company, a contractor temporarily stored the information on the third-party system, but then accidentally left it there after the work was completed. Johnson Matthey has since removed the files.

Setting contractual standards to enforce third-party cybersecurity: Organizations are increasing oversight of third-party suppliers, now asking for contractual terms on when and how third-party suppliers must notify them of a data breach. There are also stricter requirements for third parties to follow NIST standards. As more supply chain attacks occur, organizations are assessing which third parties can access their sensitive data and if they’re able to protect it. These contractual standards can be difficult to negotiate, but it’s crucial to do it at the beginning of the relationship. 

New Hampshire passes next state privacy law: U.S. privacy laws aren’t going anywhere in 2024, as New Hampshire became the next state to pass a comprehensive privacy law. It will go into effect in January 2025. The state included a lower threshold for applicability, so more organizations may have to comply with this new law. Organizations will be required to maintain data security practices to protect consumer data. Contractual agreements with data processors are also required.

IT and construction sectors are most impacted by ransomware: Ransomware attacks heavily hit the IT and construction sectors in 2023, according to new research. Cybercriminals targeted these industries for the potentially lucrative information they hold. Challenges will likely only continue in 2024, as artificial intelligence adds a new area to exploit, Internet of Things (IoT) vulnerabilities increase, and more sophisticated ransomware attacks are launched.

HHS revises guidance on tracking technology: The Department of Health and Human Services (HHS) updated its guidance on using web trackers for patient portals or health-related websites. Tracking technology still can’t be used in a way that would disclose electronic protected health information (PHI), but collecting information like IP addresses doesn’t always violate HIPAA. Not every IP address is considered PHI. 

How to advocate for cybersecurity with board members: Cybersecurity is increasingly important to invest in as more cyberattacks occur and more regulations are passed. When addressing cybersecurity with the board of directors, it’s important to focus on key concerns like the financial impact of cyberattacks, regulatory compliance, and protection of data. Third-party risk management and the security measures in place with vendors should also be part of the conversation with the board. Using tools like a business impact analysis, data from risk assessments, benchmarks, and business objectives can also help get through to board members.

Cybercriminals targeting document publishing websites: Document publishing websites, like Issuu and FlipSnack, are being targeted for cyberattacks. Cybercriminals will create multiple accounts and publish malicious documents. If people follow the malicious links, attackers are able to steal credentials or session tokens. 

Cybersecurity labeling program to roll out for manufacturers: The Federal Communications Commission (FCC) has adopted the voluntary cybersecurity labeling program for IoT products. Manufacturers who produce consumer smart devices can have a logo on the product for consumers to scan and get security information. Manufacturers will have to submit an application and get certified. The program doesn’t apply to medical devices.

Best practices to mitigate supply chain risks: Organizations are expecting an increase in supply chain attacks and are re-evaluating security practices with suppliers. Third-party risk assessments are key to understanding the risks suppliers pose and what their security practices are. It’s also important to conduct regular audits as risks change and emerge. Risk intelligence tools can be valuable to identifying new vulnerabilities. There are also practical steps to help manage supply chain risks like mapping the supply chain, assessing criticality levels, and determining a re-assessment frequency. 

Fake Chrome update installs banking malware: Android users should use caution with Chrome updates, as a fake Chrome update is installing malware onto devices. Attackers would be able to completely control an infected device and steal banking credentials and credit card details from mobile phones.

IT services provider is victim of malware: Customer data was recently stolen in a cyberattack at Fujitsu, an IT services provider. Malware was found on several computers, and files containing both personal information and customer information were stolen. The breach is still being investigated, and there’s no evidence of the stolen data being misused yet.

EU passes world’s first artificial intelligence legislation: Artificial intelligence (AI) legislation has officially arrived with the EU’s adoption of the Artificial Intelligence Act (AI Act). This is the first comprehensive legislation addressing AI. The AI Act applies to providers who use or place AI systems in the EU market, no matter where they’re located. The regulation is risk-based, dependent upon the AI system’s level of risk – unacceptable, high, limited, or minimal. Organizations should evaluate AI usage within their organization, create an inventory, and analyze the risk to prepare for compliance. 

Preparing for HIPAA Security Rule changes: Sometime this spring the HIPAA Security Rule will receive new updates to address the increases in cyberattacks in the healthcare industry. To prepare, healthcare organizations should assess their current cybersecurity programs and address any gaps. The Department of Health and Human Services (HHS) has already released voluntary cybersecurity goals, which healthcare organizations should look to follow and implement. As HHS eyes more audits on healthcare organizations, it’s also important to document any policies and changes in cybersecurity programs. 

Recently Added Articles as of March 14

Regulatory agencies had a busy week with new regulations for financial market utilities, a final SEC climate disclosure rule, and new considerations for operational resiliency in banking. Third parties are a key focus for many regulators. This week’s news also included some important best practices. Check out all of the headlines below. 

OCC is considering operational resilience and critical third parties: Drawing from recent regulations around the globe, the Office of the Comptroller of the Currency (OCC) is sharpening its focus on operational resiliency. In recent remarks, Acting Comptroller Michael Hsu said the risks of operational disruptions are increasing, and the impacts are becoming more widespread, particularly as third parties play a greater role. Of course, the OCC often identifies operational resiliency as a key examination focus, but the agency is considering regulatory action, particularly with critical operations and third parties. Hsu said the agency plans to collaborate as it thinks about what an operational resilience framework would look like, but the focus on critical third parties is clear, and so is the importance of addressing those risks.

New malware campaign in WordPress plugin: New malware is using a vulnerability in the Popup Builder plugin for WordPress. The attack injects malicious JavaScript code that redirects visitors to phishing sites. WordPress users should keep plugins up to date and scan their sites for any suspicious activity or code.

With more reliance on emerging tech, third-party risk management is a key feature: Third-party and supply chain management are top cyber risks for financial organizations, according to a new study. As risks continue to increase with emerging technology, there can still be a gap in having the capacity to manage those risks. As more work moves to the cloud, it’s important to have adequate third-party risk management and strong access controls. Third-party risk management was identified as a key weakness with emerging technologies at financial institutions, yet it’s crucial to be able to manage these risks, as they’re only increasing. 

Mitigating healthcare cyber risk with third-party risk management: Healthcare organizations have hundreds, even thousands, of third-party vendors they work with. Unfortunately, that raises the risk of cyberattacks, as cybercriminals realize they can gain access to multiple healthcare organizations through just one vendor. Healthcare organizations have had to focus on third-party risk management, using caution with data access management and limiting access to sensitive data. It’s important for healthcare organizations to develop a framework to manage third-party risks and work with vendors to manage risks. These steps can help protect against cyberattacks and limit the impact to patients. 

Gaining visibility into software as a service usage: Software as a service (SaaS) usage has continued to rise, but it can be difficult to track across an organization. SaaS products need to go through the third-party risk management process, too. Organizations should establish visibility into SaaS products and data. It’s important to have real-time intelligence on a SaaS device or application. This can help your organization make risk-based decisions.

New resources offered to help organizations manage Microsoft risks: Security researchers created a repository to help organizations manage Windows networks. It provides resources to help organizations secure Microsoft Configuration Manager (MCM) against faulty configurations. The new tool covers 22 techniques that could be used to attack MCM, alongside corresponding defenses. Before implementing the defense methods in the repository, organizations should still test them first.

Mitigating the risk of third-party data breaches: Third-party data breaches can occur in a number of ways, like poor security practices, cybersecurity vulnerabilities, or human error. The impact of a third-party data breach can damage your organization’s reputation, cause monetary losses, and lead to regulatory action. There are several best practices that can help mitigate the risk of third-party data breaches. First, it's important to perform due diligence before entering into the relationship and establish contracts with audit provisions and security standards. Second, continuously monitoring third-party vendors helps mitigate any ongoing cybersecurity risks. And of course, data breaches aren’t 100% preventable, so you should ensure your organization and your vendors have incident response planning. This can help you be prepared.

Running background checks on third-party healthcare vendors: The Department of Health and Human Services (HHS) Office of the Inspector General (OIG) has background check requirements that require healthcare organizations to ensure a third party hasn’t been excluded from federally funded healthcare programs. Noncompliance with this can lead to a civil monetary penalty. This background check should be performed during vendor onboarding, but also periodically throughout the relationship, as a third-party vendor can be excluded at any time. 

Identifying and managing third-party risks: At some point in a third-party relationship, your third party will likely experience some form of an incident. However, it can be difficult to identify the risks of this as there are often varying factors. While assessing third-party vendors, it’s important to collaborate with subject matter experts in your organization. For vendors that pose higher risks, work closely with them to implement controls that will mitigate the risks. Collaboration is key – when both parties are working together, there’s greater transparency and security in the relationship. 

HHS releases cybersecurity practices to protect healthcare organizations: HHS released cybersecurity performance goals to help the healthcare industry mitigate cyber risks. Some of the best practices include multi-factor authentication (MFA), cybersecurity training, incident planning and preparedness, and limited data access. It’s also recommended for healthcare organizations to have vendor cybersecurity requirements and have a process in place where vendors disclose vulnerabilities so third-party incidents can be promptly addressed once discovered. Although implementation of these practices is currently voluntary, they’ll likely soon become regulatory requirements in HIPAA. 

The Fed updates third-party risk management rules for financial market utilities: The Federal Reserve Board updated requirements for financial market utilities’ (FMUs) operational resilience. One of the areas of focus is third-party risk management – the Fed expects FMUs to conduct business in a safe and sound manner, even when the work is performed through a third party. FMUs must have policies, procedures, and controls that identify, monitor, and manage third-party risks. There must be risk assessments on third parties, information-sharing arrangements, and business continuity management and testing in place with “material” third parties. These activities should be risk-based as well.

SEC approves final climate disclosure rule: The long-awaited Securities and Exchange Commission (SEC) climate disclosure rule was finalized. Most notably, the final version dropped Scope 3 emissions, which would have required disclosures involving third-party vendors and suppliers. However, public organizations will still have to disclose climate-related risks and the actual and potential impacts of those risks. Board and senior management oversight and processes for identifying, assessing, and managing climate risks will also have to be disclosed. The rule becomes effective 60 days after it’s posted in the Federal Register, but potential court challenges could slow it down.

Recently Added Articles as of March 7

Third-party risk management must be a priority, as one regulator requires a bank to develop third-party risk management plans. A mortgage company experiences a third-party data breach and third parties have become a top target for cybercriminals. Check out all the news from this week below.

Including third parties in tabletop exercises: Tabletop exercises are crucial to practice emergency scenarios and understand how your organization will respond in a crisis. Since many data breaches occur through vendors, tabletop exercises should include key third-party vendors. Questions should include: Does your third party have access to your data? Do you test fourth and nth parties? What policies and procedures are in place to vet third parties? What are the procedures to remediate issues that arise? These questions can help guide your tabletop exercise.

Third-party risk management is a critical component for financial services firms: The financial industry and their third parties certainly haven’t had it easy lately, with cyberattacks, bank failures, and geopolitical risks. Regulatory agencies across the world have recognized this and responded with new requirements. One focus is operational resilience, particularly in the Digital Operational Resilience Act (DORA) in the EU. DORA targets critical third parties and sets a framework to manage those risks. The financial industry must have a proactive third-party risk management approach with continuous monitoring of third-party risk and performance. Not only is this a critical piece to regulatory compliance, but it safeguards financial institutions and their customers.  

Cybercriminal group is using phishing emails to gain account access: A cybercriminal group is sending thousands of phishing emails in an attempt to hijack accounts and access sensitive information. The group’s approach only works against accounts where multi-factor authentication is disabled. This is a reminder for organizations to use extreme caution when opening unknown links in emails and to use multi-factor authentication for all accounts.

Bank must prioritize third-party risk management in a recent consent order: A Tennessee bank will have to submit plans for how it will manage third-party fintech partnerships after a consent order with the Federal Deposit Insurance Corporation (FDIC). The plans will include termination strategies, onboarding deposits and processing third-party payments, and an assessment of existing fintech relationships. A formal onboarding process is also required, which should include an assessment of the third party’s finances and compliance. This order is the latest in a string of regulatory actions on banks’ third-party risk management practices, particularly with fintech partners. Banks should be prepared for increased scrutiny and prioritize following the Interagency Guidance on Third-Party Relationships: Risk Management.

Mortgage company is impacted in a third-party data breach: A mortgage company was the victim of a data breach in December due to a third-party bug. A user accessed a third-party system used by Fairway Independent Mortgage Corporation. Impacted customers were notified of the breach, but it’s unclear how many were impacted across the country. After the third-party bug was discovered, Fairway implemented a patch to resolve the issue. The company didn’t disclose who the third party was.

Questions to assess cloud vendors: Cloud software vendors often offer critical services to organizations, so it’s important to assess them. Ask what certifications they have and if there are formal standards and guidelines in place, as this helps establish if the cloud vendor follows industry best practices. You should also assess the cloud vendor’s audit trail for critical data and activities as well as business continuity and disaster recovery plans. Security questions for cloud vendors include where data centers are located and what controls are in place for accessing and modifying data. Also, try to gain an understanding of the cloud vendor’s reliability and performance, such as how often the vendor performs backups and if there is a guaranteed uptime. These questions can help evaluate if the cloud vendor is a good fit for your organization. 

Geopolitics, economy, and ESG are big third-party risk management concerns: Geopolitical issues, inflation, and environmental, social, and governance (ESG) pressure are leading challenges in third-party risk management, according to a new study. Despite these issues, third-party risk management leaders are feeling optimistic about the future. They're prioritizing updating third-party risk management methodologies, strengthening the role of executive leadership, and improving skills. Mature third-party risk management programs are better prepared to face the challenges, so it’s important to consistently improve your program. 

Cybercriminals exploited Windows flaw: A group of cybercriminals exploited a flaw in Windows to obtain access and disable security software. The flaw was patched by Microsoft earlier in the month. The cybercriminal group, known as the Lazarus Group, used sophisticated tools to be able to gain access, showing the dangers of these rapidly evolving groups. 

Supply chain is a top target for data breaches: Most third-party data breaches target software supply chains (75%), according to a new study. In 2023, third-party data breaches made up about 29% of all reported breaches, but this number could be understated. Suppliers are becoming an increasingly popular target for cybercriminals and can wreak havoc. Healthcare and financial services are the top industries targeted in third-party data breaches. Third-party risk management is increasingly important to help prevent and mitigate the impact of these breaches. 

Organizations face complex third-party challenges with ESG: Multinational organizations have had to juggle a litany of new regulations across the globe, particularly around environmental, social, and governance (ESG). These requirements don’t just encompass organizations, but also third-party suppliers. A third party’s poor ESG practices can impact an organization’s reputation and regulatory pressure has only intensified this issue. Organizations will have to ensure they monitor their third-party suppliers on ESG practices. 
