
May 2023 Vendor Management News


Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of May 25

In this week's news, there are headlines on regulators fining companies for data breaches and misusing data, the threats of ransomware attacks and malware, best practices to keep your cybersecurity strong, another new privacy law, and an FTC policy on biometric technology. You won’t want to miss any of it, so check out more news below.

North Korean group launches new malware targeting Microsoft: A North Korean threat actor group is targeting Microsoft web servers with espionage malware. The Lazarus Group uses poorly managed or vulnerable web servers for its initial breach. It places a dynamic-link library (DLL) in the same folder path as a legitimate application and then executes the malicious DLL. Last year, Microsoft warned that North Korean groups would target open-source software.

New report shows continued threat of ransomware attacks: A new report said that 85% of organizations had a ransomware attack over the past year. Veeam’s 2023 Ransomware Trends Report showed that threat actors have largely targeted backup repositories and that organizations aren’t prepared to face the threats. In fact, 80% pay the ransom even with advisories against it. Organizations will need to improve their risk management programs to be prepared for cyberattacks.  

Meta fined for violating GDPR: Meta, Facebook’s owner, was fined €1.2bn for violating the General Data Protection Regulation. That’s $1.3 million in U.S. dollars. The Irish Data Protection Commission alleged that Meta’s transfers of personal data to the U.S. violated the GDPR. The European Court struck down the Privacy Shield agreement with the U.S. in 2020, which ended certain data transfers. The two are working on a new deal expected later this year. Meta has been given until October 12 to stop the transfers.

Apple patches vulnerabilities that may have already been exploited: Apple has patched three vulnerabilities, but it may be too little too late. The bugs were found in Apple’s WebKit browser engine. It’s possible that these were already used by threat actors, but Apple didn’t provide many details. Two of the vulnerabilities were reported by anonymous researchers, and the third was reported by an engineer with Google’s Threat Analysis Group and a researcher with Amnesty International’s Security Lab.

Best practices to be prepared for and protect against cyberattacks: Cyberattacks are increasing, with attackers becoming more creative to steal data. The global cost of this is in the trillions and will only continue to rise. Organizations should have cyber recovery and resilience plans, so they’re prepared to withstand disaster. Perform your due diligence and ongoing monitoring on cloud vendors to protect your data. 

Pentagon explosion hoax goes viral on Twitter: An explosion at the Pentagon went viral, causing the stock market to dip. There’s just one problem. It was all fake. AI-generated images went viral because verified Twitter accounts, including one impersonating Bloomberg news, tweeted the images. This is just one instance of the dangers behind paying to be verified on Twitter. U.S. agencies confirmed that it was all fake.  

Fertility app hit with fine from the FTC for sharing user data with advertisers: Fertility app Premom is in some hot water with the Federal Trade Commission. The FTC fined the app, made by Easy Healthcare, $100,000 for allegedly misleading people who downloaded the app between 2017 and 2020, saying it wouldn’t share user data with advertisers. The FTC has now banned it from sharing user information. Easy Healthcare has denied the allegations.  

The FTC releases new policy statement on biometric information technologies: The FTC has also adopted a new policy statement on the use of biometric information technologies. To determine if companies are misusing biometric information, the FTC will look at things like failing to evaluate third parties who either use biometric technology or are given access to the data, failing to assess harm to consumers before collecting biometric information, false statements or claims about the use of biometric information, and failing to promptly address known or foreseeable risks. Are your third parties involved with biometric technology? It’s time to do some due diligence.  

Texas is set to join other states with a data privacy law: A new privacy law is awaiting the governor’s signature... this time in Texas. While it’s like other data privacy laws, it also uses terms and definitions that are different from other states. If signed, the law will go into effect on March 1, 2024. This law casts a wide net and doesn’t exempt certain businesses based on revenue or data volume. With this ongoing trend of privacy laws, it’s important to make sure you’re in compliance, even if your state hasn’t passed a law yet.  

What are the five main types of insider threats? Is your organization at risk for insider threats? It’s more likely than you may think, with nearly 75% of organizations moderately vulnerable. Here are five main types of this threat. Privileged insiders may be unintentional or nefarious, but access policies and a Privileged Access Management solution will help. Malicious employees are definitely nefarious, and they have internal knowledge. No surprise, third parties are also a risk. Be sure you have your third-party risk management program in place. Moles are insiders who work for an outside agent. And you always have unwitting employees, so make sure you do your cybersecurity training.

FDIC issues a consent order on bank after concerning practices with third parties and fair lending compliance: After the FDIC deemed Cross River Bank’s practices to be unsafe and unsound, it issued a consent order. CRB is required to make corrections like strengthening third-party compliance controls, disclosing products offered by or with a third party, and preparing assessments and reports from an independent third party on its information systems and fair lending compliance. The consent order is prompting speculation on potential regulatory action on institutions that collaborate with third parties on offering marketplace lending and credit products.  

Third-party risk management a top challenge for non-profits: With rising costs, non-profits may be turning to outsourcing as a solution. But are they prepared to handle the risk of third parties managing donor data? It’s crucial for non-profit organizations to do due diligence when onboarding a vendor to determine if it’s financially sound, where it operates, and if it has fair employee practices. Nonprofits will also need to do ongoing due diligence with their vendors and develop policies and procedures on their use of third parties. CFOs should also create a framework for identifying and managing risk.

Four common misbeliefs vendors may have about broken promises: According to KLAS Research, 25% of healthcare providers said that vendors haven’t been keeping their end of the bargain. Why do they feel this way? Here are four common misbeliefs vendors might have. The first is that large providers have expectations that are too high. KLAS’ research showed there was no difference between large and small healthcare providers. Another misbelief is that certain members weren’t part of the purchase decision, so they don’t understand the expectations. Those who did make the decision were actually the most likely to say there were broken promises. Another misbelief is that it’s hard to keep promises for complicated products. Actually, that’s an area where providers were the most satisfied. And the last misbelief is that vendors just shouldn’t make promises at all. Vendors that don’t make promises are likely to underperform.

Third-party risk management a top concern for compliance professionals: A new survey shows that third-party risk management is becoming a bigger priority for senior compliance professionals. The survey from Compliance Week and FTI Consulting, Inc. also revealed that third-party risk management is the largest area where technology solutions are used. There’s a great need for tools that offer visibility into overall risk.  

Lessons for healthcare professionals after massive NextGen data breach: The breach at NextGen Healthcare, which impacted more than 1 million people, should serve as an alarm for senior management in healthcare. Leaders should implement regular assessments, conduct cybersecurity training for staff, understand who their third parties are, and have a disaster recovery plan so they can respond to a breach.

Vendor fined after 2018 HIPAA data breach: MedEvolve, a practice management software vendor, was fined $350,000 after a 2018 HIPAA breach. The Department of Health and Human Services’ Office for Civil Rights said an unsecured FTP server exposed the health information of 231,000 people. An investigation found other potential HIPAA violations, like failing to have a contract with one of its vendors.

Recently Added Articles as of May 18

This week’s news brings us information on a new proposed fee for banks from the FDIC, multiple ransomware and hacking attacks impacting millions of people, top risks posed by cybersecurity threats and the emergence of AI, and the importance of doing due diligence on your vendors before and after the contract is signed. Check out all the news below: 

Ransomware attack takes 6 million patients’ information: Almost 6 million current and deceased patients’ information is now in the hands of a ransomware group after pharmacy provider PharMerica fell victim to an attack. Hackers took names, Social Security numbers, and health insurance information. The group Money Message claimed responsibility for the attack on the dark web. PharMerica offered a year of free identity protection services to those impacted.

Discord suffers a data breach: Gamers beware! Discord experienced a data breach that exposed a third-party customer support ticket queue. It included email addresses and any messages and attachments between users and Discord support. The breached account was disabled when it was discovered. Discord hasn’t offered many details as of yet, including how many were impacted and what caused the breach. It’s a good reminder to do your due diligence on your customer service vendors. 

Third-party risk management is crucial in protecting supply chains: Very few organizations today can say they don’t use third parties somewhere. Third-party risk management is crucial to making sure the supply chain remains intact. Be sure to have an inventory of vendors that includes their information and criticality. Due diligence before signing the contract can help avoid major disasters down the road. And don’t forget that due diligence should also be done on an ongoing basis to keep risk management current. Offboarding a vendor also ensures that your customers' data remains safe. 

Four cybersecurity items to review as a corporate board: So, you’re a board member and you’re worried about cybersecurity. Here are four risk trends you should know. First, email and text attacks are common and successful, so make sure employees have proper training to avoid these. Ransomware attacks can happen to anyone, so review your incident response plan and back up your organization’s data. Of course third-party risk gets a spot! Conduct yearly audits of your critical vendors’ cybersecurity plans. And lastly, yes, insider threats are very real. Consider strict access control policies and multi-factor authentication, and make sure your staff are trained properly!

New ransomware group forms, targeting U.S. and South Korean organizations: Pharmaceutical, insurance, wealth management, and manufacturing organizations should be on the lookout for a new ransomware group. RA Group started in April 2023, launching a data leak site on the dark web where it posts stolen data. The ransomware targets logical drives and network shares and tries to encrypt specific folders. A ransom note titled ‘How to Restore Your Files.txt’ is then dropped onto the system. Review your cybersecurity and incident response plans both internally and with your vendors.

Protecting your information in SaaS platforms: Many tech organizations heavily rely on SaaS platforms for proprietary code, day-to-day work, and customer information. However, that also leaves them vulnerable to a devastating attack. It’s wise to implement threat detections for data breaches. Review your SaaS platform’s business continuity and disaster recovery plans. As layoffs occur, organizations should offboard employees from SaaS applications, including any admin access.  

Florida tries to fix its telephone solicitation rules after a wave of litigation: An amendment to the Florida Telephone Solicitation Act (FTSA) is sitting on the governor’s desk to be signed. It limits the FTSA as it redefines autodialing, limits violations to unsolicited calls, and requires individuals to allow 15 days for texts to stop before suing. An earlier revision of the law, from 2021, broadened the language, which created a slew of litigation. This new legislation is looking to find the balance between protecting consumers and allowing organizations to market.  

Florida likely to pass a privacy law, joining 9 other states: Florida is expected to be the next state to pass comprehensive privacy laws. The legislation is similar to what has already been passed in states like Iowa, Indiana, Virginia, and others. This will only apply to data processors or businesses that generate more than $1 billion in sales. Individuals also can’t sue for violations of the laws. The law would take effect on July 1, 2024. 

Five risks AI poses and how board members can manage them: It’s not uncommon for third parties to use AI systems or services, but that can pose a risk to your organization. To help mitigate cybersecurity risk, you should request an AI security assessment from your vendors. Board members should develop guidelines and standards for the use of AI to help mitigate reputational risk. Continue performing regular due diligence with your third parties and have a crisis plan in place. Stay on top of legislation and regulations around AI as they form to manage the legal risk.

University’s message system attacked by cybercriminals: Even universities aren’t safe from the threat of ransomware. Bluefield University warned students about texts from its communication system after a ransomware group used it to message the campus. The message actually alerted students to the attack and said their personal information was at risk of being leaked. Luckily for the students (but not so much for the university), they received a one-day break from exams.  

FDIC proposes new fee for uninsured deposits after Silicon Valley Bank and Signature Bank losses: The Federal Deposit Insurance Corporation (FDIC) wants some protection from uninsured depositors after Silicon Valley Bank and Signature Bank closed, costing it $15.8 billion. The FDIC Board of Directors proposed a rule to charge a special fee for the cost of protecting uninsured depositors. About 113 banks will have to pay the fee. No banks with under $5 million in total assets would have to pay. This rule will have 60 days of public comment.

Next steps for when your vendor relationship grows cold: What should you do when a vendor relationship suddenly turns sour? Check the contract! Take another look at the terms and conditions, fine print, and service level agreements. Maybe there’s something that can make your relationship blossom again. If it’s time to end the relationship, take lessons from this and use it for your next vendor. Add more details to the RFP and include new contract terms, like requiring third-party audits. And don’t leave them out in the cold! Schedule regular meetings to ensure everyone is on the same page.  

Partnering with a fintech? Do your due diligence!: Many financial institutions are seeking partnerships with Fintechs for a variety of reasons. But before you take the leap, don’t forget the necessity of due diligence! To do effective due diligence on fintech partners, evaluate changes to your risk profile. Trust but verify the information given to you. Ongoing due diligence is equally important! Throughout the partnership, you’ll need to make sure your fintech is meeting its obligations.

Recently Added Articles as of May 11

The headlines this week brought us news on regulators looking at cloud services and the explosion of AI, companies trying to prevent cyberattacks and the need for cybersecurity practices, new guidelines for non-banking supervision, great tips for managing your vendors, and more! Be sure to check out the articles below. 

Gartner survey finds that cybersecurity assessments are increasingly important: According to a recent Gartner survey, 60% of supply chain companies will use cybersecurity risk as a serious factor in third-party business decisions by 2025. Cyber criminals have focused on small and midsize businesses, particularly targeting supply chains. And as supply chain businesses shift more information to the cloud, there are more vulnerabilities. It’s important to perform cyber risk assessments before and after contracting with a third party, so your organization’s supply chain can remain safe.

As organizations move to the cloud, regulators start to watch for third-party risk: Financial services are migrating more information to the cloud, increasing risk and attracting regulators. According to an upcoming survey from Cloud Security Alliance, only 33% aren’t using the cloud for critical operations. Regulators are looking closely at third-party risk, especially supply chain risk. A supply chain could easily be disrupted if cloud vendors go down or have a cyberattack. If regulators ask your organization if you’re managing and monitoring third and fourth parties, do you have an answer?  

Data breach at cloud-based healthcare vendor impacts 1 million people: More than 1 million people were notified of a data breach with cloud-based health records vendor NextGen Healthcare. An unknown third party gained access to information like Social Security numbers, addresses, and birthdates. NextGen has offered impacted people 24 months of free fraud detection and identity theft protection. The incident offers an important reminder to monitor third parties and check for evidence of audited security controls. 

Microsoft implements number matching in mobile notifications to stop cybercriminals: Cybercriminals are figuring out how to get through multi-factor authentication, and organizations are beginning to put controls in place. Microsoft is now enforcing number matching in push notifications. Cybercriminals will spam users with multiple push notifications asking them to approve attempts to log in. Once people give in, attackers are able to log into their accounts.

Can cyberattacks be considered under the Act of War doctrine?: Pharmaceutical giant Merck filed claims to recover $700 million in losses after a cyberattack from the Russian government. However, cyber insurance companies refused to pay, citing an act of war exclusion. A New Jersey court sided with Merck, saying the insurers failed to show that the attack was a warlike action. Although most cyber insurance policies include an “act of war” exclusion, some of them fail to explicitly include cyberattacks. The use of the act of war exclusion has led to many legal disputes. Can insurers keep pace with this changing landscape of cyberattacks? It may be time to revisit policies.  

Regulators scramble to make AI safe: As AI has raced to the forefront of technology, regulators are trying to catch up with the substantial cybersecurity issues. The Federal Trade Commission has pointed to the National Institute of Standards and Technology (NIST), which updated a framework designed to address AI risks. However, that framework is vague and likely to change, making it difficult to apply. Technologists are asking regulators to keep up with AI’s changes and its risks. 

Third-party services on e-commerce sites should be monitored and managed: Are third parties handling data from e-commerce websites properly? The truth is, you could be liable for compliance with privacy laws, and your reputation could go down with a data breach. Third-party services are used in e-commerce for analytics, APIs, AdTech, and personalization. It’s easy to install third-party scripts and then forget about them. Organizations should know their vendors, what data they collect, and begin to remediate the risk.

Washington’s landmark health privacy law is notably different from other states: In April, the state of Washington enacted a health privacy law, which provides consumers several rights that may present challenges to businesses. Although it’s like many other states’ privacy laws, it goes a step further, like giving consumers the right to get a list of all third parties and affiliates that a business has shared or sold health data to. It’s also missing common exceptions, like being able to use data to defend against legal claims. The differences should cause companies to take a close look at their policies. 

Financial Stability Oversight Council proposes new guidelines: The Financial Stability Oversight Council proposed new guidance that would change the process for determining non-bank supervision by the Fed. It would eliminate the 2019 guideline statement that says the Council would rely first on existing regulators, and it would also eliminate the cost-benefit analysis. The process would be in two stages: a preliminary analysis and then an in-depth evaluation.  

Department of Education’s third-party services guidance delayed: The U.S. Department of Education postponed the implementation of the controversial third-party servicer guidance. In February, the department released a Dear Colleague Letter that broadened its regulatory oversight over third parties that partner with institutions that participate in federal student aid programs. Those changes were supposed to be immediately implemented, but backlash caused the department to delay. Now, any new guidance will be effective six months after it’s published. It’s unclear what the department’s next steps will be.  

How do organizations measure the social component of ESG? The social component of ESG can be challenging to implement and measure. Organizations should look at their employees and surrounding communities. Organizations can measure increases in employment opportunities, accessibility to employment for local community members, and equal pay initiatives. Social loans can also help fund projects like affordable housing and inclusive workspaces. 

Tips for maintaining a positive vendor relationship: What can organizations do to limit finger pointing from vendors? Service level agreements (SLAs) help ensure the finger is never pointed in the first place. A well-crafted SLA will set expectations, compliance, and mandate escalation. Regular meetings where vendors provide updates on changes to products or staff are also important. And, of course, vendors shouldn’t promise what isn’t possible. Doing proper due diligence before the contract is signed will help.  

Site shut down for verifying stolen credit cards for more than a decade: The Department of Justice indicted a Russian citizen for running a stolen credit card checking operation. He allegedly created the Try2Check underground service in 2005 and it made him millions. Cybercriminals used the site to check what stolen cards were valid and active. It was shut down last week. If you know where Denis Gennadievich Kulkov is hiding in Russia, you could get a $10 million reward! 

Federal agencies release a statement on using AI to break the law: Federal regulatory agencies are zooming in on artificial intelligence and its potential misuse. In a joint statement with the DOJ and the FTC, the Consumer Financial Protection Bureau said advanced technology and automated systems aren’t excuses for breaking the law. While AI has increased efficiencies, federal regulators are growing increasingly concerned with the consequences. Compliance with laws and regulations is still required!

Cybersecurity should be a part of the entire organization to prevent cybercrime: With cybercrimes increasing, organizations should work cyber into every aspect of business. Risk management, incident response planning, and threat intelligence can increase trust in your organization. Cyber strategies should be regularly reviewed and updated. Employees should receive cybersecurity training. Cybersecurity should also be factored into digital planning and improvements. It’s time to be proactive with cybersecurity across your organization.  

Recently Added Articles as of May 4 

This week's headlines bring us information on data breaches, the healthcare industry's preparedness for TPRM, more new laws and regulations, and the Fed's report on Silicon Valley Bank that you'll want to be sure to read. Check out the articles below to stay in the know. 

Key risk management tips for hospitals: So many aspects of healthcare involve vendors. Whether you’re outsourcing IT roles, or using a cloud system for heating and cooling, third parties have access to sensitive patient information and hospital systems. It’s vital for hospitals to keep patients protected and monitor third parties. Identifying the vendors, managing the ongoing relationship, making TPRM a security priority, and being proactive will help you stay on top of third-party risk management.  

Boards and managers play key roles in third-party risk management: Although using third-party vendors has many benefits, it also comes with risks. A recent study from SecurityScorecard showed that 98% of companies use vendors that have had a cyber breach in the last two years. Third-party risk management is more important than ever. Boards and managers are responsible for setting policies that prioritize due diligence and they should evaluate best practices, like training scenarios, risk guidelines, and whistleblower programs.  

First Republic Bank becomes the second-largest bank failure in US history with assets sold to JPMorgan Chase: After signs that it was in deep trouble, regulators seized First Republic Bank and asked banks to submit bids. JPMorgan Chase, the biggest bank in the U.S., acquired $92 million in deposits and $203 billion in loans and other securities. First Republic catered to mostly wealthy clients, who quickly pulled their money at the first sign of trouble. All of the bank’s 84 branches opened on Monday as JPMorgan Chase.

OCC and FDIC release guidance on overdraft fees, emphasizing the need for third-party risk management: If you’re a bank using third-party vendors for your overdraft protection program, be aware that the OCC and FDIC pushed the need for effective risk management this week. Both agencies released guidance on overdraft fee practices and urged banks to consider and manage the risks that come with using vendors in overdraft programs.

T-Mobile reports its second breach in 2023, impacting hundreds of customers: Attackers had access to 836 T-Mobile customers’ personal information for more than a month, beginning in late February. The information included phone numbers, Social Security numbers, government IDs, contact information, and T-Mobile account information. Impacted customers were offered two years of free credit monitoring and theft detection services. This was a much smaller attack than the one reported earlier this year, which impacted 37 million people.

Telehealth and remote medical devices expose flaws in healthcare organizations’ cybersecurity: Since the pandemic, digital health solutions are increasingly popular. More people are now using remote monitoring devices like wireless pacemakers. But with this move to the cloud, cyber risk increases. Breaches can now pose a risk to a patient’s wellbeing and even life. Healthcare organizations still have a lot of progress to make in cybersecurity and will need to increase their efforts in third-party risk management.  

New malware toolkit discovered in DNS records: A new malware toolkit that’s been named Decoy Dog has been uncovered in DNS records. Although its usage is very rare, it’s also very sly, using techniques to sneak in undetected. Decoy Dog establishes a good reputation with security vendors before moving to cybercrime. It also uses a pattern of periodic and infrequent DNS requests to stay under the radar. What a dog! 

Google reports that it blocked 1.43 million bad apps in 2022, and still has work to do: Google was working overtime in 2022, improving security features that the company says prevented 1.43 million bad apps from going to the Play Store. Google also said it banned 173,000 bad accounts. Part of the prevention was to require things like a phone number and email address to join Google Play. There’s still room for growth as decoy apps that run ad malware in the background are still sneaking in. 

Could misinformation be considered malware?: It’s not uncommon for company social media accounts to be hacked, allowing misinformation to spread quickly. It’s also become easier to pose as legitimate companies on social media (Does anyone remember Eli Lilly?). But could it actually be considered a form of malware? Malicious content can be spread through malicious conduct, so misinformation and malware can often go together. Companies should at least be aware of this threat and be prepared to respond.  

The Fed owns up to its role in Silicon Valley Bank’s failure in its new report: The Fed may be looking at some course correction after changes in 2019 that lessened oversight for banks helped contribute to SVB’s failure last month. Although SVB had some unique challenges, the report acknowledged that the Fed’s supervisors were slow to grasp the problems and then didn’t respond aggressively enough once they were spotted. Whether the Fed will actually tighten its reins in the future remains to be seen.

Montana privacy law passes: Montana has joined a slew of other states to pass a comprehensive privacy law. It mirrors the one Connecticut passed last year and is effective on October 1, 2024. Tennessee, Iowa, and Indiana have also recently passed privacy laws.  

Senators try to pass cannabis banking legislation once again: Should banks be penalized for providing services to cannabis businesses? Two lawmakers are trying to prevent federal regulators from penalizing banks that service legitimate, legal cannabis businesses. If passed, the FFIEC would have 180 days to release guidance. The first version of this bill didn’t have enough support to pass, but with some changes from two bipartisan legislators, maybe this one has a chance.   

Programming mistake at mail vendor compromises 10,000 Medicare recipients: Just over 10,000 Medicare beneficiaries in Alabama, Georgia, and Tennessee received unpleasant news from the Centers for Medicare & Medicaid Services. A vendor’s mailing error caused Medicare Summary Notices to be sent to the wrong people. The risk of identity theft is believed to be slim.  

Data breach at VoIP provider disrupts software supply chain, exposing the need for TPRM: Oops! This employee at 3CX probably had a bad day. After an employee downloaded a trojanized version of software, North Korean threat actors attacked the software supply chain. Two critical infrastructure organizations and two financial trading entities were compromised. The breach remained undiscovered for at least a year. It may be wise to actually pay attention to your company’s cybersecurity training this year.

A new study shows that healthcare is more reactive than proactive with cybersecurity: In its first wave of results, a study of 48 healthcare organizations found that most of them are not keeping up with recommended cybersecurity guidelines. It showed specific weaknesses around third-party risk management and medical device security. As healthcare increasingly becomes a cyber crime target, organizations will have to continue to put more resources into risk management.  

Who’s enforcing federal privacy laws?: It seems like every federal agency is involved with some aspect of enforcing privacy laws. From the Federal Trade Commission, to the Consumer Financial Protection Bureau, to the Department of Education, the list goes on and on! Here’s a helpful overview of who’s enforcing what in the government agencies.   

AI is making a big splash and now come the regulations: AI is the next big technology trend, with companies rushing to keep up. But it also comes with a lot of risk. Now the federal government and states are introducing new rules to control the use of AI. California’s proposed law would require companies to disclose how they’re using AI tools, require annual assessments, and allow for lawsuits against employers if AI is used discriminatorily. Companies may need to start paying attention to how their vendors use AI.   
