May 2024 Vendor Management News

Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of May 16

This week’s headlines highlighted the impact of third-party data breaches, regulatory scrutiny of third-party risks, and the importance of vendor compliance. Catch up on all of this week’s news below. 

Former NCUA chairs throw support behind third-party regulatory authority: Four former chairs of the National Credit Union Administration (NCUA) board pushed for NCUA supervisory authority over third-party vendors in a letter to the Senate and House. The current NCUA chairman, Todd Harper, has pushed for this regulatory authority, which has to be granted by Congress. The letter cited the increasing use of third-party vendors by credit unions, which has increased risks. The four former chairs called for regulatory oversight to ensure credit unions mitigate third-party risks. Several have opposed the NCUA’s push for regulatory authority, including America’s Credit Unions and the Credit Union National Association (CUNA).

Spanish bank experiences a third-party data breach: Customer and employee data was exposed at a Spanish bank, Banco Santander, after a third-party data breach. Cybercriminals were able to gain access to a database hosted by a third-party provider. Information like transactions, access credentials, or banking passwords wasn’t compromised. 

Third-party data breach contributes to a record year for educational institutions (37.6M records exposed): 2023 was a record year for data breaches in the education industry, according to a new study. The increase was attributed to the third-party MOVEit breach, which impacted more than 800 educational institutions. Of the 4.3 million records compromised in 2023, 1.7 million stemmed from third-party data breach. Since 2005, 37.6 million records have been compromised in education data breaches. The good news is that the first quarter of 2024 had much less data breaches, with only 16 incidents reported. However, educational institutions should still be on guard for cyberattacks. 

Compliance with cybersecurity regulations is a challenge (44% of cyber professionals struggle): Regulatory compliance in the cybersecurity sector has been a challenge to achieve, according to a new survey. Some cybersecurity regulations, such as the U.S. Sarbanes-Oxley Act (SOX), were considered very complex to comply with, while others, such as the EU Cybersecurity Act, were only somewhat complex. Many organizations surveyed hadn’t achieved full compliance with all the cybersecurity regulations.

Federal regulators note banking industry risks in a House testimony: Federal banking regulators noted the industry’s resiliency after the Silicon Valley Bank (SVB) failure last year, but also said that risks remain. The remarks came in a prepared testimony to the U.S. House. The Office of the Comptroller of the Currency (OCC) chairman specifically noted third-party risks, especially in the fintech space. 

Predictions for the future of cybersecurity attacks: As data breaches grow, a study recently made ten cybersecurity predictions on the future landscape. The predictions include a continued increase in supply chain attacks, weaponized ransomware as a tool for war, and cloud security failures leading to data breaches. Artificial intelligence (AI) attacks also made the list. Realistic deepfakes for social engineering made the list too. The study emphasized the importance of an incident response plan and maintaining backups and recovery in the event of a breach. 

Software firm reports a third-party data breach: An Australian software firm, Iress, reported a third-party data breach on a platform that manages the firms’ pre-production software code. No customer data was exposed in the breach, as Iress said it doesn’t store customer information on the third-party platform. There was also no disruption to operations, but Iress is reinforcing its security measures. 

Colorado is set to become the first state with comprehensive artificial intelligence legislation: Colorado is on track to become the first state to enact AI legislation. The bill lays out how developers and deployers of AI should use reasonable care to protect consumers from discrimination. Differing from many state privacy laws, the bill doesn’t offer a private right of action to citizens and is instead only enforceable by the state attorney general. The bill focuses on “high-risk” AI systems, which is essentially one that plays a big role in making important decisions, such as education enrollment, employment, financial lending, and healthcare services. Those that deploy AI must create a risk management program and complete an impact assessment of the system. 

Vendor to pay millions after mishandling private medical information: A vendor will pay a $2.7 million settlement with the U.S. Department of Justice after mishandling private medical information. The Pennsylvania Department of Health used the vendor for contact tracing during the pandemic. Employees of the vendor used unauthorized Google accounts to store information, violating the vendor’s contract. 

Recently Added Articles as of May 9

This week, several new third-party data breaches were revealed. Financial regulators released a guide to aide community banks in third-party risk management and healthcare regulators updated controversial guidance on third-party tracking technology. Catch up on this week’s headlines below. 

Third-party data breach compromises UK Ministry of Defense: A data breach at a third-party payroll system has exposed the data of military personnel at the UK Ministry of Defense. About 272,000 personnel had data compromised in the attack, including names and bank details. The third party was publicly criticized for “evidence of failings” as the system wasn't properly managed.

Agencies released a third-party risk management guide for community banks: The Federal Reserve (Fed), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) released joint guidance, which is intended to be a third-party risk management resource for community banks. The guidance follows last year’s Interagency Guidance and covers the third-party risks smaller banks are likely to face. It offers examples for each step of managing the third-party relationship and offers questions community banks should consider. 

Survey reveals innovation over security in AI projects at many organizations: Innovation is a key to success for many organizations, but does it take priority over security? According to a new report, 70% of organizations are more focused on innovation than security with generative artificial intelligence (AI). Organizations acknowledged the importance of secure AI in the survey, but only 24% of generative AI projects are being secured. Since generative AI is such a new technology, it’s important to create a framework that manages the risks, especially as regulatory action picks up across the globe. This includes addressing AI usage by third parties by accessing third-party AI risks, establishing policies that address use of organizational data with third parties, and understanding how third parties use AI. 

Third-party and supply chain data breaches increased in 2023: Third-party data breaches took a big rise last year, according to Verizon’s Data Breach Investigations Report. In 2023, third-party breaches increased 68%, with software vulnerabilities as a leading cause. In total, 15% of all breaches in 2023 involved a third party, which increased 6% compared to 2022. The report expanded its definition of “supply chain breach” to include vulnerabilities in third-party software. 

City of Wichita shuts down networks after a ransomware attack: Wichita, Kansas shut down some of its network after a ransomware attack over the weekend. To contain the spread of the ransomware attack, the city shut down its computer network. Online payment systems are down, including those for court citations and tickets. The attack is still under investigation

Australia privacy commissioner warns of increased third-party data breaches: Third parties are a weak spot in customer privacy, according to Australia’s privacy commissioner. The warning comes after a third-party data breach that exposed more than 1 million Australians’ data. A report from the Office of the Australian Information Commissioner said that 121 secondary, or third-party, breaches were reported in the last six months. The commissioner said organizations must ensure third parties adhere to privacy obligations, particularly in third-party contracts. Organizations should also evaluate that privacy protections are in place at the third party. 

North Korean groups are targeting organizations in phishing emails: The National Security Agency (NSA) and FBI have warned that North Korean hacking groups are exploiting weak email policies in phishing attacks. The group has sent emails that appear credible from sources like journalists, academics, and other experts. Organizations should update Domain-based Message Authentication Reporting & Conformance (DMARC) security policies. 

State officials emphasize importance of third-party risk management in local government: Local governments and state agencies are learning from past third-party data breaches and have been prioritizing third-party risk management. At the National Association of State Chief Information Security Officers (NASCIO) conference, officials emphasized the importance of vendor contracts that address security practices and security plans that address vendors. Many states are turning to each other for help to ensure vendors are secure. 

Accounting firm facing lawsuits after third-party data breach: After a third-party data breach that impacted about 1.1 million people, BerryDunn is now facing a lawsuit over its vendor’s breach. At least 8 lawsuits have been filed so far, alleging that BerryDunn was negligent in its security practices. 

Steps to reduce supplier risks: Organizations are becoming more and more connected to other organizations in a vast supply chain network. However, experts say it’s still the organization’s responsibility to ensure their data remain secure. Creating an inventory of who is in your supply chain is a critical first step to managing risks. Then, you’ll need to identify critical suppliers and understand how much access to your data they have. Questionnaires and risk assessments can determine what controls your suppliers have in place and whether they’re effective. Taking these steps can help limit the third-party risks your organization faces. 

Healthcare agency updates third-party tracking technology guidance: Despite criticism, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) doubled down on its guidance for third-party tracking technology. The OCR released updated guidance on what’s considered an impermissible disclosure of protected health information (PHI) in regards to third-party tracking technology. Some industry experts said the updated guidance didn’t change or clarify anything, just reinforced the agency’s stance. More than 200 lawsuits were filed as of 2023 over the use of third-party tracking technology at healthcare organizations. Healthcare organizations should proceed with caution when using third-party tracking technology for marketing purposes. 

CISA alerts to actively exploited GitHub vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted to a critical flaw in GitLab that’s being actively exploited. Cybercriminals could take over an account by redirecting password reset emails to an unverified email address. Accounts with multi-factor authentication (MFA) are still at risk but won’t have an account takeover due to the second verification. 

Recently Added Articles as of May 2

In this week’s third-party risk management news, organizations expressed concern about visibility into third parties, the Federal Trade Commission finalized notification requirements for healthcare breaches, and the first U.S. bank closure of 2024 occurred. Catch up on all of this and more below.

Keys to cybersecurity success in the hotel industry: The hotel industry has gone increasingly digital over the years, from digital keys, to reservations, and payment details stored digitally. This has made the industry susceptible to cyberattacks and ransomware, including third-party attacks. Hotels should refer to foundational frameworks, like the PCI Security Standards Council, to manage third-party risks. Best practices like multi-factor authentication (MFA) and network segmentation are also important to implement.

Reserve Bank of India expects regulated entities to manage third parties: Regulated entities (REs) in India are expected to manage third parties that deliver critical operations, according to the Reserve Bank of India (RBI). Before entering any relationship with a third party, REs must perform a risk assessment and due diligence. The third party should have operational resilience and be prepared to respond to disruptions. 

Ransomware activity increases this year: Ransomware activity increased in the first quarter of 2024, according to a new report. The increase is 21% compared to the first quarter of 2023, and is based on the number of victims reported on ransomware groups’ sites. Information technology and services were the most targeted industries.

Third-party risk management in the trucking industry: The trucking industry increasingly relies on third parties, especially as the industry shifts to digital. It’s important to ensure third parties have strong cybersecurity programs. Carriers should first determine how much data each third party has access to and then assess the financial health and cybersecurity of each third party. A third-party risk management program can help not only assess third parties, but fourth and nth parties further down the supply chain.

Proactive third-party risk management practices to protect from risks: Today’s supply chain has become even more complex and has introduced new risks for organizations. Cyberattacks have increased and geopolitical tensions have risen, all threatening to disrupt the supply chain. Organizations should be proactive in addressing risk through practices like vendor due diligence, contract negotiations, and continuous monitoring. Through this approach, organizations can lower the risk of operational disruptions, ensure compliance, and improve their reputation. 

Best practices in cybersecurity for third-party risk management: Recent third-party cyberattacks in healthcare have reminded organizations of the importance of good cyber hygiene in third-party risk management. There are critical best practices for organizations to implement to protect against cyber threats. Organizations should thoroughly review third-party documentation to validate security practices. Third parties should also comply with cybersecurity standards and continuously educate their employees on best practices. 

Selecting the right IT service providers: Many small and medium-sized organizations rely on third-party IT services to maintain a secure environment. However, it’s important to ensure third-party IT vendors grow and mature with your organization. Consider the vendor’s track record and reputation in the market and evaluate whether the vendor can meet your organization’s needs. Service level agreements are a great tool to ensure the vendor can meet performance expectations. The vendor should also be able to scale with your organization and offer timely support. This can help ensure the IT vendor isn’t just a service provider, but a partner with your organization. 

CISA released AI threat guidelines: The Cybersecurity and Infrastructure Agency (CISA) released several guidelines for critical infrastructure on artificial intelligence (AI) threats. AI risks are categorized into three types: the use of AI in attacks on infrastructure, targeted assaults on AI systems, and failures with AI design and implementation. CISA recommended a strong organizational culture for AI risk management and for organizations to understand where AI is used and put risk mitigation efforts in place. 

First U.S. bank failure of 2024 spotlights economic challenges: Republic First Bank became the first bank to fail in 2024 and was acquired by Fulton Financial. Republic Bank faced struggles with high interest rates, which it reported hurt its commercial real estate portfolio – that was almost half of Republic Bank’s loan book. With the current economic environment, organizations may need to re-evaluate their vendors' financial health and stay attuned to any red flags in their finances. 

Third-party breach at a healthcare data group compromises 1 million records: A third-party data breach impacted more than 1 million records at BerryDunn’s Health Analytics Practice Group. A managed service provider detected suspicious activity on its network and notified BerryDunn, who immediately investigated the breach. The organization notified impacted customers of the breach. 

FTC finalizes Health Breach Notification Rule: The Federal Trade Commission (FTC) finalized changes to the Health Breach Notification Rule with third-party requirements. Vendors of personal health records (PHR) that aren’t covered by the Health Insurance Portability and Accountability Act (HIPAA) will need to notify the FTC, individuals, and potentially even media when there’s a breach of personal health information (PHI). This includes health apps and other technologies, which aren’t covered by HIPAA. The third parties to these vendors will also need to notify of a breach. 

Protecting data in third-party risk management: Data access has become an increasingly important subject in vendor risk management. To remain secure, organizations need to closely evaluate vendors that store, access, or transmit their data. A growing network of vendors has led to a complex supply chain that may be vulnerable to cyberattacks. Some organizations don’t continuously monitor third parties that can access their data, which may leave them blind to emerging risks. This can also lead to a reactive approach, where organizations can only respond, but not prevent. Focusing on intrusion prevention and employee training can help organizations be more proactive.

Third-party tracking technology lawsuits against the healthcare industry are on the rise: Lawsuits against healthcare organizations for third-party tracking technology are rising. A recent report showed that healthcare accounted for 28% of 1,150 tracked incidents in 2023. Around 200 lawsuits have been filed over third-party tracking technology. The Department of Health and Human Services (HHS) addressed the issue of third-party tracking technology in a bulletin, but it has experienced industry pushback as HHS said IP addresses are considered protected health information (PHI). The focus on this issue is likely to evolve and continue throughout the year. 

Third-party visibility and cyber risk a top concern: Only 43% of organizations expressed confidence in their ability to manage cyber risks and attacks, according to a new report. Many find it challenging to implement security policies across the organization, while smaller organizations worry that senior management doesn’t see the risk of cyberattacks. Organizations are also concerned about a lack of security and control over the supply chain, along with visibility into third parties. 

Agricultural industry hosts massive tabletop exercise: The agricultural industry is preparing for damaging cyberattacks in a massive tabletop exercise with federal officials. A mock scenario examined how well participants are prepared to respond to a cyberattack on food and agriculture. More than 2,000 participants were able to test their preparation. This is the ninth year the sector has had this tabletop exercise. Lawmakers and regulators have recently focused on the agriculture industry’s preparedness for cyberattacks, including ransomware. 

Selecting a third-party fraud prevention vendor: Financial institutions are reporting an increase in fraud and financial crimes, according to a report, leading to an increase in third-party relationships to prevent fraud. When selecting a fraud prevention vendor, financial institutions consider reputation, ease, and expertise. Many financial institutions also want to test a vendor’s technology before selecting them. As financial institutions continue to battle fraud, they’ll work with third parties in their efforts. 

New survey shows the increase in data breaches and security events: More than half of organizations have been compromised by a cyberattack, according to a new survey. Many of these organizations reported unplanned downtime, data exposure, and even financial loss. More than 50% of senior management now share penetration testing reports with their board of directors and 500 security events that need remediation are reported weekly.