November 2021 Vendor Management News


Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management program fresh. Below we've listed some notable articles to check out.

Recently Added Articles as of November 25

Regulators are still in full force this Thanksgiving week, as they jointly approved a final rule regarding incident notifications. FINRA was also busy defending increased ESG disclosures and web scrapers are gaining more attention. The breach of the week award goes to GoDaddy and the supply chain crisis continues to highlight due diligence challenges. There’s still a lot cooking, so read on to learn more!

1.2 million WordPress accounts affected by GoDaddy breach: Domain name registrar leader GoDaddy recently announced the details of a data breach in a mandatory SEC notification. The breach was discovered on November 17th and impacted WordPress users with a managed hosting plan. The stolen data appeared to be limited to customer numbers and email addresses for many users, but the incident also exposed SFTP and database usernames and passwords. GoDaddy noted that impacted users have been contacted directly and that it's taking steps to strengthen its systems with more layers of protection. However, it hasn't yet offered guidance on remediating any data breaches that impacted individual sites.

Poor cyber risk management in Western Australia: Local government entities in Western Australia received some harsh criticism after the Auditor General discovered their weak cyber risk management efforts. An audit report revealed that most of the vulnerabilities found during black box testing were over a year old, with one existing for over a decade. Almost half of the vulnerabilities were also of critical or high severity. Two entities hadn't performed penetration testing since 2015 and one had never tested at all. The report directed entities to the principles found in the Australian Government Information Security Manual to improve their cyber posture.

Regulators take a critical look at web scrapers: Data brokers who use web scraping are being advised to proceed with caution as regulators take a closer look at potential privacy concerns. Web scraping is the general practice of collecting website data through automation. This can occur without the knowledge or authorization of the website owner, as companies have often built web crawlers to run against public websites. Scraped data rarely leads to enforcement actions, with a few exceptions falling under the Computer Fraud and Abuse Act. Vermont and California have enacted data broker laws that supplement their unfair and deceptive trade practice (UDAP) statutes, and other state privacy laws, such as those in Virginia or Colorado, can potentially be violated by web scraping. If your organization discovers that it has been the target of web scraping, it's recommended to consult with legal counsel and consider reporting it to the Department of Justice. Regularly reviewing and updating your terms of use is another strategy to prevent web scrapers from finding loopholes and gathering data without permission.

Debt collectors turn digital: After the CFPB's debt-collection rules go into effect November 30th, many customers can expect more digital outreach and fewer phone calls from collectors. PNC Financial Services Group and KeyCorp are just two financial institutions that are transitioning to email and text to communicate with customers who need to repay debt. Electronic communication isn't only more efficient, but also more cost-effective. Research found that customers who were contacted electronically made 12% more payments than those who were contacted by phone or mail. Online pop-ups and notifications are also less confrontational than phone calls and can be used to direct customers to a solution such as temporarily reducing payments.

Increasing ESG regulations championed by FINRA chair: According to FINRA Chair Eileen Murray, self-regulation and reporting of environmental, social and governance (ESG) disclosures simply isn't enough. She recently stated her concerns with the lack of accountability and consistency, calling on regulators, businesses and educators to handle these issues. Investing in sustainable companies is growing, but there is still no clear standard for being ESG compliant. Murray pointed to the SEC as the agency that should be responsible for ESG regulations, while FINRA appears to focus on diversity, equity and inclusion (DEI) disclosures.

Healthcare IT leader offers vendor risk management tips: As the healthcare industry has faced an increase in cyberattacks over recent years, information security experts are working hard to create game plans for vendor risk management. The information security officer at St. Joseph's Health states that it's more important than ever to prioritize vendor risk management because of the constantly evolving threat landscape. Technology is shifting to more cloud-based or shared environments, so it's critical to understand security controls and how data is handled. A good starting point is to understand the scope of your organization's third-party vendors and onboarding process. This allows IT leaders to ensure that necessary controls are in place so security assessments can be performed. It's also important to include minimum security provisions in agreements, such as service level agreements, right-to-audit clauses, breach notification requirements and ongoing assessments.

Security breach risk explodes for mid-sized organizations: A new report revealed an alarming statistic: mid-sized businesses are facing up to a 490% increase in security breach risk since 2019. Smaller organizations often lack the resources to protect themselves against threats, and the cybersecurity industry is geared towards the needs of larger businesses. The number of attacks increased at least 50% for every industry between 2020 and 2021, with healthcare and transportation seeing an increase of over 125%. Mid-sized businesses were only investing in basic defenses against email phishing and malware, yet they were seeing a broader range of attacks such as bot attacks, Wi-Fi phishing, insider threats and malware in cloud apps and email.

Incident notification final rule jointly approved by regulators: Banking organizations are now required to notify their primary federal regulators within 36 hours after the identification of a computer security incident, according to the recently approved final rule. This notification is required for incidents that have a material effect on a bank’s operations or its ability to deliver products and services. Additionally, organizations are required to notify customers as soon as possible if the incident has a material effect on them for 4 or more hours. Banks are required to comply with the final rule by May 1, 2022.

Gap widens between tech and financial regulations: Cybersecurity technology is advancing at such a rapid pace that U.S. financial regulators are falling behind. Financial institutions are increasingly using more advanced technology, such as artificial intelligence (AI) and biometric authentication, to mitigate risk and fight fraud. Even smaller banks were forced to adapt to a digital business model as the pandemic restricted their on-site access. However, some experts are concerned by the lack of a national framework to protect data, with only a few states that have created privacy laws. Regulators are still attempting to understand these emerging technologies used by financial institutions and are expected to issue guidance on AI risk management within the next year.

Balancing due diligence during the supply chain crisis: At the height of the pandemic, global supply chain management was brought into the spotlight as the U.S. faced shortages of medical supplies and other goods. Business leaders were tasked with identifying weaknesses in their supply chains and quickly filling in gaps, which pushed due diligence onboarding further down the priority list. Chief compliance officers need to find the right balance of onboarding high-risk vendors while also implementing effective risk mitigation strategies. To achieve this, it’s important to regularly check in with vendors and suppliers and test transactions to verify payments and regulatory interactions. Contracts should also be reviewed and audits should be conducted on a regular basis.

What to expect from the FTC's final rule: The Standards for Safeguarding Customer Information was amended by the issuance of the FTC's final rule in late October. This amendment provides greater detail on the obligation for financial institutions to maintain an information security program, which should be overseen by a qualified individual. Data breach reporting obligations weren't included in the final rule, but may be added in the future. The rule instead requires that institutions implement a written incident response plan. Increased security controls are another important requirement to note, which includes things like encryption, multi-factor authentication, audit trails, change management, the secure disposal of customer information and the secure development of apps that use customer data. Covered institutions are also required to ensure their service providers implement appropriate safeguards to protect customer information through periodic assessments.

Highlights from OCC climate change expectations: Earlier in November, the OCC turned its focus towards environmental initiatives with its release of Five Climate Questions Every Bank Board Should Ask. This call to action is a good indication that the agency expects banks to address these questions now, so they can better prepare for further guidance. The five questions ask about exposure to climate change and carbon tax as well as which sectors should warrant increased focus and whether data centers are vulnerable to extreme weather. The OCC also supplements these five questions with their expectations for risk management activities. More detailed guidance is expected to emerge throughout 2022, and the general themes found in these five questions likely won’t change, so it’s recommended that OCC regulated banks start their climate change discussions now so they can determine how to fulfill the agency’s expectations.

Recently Added Articles as of November 18

CISA just released its cybersecurity playbooks for Federal Civilian Executive Branch (FCEB) agencies. A hacker sent out fake cyberattack warnings from an FBI email system. And, listen to a podcast on the growing threat of ransomware while reading up on the potential risks from mergers and acquisitions. We also have a rundown of some regulatory hot topics and some important information on the recently identified Golang malware. There's a lot happening this week, so read on for the latest!

CISA publishes cybersecurity playbooks for FCEB agencies: Six months after the Biden Administration released the Executive Order on cybersecurity, CISA has published its playbooks for FCEB agencies to plan out their activities related to cybersecurity vulnerability and incident response. These agencies can now look to the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks to form their defensive procedures. The playbooks contain decision trees to guide the reader through incident and vulnerability responses. While the playbooks are intended for FCEB agencies, CISA is encouraging private organizations and critical infrastructure entities to use them as a benchmark for their own cybersecurity practices.

Exposure of PHI costs two New Jersey printers $130,000 in fines: Claim numbers, the names of providers and facilities, dates of service and descriptions of medical services were exposed thanks to an error that went undetected by two New Jersey companies that provide printing and mailing services to a healthcare organization. Command Marketing Innovations and Strategic Content Imaging were fined for the 2016 incident, in which a printing error caused one member's statement to be printed on another member's. The two companies were accused of violating HIPAA regulations by failing to secure protected health information and not reviewing and modifying their security measures. To reduce their fines by $65,000, both companies agreed to a Consent Order which states that they must implement an information security program to track vulnerabilities.

Regulatory topics gaining momentum in the U.S., EU and UK: As we approach the end of 2021, organizations should evaluate the changing regulatory landscape that's been affected by a new administration in the U.S., the Brexit transition and the ongoing pandemic. One notable topic that's trending is environmental, social, and governance (ESG) disclosures, which are still being developed in all three regions. In the U.S., the Federal Reserve is considering potential mandatory climate risk stress tests for large financial institutions, and the EU Commission has established a framework that focuses on ESG factors within the financial system. On the UK side, the FCA addressed climate disclosures in two recently published consultation papers, with a policy statement expected by the end of the year. A shift in politics is also making some changes, as the Biden Administration has proposed initiatives related to fintechs and cryptocurrencies. After the UK left the EU, there remain uncertainties about how financial services will be managed across the border, especially for organizations conducting business in both regions.

Fake cyberattack warnings sent from FBI email: Did you recently receive an email from the FBI warning you of a cyberattack? Not to worry because the email was bogus. For reasons still unknown, the attacker exploited a flaw in the FBI’s messaging system and sent out the fake warning that simply contained gibberish and no call to action. The agency further assured that the attacker didn’t access any personally identifying information, nor was he able to compromise any data. The alleged attacker explained to information security journalist, Brian Krebs, that the vulnerability was related to the ability for anyone to apply for an account on the Law Enforcement Enterprise Portal (LEEP). Despite no apparent harm done, the attack highlights the potential for other criminals to exploit the FBI’s infrastructure.

Strengthening cybersecurity practices to fight ransomware: With ransomware attacks on the rise, organizations are seeing the need to improve their cyber defenses through specific modifications and a shift to software-as-a-service (SaaS). A recent survey polled 100 IT experts to ask about the changes they’ve made to protect against ransomware attacks. Many organizations have implemented multi-factor authentication, but more than half have still not prioritized Zero Trust principles, which is often promoted as a more effective strategy. One recommendation to protect against these attacks is to set up access management defenses. Multi-factor authentication and single sign-on can also reduce these threats. Just-in-time access and randomized passwords for privileged accounts are also helpful, with the ultimate goal of Zero Trust.

One-third of retailers, restaurants and hospitality companies have been breached: A recent survey by Cornell University revealed that 31% of companies in retail and hospitality have been the victims of a data breach, with 89% experiencing more than one in a single year. Payment systems have shifted from simply processing transactions to providing customer data and insights. Almost 75% of companies are using multiple cybersecurity systems, but they're divided on whether these systems are managed by one or more departments. Another interesting finding showed that 65% of security leaders believe that their customers, who just want easy-to-use systems, are annoyed by additional security measures. Companies are also divided on the value of using third parties to securely manage information. For those that don't use third-party suppliers for information security, half believe that their current method is less costly.

CyberWire podcast dives into the growing threat of ransomware: As the cost of ransomware is expected to top $20 billion in this year alone, security experts are trying to predict where this threat will lead over the next five years. Industry expert Kevin Ford of the Environmental Systems Research Institute predicts that there will be a 30-50% increase in the number of events moving into 2022. He also anticipates more "whack-a-mole" type scenarios in which bigger ransomware gangs can be apprehended, but smaller groups or individuals could pop up in their place to use the same tools. He argues that a better strategy is to go after the criminal infrastructure that hosts and distributes the code that makes ransomware possible. Overall, he's hopeful that our perspective on ransomware will shift to a focus on public safety instead of solely on data and privacy protection.

Beware of risks during mergers and acquisitions: There are many benefits that come from mergers and acquisitions (M&A), such as new opportunities and innovations. However, the M&A process also brings about information security and compliance risks which are often overlooked. Prior to an M&A, organizations should review the security posture of their potential acquisition target. This includes high-level security assessments and public information like disclosed security breaches. Thorough due diligence should also be performed during the M&A, which might include a data asset inventory and security assessments to ensure the target organization's systems are aligned with industry standards. A comprehensive evaluation of the third-party risk management program should also be performed. There are also tasks to be done after the M&A, such as maintaining security monitoring and determining the need to consolidate processes.

Software supply chains still at risk after SolarWinds hack: Protecting the software supply chain from third-party risk continues to be a struggle for many organizations, even as they're supporting their digital transformation with artificial intelligence (AI) and machine learning (ML). This rush to establish new digital features often neglects security issues, leaving many organizations vulnerable. A newer risk that has emerged is called dependency confusion, which occurs when an organization's internal open source package isn't properly named. A hacker could potentially publish a public package with the same name, which the package manager would then download in place of the internal one for an unsuspecting user. While the Biden Administration has attempted to address software supply chain security, some experts remain focused on the gaps that are left in the order because it doesn't apply to non-federal contractors.
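The dependency confusion scenario in the summary above can be caught before install time with a static check of the dependency manifest. The following Python script is an added example, not code from the article or from any project it mentions; it checks a pip requirements file for the three conditions that make the attack possible: an `--extra-index-url` that lets pip fall back to the public index, an internal package name that also exists on the public index, and an internal package that isn't pinned to an exact version with `--hash`. The internal package list, the public-index snapshot and the requirements text are all constructed for this example (in practice the snapshot would come from querying the registry).

```python
"""Added example: static check for dependency-confusion exposure in a pip
requirements file. Not from the article; names and data below are constructed."""
import re
from dataclasses import dataclass

# Hypothetical private package names (constructed for this example).
INTERNAL_PACKAGES = ["acme-billing-core", "acme_reports"]
# Constructed offline snapshot of names present on the public index; note that
# "acme-reports" has been registered publicly, which is the collision we want to catch.
PUBLIC_INDEX_NAMES = ["requests", "acme-reports"]
# Constructed requirements file exercising each condition the check looks for.
SAMPLE_REQUIREMENTS = """\
--extra-index-url https://pypi.example.internal/simple
requests==2.28.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-billing-core==1.4.0 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
acme_reports>=2.0
"""

# name, optional comparison operator, version; extras and markers are ignored
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?")


@dataclass(frozen=True)
class Finding:
    line_no: int   # physical line where the logical requirement starts
    package: str   # normalized name, or "" for an index option
    reason: str


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _logical_lines(text: str):
    """Yield (line_no, content), joining backslash continuations as pip does
    and stripping trailing comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(part for part in buf if part)
        if joined:
            yield start, joined
        buf, start = [], None
    if buf and any(buf):
        yield start, " ".join(part for part in buf if part)


def check_requirements(text, internal_packages, public_index_names):
    """Return findings describing dependency-confusion exposure in `text`."""
    internal = {normalize(n) for n in internal_packages}
    public = {normalize(n) for n in public_index_names}
    findings = []
    for no, line in _logical_lines(text):
        if line.startswith("--extra-index-url"):
            findings.append(Finding(no, "", "--extra-index-url lets pip fall back to the "
                                            "public index for any name the private one lacks; "
                                            "use --index-url for the private mirror instead"))
            continue
        if line.startswith("-"):
            continue  # other options such as -r or --index-url
        match = REQ_LINE.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        if name not in internal:
            continue  # public dependencies are out of scope for this check
        if name in public:
            findings.append(Finding(no, name, "internal package name also exists on the "
                                              "public index (collision)"))
        if match.group(2) != "==" or "--hash=" not in line:
            findings.append(Finding(no, name, "internal package is not pinned to an exact "
                                              "version with --hash"))
    return findings


if __name__ == "__main__":
    for finding in check_requirements(SAMPLE_REQUIREMENTS, INTERNAL_PACKAGES, PUBLIC_INDEX_NAMES):
        print(f"line {finding.line_no}: {finding.package or '(option)'}: {finding.reason}")
```

Run against the constructed sample it reports three findings: the `--extra-index-url` option, and two for `acme_reports`, which collides with a public name and is neither version-pinned nor hash-pinned. `acme-billing-core` passes because its exact pin and hash mean a same-named public upload could not be substituted silently.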

The post-pandemic era will reveal new risks: Cybersecurity will continue to be a top risk during and after the pandemic, but there are also new risks emerging such as business continuity, regulatory shifts and third-party oversight. A recent survey of internal audit leaders discovered that cybersecurity and data protection are the top risk for 90% of respondents. Remote operations increased the use of new technologies, but brought challenges to organizational relationships and retaining talent. There's also an increasing focus on third-party risks, environmental concerns and diversity, equity and inclusion (DEI). Internal auditors are responding to these challenges by increasing resources, which is expected to continue over the next few years.

Golang malware contains over 30 exploits: Millions of routers and IoT devices are potentially at risk from Golang malware, according to AT&T Alien Labs. The malware creates a backdoor that receives a target from a remote operator through port 19412 or from another module that's running on the same machine. To protect against these exploits, users should keep their software current with security updates and minimize internet exposure on Linux servers and IoT devices, while also using a properly configured firewall. It's also recommended to monitor network traffic and outbound port scans. Unreasonable bandwidth usage should also be examined.
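The monitoring advice in the summary above (watch network traffic, outbound port scans and unusual bandwidth) can be turned into simple detection logic. The Python below is an added example, not code from the article or from AT&T Alien Labs: it parses constructed outbound flow records in a `timestamp src dst dport bytes` format and raises alerts for three signals: any connection to port 19412 (the port named in the summary), one source probing many distinct ports on one destination, and one source sending more bytes than a threshold within the window. The log lines, addresses and both thresholds are constructed or assumed for the example and would need tuning against real flow data.

```python
"""Added example: detection rules over constructed outbound flow records.
Not from the article; every address, line and threshold below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

BACKDOOR_PORT = 19412              # port named in the article summary
SCAN_PORT_THRESHOLD = 10           # assumption: distinct ports to one host that count as a scan
BANDWIDTH_THRESHOLD = 50_000_000   # assumption: bytes per source per window considered excessive

# Constructed sample log: a normal host (10.0.0.5), a host contacting the backdoor
# port and then scanning a peer (10.0.0.7), a host pushing a large upload (10.0.0.9),
# and one malformed line the parser must tolerate.
_SCAN_PORTS = [21, 22, 23, 80, 443, 2323, 5555, 7547, 8080, 8443, 8888, 9000]
FLOW_LOG = "\n".join(
    [
        "2021-11-18T10:00:01 10.0.0.5 203.0.113.9 443 5120",
        "2021-11-18T10:00:02 10.0.0.5 203.0.113.9 443 4096",
        "2021-11-18T10:00:03 10.0.0.7 198.51.100.4 19412 300",
        "2021-11-18T10:00:10 10.0.0.9 203.0.113.50 80 90000000",
        "malformed line that the parser must skip",
    ]
    + [f"2021-11-18T10:00:{20 + i:02d} 10.0.0.7 198.51.100.21 {p} 60"
       for i, p in enumerate(_SCAN_PORTS)]
)


@dataclass(frozen=True)
class Alert:
    src: str
    kind: str     # "backdoor_port", "port_scan" or "bandwidth"
    detail: str


def parse_flows(text):
    """Parse 'ts src dst dport bytes' lines into tuples; malformed lines are skipped."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append((ts, src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def analyze_flows(text, scan_threshold=SCAN_PORT_THRESHOLD,
                  bandwidth_threshold=BANDWIDTH_THRESHOLD):
    """Apply the three rules to one window of flow records and return alerts."""
    alerts = []
    ports_per_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    bytes_per_src = defaultdict(int)    # src -> total bytes sent in the window
    for ts, src, dst, dport, nbytes in parse_flows(text):
        if dport == BACKDOOR_PORT:
            alerts.append(Alert(src, "backdoor_port", f"{ts} connection to {dst}:{dport}"))
        ports_per_pair[(src, dst)].add(dport)
        bytes_per_src[src] += nbytes
    for (src, dst), ports in sorted(ports_per_pair.items()):
        if len(ports) >= scan_threshold:
            alerts.append(Alert(src, "port_scan", f"{len(ports)} distinct ports probed on {dst}"))
    for src, total in sorted(bytes_per_src.items()):
        if total > bandwidth_threshold:
            alerts.append(Alert(src, "bandwidth", f"{total} bytes sent in window"))
    return alerts


if __name__ == "__main__":
    for alert in analyze_flows(FLOW_LOG):
        print(f"{alert.kind:14} {alert.src:10} {alert.detail}")
```

On the constructed log this yields one backdoor-port alert and one port-scan alert for 10.0.0.7 and one bandwidth alert for 10.0.0.9, while 10.0.0.5 stays quiet. The port-scan rule keys on the (source, destination) pair rather than the source alone so that a busy host talking to many services on many peers is not mistaken for a scanner.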

Outsourcing compliance can bring great rewards: Compliance departments are facing numerous external threats including bribery, climate change activism and cyberattacks, so it’s understandable that many are realizing the benefit of outsourcing certain duties. However, some are still wary that outsourcing compliance responsibilities is giving up control, but legal experts are quick to reassure this isn’t necessarily true. Compliance departments can have as much control as they want when it comes to outsourcing. One major benefit from outsourcing is the expertise that comes from a provider who understands regulatory changes. Compliance monitoring, reviewing sanctions and employee training are just a few examples of functions that can be outsourced. The ultimate goal is to take a strategic approach with a compliance partner so they can fill in the gaps on skills and expertise.

U.S. organizations are paying more for ransomware: According to a recent poll, the average ransom paid in the U.S. was a whopping $6.3 million, while the UK and Australia paid far less. The UK averaged $848,000 and Australia had an impressively low cost of only $59,000. Of course, paying the ransom was just one element of the financial and reputational risk. Many organizations also faced disruptions to their operations, as well as lost revenue and customers. Executives continue to be overconfident in their ability to defend against attacks, with 83% believing that they can retain their data without having to pay a ransom and 77% thinking that operations would return to normal within five days. While cybersecurity leaders might feel prepared to fight ransomware, they should continue to improve processes because cybercriminals show no signs of slowing down.

Recently Added Articles as of November 11

This week, the OCC is urging banks to review five climate related questions and small banks are asking Congress for help on addressing cybersecurity risk. The Department of Justice caught another Kaseya hacker. And, we often talk third-party risk, but fourth-party risks are gaining more attention. Other headlines include a stock app data breach and a spy campaign. Read on to learn more…

Enterprise risk to the Nth degree: As organizations continue to expand their third-party ecosystem, there’s one area that hasn’t always received proper attention. The risk of fourth parties, fifth parties and beyond can be categorized as “Nth party risk” which may be leaving some organizations vulnerable. A study revealed that almost 25% of the Nth-party ecosystem of Fortune 500 companies were at risk or had known vulnerabilities. To address these Nth-party risks, it’s important to prioritize visibility within your vendor inventory by having a good understanding of the volume of assets that are connected to your organization. Taking this first step will help quantify the exposure to Nth-party risks so you can work towards identifying and mitigating them.

Third-party risk management tips from a healthcare system: Third-party cybersecurity in the healthcare industry has been a trending topic in recent years, partly because of the increase in attacks and the industry’s struggles to keep up with security demands. Legacy systems and old medical devices that can’t be upgraded lead to unique risks that need to be addressed. At a basic level, a third-party risk management strategy should incorporate three aspects. First, organizations should have a strong process in place to onboard, assess and reassess their vendors. These steps will vary depending on the vendor’s risk level and their access to protected health information (PHI). Access management for employees and non-employees is another important component, especially as employees might be transferring within a hospital and require different accesses. Lastly, collaborating with vendors is a key factor to manage third-party risk. Employees should also be educated on cyber risks so they can differentiate between a secure system and a data breach.

Congress urged to help small banks with cybersecurity: Cyberattacks and data breaches pose a greater risk to community banks, minority lending institutions and credit unions, according to a group of experts who recently spoke to lawmakers. These smaller banks argue that Congress needs to address the gaps in data security laws that exempt retailers and other entities that handle financial information. While larger banks have the resources to protect against third-party cyber risk, smaller banks are left at a disadvantage and are unable to obtain the same level of protection. The House Financial Services Committee proposed three bills to address these issues. One bill would expand the Gramm-Leach-Bliley Act and allow the CFPB to enact and enforce rules that govern data aggregators and other financial institutions. The other two bills would regulate third-party vendors for credit unions and confirm that the CFPB is authorized to oversee credit rating companies.

7 million users exposed in stock trading app: An unidentified threat actor is responsible for the unauthorized access of personal information for about 7 million Robinhood customers. The stock trading and investing platform disclosed the breach early this week in a blog post and is in the process of notifying its affected users. The company also noted that the breach was the result of social engineering and didn’t appear to involve social security numbers, bank account numbers or debit card numbers. In response to the incident, Robinhood is recommending that users implement two-factor authentication on their accounts.

OCC urges banks to ask five climate related questions: Keeping with the increasing attention on environmental issues, the head of the OCC, Michael Hsu, laid out five climate questions that bank boards should be asking their senior management. The first question should simply be asking about overall exposure to climate change. Senior managers will have to develop a framework to answer this question, and boards should be pushing them to create scenario analyses. The second question relates to counterparties, sectors or locales that should receive increased attention, with a focus on physical and transition risks. Question three asks about carbon tax exposure and question four aims to assess data center vulnerability in terms of extreme weather. The final question should ask about ways in which banks can seize opportunities that come from climate change. Hsu stresses that being unprepared to identify climate change risks will put banks at a competitive disadvantage to their peers who are better prepared.

U.S. technology and defense at risk from spy campaign: The NSA and a California-based cybersecurity firm uncovered a campaign by foreign hackers which targeted organizations in technology, defense, energy, healthcare and education, both in the U.S. and in other countries. The firm stated that the campaign involved specific methods and tools that are often used by Emissary Panda, a Chinese hacking group that has ties to the nation’s government. The hackers were apparently motivated to steal credentials, maintain access and collect sensitive files to be used for exfiltration. More details on the attack can be found on a blog post by the cybersecurity firm Palo Alto Networks.

Kaseya hacker arrested and charged by the DOJ: A REvil ransomware partner from Ukraine has been arrested by the U.S. Department of Justice and charged for a number of offenses, including his involvement in the July attack on the Kaseya platform. The 22-year-old suspect is just one of seven REvil affiliates that have been arrested so far and he’s apparently been involved in about 2,500 attacks worldwide. Out of the $767 million in ransom he’s demanded over time, he only succeeded in obtaining about $2.3 million. In addition to this latest arrest, the DOJ also announced that it seized $6.1 million from another Russian REvil affiliate, although this hacker has yet to be detained.

IT leaders lack confidence in data breach mitigation capabilities: According to a study by Syntax, over half of the leaders in IT stated that they wouldn't be successful in mitigating a data breach or ransomware attack. Executives are overestimating their innovation capabilities, but aren't confident in defending against cybersecurity incidents. The same study also found that 94% of IT leaders were spending more on cloud technology because of the pandemic and the resulting shift to a hybrid work environment. Cyberattacks affected 81% of respondents, but only 60% felt prepared to handle a phishing attack, which was the most common type reported. Organizations are expected to face a shortage of skills in the new year and managed service providers (MSPs) will likely see the largest decrease in investment.

Fourth-party risk presents a growing challenge: Enterprise risk management encompasses threats from all areas of operations, including third parties, fourth parties and beyond. Fourth-party risk can essentially be defined as the risks associated with your third-party partners’ vendors, which are likely unseen to your organization. One important difference between third-party and fourth-party risks is the level of control that an organization has. Since your organization doesn’t have a direct contract with these fourth parties, it can’t always monitor these risks. Still, there are ways to ensure that all vendors maintain an appropriate level of data security. Organizations should understand the roles, functions and activities of their third parties that are required to perform their jobs. Least privilege access should be maintained and it’s important to review fourth-party cyber risks in SOC 1 and 2 certifications and the SSAE 18.

How to improve third-party access management: A concerning report by Ponemon Institute revealed that 65% of organizations don’t know which of their third parties have access to sensitive data. When over half of organizations have experienced a third-party data breach, this statistic proves there’s a need for change. An ad-hoc method of managing third-party access can cause confusion between departments and security issues in the future. Identity governance and access (IGA) is important to ensure that systems and applications are only accessed by the appropriate people and at the appropriate time. This concept incorporates the least privilege access model, which states that users should only have the minimum level of access that they need to perform their job duties. To successfully deploy IGA, organizations should prioritize automation, governance, identity lifecycle management and business alignment.

The growing risk of third-party corruption: Enforcement actions under the Foreign Corrupt Practices Act (FCPA) usually involve third-party misconduct, so it’s evident that third-party bribery risks continue to be a concern for organizations worldwide. The U.S. Department of Justice is also being more aggressive in pursuing Office of Foreign Assets Control (OFAC) violations involving third parties. Bribery and sanctions risks are basic compliance requirements that should be included in any third-party risk mitigation strategy. One notable example of these violations can be found in the 2018 Epsilon case, in which the organization was found to have had “reason to know” that its third party was intending to ship goods to the sanctioned country of Iran. The U.S. Court of Appeals stated that this “reason to know” requirement can be established through circumstantial evidence, and this principle was reaffirmed in another sanctions case that was resolved earlier this year.

Recently Added Articles as of November 4

November begins with China’s new Personal Information Protection Law, new activity from the SolarWinds hackers and the arrest of an international ransomware gang. A massive data breach exposed over 800 million “dummy” records and a federal court ruling in South Carolina is allowing consumers to take direct action against an organization’s vendor who suffered a breach. Read on to discover other headlines on privacy laws, modern slavery and cybersecurity stock.

Rise in ransomware attacks leads to cybersecurity stock growth: Gartner research has estimated that the cybersecurity market will grow to over $73 billion in 2021, so it’s understandable that cyber and information security are expected to be the top investments of 2022. Microsoft announced that its cybersecurity revenues top $10 billion annually as it continues to integrate more security tools into its Office 365 software. The ongoing pandemic and increase in remote working environments have led to a greater demand for security products that support remote employees. Understandably, the airline, hospitality and retail industries, which suffered during the pandemic, are expected to scale back on their security software spending. Artificial intelligence is also an emerging trend, used both by hackers and cybersecurity firms.

CISA orders clean-up of government cybersecurity: After two major hacks targeted the U.S. federal government over the past decade, CISA is stepping in with a new directive to address hundreds of software and hardware vulnerabilities. In the directive titled Reducing the Significant Risk of Known Exploited Vulnerabilities, the security agency calls for federal agencies to be more proactive in mitigating known vulnerabilities within specific timeframes. Over 18,000 vulnerabilities were identified in 2020, and organizations are struggling to remediate them because of limited resources. While the directive applies to government agencies, CISA encourages those in the private sector to remain aware of CISA’s public catalog.

Due diligence questions to ask software as a service (SaaS) providers: Millions of organizations are dependent on third-party SaaS providers which can often leave them vulnerable to data breaches. To better understand the security environment of a SaaS provider, it’s important to ask the right questions. Organizations should begin by asking what type of auditing is performed on the platform. Requesting a recent external security assessment is a good way to gain more insight into this process. Other questions regarding SOC 2 certifications, single vs. multitenant environments and right to audit are also worth considering.

Third-party risk assessments are a must for healthcare: As healthcare providers become more reliant on outsourcing critical operations, they’re also facing an increased risk of third-party cybersecurity incidents. To protect against these risks, it’s vital to assess the security practices of third-party vendors thoroughly and regularly. One area of struggle for organizations is the often time-consuming assessment process, especially since vendors should be assessed based on their risk level, and increased risk means a larger assessment. In other words, a critical vendor with access to a large amount of data will need to be assessed at a greater frequency and depth than a non-critical vendor that doesn’t have this same access. Risk assessments should be used to gain a better understanding of a vendor’s weaknesses, which will help the organization build a stronger cybersecurity program.

China’s data privacy law now in effect: November 1st marked the first day on which China’s Personal Information Protection Law (PIPL) was in force. The PIPL details the requirements under which data can be collected, used and stored and also includes data processing requirements for organizations outside of China. Multinational corporations (MNCs) that transfer personal information out of the country will be required to pass a security assessment given by state authorities as well as obtain data protection certification. The details of the security assessments remain unclear, and MNCs are encouraged to consider the impact of the PIPL on their IT infrastructure and any data processing activities.

Europol arrests 12 in a suspected ransomware gang: The suspected threat actors behind ransomware attacks on critical infrastructure worldwide have been arrested by Europol, the law enforcement agency of the European Union. The suspects were detained in Ukraine and Switzerland with help from other international authorities including Norway, France, the UK and the U.S. The hackers are believed to be responsible for attacks in 71 countries and to have used various methods, including phishing emails and SQL injection, to compromise networks. Some of the criminals would gain access and remain undetected for months while they looked for other weaknesses before deploying a ransomware attack.

Nobelium hacking group is now pursuing downstream vendors: The Russian hacking group behind the infamous SolarWinds attack is now setting its sights on resellers and managed service providers, according to a recent Microsoft alert. Nobelium is apparently trying to duplicate previous methods used in targeting global IT organizations (e.g., password spraying and phishing). Microsoft also released technical guidance that will be helpful for organizations in these vulnerable industries.

Feds warn against paying ransom in updated guidance: Making a ransomware payment could potentially violate OFAC regulations, according to the department’s Updated Advisory released in September. One of the top goals for the Biden Administration in fighting ransomware attacks is to disrupt the system that helps drive them. The advisory lists out mitigating factors that OFAC will consider before enforcing sanctions. The first is the extent of the organization’s compliance program and defensive actions against exposure risks. The second factor is how well the organization cooperates with officials after they suffer an attack. If an organization reports the attack quickly and cooperates with authorities, they’ll be less likely to face civil penalties. The advisory also provides tips for preventing an attack, such as regularly testing backups and maintaining an incident response plan. If an attack occurs, the organization should follow CISA guidelines which include isolating the impacted systems and notifying affected individuals.

Vendor faces negligence claims directly from customers: A federal court in South Carolina gave the green light for a group of consumers to file claims against their organization’s vendor, which suffered a breach in 2020. The complaint alleges that data collection and maintenance provider Blackbaud didn’t comply with regulatory standards after being subject to a two-part ransomware attack in which social security numbers and bank account information were compromised. Blackbaud initially told the consumers that this information wasn’t affected and supposedly neglected to implement security measures to mitigate cybersecurity risk. A key takeaway from the court’s decision is that cybersecurity insurance may become more difficult and expensive to obtain if consumers can sue vendors with which they have no direct contract.

Preparing your third-party network for modern slavery legislation: Modern slavery continues to be a growing concern among countries around the world. It’s only a matter of time before more legislation is introduced to eliminate this human exploitation in supply chains. Private organizations in places like Germany, the UK and California are already required to report on how they audit their third-party vendors for slavery risks. The EU, Canada and Hong Kong are expected to introduce their own laws soon. To prepare for the introduction of such laws, organizations should focus on continuous improvement. Begin with establishing a team to understand modern slavery legislation and then move on to creating a framework with appropriate policies and procedures. Within a supplier environment, obtain vendors’ codes of conduct and include specific modern slavery language in contracts.

Data breach exposes over 800 million dummy records: A security researcher discovered the unsecured database of MIT’s Medical Information Mart of Intensive Care system, which fortunately was simply a test environment that didn’t contain any real patient data. The database included nearly 900 million records that were divided into categories such as document type, patient ID, doctor notes and dates of service. The researcher stated that the database was at risk of a ransomware attack and open to anyone with an internet connection. Deep 6 AI was notified of the unsecured database and then took action to secure it. They released a statement to emphasize that no real patient records were exposed.

Guide to acceptable use policies: For customers reviewing an acceptable use policy (AUP), there are certain items to consider. To begin, AUPs can be defined as a set of service provider guidelines that state how their technology can be used. Customers should understand whether the technology’s use rights align with how their organization intends to use it. Also, consider whether there’s a requirement to implement certain security procedures and if a breach of the AUP results in suspension or termination of access. To find the AUP, look within the body of the services agreement or on the service provider’s website. However, beware that an online AUP can change at any time without your consent or knowledge. It’s important to either request that the terms be moved to the agreement or add a provision that prohibits the provider from updating the AUP during the contract term.

How automakers benefit from weak privacy laws: As vehicles become more connected, automakers are able to collect tons of data related to drivers’ locations, abilities and even entertainment preferences and voice requests. Certain third parties, like insurance companies, are seeing the benefit of buying this data, as they can better customize their services. Some legal experts have expressed concern at the lack of transparency required of automakers collecting this data. For example, auto manufacturers will usually be open about the type of information they’re collecting, but there’s no standard for how long they keep it. The California Consumer Privacy Act gives drivers some insight into how their information is used, but the U.S. still lacks a federal law that would govern these apparently deceptive and unfair practices around consumer privacy.
