November 2022 Vendor Management News

Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.

Recently Added Articles as of November 24

As we enter the holiday season, we’re looking at new methods hackers are using to target potential victims. Even in times of giving and hospitality, it’s important to stay vigilant as malicious actors exploit time off. As the oil and gas industry is urged to improve security, it’s important to understand how third-party risk management can help improve security against supply chain risks. Don’t miss out on this week’s industry news!

Application vulnerabilities may create increased risks amid holiday sales: As customers rush to online retail and hospitality applications for holiday sales, a new report shows that nearly three-quarters of these applications contain insufficient security controls. These flaws could create issues for retailers and ecommerce sites by allowing hackers access to privileged networks and information. With the rising threat of cyberattacks and data breaches, organizations should ensure their security to protect against threats to their reputation, sensitive information, and operations. Retailers are urged to take proactive steps to assess their applications for any weaknesses that could leave them vulnerable to attacks from malicious actors.

New technology gives hackers access to better data-stealing features: With the rise of new technology, hackers are developing more sophisticated ways to steal sensitive information. This includes the implementation of information-stealing features which can extract data from apps and browsers. One such software, named Aurora, is not easily detectable and contains a wide array of functions that hackers can use to steal their victim’s data. Resources are working to compile the websites that are used to distribute Aurora as well as the indicators that show that your device has been compromised.

Malicious actors steal authentication tokes to bypass MFA tools: Researchers with Microsoft have warned that hackers are stealing authentication tokens that are used by multifactor authentication (MFA) tools. With these tokens, the malicious actors can bypass MFA tools and gain access to privileged accounts and information. As this type of attack can be difficult to detect, you should ensure that your security processes utilize endpoint detection and proper controls to identify and address malicious activities.

Cybersecurity experts look for new platform to share information: In the wake of sweeping changes at Twitter over the past several weeks, many organizations have left the platform, causing cybersecurity professionals to question where they should share information and industry news. While Twitter has acted as an aggregator of information in the past, where organizations can share news of recent cyber incidents, massive changes have damaged the credibility of information shared on the platform. Organizations wanting to maintain credibility have continued to distribute information through press releases and SEC filings.

Malware attack uses Google ads to deploy ransomware: Researchers have been tracking a series of attacks, named DEV-0569, which utilize Google ads to target victims. After the target clicks an infected link, ransomware is downloaded onto their device. Users should be cautious of clicking on unknown links and ads.

Hackers take advantage of holidays to launch cyberattacks: With the holiday season upon us, it’s important to remain vigilant and to maintain cybersecurity best practices. Though this time of year is one for relaxation and taking time off, experts caution organizations to stay updated on their security as hackers take advantage of lowered attentiveness to deploy large-scale attacks. Surveys show that, during holidays, organizations take longer to identify and respond to attacks such as data breaches and ransomware. As the threat of ransomware attacks and third-party data breaches continues to grow, you should continually assess your organization for vulnerabilities and assess for any suspicious activity.

Experts caution oil and gas industry of potential cyberattack: Over the past several months, focus has turned to the security of critical infrastructure in the wake of cyber threats. Recently, regulators and lawmakers are urging the offshore oil and gas industry to improve security measures and technology to protect against the potential of a major attack. Though officials in the industry have been aware of the mounting threat for years, there have not been any sufficient changes made yet, leaving behind an increased risk of disruptions to the U.S.’s fuel supply.

Increased third-party reliance creates greater risks for many organizations: Recent surveys have highlighted that, while many organizations have continued to expand their vendor inventory and reliance on third-party products and services, a high percentage of those organizations are facing higher risks caused by their supply chain and vendors. As the number of third-party data breaches and incidents continues to rise, it’s important to implement third-party risk management strategies to protect your organization from these risks. To manage the risks presented by a growing supply chain, your organization should take proactive steps to improve your practices and third-party risk management program maturity.

The role of security questionnaires for third-party risk management: When dealing with your vendors, it’s critical to understand the risks they pose to your organization. Security questionnaires are a valuable tool to help your team assess your vendor’s risk posture and how well the vendor’s controls can protect your sensitive data. As a best practice for third-party risk management, you should request a security questionnaire from a vendor before entering a contract relationship. Topics to include in a thorough questionnaire may include security compliance, risk management plans, security controls, and security procedures.

How school districts can implement third-party risk management practices: For many school districts, new technology has been introduced into the way students are taught. However, this can create security concerns resulting from threats such as data breaches and exposure to inappropriate applications. As risks continue to grow and change, it’s important for school districts to implement the proper controls and practices to protect against malicious actors, legal risks, reputational damages, and operational disruptions. These practices include requesting vendor assessments, performing ongoing monitoring, and integrating automated controls to assess vendors.

Recently Added Articles as of November 17

This week, experts discuss why hackers target small and mid-sized organizations as well as security best practices your organization should implement. To protect your sensitive data, it’s important to improve cybersecurity measures, assess your vendors for any security gaps, and gain a deeper understanding into supply chain risks. Meanwhile, the SEC updates its electronic recordkeeping requirements. Be sure to check out this week’s news below!

Experts discover malware targeting game servers: Cybersecurity experts have identified malware deployed to target game servers. This malware, called RapperBot, utilizes Distributed Denial of Service (DDoS) attacks against servers that run a version of Grand Theft Auto. When infected, the malware breaches the device and gains access to its credentials. Users should ensure that they're continuing to practice security best practices and know how to identify suspicious activity.

University of Miami Health System improves self-distribution: By opening a new distribution center, University of Miami Health Systems aims to improve self-distribution and supply chain resiliency. In the wake of supply chain challenges and other incidents, the organization will have an inventory of select items available to meet their needs.

Cyber insurance providers look to stabilize amid ransomware concerns: As the number of ransomware attacks continues to rise, many organizations seek to implement proactive cybersecurity measures, such as cyber insurance. However, the demand has made it difficult for many organizations to buy cyber insurance because of high premiums and inflexible plans. Recently, providers have stated that the industry is improving as premiums are rising at a slower rate and organizations work harder to improve their cybersecurity measures. While malicious actors continue to threaten organizations from all industries and sizes, it’s important for cyber insurance providers to become more flexible in assessing risk, so that organizations will be able to better protect against ransomware attacks.

New studies highlight application vulnerabilities and supply chain risks: According to several new studies, the majority of applications contain at least one security gap or vulnerability. Experts suggest using multiple tools when analyzing the applications, coding, and software that your team uses, to ensure that you can identify and address any present risks. It’s important to ensure that you use penetrating testing to see how well your security tools work and to find any weak points in your system. Additionally, it’s necessary to assess your vendor’s security practices and check open-source code for vulnerabilities. The supply chain continues to pose many severe risks, so it’s essential to address any potential risks before an incident occurs.

Hacker group impersonates well-known brands: A malicious group of actors have launched a large-scale traffic generation scheme by impersonating thousands of well-known brands. The group, known as Fangxiao, is working to generate ad revenue for their own websites. The brands they’ve impersonated include McDonalds, Knorr, Coca-Cola. To protect yourself from this scheme, you should be wary of any suspicious websites, unsolicited messages, or unfamiliar links.

The FTC focuses on Twitter following concerns of compliance violations: A spokesperson for the Federal Trade Commission (FTC) stated that the agency is assessing Twitter, following the departure of several employees responsible for security and compliance. Twitter’s security team handled third-party risk management activities and worked with advertisers. While employees at Twitter have expressed their concerns of backlash for potential violations, lawyers have stated that it’s the company’s responsibility to maintain compliance.

Cybersecurity best practices for small and mid-sized organizations: In today’s threat landscape, no organization is safe from cyberattacks. However, many small and mid-sized organizations are at increased risk of attack because of their limited resources and security. To begin taking steps to protect against common incidents such as supply chain attacks, phishing, software vulnerabilities, and compromised credentials, your organization should implement cybersecurity best practices such as using multifactor authentication tools and strong passwords, training your employees to identify scams, deploying incident response tools and threat detection software, and encrypting your sensitive data.

Microsoft released a series of patches to address vulnerabilities: Microsoft has released several security updates and patches to fix identified vulnerabilities in its software. These vulnerabilities included zero-day vulnerabilities and actively exploited security gaps. If you use Microsoft, you should update your systems to ensure that the patches are integrated.

Using third-party risk management to manage cyber risks: When onboarding a new vendor or assessing an existing vendor, it’s important to gain a deep understanding of the vendor’s cyber risk posture so that you can best identify the ways to mitigate the risks that may threaten your organization’s security and sensitive information. You should ensure that the vendor’s security policies and controls align with your organization’s standards and comply with regulatory requirements. Along with looking at the vendor’s security controls, data breach notification policy, and data retention plans, you should assess your vendor’s subcontractors (your vendor’s vendors) and set a liability cap in case an incident occurs.

SEC implements updates to electronic recordkeeping requirements: The SEC recently released its updated amendments to its electronic recordkeeping requirements, which were first released in 1997. These amendments seek to improve and modernize the ways that brokers-dealers, security-based swap dealers, and major security-based swap participants store records and use technology. Among these amendments are new rules that require eligible parties to use the WORM format for storing records and provisions that give the SEC increased oversight into the records that third parties have access to.

Understanding third-party cyber risks: While outsourcing goods and services from third-party vendors is essential for many organizations to maintain operations and perform basic daily functions, it’s important to understand the cyber risks that third-party relationships can pose and how your can work to manage these risks. When assessing your new or existing vendors, you should examine their penetrating testing results and ransomware simulations, how well their employees are trained in security awareness, and how often the vendor updates their software and checks their networks for malware. As many hackers target the supply chain and third-party vendors, it’s important to verify whether your vendors can protect your sensitive information.

Recently Added Articles as of November 10

This week, we’re looking at several different cyberattacks, from a third-party data breach targeting a healthcare provider to ransomware and email scams. Meanwhile, the FBI comments on the minor disruptions caused by DDoS attacks and NIST focuses on improving cybersecurity in the water industry. Finally, experts suggest staying updated on third-party risk management best practices to maintain compliance and to identify risks in your supply chain. Don’t miss out!

Medibank suffers ransomware attack: Medibank, an Australian health insurance provider, became the victim of a ransomware attack in which hackers gained access to sensitive customer data including names, medical claims information, and passport numbers. Medibank refused to pay the ransom, stating that payment doesn’t guarantee that the hackers would return the stolen information. Customers affected by the data breach are urged to stay aware of attempted phishing attacks and financial fraud and should implement new passwords and multifactor authentication to protect their other accounts.

Best practices for picking a UCaaS vendor: Unified Communications as a Service (UCaaS) tools area great way for organizations to improve efficiency, privacy, and compliance. However, when selecting a UCaaS vendor, it’s important to ensure that you’re picking the right option for your needs and organization. You should choose a vendor that can comply with your industry-specific regulations, understand risks that could result from remote employees, use end-to-end encryption software and secure hardware, invest in advanced security tools, and utilize specialized experts.

Experts identified malware that deploys ransomware on compromised devices: Researchers have found that Amadey malware has been used to deploy ransomware through compromised Microsoft Word files and false Word icons on infected devices. Using this malware, hackers can steal the user’s sensitive information and upload other viruses. Users are urged to exercise caution when downloading unknown files.

The importance of vetting fourth parties and cyber resilience: As organizations have continued to branch out and outsource products and services, you need to be aware of your vendor’s third parties, and the ways that your fourth parties can impact your organization. In some cases, your third party’s vendors may be essential to your own organization’s operations. It’s important to consider how well your vendors can maintain operations and to understand your organization’s resiliency if one of your vendors, or their vendors, were to fail. As risks continue to evolve, and relationships become more complex, your third-party risk management team should assess your fourth parties for potential risks that could harm your vendors and your organization, too.

Third-party data breach targets St. Luke Health: St. Luke’s Health suffered a third-party data breach after one of its vendors was targeted by a ransomware attack. At first, investigators didn’t believe that St. Luke’s information was affected during the breach, but further research found that customer information such as medical record numbers, diagnosis codes, and more was compromised. As the number of cyberattacks continues to grow and hackers continue to target third-party vulnerabilities, it’s essential to protect your sensitive information, assess your vendor’s controls and incident response plans, and implement zero trust models.

Using third-party risk management to mitigate cyber risk: For organizations that outsource products and services to third-party vendors, it’s essential to implement effective third-party risk management strategies to protect against risks. Where should you begin? Third-party risk management requires the participation of many departments and stakeholders to develop procedures for identifying and mitigating risks. Your team should engage with your vendors by asking specific questions and verifying the controls responsible for protecting your organization. Especially when dealing with vendors that have access to your sensitive data, you can’t be too careful, and using third-party risk management to vet your vendors is a must.

Hackers develop new gift card and email scams: Hackers are continuing to develop new social engineering attacks, including gift card scams that target employees. In these scams, the hackers impersonate a boss or manager and reach out to an employee with an email asking the employee to purchase gift cards. The employee is then asked to send the card numbers through email and the hacker will use the codes to resell the cards or buy cryptocurrency or goods for resale. Another scam targets customers, in which the malicious actor pretends to be a lawyer reaching out about an overdue payment. The hacker will send a phony invoice to scam the customer out of their money. With these methods, it’s important to educate your employees on the best ways to identify and report suspicious activity and potential scams.

SEC develops new legislation to regulate key areas of the market: As discussed last week, the Securities and Exchange Commission has been working to regulate the market through proposed legislation regarding “clawbacks” and investment advisor activity. In addition, the SEC is moving towards monitoring ESG compliance, insider trading, and ephemeral messaging. Statements from the SEC suggest that they'll be amending rules and using historical actions to oversee ESG compliance. Meanwhile, the SEC is working to expand its insider trading policies and has responded to calls to penalize companies for using ephemeral messaging. Your organization should check your policies and procedures to ensure compliance with updated regulations and industry requirements.

NIST focuses on improving the water industry’s cybersecurity: Following recent cyberattacks targeting key infrastructure, the National Institute of Standards and Technology (NIST) has announced that it’s turning its focus on improving the water industry’s cybersecurity measures. The plans include projects to secure remote access and network segmentation to tighten security and protect against malicious actors. NIST is currently accepting comments on the plans from stakeholders in the water industry.

Guilty charges highlight the importance of following cybersecurity regulations: Following the conviction of Uber’s ex-Chief Information Security Officer for failing to report a cybersecurity incident, the industry is looking for ways to avoid making the same errors. To protect your organization and sensitive data from hackers, you should have robust incident response policies and plans in place to quickly identify and mitigate the impact of a cybersecurity incident. In addition, you should implement procedures that will allow your employees the ability to report any suspicious, illegal, or unethical activity, which can help protect both your employees and senior management from wrongdoings.

FBI says that DDoS attacks cause minor disruptions on U.S. infrastructure: Hackers have been targeting companies in the U.S.’s key infrastructure with denial-of-service (DDoS) attacks, but the FBI has stated that these attacks create only minor disruptions. These attacks often target public facing companies such as financial institutions, medical providers, airports, and government, but have only limited success rates. Officials state that these attacks have greater psychological impact as opposed to operational disruptions. The FBI, CISA, and MS-ISAC have released information on best practices for mitigating the risk of DDoS attacks.

Understanding the impact of the California Privacy Rights Act (CPRA): As new updates to the California Privacy Protection Act are set to go into effect at the start of the new year, you should determine whether your organization will need to comply. With the new updates, organizations subject to the legislation will be required to process employees' and business partners' data like consumer data. This means that employee and job applicant data will fall under the CPRA and your organization may need to update policies related to business to business  information and service agreements with third-party human resources software providers before the updates go into effect in January.

Recently Added Articles as of November 3

It's a new month with a lot of third-party risk related articles to kick it off! Regulators are working to protect consumer interests and data privacy through new rules and proposed amendments. Meanwhile, as malicious actors continue to target third-party vulnerabilities, experts suggest best practices for organizations to bolster cybersecurity measures moving into the new year. Be sure to check out all this week’s news!

How to detect open source vulnerabilities: Open source vulnerabilities are difficult to detect, with statistics showing that it takes an average of 800 days to identify a security gap. These weaknesses can be exploited by malicious actors and cause serious problems for organizations that use the software. If your organization uses open source code, it’s important to stay vigilant for any potential weaknesses and to perform ongoing monitoring activities to check for any vulnerabilities in your servers. Other solutions include investing in tools that are built to detect open source vulnerabilities.

Chegg faces allegations from the FTC following a series of data breaches: After suffering four data breaches over the past several years, the Federal Trade commission is taking legal action against EdTech player, Chegg, alleging that the company has failed to protect its customers and their sensitive data. As part of the FTC’s mission to protect consumer data, the FTC has proposed guidelines for Chegg to follow, which include offering multifactor authentication tools to customers and employees and giving customers access to the information that Chegg has collected about them. Meanwhile, Chegg has stated that it’s committed to protecting its data and customers.

CFPB instructs consumer reporting agencies to eliminate false information: The Consumer Financial Protection Bureau  has put out a statement to instruct consumer reporting agencies (CRAs) to eliminate false information from credit reports. In a statement, the CFPB highlights that false information can cause serious consequences for customers, so CRAs should create and implement procedures for detecting and eliminating incorrect data.

U.S. Bank suffers from a third-party data breach: U.S. Bank recently suffered a third-party data breach, in which one of its vendors accidentally leaked customer information. The compromised data includes names, Social Security numbers, addresses, and closed account numbers. Approximately 11,000 customers were affected during the third-party data breach, and U.S. Bank has been working to notify customers who had their information exposed.

Healthcare medical device manufacturers to take proactive approach to security: When it comes to security, many organizations have taken a reactive approach with a focus on recovery following an incident. However, the increase in cyberattacks targeting the healthcare industry has encouraged medical device manufacturers to take a more proactive approach to improve security protocols. For many providers, this should include third-party risk management activities, as a recent study found that many manufacturers don’t perform vendor risk assessments. To help these organizations improve their processes, experts are working to develop security metrics, guidelines, and benchmarks to show where improvements are necessary.

How AI impacts the UK’s Consumer Duty regulations: As technology evolves, it’s important to look at how previous regulations and guidelines are impacted and informed by the technology. With the rise of artificial intelligence (AI) in the financial industry, the UK’s Consumer Duty regulations seeks to ensure the protection of consumers. When properly used, AI can be beneficial for all parties, but it’s critical to carefully assess and examine the use of new technologies to maintain compliance and ensure that the necessary controls are in place to protect consumer interests.

Google released a patch for exploited vulnerability: After a zero-day vulnerability in Google Chrome was detected, Google released an emergency patch. The vulnerability, CVE-2022-3723, was actively exploited by malicious actors, so users should update their browsers to implement the patch.

Cybersecurity best practices for the new year: Going into 2023, your organization should continue to stay updated on best practices for cybersecurity. As hackers continue to develop sophisticated methods for stealing data, it's critical to understand what you should do to protect your organization from security risks. Educating your employees on how to identify and report suspicious activity, such as phishing, and addressing vulnerabilities in your supply chain, are only two ways that can you work to improve your organization’s cybersecurity practices. Other methods such as a cybersecurity mesh can also protect your organization from cloud technology risks and other emerging threats.

SEC requires companies to develop and implement “clawback” policies: In a recent vote, the Securities and Exchange Commission decided to adopt rules regarding “clawback” policies that deal with incentive-based compensation. Under the new rule, the SEC will require companies to follow standards for creating, implementing, and reporting clawbacks with the aim of recovering compensation given to executive officers as the result of erroneous financial reports. The detailed provisions explain the executive officers that are held accountable, how to disclose restatements, and the types of compensation that are applicable. Organizations that report to SEC should be sure to stay updated on these new requirements.

SEC’s new proposal requires investment advisors to perform vendor due diligence and ongoing monitoring: The SEC has released a newly proposed rule, which would prohibit investment advisors from outsourcing select products and services without performing ongoing monitoring and due diligence activities on their third-party vendors. If an investment advisor outsources without performing effective oversight, their customers could face harmful consequences. The SEC says that the proposal will hold investment advisors responsible for their obligations to their customers and will ensure that the vendors comply with federal regulations.

Using third-party risk management to address emerging threats: Experts say that relationships between organizations and their third parties are becoming more complicated. Fourth-party relationships, increased access to private data and privileged networks, and partnerships with immature vendors create new risks for organizations who continue to broaden their vendor inventory to outsource key products and services. These threats can create severe risks for organizations, if left unmanaged. Third-party risk management activities are critical to maintain your organization’s reputation, operations, and financials. Experts suggest using ongoing monitoring and thorough risk assessments to ensure that you can identify and address any risks that could threaten your organization’s security, compliance, or trust in your vendors.

FTC is urged to regulate health apps and preserve data privacy: The College of Healthcare Information Management Executives (CHIME) has urged the FTC to begin overseeing health apps and to hold them accountable for misusing consumer data. Experts with CHIME have called to the FTC’s authority to regulate health information as its governance will preserve data privacy and hold malicious actors accountable if they're found engaging in dubious practices.

Third-party data breaches threaten healthcare organizations: As many healthcare organizations have expressed their concerns over the increasing number of third-party data breaches targeting the industry, it’s imperative for these organizations to strengthen their cybersecurity and third-party risk management strategies. Third-party risk management activities are key to identifying and mitigating the risks that can threaten your organization’s data privacy and security. To defend your organization and customers from malicious actors, your third-party risk management team should communicate your third-party risk management policies and requirements with your vendors, implement business continuity and disaster recovery plans, and integrate cyber insurance and controls, especially when dealing with critical or high-risk vendors.

Understanding the risks in bank-fintech relationships: Over the past several weeks, we’ve covered comments surrounding the OCC’s increased scrutiny of bank-fintech relationships. As banking-as-a-service (BaaS) continues to grow, lawmakers have turned their focus to understanding the best ways to regulate these partnerships. Questions concerning who holds responsibility following potential incidents, the best ways to protect customers, and how to preserve data privacy will need to be answered soon, especially as the BaaS model is projected to grow exponentially over the next several years. Banks should look towards third-party risk management best practices to mitigate potential risks and stay updated on emerging regulations to ensure that their fintech partners comply.