
Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of November 23
What is 2024 going to look like? Well, it’ll certainly be focused on compliance as new third-party risk management guidelines are released and organizations prepare for pending AI regulations. And it’s important to evaluate third-party providers to protect your organization. Before you fill up with all the Thanksgiving food, be sure to check out this week’s news!
Mitigating third-party AI risk with due diligence: As artificial intelligence (AI) continues to gain steam, organizations must be aware of the risks posed by third-party vendors that use or develop AI services. Those risks include disputes over ownership of AI output, inaccurate answers, noncompliance with laws and regulations, and breaches of sensitive data. Organizations should adopt an AI framework to ensure the correct safeguards are in place, and perform due diligence on the third party's data security and privacy practices, training data, AI development policies and procedures, and compliance. AI-specific risk questionnaires for third parties are helpful, too. Remember that risks change, so continuously monitor your third parties' AI usage and products.
Remaining cybersecurity compliant in the healthcare industry: It’s extremely important for healthcare organizations to follow cybersecurity and privacy regulations to protect patient data, but these complex regulations can be difficult to understand and follow. There are often misconceptions about whom HIPAA applies to: health plans, healthcare clearinghouses, and healthcare providers, plus any business associates that receive protected health information. Only a small number of digital health apps fall under HIPAA; most are regulated by the FTC instead. State privacy laws, including breach notification laws, may also apply to healthcare. Healthcare organizations should stay aware of new or updated regulations and ensure their response plans satisfy the various laws and regulations that apply to them. These plans should address not just compliance but also preparation for operational disruptions.
MOVEit impact continues to spread: Even though the MOVEit breaches happened in May, the victim count is still rising. Another 4.5 million people’s data has been impacted, bringing the total to 77 million. At least 2,618 organizations have been affected, and that number could continue to rise. This comes as several healthcare organizations reported new breaches. The state of Maine reported that 1.3 million residents’ data was stolen, almost equal to Maine’s entire population. Progress Software, which makes MOVEit, is facing a class action lawsuit along with federal and state investigations.
Forrester urges organizations to focus on third-party risk management in 2024 predictions: What will the 2024 risk landscape look like after a year of new technology and innovation? Forrester has predicted that at least three data breaches will be blamed on AI-generated code and that an app built on ChatGPT will be fined for mishandling personally identifiable information (PII). Some of these risks may be introduced by a third-party provider, so organizations must identify them and double down on third-party risk management in 2024. Forrester also predicted that 90% of data breaches will include a human element, so organizations should focus on training and awareness in 2024.
A guide to evaluating third-party SSE platforms: Security Service Edge (SSE) platforms can help protect against supply chain attacks, which multiply with each new third-party service added. However, SSE platforms are themselves third parties and need to be assessed for risk, so that informed business decisions can be made and the right controls put in place. Organizations should check an SSE platform’s compliance with applicable regulations, like GDPR and HIPAA, and evaluate the platform’s reputation and its formal incident response plan and procedures. Data security is critical for SSE platforms, so check for strong access controls and backup protocols. Put service level agreements in place to safeguard your organization, and confirm the SSE provider has a process for addressing vulnerabilities.
Tips for evaluating software vendors: As the software supply chain becomes more complex and riskier, it’s important to assess and monitor vendor cybersecurity practices. A software vendor should hold recognized security attestations, such as ISO 27001 certification or a SOC 2 report. Vendors should have security policies and procedures in place and be transparent about them. Incident response plans are also important, and should include business continuity provisions and specific procedures. Keep these things in mind while evaluating software vendors, and consider the metrics that matter to your organization.
Morgan Stanley fined and ordered to maintain a vendor risk assessment team: Morgan Stanley will pay $6.5 million across six states after an investigation into the exposure of millions of customers’ information. The firm allegedly failed to properly decommission computers and erase unencrypted data on devices it later sold. The investigation found that Morgan Stanley failed to maintain vendor controls and hardware inventories. Morgan Stanley was ordered to maintain a vendor risk assessment team and strengthen its data security practices.
CISA adds three new vulnerabilities to its catalog: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, meaning each has evidence of active exploitation: Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability, Sophos Web Appliance Command Injection Vulnerability, and Oracle Fusion Middleware Unspecified Vulnerability. The agency urged organizations to apply the vendors’ updates and patches.
SEC requires third-party policies for clearing houses: The SEC has finalized its rules for clearing house governance and use of third-party providers by central counterparties (CCPs). CCPs will have to ensure that outsourced services don’t increase risks for the clearing house, its members, and their customers. Clearing houses will have to establish policies for usage of third-party providers.
New ransomware could pose threat to healthcare organizations: The healthcare industry is being warned of another ransomware threat targeting the sector. BlackSuit ransomware, which resembles another ransomware family that has already wreaked havoc, targets both Linux and Windows systems. The group is new, so little is known about it yet, but it has focused on industries like manufacturing, healthcare, business technology, and government. Organizations must remain aware and apply safeguards to protect data.
Survey finds gaps in Australian supply chain cybersecurity: Australian organizations have major cybersecurity risk management gaps, according to a new survey from top regulator Australian Securities and Investments Commission (ASIC). Small organizations lagged in supply chain risk management, but 69% overall indicated low or no capabilities in supply chain and third-party risk management. Fifty-eight percent (58%) don’t test critical third parties’ cybersecurity incident response plans. ASIC expects organizations to have oversight of supply chain cybersecurity risks.
Credit card skimming is likely to rise with holiday sales: As Black Friday and Cyber Monday approach, an anti-malware provider is warning about credit card skimming, which is expected to rise over the next few weeks. One particular campaign has picked up pace. It uses web skimming techniques to harvest customer details and credit card information from the websites shoppers enter them into.
NYDFS releases new cybersecurity requirements: The New York State Department of Financial Services amended its cybersecurity regulations. Reportable cybersecurity incidents now include those of third-party service providers and covered entities must implement access and risk-based controls. Senior governing bodies must oversee the cybersecurity risk management program, including understanding cybersecurity matters and regularly reviewing management reports. Organizations will have until April 2024 to comply with the new requirements. However, the cybersecurity incident notification requirements take effect on December 1, 2023.
Retail Payment Activities Act finalized in Canada, including third-party guidance: Canada has finalized the regulations under its Retail Payment Activities Act for payment service providers. They require a risk management framework that is approved by the board of directors and tested. When a payment service provider uses a third-party provider, it must have policies and procedures for oversight of those third parties. These requirements are prescriptive rather than risk-based. Payment service providers must assess their ability to manage third-party operational risks, and re-assess once a year and before entering into, renewing, extending, or substantially changing a contract with a third party.
Organizations brace for passage of EU’s AI regulations: The European Union (EU) has introduced the first comprehensive artificial intelligence (AI) legislation, and if adopted it will impact organizations everywhere. The final text could be agreed upon before the end of 2023. Most of the requirements fall on the providers that develop AI systems, which could include organizations that use third parties to develop AI. The law would also regulate organizations that import AI systems into the EU or distribute systems developed by another organization, and some users would have to be transparent about generative AI content. The proposed law takes a risk-based approach, so high-risk AI systems face the strictest requirements: a risk management system, data governance practices, and human oversight. Organizations should anticipate risk assessments and data governance for AI and prepare as needed.
Federal agencies warn organizations of a new ransomware threat: Federal agencies issued a cybersecurity advisory on a ransomware threat called Rhysida. The agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), urged organizations to follow cybersecurity best practices. Rhysida uses phishing attacks to gain network access and has targeted industries like healthcare, education, manufacturing, and government.
Looking ahead to the AI regulatory landscape in 2024: 2024 will likely be a big regulatory year for artificial intelligence (AI), and there are already several big dates coming in the U.S. In February, guidance for patent examiners in the Patent and Trademark Office will be released. In March, a public report on best practices for managing AI-related cybersecurity risks for financial institutions is scheduled to be released by the Secretary of the Treasury. Then, in April, best practices for employers to mitigate AI-related harms to employees will be released. Finally, in July, guidelines and best practices for developing safe and secure AI systems are scheduled to be released. These releases could have significant impacts on AI’s future landscape, and organizations should prepare for the compliance considerations.
Former FDIC chair expresses concern over interagency guidance released this summer: A former regulator is expressing worry over the third-party guidance regulators released over the summer, particularly its impact on fintech partnerships. Former FDIC chair Jelena McWilliams said regulators don’t want to see banking as a service (BaaS) relationships thrive. The former chair said the guidance doesn’t give banks enough information to know where the line is for third-party relationships. The worry is that banks, particularly smaller banks, will choose to forego third-party relationships altogether because there isn’t specific compliance information.
CFPB fines online lender for shady borrowing practices: The CFPB fined online lender Enova $15 million for withdrawing funds without borrowers’ consent, canceling loan extensions, deceiving borrowers, and failing to provide consumers with copies of signed authorization. The CFPB took action against Enova in 2019, but it has failed to comply since. Enova will now be required to stop offering some short-term loans, reform executive compensation, and provide redress to consumers.
Recently Added Articles as of November 16
This week’s headlines saw several large third-party data breaches and ransomware attacks, emphasizing the importance of third-party cybersecurity and assessing software and technology vendors. On top of this, regulators are making cybersecurity a top priority, so it’s important to be prepared. Check out all of this week’s news below!
New York governor proposes hospital cybersecurity requirements: After several cyberattacks at New York hospitals, the governor is proposing new cybersecurity rules. They would require New York hospitals to establish cybersecurity programs, assess cybersecurity risks, and implement protective controls. Incident response plans would also be required, including testing of the plan. Hospitals that use software applications would have to document secure practices for keeping those systems safe. The New York governor’s budget for next year includes funding for hospitals to upgrade systems. The proposed rules will have to pass through the council and have a 60-day comment period.
Make continuous monitoring a cybersecurity priority: Continuous security monitoring can help protect against the growing threat of data breaches. This includes conducting risk-based vulnerability management across your organization’s network, including with third-party vendors, and external attack surface management to monitor external exposure and threats. Continuous monitoring grants a 24/7 view of all potential risks your organization may face.
How to assess software as a service vendors: Software as a Service (SaaS) applications fuel many organizations’ operations and deliver critical services. However, SaaS also introduces risk through vulnerabilities in the provider’s platform and the access it is granted into your data. Vendor risk assessments are crucial to managing SaaS vendor risk. Evaluate a SaaS vendor’s compliance with security and privacy standards, the transparency of its security practices, and the vendor’s size and location. This will help identify the security risks so you know which controls to put in place. Implement data access controls to ensure SaaS vendors don’t access more than they need to.
Denmark energy infrastructure experiences its largest third-party cyberattack: Denmark’s energy infrastructure experienced a series of cyberattacks that began with a third-party vendor, in what is described as the nation’s largest cyber incident on record. A report stated that the attackers exploited zero-day vulnerabilities in Zyxel firewalls that a vendor used to protect the companies’ networks. Many of the companies hadn’t updated the firewalls: some opted out because the vendor charged for installing updates, and others believed the vendor was responsible for applying them. The threat actors identified the vulnerable companies in advance and launched a coordinated campaign. Some breached companies avoided significant damage by isolating their systems.
Software supply chain security is a top priority: Software supply chain security is a top priority for a majority of CISOs and developers, but agreement largely ends there, according to a new report. While developers believe they’re very security conscious, CISOs disagree. It’s clear, though, that software security is a critical component of risk mitigation and of meeting regulatory requirements. This prioritization will likely increase over the next five years, which will impact strategic decisions.
Consequences of healthcare data breaches and best practices to help prevent a breach: Healthcare is an easy target for cybercriminals, largely because of outdated systems and weak protections around very valuable data. However, healthcare has an ethical and legal obligation to protect patient data and patient care. Cyberattacks disrupt operations, delaying the release of important drugs, rerouting ambulances, or shutting down hospital systems. It’s important to have strong access management in place for third-party vendors and to continually reassess that access. And be sure to patch vulnerabilities quickly, including in third-party software.
Another victim of a massive healthcare third-party data breach is revealed: Northwell Health in New York was the victim of a third-party data breach. This breach stemmed from the breach at medical transcription firm Perry Johnson & Associates (PJ&A) earlier this year. Last week, Cook County Health announced it was also a victim of the PJ&A attack, with 1.2 million patients affected, and has since ended its relationship with PJ&A. It’s unclear how many people were impacted by the Northwell breach. The hackers were able to access patient names, addresses, birthdays, and medical records. PJ&A has since reported to the Department of Health and Human Services that almost 9 million patients were impacted, making this one of the largest healthcare data breaches on record.
Millions of patients were impacted by healthcare data breaches this year: The healthcare industry is on pace to break the record this year for the amount of people impacted in data breaches. So far in 2023, 87 million patients have had health information breached. It’s important to have cybersecurity precautions in place with third-party vendors. This includes implementing data access controls with vendors and continuously monitoring vendors, especially those that deliver critical products and services. Include comprehensive contracts that prioritize cybersecurity and include data protection requirements and incident response plans.
Questions to ask technology vendors before entering a partnership: Financial institutions are increasingly relying on technology vendors to provide services to their customers, but sometimes these relationships break down, often due to miscommunication. As an institution assesses technology vendors, ask how the vendor will use data and confirm it has the necessary resources. It’s also important to ask whether the technology vendor will help meet customer expectations. Talk about the end goal for the partnership and how the technology vendor can complement your services. These questions help set expectations, and obtain clear answers, from the very beginning.
Large bank is impacted by a ransomware attack: The U.S. arm of the Industrial and Commercial Bank of China experienced a ransomware attack, which disrupted some systems. The impact of the attack appears limited, although there were brief market disruptions.
CISA warns of a new high-severity vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity vulnerability to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw is in the Service Location Protocol (SLP) and can be abused to amplify denial-of-service traffic, enabling very large attacks. Federal agencies will be required to deploy fixes to secure their networks.
Awaiting the SEC’s final climate-related disclosure rule: October passed with no final rule from the SEC on climate-related disclosures, meaning it’s likely to come in the new year. Organizations must begin preparing now, especially as California has passed its own legislation. Having an ESG reporting framework in place can help organizations prepare; the Task Force on Climate-related Financial Disclosures (TCFD) publishes recommendations for one. Look to other regimes, like the EU’s, to understand best practices. Being prepared to meet reporting obligations is a crucial step as ESG regulations continue to develop.
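Both this item and the November 23 item on CISA’s three new catalog entries concern CISA’s Known Exploited Vulnerabilities (KEV) catalog, which names a vendor and product for each entry but carries no affected-version data. As an added example (not code from CISA, from this digest, or from any vendor named here), the Python below matches a third-party software inventory against entries in the feed’s published JSON shape and flags anything past its CISA due date. The feed URL is CISA’s real one but is not fetched, so the example runs offline; the feed excerpt and inventory are constructed for the example, the cveID values are placeholders rather than real CVE identifiers, and the dates are invented.

```python
"""Match a third-party software inventory against CISA KEV-format entries.

Added example for this digest, not code from CISA or any vendor above.
The field names (cveID, vendorProject, product, vulnerabilityName,
dateAdded, dueDate, knownRansomwareCampaignUse) are those of CISA's
published KEV JSON feed; the records below are CONSTRUCTED samples and
the cveID values are placeholders, not real CVE identifiers.
"""
import json
from datetime import date

# Published location of the live feed. Not fetched here so the example
# runs offline; in production, download it on a schedule and cache it.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# CONSTRUCTED feed excerpt. Vulnerability names are the ones the digest
# quotes; cveID values and dates are placeholders for the example.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability",
     "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Sophos", "product": "Web Appliance",
     "vulnerabilityName": "Sophos Web Appliance Command Injection Vulnerability",
     "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "Oracle", "product": "Fusion Middleware",
     "vulnerabilityName": "Oracle Fusion Middleware Unspecified Vulnerability",
     "dateAdded": "2023-11-16", "dueDate": "2023-12-07", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00004", "vendorProject": "Service Location Protocol (SLP)",
     "product": "Service Location Protocol (SLP)",
     "vulnerabilityName": "Service Location Protocol (SLP) Denial-of-Service Vulnerability",
     "dateAdded": "2023-11-08", "dueDate": "2023-11-29", "knownRansomwareCampaignUse": "Unknown"},
]})

# CONSTRUCTED inventory: vendor and product names as the business writes
# them, which rarely match CISA's wording exactly.
INVENTORY = [
    {"vendor": "Microsoft", "product": "Windows Server 2019", "owner": "IT Ops"},
    {"vendor": "Sophos", "product": "Sophos Web Appliance", "owner": "Network"},
    {"vendor": "Example Corp", "product": "Widget Portal", "owner": "Finance"},
]


def _norm(text):
    """Lowercase and drop punctuation/whitespace so 'Web Appliance' == 'web-appliance'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def _overlaps(a, b):
    """Loose name match in either direction ('Windows' vs 'Windows Server 2019')."""
    a, b = _norm(a), _norm(b)
    return bool(a) and bool(b) and (a in b or b in a)


def load_kev(feed_json):
    """Parse KEV feed text into its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev_entries, inventory, today):
    """Return one record per (inventory item, KEV entry) pair whose vendor and
    product names overlap, annotated with CISA due-date status. `today` is an
    ISO date string. KEV has no version data, so a match means 'confirm the
    installed version with the owner or vendor', not 'confirmed vulnerable'."""
    today = date.fromisoformat(today)
    matches = []
    for item in inventory:
        for entry in kev_entries:
            if not (_overlaps(entry["vendorProject"], item["vendor"])
                    and _overlaps(entry["product"], item["product"])):
                continue
            due = date.fromisoformat(entry["dueDate"])
            matches.append({
                "inventory_product": item["product"],
                "owner": item["owner"],
                "cveID": entry["cveID"],
                "vulnerabilityName": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "days_until_due": (due - today).days,
                "overdue": due < today,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    return matches


def overdue_by_owner(matches):
    """Group overdue KEV IDs by the business owner who must chase the vendor."""
    out = {}
    for m in matches:
        if m["overdue"]:
            out.setdefault(m["owner"], []).append(m["cveID"])
    return out


if __name__ == "__main__":
    kev = load_kev(SAMPLE_FEED)
    for m in match_inventory(kev, INVENTORY, "2023-11-23"):
        flag = "OVERDUE" if m["overdue"] else f"due in {m['days_until_due']}d"
        print(f"{m['owner']:8} {m['inventory_product']:22} {m['cveID']}  {flag}  {m['vulnerabilityName']}")
```

A match is a triage signal, not a confirmed exposure: KEV does not carry affected version ranges, so each hit should become a question to the product owner or vendor about the installed version and patch status. The loose substring matching trades false positives for recall; tighten it (for example, with a per-vendor alias table) once you see how your inventory’s names line up with CISA’s.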
Federal government proposes new cybersecurity requirements for contractors: A proposed rule would implement new cybersecurity reporting requirements into the Federal Acquisition Regulation for government contractors. Security incidents, like discovery of malicious computer software, must be reported to the Cybersecurity and Infrastructure Security Agency within 8 hours of discovery. A report must then be submitted by the contractor every 72 hours until remediation is complete. If CISA or the FBI requests more information, the contractor must respond within 96 hours with all available information. Contractors would also need to have data storage processes and protection measures in place. Contractors would be required to develop and maintain a software bill of materials as well.
Recently Added Articles as of November 9
This week’s headlines bring us news on the rise in third-party ransomware incidents, the dangers healthcare organizations face in third-party data breaches, and the CFPB’s proposed rule to regulate non-banking financial organizations. Check it all out below!
CFPB proposes rule to regulate large non-banking financial organizations: The CFPB has proposed a rule to regulate large non-banking financial organizations, like digital wallets and payment apps. Non-bank entities that handle more than five million transactions per year would have to follow the same CFPB regulations that large banks and credit unions follow. This would ensure that non-banking financial organizations would have oversight and follow the same requirements. This would include organizations like PayPal and Venmo. The CFPB said complaints against some digital payment services have been growing. Comments on the proposed rule will be accepted until January 8, 2024.
FBI releases notification on rise in third-party ransomware attacks: The FBI released a notification on trends in ransomware, particularly cybercriminals targeting third-party vendors to launch attacks. Ransomware attacks have specifically targeted casino services and organizations that use system management tools, with third-party gaming vendors serving as an attack vector to gain casino access. A ransomware group has also used phishing to get people to click a link to a system management tool, then used that access to extort the organization. Organizations should prepare for cyber incidents with response plans and encrypted offline data backups. It’s also important to review the security posture of third-party vendors and anyone else interconnected with your organization.
Agencies begin campaigning to strengthen critical infrastructure: The Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the Federal Emergency Management Agency are encouraging critical infrastructure to strengthen resilience. The new campaign pushes for specific, time-sensitive actions to reduce the risk of cyberattacks, physical security threats, or natural disasters. The agencies are providing critical infrastructure stakeholders with tools and resources to assess risks and make actionable plans.
Third-party vendors contribute to healthcare data breaches: It's clear that the healthcare industry is a top target for data breaches. The trove of sensitive data is extremely attractive to cybercriminals. Among healthcare’s weak links are third-party vendors. If the vendor that transfers files or sends emails doesn’t have the right data security practices, the entire hospital system is at risk. It’s important to ensure that all third-party vendors take cybersecurity seriously. Communicating standards and setting contractual expectations with the vendor can help mitigate this risk.
New malware targets SEO searches: A new variant of GootLoader malware can evade detection while gaining access to compromised systems. The campaign uses search engine optimization (SEO) poisoning: attackers seed search results for themes such as contracts and legal forms, directing victims to compromised sites that deliver the malware. Always use extreme caution before downloading content from websites.
Third-party AI use becoming a bigger threat to financial institutions: With the emergence of artificial intelligence (AI), third-party relationships are becoming even riskier for financial institutions, according to a new report. Financial institutions must know what their third parties are doing, and planning to do, with AI. When evaluating third parties, consider what controls the third party has in place to mitigate AI risk. It’s also important to have internal policies addressing AI use.
Mitigating child-labor risk down the supply chain: Child labor has increasingly gained attention and concern, especially with third-party supplier noncompliance. Even if it’s your supplier that has unlawful child labor, your organization could still face severe penalties. It’s important to have a full picture of your supply chain and assess child-labor risks with questionnaires, on-site visits, and audits. The contract can be a great place to mitigate this risk. Define standards and expectations for child-labor compliance and have corrective actions in the case of noncompliance.
New UK law focuses on third-party fraud risk: A new UK law will put more pressure on financial institutions to perform third-party due diligence. The law introduces penalties for organizations that fail to prevent fraud, even if it originates with a supplier or third party. Financial institutions will have to ensure fraud prevention by anyone doing business on behalf of the organization. The law applies to large organizations that meet at least two of three thresholds: annual turnover of more than £36 million (about $44.6 million), a balance sheet total of more than £18 million, and more than 250 employees. It also reaches non-UK banks that have branches or subsidiaries in the UK.
Climate-related risks are catching investors’ attention: Investors are paying more attention to climate-related risks at the organizations they invest in or own. With regulatory requirements on the horizon, like the SEC’s proposed climate disclosure rule, reporting compliance is going to become more important. Renewable energy has attracted more funding, as have energy storage and batteries. As investor interest grows, it’s important for organizations to have a climate-related disclosure plan.
Microsoft to begin requiring multi-factor authentication: Microsoft will begin requiring multi-factor authentication for administrators of platforms like Entra, Microsoft 365, Exchange, and Azure. Users will be able to opt out of some of the policies, but Microsoft will increasingly require multi-factor authentication for specific interactions.
Johnson & Johnson and IBM face lawsuit over third-party data breach: Johnson & Johnson and IBM are facing a lawsuit from a third-party data breach, alleging that the companies failed to protect patient healthcare information. A third-party platform that provided patient support for managing medications experienced a breach in August. IBM is the service provider for the platform. Patients were notified of the breach almost two months after it occurred.
Okta hack attributed to personal employee Google account: The recent breach of Okta’s customer support system has been attributed to an employee signing into a personal Google account on a company laptop. The username and password of an Okta service account had been saved to that personal Google account, and a threat actor used them to gain access to files belonging to 134 Okta customers. Internal controls didn’t catch the breach for two weeks.
Third-party data breach exposes information of 1.2 million: A third-party data breach at Cook County Health and Hospital System earlier this year exposed the personal information of 1.2 million people. The third-party provider of medical transcription services experienced a security incident and Cook County Health has since terminated its relationship with the provider. Impacted patients will be notified soon by mail.
Okta employees impacted in third-party data breach: Almost 5,000 Okta employees had sensitive health information exposed after a third-party data breach. Okta services and customers weren’t impacted, but employee Social Security and health insurance plan numbers were compromised. This shows the importance of third-party risk management and ensuring even third parties that handle employee information are secure.
Countries pledge not to pay ransoms: At least 40 countries have pledged not to pay ransoms to cybercriminals. The FBI has long encouraged organizations not to pay ransoms in a ransomware attack: paying encourages criminals to keep deploying ransomware, and it doesn’t guarantee the return of data. There’s no information yet on what the pledge includes or whether there are penalties if a ransom is paid.
Analyst predicts regulatory trouble ahead for generative AI usage: Generative AI usage will lead to major data breaches and fines next year, according to an analyst’s predictions for 2024, and developers will face consequences for shipping AI-generated code that turns out to be malicious. While there aren’t U.S. regulations specifically governing generative AI, organizations are still responsible for handling personally identifiable information (PII) responsibly.
ServiceNow misconfiguration could have endangered thousands of organizations’ sensitive data: ServiceNow recently acknowledged that misconfigured access controls in its platform could allow outside parties to reach sensitive data. ServiceNow has fixed the issue, but organizations should remain aware of potential flaws in cloud-based platforms and apply updates as they’re released.
Recently Added Articles as of November 2
What a regulatory week of headlines! The Biden administration announced AI standards. Three banking regulators issued guidance on climate risks. The FTC will require data breach notifications. Beyond regulations, there’s a lot more third-party risk management news, so check it all out below.
Small organizations can be particularly vulnerable to data breaches: Data breaches can be devastating to any organization as they may face reputational damage, recovery costs, and regulatory action as a result. These consequences can particularly cripple small organizations. A new report found that 1 in 4 small businesses have experienced a data breach in the past. It’s important to implement mandatory employee training and have strong cybersecurity practices. Third-party software can be a valuable tool to manage cybersecurity risks and stay on top of regulatory changes.
Cloud concentration is a top emerging vendor risk: As more organizations rely on cloud-service providers, it’s easy to use just one vendor for all cloud needs. But a new Gartner survey named cloud concentration as a top emerging risk. For most organizations, if a cloud provider went down, the organization would face severe disruptions. This dependence can also present a compliance issue as regulators look at concentration risk. Other emerging risks include third-party viability, evolving sociopolitical expectations, generative AI, and differing data and privacy laws.
New York bank is fined millions for poor third-party risk management practices: A New York-based bank must pay $14.5 million to federal regulators and $15 million to New York regulators for third-party risk management violations. Bad actors opened prepaid card accounts through a third party and then moved millions of dollars in direct deposits and unemployment benefits through the accounts. The bank will have to submit a plan to improve its third-party risk management program, which must include policies and procedures that ensure third-party compliance and an oversight program for third parties.
Biden executive order addresses AI use and standards: U.S. President Joe Biden issued an executive order addressing artificial intelligence (AI) threats and cybersecurity risks. Developers of the most powerful AI models must test their products and share the results with the government before release to the public. The order also directs NIST to develop industry standards for AI, such as watermarks that alert customers when content was produced by AI. These standards are suggestions, not mandates. Government agencies, including their contractors, will face strict oversight in how they implement AI. The Biden administration also called on Congress to finally pass data privacy legislation as a further step toward keeping infrastructure safe.
Boeing is investigating a ransomware claim: A ransomware gang has claimed that it has gained access to sensitive Boeing data. LockBit has said it will publish the data if Boeing doesn’t respond. The group hasn’t shared any samples of the data, and Boeing is investigating whether the claim is true. No ransomware incident has been confirmed yet.
SolarWinds and its CISO could face more trouble from 2020 hack: The SEC charged SolarWinds and its CISO, Tim Brown, with allegedly misleading investors about the company’s cybersecurity practices. The alleged conduct ran from October 2018 until the December 2020 data breach. SolarWinds’ breach made headlines in 2020, as the third-party vendor provided services to many organizations, including federal agencies. The SEC alleges that SolarWinds made misstatements and omissions about its poor cybersecurity practices and the rising risks. The SEC seeks to permanently ban Brown from serving as an officer or director of a publicly traded company and to impose civil monetary penalties. SolarWinds and Brown have denied any misconduct.
Consequences of a third-party data breach are far-reaching: Third-party data breaches have a number of consequences, like reputational damage, regulatory costs, and financial loss. They can also have devastating impacts on operations, as the supply chain can be disrupted and systems can go down. Organizations should create an incident response plan that addresses data breach notifications and mitigates the damage of the breach. The cascading effects of a third-party data breach can also be reduced with a strong third-party compliance program. Your organization should ensure the third party’s cybersecurity practices align with its own.
Hospital settles lawsuit on third-party tracking data: A hospital operator will pay $12.2 million over the next five years after a data breach exposed patient information to third-party vendors. Patients filed a class action lawsuit against Advocate Aurora Health after the personal information of 2.5 million patients was exposed without consent. Advocate installed tracking technology, which transmitted data to third-party vendors. That technology has since been disabled.
Law firms must follow cybersecurity practices to keep client data safe: Cybersecurity incidents are on the rise at law firms because firms’ sensitive data is increasingly attractive to cybercriminals. Firms can pay millions in recovery costs, which can be devastating, especially for smaller firms. Additionally, the reputational damage from a data breach can cause firms to lose clients. Software used at a firm should be updated promptly to help prevent a breach, and a third-party audit can spot issues that need patching. Any third parties that access a law firm’s data should undergo thorough due diligence and be educated on cybersecurity best practices. For example, software vendors should have their security policies checked. Be sure to have an incident response plan in place, too, so you can respond quickly in the case of a data breach.
FTC to require non-banking institutions to notify of data breaches: The FTC amended its Safeguards Rule to require non-banking institutions to report data breaches and other security events to the agency. This would extend to mortgage brokers, auto dealers, and payday lenders. The FTC said companies with sensitive financial information should be transparent if compromised. The amendment requires organizations to notify the FTC as soon as possible and no later than 30 days after discovery of a breach that impacts more than 500 people. This requirement is effective 180 days after publication.
Vendor access management is crucial to keeping organizational data safe: How much access do your vendors have to your data? To keep your organization safe from cybercrime, it’s important to implement vendor-privileged access management. This gives temporary or altered access to vendors so they can securely access your data without leaving your organization exposed to data breaches. Implementing access management reduces risk and allows for better vendor oversight.
Ransomware increasing again in 2023: Ransomware is surging again in 2023, according to a new report. Cybercriminals are targeting supply chains to gain access to organizations, and cyber insurance claims are likely to increase as a result. Attackers are launching attacks faster, in around just four days. They’re able to get sensitive data and extort organizations for more money. Cybercriminals have also taken to the web to threaten to publish data, putting pressure on organizations to respond quickly. It’s important to have a response plan in place and to work with suppliers on strong incident response plans.
Federal agencies release a cybersecurity toolkit for healthcare organizations: The Cybersecurity and Infrastructure Security Agency (CISA) launched a toolkit designed to help healthcare organizations improve cybersecurity. Healthcare organizations are often a target for cyberattacks due to the trove of personal information they hold. The toolkit includes best practices for cyber hygiene as healthcare organizations build their cybersecurity foundation.
Threat actor targeting new employee accounts to trick help desks: A threat actor called Scattered Spider is impersonating new employees in an attempt to take over accounts. Microsoft disclosed the activity and highlighted the group’s dangerous capabilities in SMS phishing, SIM swapping, and help desk fraud. The threat actor gains access to privileged accounts and then tricks the help desk into resetting passwords and multi-factor authentication methods. This can escalate into a ransomware attack.
September is the top month in 2023 for ransomware attacks: Known ransomware attacks increased in September, according to security researchers. Ransomware groups listed 513 victims, breaking July’s record of 502. Many of these attackers practice double extortion, where they steal data, encrypt the files, and then demand a ransom for the decryptor. Healthcare and life sciences were top targets. Ransomware looks set for a record year in 2023 as attackers launch successful attacks more quickly.
D.C. Board of Elections is the victim of a third-party ransomware attack: Voters in Washington D.C. may have had their data compromised in a third-party data breach. The D.C. Board of Elections was the victim of a ransomware attack against its third-party hosting provider. The entire voter roll was included in the hacked database, but little is known about whether that database was accessed. The investigation is still active.
CFPB proposes rule on data rights for customers: The CFPB has proposed a rule that would give customers data rights similar to those in many state privacy laws. The proposed Personal Financial Data Rights Rule would allow customers to request information related to their account, including third-party bill payments. Consumer account data couldn’t be used for targeted advertising or marketing, or sold to data brokers. The access right excludes confidential business information as well as mortgages, auto loans, and student loans. The comment period runs until December 29.
Banking regulators issue guidance for climate-related risks: The FDIC, OCC, and the Fed jointly developed guidance for large banks on climate-related financial risks. Banks will have to consider how climate change intersects with risk management and how it should be integrated into the risk management process, including the third-party risk management process. The guidance only applies to financial institutions with more than $100 billion in total assets.