October 2020 Vendor Management News

As we enter the fall season, and National Cybersecurity Awareness Month, make sure you stay caught up on vendor management and vendor cybersecurity news with the articles covered below. 

Recently Added Articles as of October 29

It's getting spooky... from massive data hacks across the globe to scary security predictions for 2021, there's all sorts of creepy-crawlies to contend with. But, not to fear! We have plenty of ghost-busting, risk management tips, tricks and treats to balance it all out. Read on for more of the good stuff! 

BeyondTrust unveils 2021 security predictions: BeyondTrust released its annual forecast of cybersecurity trends emerging for the New Year and onward, covering everything from time hacks (no, the bad guys haven’t cracked time travel quite yet, but they have hacked time-based servers), the manipulation of machine learning training data and porch pirates to deepfake campaigns and weaponized AIs. If any of this sounds like the stuff of sci-fi nightmares, you’re not far off. The future is here, and it’s getting pretty scary. Of course, while much of this was already well on its way, we can safely blame COVID-19 for speeding it up. But, before we lose heart completely, let’s not forget the tools in armory. If ever there was a time for risk management, it’s now. Read on to learn more about the latest threats! 

OCC names true lenders responsible for third-party partners: A new rule introduced earlier this year has finally cleared up any remaining confusion around lenders and their third-party partners. The new rule states that the bank that loans money will be hence forth known as the “true lender,” and along with this newly minted title comes the responsibility for the actions of any and all third-party partners should they cross any federal banking regulations lines. While relationships with third parties can facilitate access to affordable credit, the legal waters around some of these third parties have become increasingly murky. After carefully considering the comments, the OCC is adopting a final rule to resolve this uncertainty. The rule specifies that a bank makes a loan and is the true lender if, as of the date of origination, it (1) is named as the lender in the loan agreement or (2) funds the loan. The rule also specifies that if, as of the date of origination, one bank is named as the lender in the loan agreement for a loan and another bank funds that loan, the bank that is named as the lender in the loan agreement makes the loan.

Compliance solutions to help prepare for audits: Compliance is the name of the game when it comes to the regulators, but the problem is… the guidelines always seem to be shifting. So, how to keep up? Over compliance professionals were surveyed to find out. The results, contained in the 2020 Risk and Compliance Definitive Benchmark Report, help shed new light on what organizations of all sizes, maturities and industries are doing to help their programs meet the needs of the quickly evolving compliance landscape. Some of the headliners include streamlined data access, well-developed policy and procedure management, confidential reporting and investigation, automation and technology adoption, just to name a few. 

Modeling tool guides CRC treatment strategies with more precision: While we work to keep up with the latest trends in risks associated with vendors, evaluating the risk associated with “models” they may provide, and our eventual reliance on them, brings the importance of “model risk management” or MRM to the limelight. This article dives into a modeling tool which could have significant impact on health and wellbeing, provided it functions as anticipated.  

Survey hints machine learning may stymie financial crime: Compliance Week tapped into the ICA’s network of 150,000-plus global regulatory and financial compliance professionals for the survey, which canvassed 364 compliance professionals—including 229 employed by financial institutions (63 percent of all respondents)—to determine the degree to which FIs are using Machine Learning. It highlights the intended and realized program benefits of ML implementation; top enterprise risks and pitfalls in adopting and integrating ML to fight financial crime; and satisfaction with results post-implementation. The results also offer insights into what kinds of impediments are holding organizations back from full buy-in.  

Report finds alarming rate of data security training decline: The 10th Anniversary Edition Data Protection Report from Shred-it, or once known as “The Security Tracker: State of the Industry Report,” uses its annual survey to track trends in both data protection practices and risks for both large and small U.S. business. This go-around, the survey uncovered some alarming data which suggests that nearly half (43%; up 21% from 2017) of C-suite executives and 12% (up 7% from 2017) of small business owners have experienced a data breach. The survey also points to the rapid work-from-home scaling due to the pandemic as a reason for the uptick in security issues. Worse, it seems nearly a quarter of consumers report they would stop doing business with a company if their personal information was compromised in a data breach. Beyond losing their loyalty, consumers would lose trust in the business (31%) and demand to know what the business is doing to prevent future breaches (31%). So, what to do? All signs point to better training and increased security procedures and policies. 

Deceptive VA loan consent order settled with Bureau: After the CFPB issued a consent order against Low VA Rates LLC, a mortgage lender and broker based in Utah for misrepresentation within its advertisements around credit terms, misleading rhetorical questions in connection with advertised mortgages misleading comparisons involving actual or hypothetical loan terms… shady dealings indeed. The order requires Low VA Rates to pay a civil money penalty of $1,800,000 to the Bureau and imposes requirements to prevent future violations. Not to mention, in addition to the $1.8 million civil money penalty, to prevent future violations, the consent order requires Low VA Rates to designate an advertising compliance official who must review its mortgage advertisements for compliance with mortgage advertising laws prior to use and comply with certain enhanced disclosure requirements. Once again, the Bureau comes to the defense of the consumer!

OSF notifies patients of a vendor security breach: OSF Healthcare, a not-for-profit Catholic health care organization in Illinois and Michigan, notified its patients of a potential data breach due to one of its vendors. An unauthorized person gained access to Blackbaud, Inc.'s backup database, who was being used by OSF for fundraising efforts. The database did contain some patient information, such as names, addresses, phone numbers, email addresses, DOB, etc., but social security numbers, financial account and credit card information were encrypted and not able to be accessed. 

Data hack in Finland distresses thousands: Tens of thousands of confidential, psychotherapy records were not only hacked, but leaked online. Many patients reported receiving emails with a demand for €200 in bitcoin to prevent the contents of their discussions with therapists being made public…and in some cases, were made public anyway, in this most recent, sadistic data breach. “We are investigating an aggravated security breach and aggravated extortion, among other charges,” said Robin Lardot, the director of Finland’s National Bureau of Investigation. He added they believed the number of patients whose records had been compromised numbered in the tens of thousands. The proof is in the pudding: no one is immune to data theft, and only highlights the increasing importance of information security protocols.

SoFi earns “conditional approval” to open a bank: This week the Office of the Comptroller of the Currency granted Social Finance, Inc. conditional approval to establish a full-service national bank, which will henceforth be called SoFi Bank, National Association. According to the OCC’s approval letter, the go-ahead was based on representations and commitments made by the proposed bank’s representatives and all other information available to the OCC. At this point, the agency is just waiting for SoFi to get a plan together… specifically a CRA plan (Community Reinvestment Act), and then the OCC will review again.

Recently Added Articles as of October 22

This week, data breaches are the name of the game, and some pretty big names are added to the ever-growing list of organizations bitten by cybersecurity negligence and plain ole bad safety habits. The result?  Hefty non-compliance fines. Want to know what to do if your organization suffers a data breach? Read on to learn more.

What you need to know if there’s a data breach: It seems every week another one bites the dust when it comes to cybersecurity issues, leaks and unlawful information exploitation. And now, failing to report a data breach just got a whole lot more complicated for CISOs and their organizations. Now, if failure to report looks suspiciously like a coverup or includes paying ransoms for retrieving sensitive data, it could lead to some pretty hefty fines, or even jail time. On October 1, the US Department of Treasury  released an advisory stating that paying a ransom could violate the Office of Foreign Assets Control (OFAC) against sanctioned ransomware operators while also running the risk of “misprison,” which pretty much means if you know a crime is being committed, but you don’t report it, you too are complicit.

The cost of non-compliance: The cost on non-compliance around data breaches often varies depending on both industry and the scope of the breach itself. So, curious what are most expensive data breaches to date? Coming in at number one is the Equifax breach which resulted in access to 150 million individuals' information. In the end, it cost them $1.4 billion. Clocking in at number two is British Airways, who was slapped with a $230 million fine; and at number three is Uber, who earned a $148 million penalty when a bad actor breached data of riders and drivers, and then Uber paid the criminal $100,000 to cover the breach up. Wanna find out the other heavy hitters? Read on for more.

Google sued by DOJ around anti-trust laws: The lawsuit filed by the Justice Department against Google this past Tuesday has massive implications, not just for this tech giant, but for the entire tech industry. The lawsuit against Google alleges that the company’s search and advertising empire violated federal antitrust laws, and caps off a year-long investigation concluding that Google wielded its digital dominance causing damage to both corporate rivals and consumers. In a nutshell, the DOJ is accusing Google of leveraging its monopoly with disregard (especially to consumers) and perhaps with a level of ill intent. This antitrust lawsuit marks the start, not the end, of the government’s antitrust fight with Google and could take years to resolve. Will the courts find Google in contempt of the Sherman Act and DOJ’s allegations? Buckle up, it’s gonna be a bumpy ride.

COVID-19's impact on security and telework: Many organizations, if not most, were forced to figure out how to shift their operations to a full-time remote status, and while many employees have embraced the change, it’s come with a mixed bag of pros and cons. One in three companies reported having lost or reduced visibility of attacks and compromises; 70% of organizations have experienced an increase in attacks or threat incidents to their systems and 35% of respondents said they had to reduce their cybersecurity budget due to the pandemic. The fact of the matter is, pandemic or no pandemic, bad actors never sleep and their techniques are constantly evolving. There is no better time than now to be the change that improves security for everyone, everywhere… no matter where they work.

NAFCU cries for national data security standard after rash of breaches: After a whole host of big names suffered data breaches this past week — from fintech company Robinhood, with almost 2,000 compromised market accounts, to Dickey’s Barbeque and Barnes & Noble, each with large numbers of personal consumer information exposed — NAFCU sent a letter to Congress urging action to ensure consumers’ information is properly protected in light of these breaches. “Unfortunately, retailers, and even fintechs such as Robinhood, are not held to the same data security expectations as depository institutions, which have faced rigorous cybersecurity exams for years under the Gramm-Leach-Bliley Act (GLBA),” the letter said. “Even more troubling, the U.S. Securities and Exchange Commission (SEC) issued an advisory last month which warned against precisely the sort of authentication weaknesses that may have played a role in the reported Robinhood breach.” 

Enterprises transform cybersecurity in 2020: The numbers are in, and this is what we learned: an overwhelming majority of enterprises have completely transformed their cybersecurity approach throughout the pandemic. Forty-eight percent of all organizations had to accelerate cloud migration due to the pandemic, with larger enterprises leading the way, while 81% of enterprises accelerated their IT modernization processes due to the pandemic and 32% of large-scale enterprises, over 500 employees, are implementing more automation using artificial intelligence-based tools this year. So there… take that, bad guys and data thieves!

Attacks against ATMs on the rise: Earlier this month, NCR, one of the world’s leading hardware providers for financial institutions, warned that it had tracked a wave of physical attacks against ATMs in the U.S. over the first half of this year. At first, attacks seem to only be in specific regions, but it seems now they’re expanding nationwide and have targeted devices from numerous manufacturers. "The attacks average only five or six minutes onsite with losses exceeding $120,000 per unit," NCR said in a security advisory. It seems the attacks also take three main approaches: forceful entry, explosives or completely removing the ATM altogether, but NCR says attackers will continue to devise new ways to target ATMs.

UK reduces British Airways data breach fine: After the largest data breach in UK history was levied against airline giant, British Airways, the Information Commissioner’s Office announced it would reduce the original fine amount of 184 million pounds to 20 million pounds, due to the economic impact created by COVID-19. Despite the reduction, the ISO didn’t spare the airliner a strict admonishment: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people.”

OCC  $85 million civil money penalty: This week, the Office of the Comptroller of the Currency assessed an $85 million civil money penalty against USAA, Federal Savings Bank. It seems the financial group failed to properly establish and maintain an effective compliance risk management program and an effective information technology risk governance program which violates the Military Lending Act and the Servicemembers Civil Relief Act. Looks like USAA might be just another entry on that hefty non-compliance list here all too soon.

Recently Added Articles as of October 15

It's busy, busy this month it seems, jam-packed with enforcement actions against several giant companies (Morgan Stanley and Citi Group, just to name few), while cybersecurity continues to not only trend, but is causing quite a stir industry-wide as organizations, both big and small, are forced to adapt to work from home environments. So much so that experts are now having some tough security conversations, such as "should ransomware payments be banned altogether?" Want to know the consensus? Read on for that, and more industry gems in the headlines this week!

Risk and resilience in the financial sector: As technology improves and the digital world continues to expand, part of the deal is that we accept increased risk. It’s just how it goes. This expanding business and operational risk is especially relevant to the financial services sector and federally regulated financial institutions. In response, on September 15, 2020, the Office of the Superintendent of Financial Institutions announced a three-month consultation on technology risks in the financial sector with the publication of a discussion paper Developing Financial Sector Resilience in A Digital World: Selected Themes in Technology and Related Risks. The paper invites relevant stakeholders to participate in the consultation by making submissions on the questions posed in the paper by December 15, 2020.

Reasons the pandemic is making cybersecurity harder for credit unions: The work from home movement brought on by the pandemic created drastic changes for many; but perhaps none so much as the credit unions. “Work from home suddenly meant that many institutions had to significantly beef up their remote access options for branch staff and others that were used to working out of physical locations,” said John Meyer, senior director at Cornerstone Advisors. “We were impressed with how rapidly our credit unions responded to this challenge. Fraudsters, though, are finding ways to exploit the holes in the remote workforce.” For 2021, credit unions need to increase its member outreach through free cybersecurity awareness and training to help those new to the remote work environment.

Twitter hack calls for increased cybersecurity rules: Bigger certainly doesn’t always mean better… not when it comes to security anyways, and not for the tech giants. As companies grow larger, it seems the threat of attack grows, too. After an investigation into this summer’s hack on Twitter, the New York State Department of Financial Services (NYSDFS) found that while the company is indeed a giant, they were duped by a rather simple con. This “simple” social engineering technique, resulting in a number of high-profile Twitter account hacks (among them Elon Musk, Joe Biden and Apple), signals wider call for key social media platforms to be regulated on security. “The Twitter Hack demonstrates, more than anything, the risk to society when systemically important institutions are left to regulate themselves,” the post-investigation NYSDFS report stated. “Protecting systemically important social media against misuse is crucial for all of us — consumers, voters, government, and industry. The time for government action is now.”

Executives are silent about cost after major enforcement action against Citigroup: After regulators announced an enforcement action against Citigroup Inc., which will force the firm to clean up some long-standing issues, it seems Citi execs are still strangely silent. Among the list of things to improve was a firm-wide sprucing up of its risk management and internal controls. Word on the street is the firm hasn't been either prompt nor effective when it comes to correcting problem areas identified by the board in compliance risk management, data quality management or internal controls. The damage? $400 million to be exact. But after being hammered by analysts on what changes to expect, and when execs weren’t as forth-coming as one may hope… I suppose we’ll see if Citi Group is able to mop shop, or not.

CFPB settles with Nissan on illegal repossession practices: Yesterday, the Consumer Financial Protection Bureau issued a consent order against Nissan Motor Acceptance Corporation (Nissan), an auto financing subsidiary of Nissan North America, Inc, which provides auto loans and leases. The laundry list of transgressions include: wrongfully repossessed vehicles as well as the unlawful possession of personal property in consumers’ repossessed vehicles until consumers paid a storage fee; depriving consumers paying by phone of the ability to select payment options with significantly lower fees; and, in its loan extension agreements, making deceptive statement that appeared to limit consumers’ bankruptcy protections. The punishment? Nissan must pay a civil money penalty of $4 million, refund fees paid by consumers, credit any outstanding charges stemming from the repossession and pay consumers redress for each day Nissan wrongfully held the car.

California proposes changes to CCPA regulations: Whelp, it’s only been two months since the CCPA regulations were finalized and already people are looking for amendments. The California Attorney General’s office released a new set of potential changes, most significantly addressing “Do Not Sell My Personal Information” requests. The office has also recommended changes to the regulations related to providing notice when businesses collect personal information offline, proof required when an authorized agent submits a request on behalf of a consumer and a grammatical change related to providing notice of how to opt into the sale of children’s information.

DFS amps up attention to Financial Cybersecurity Regulations: In 2017, The New York State Department of Financial Services (or DFS) implemented cybersecurity regulations which gave New Yorkers a two-year period to get it together before the provisions would be considered set in stone. Some of these rules include comprehensive cybersecurity program for “Covered Entities” including appointing a chief information security officer, undertaking periodic risk assessments, maintaining a cybersecurity program that includes access controls, network security assessment, disaster recovery planning and attendant policies and procedures… just to name a few. Then in July, DFS commenced its first enforcement action under the DFS Regulations against First American Title Insurance Company, emphasizing just how serious it is about its intention to hold Covered Entities responsible for compliance with the DFS Regulations. Here’s the main thing: covered entities must develop minimum cybersecurity practices required to be met by the vendor, undertake due diligence of the vendor’s cybersecurity practices and reassess them.

Tech’s role in managing third-party risk: Deloitte's Julian Colborne-Baber offers due diligence insights for financial institutions while also reviewing top challenges for financial institutions dealing with third parties and supply risk challenges; how banks redefining their supply chain risks; and what tools can be leveraged to assess large-scale risks. Click to learn more from Colborne-Baber, who specializes in forensic advisory services and conducting financial crime investigations.

Execution elements to incorporate into your planning strategy: When it comes to creating a “plan of attack” for your organization, there may be a few things you tend to overlook. One is having a documented timeline of identified actions that support your strategy; two is premises and assumptions; and three is identifying obstacles and roadblocks. Read on for more tips to help focus and guide the execution of your specific strategies.

Hospital breach ends in $5 million settlement: After a massive data breach in August of 2014 impacted 6 million patients across the U.S., Community Health Systems, Inc. will be forced to pay $5 million in damages. While based in Tennessee, at the time of the breach, the organization owned, leased or operated 206 affiliated hospitals, including five West Virginia entities – Oak Hill Clinic Corp., Oak Hill Hospital Corp., Bluefield Clinic Company LLC, Greenbrier Valley Anesthesia LLC, Greenbrier Valley Emergency Physicians and Ronceverte Physician Group. The breach exposed names, birthdates, Social Security numbers, phone numbers and patient addresses.

DFPI granted increased refund authority: Under a new wave of legislation, the DFPI saw a little enforcement bump courtesy of a short bill which gives the department some extra authority under the California Financing Law (“CFL”), which has also been signed into law by Governor Newsom. The DFPI is permitted to require attendance of witnesses and examine under oath all persons whose testimony it requires relative to loans, assessment contracts, or business regulated by the CFL. The new law will also expand the DFPI’s authority when seeking relief on behalf of consumers from persons engaging in unlicensed finance lender, broker, PACE program administrator or mortgage loan originator activities.

Experts weigh in on the questions if ransomware payments should be banned: Last week, the U.S. Department of the Treasury's Office of Foreign Assets Control issued an advisory declaring that allowing ransom payments for anyone on "OFAC's Specially Designated Nationals and Blocked Persons List,” which also includes blocked regions such as Cuba, parts of Ukraine, Iran, North Korea and Syria, would be in direct violation of OFAC regulations. This opens up a whole new can of worms. Ciaran Martin, managing director at cyber venture capital investor Paladin Capital said, "If a victim pays a ransom to someone subject to U.S. Treasury sanctions, that's unlawful," Martin said. "First, there's a practical point: How are you supposed to know whether your attacker is on the U.S. sanctions list? And secondly, what's the policy outcome here? Why is it OK to pay someone who isn't on the U.S. sanctions list, a ransom for a criminal act of extortion?"

OCC assesses a $60 million penalty against Morgan Stanley: After Morgan Stanley failed to exercise proper oversight during the decommissioning of two data centers in 2016, and subsequently failed to adequately assess the risk of subcontracting the decommissioning work (read: exercising thorough due diligence in selecting a vendor and monitoring its performance) while also overlooking top-to-bottom inventory of customer data stored on hardware devices, it happened again in 2019. Once might be an accident, but twice… And, this time Morgan Stanley has to pay the piper.

NAFCU urge reforms to be included in NDAA: This week, the NAFCU joined with dozens of other organizations to plead with leaders of the Senate and House Armed Services Committees to include Bank Secrecy Act (BSA)/anti-money laundering (AML) and beneficial ownership reforms in the fiscal year 2021 National Defense Authorization Act (NDAA). The NAFCU pointed out, along with others, that AML laws haven’t been updated in almost 20 years and allow for dangerous loopholes throughout our financial system. "All of the bad actors we work to hold accountable have adopted increasingly sophisticated methods for laundering money—yet every one of them relies on secrecy as a common feature of their schemes," the groups wrote. At the same time, the NAFCU is also fighting the good fight against allowing big banks (like Wells Fargo and Bank of America) to be treated the same as credit unions when it comes nominal leases on military bases. The House and Senate are expected to soon convene a conference committee to hash out differences between the two chambers' bills.

Recently Added Articles as of October 8

It continues to be a busy news month with the OCC releasing their fiscal year 2021 operating plan. And, guess what? Third-party risk management makes the cut and will be a focal point. California continues to make strides in the privacy realm. Oh, and clothing retailer H&M probably should have taken a page out of their book because they received the second largest GDPR fine. All of that and so much more to be aware of in this week's news. 

Third largest U.S. bank is fined for faulty risk management systems: Citigroup received some very costly news this week. The bank was fined $400 million for faulty risk management systems. Federal banking regulators have asked Citigroup to fix "significant ongoing deficiencies". Data management, regulatory reporting and capital planning were a few of the areas that needed improvement. If it can happen to Citigroup, it can unfortunately happen to any organization. So, be sure you take a look at your risk management processes to ensure they're sufficient.

Interesting research findings released on third-party cyber risk management: Opinion Matters performed a research study, surveying more than 1,500 CIOs, CISOs and chief procurement officers at organizations with over 1,000 employees, to learn more about third-party cyber risk management. The findings may surprise you… or maybe not given the not-so-secretive hardships the pandemic has caused many businesses and their operations - likely some of your own vendors. Related to that, here’s an interesting statistic to note: According to the study, 80% of organizations experienced a cybersecurity breach that originated from their own vendor’s ecosystem vulnerabilities in the past 12 months. Study participants span across geographical locations such as the U.S., U.K., Switzerland and Singapore, only confirming that many across the globe have felt the need to shift priorities heavily this year and consider third-party cyber risk management more than ever.

Vendors experience challenging obstacles when it comes to protecting biometric data: When most of us are notified of an account compromise or a data breach, we make sure to protect our personal information and identity by resetting our passwords, security questions, pin numbers and any other precautionary steps we can take. But, what about when a breach happens, and your password is your face? Face recognition is becoming increasingly more popular, and for that reason vendors should be doing everything they can to protect biometric data at all costs, right? Well, you’d think, but it’s not as easy as it sounds. Even the Department of Homeland Security who is a strong vendor in the space, and is normally very successful at protecting data, has experienced biometric data theft. Biometric data has its positives, but it also has many kinks that still need to be worked out. We think this article will have you critically thinking about your vendors and their information security processes in a whole new light. Read on to learn more…

One fourth of organizations are PCI DSS compliant: Well if this isn’t a startling statistic… Verizon’s 2020 Payment Security Report found that only 27% of organizations across the world are Payment Card Industry Data Security Standard (PCI DSS) compliant, and even more shockingly, in the U.S. only 20% of organizations are. This has been a decade long struggle for organizations. What’s it going to take to get everyone up to speed?

Innovation and updating SEC regulations go hand-in-hand: The U.S. Securities and Exchange Commission (SEC) commenced in 1934, and since then many regulations have developed as well as been amended, as needed, to support the changes in the economy, global crisis', shifting priorities and circumstances. It’s fair to say the SEC has done a good job implementing regulatory changes, but now there’s a new they must consider: fintechs. There’s no doubt that fintechs bring technological advancements that automate processes and create efficiencies. And, these advances lead to a need for modernized rules and regulations. Why is this incredibly important? If a regulation doesn’t account for the digital world and technological advancements, there is a risk of not being able to utilize new technology to its full potential. The SEC is trying to make headway, but some have recommendations that could speed up the regulatory changes. According to Troy Paredes, a former commissioner of the SEC and founder of Paredes Strategies LLC, “the SEC should hire more in-house technologists, such as computer scientists, data scientists, cryptographers, engineers, developers, programmers, and the like. More technologists at the SEC—whether they are from academia or the private sector—could work closely with others at the agency versed in technology and with the SEC’s securities regulation and capital markets experts.” Troy says the SEC is “up to the task,” but feels more technologists on staff would help with these regulatory changes.

H&M receives the second largest GDPR fine: Clothing retailer H&M made a big oops – a mistake that will cost them over $41 million. In its Nuremberg service center, the retailer kept records on employees’ families, religions and illnesses. A major no and violation of the General Data Protection Regulation (GDPR). It seems data privacy is of the utmost concern these days and it’s certainly not an area to skimp on. 

Financial Accounting Standards Board’s long-awaited insurance contract standard is delayed: The insurance industry is experiencing a delay in rolling out new guidance due to the pandemic. The Financial Accounting Standards Board (FASB) has decided to push the effective date of its new contract standard for one more year – another effective date deferral to add to their list of many since the COVID-19 outbreak began. Instead of focusing on the soon-to-come contract standard, FASB will put more emphasis on conducting post-implementation reviews on other standards rolled out.

Proposition 24 could take the lead in California privacy measures: Andrew Yang, a former presidential candidate, is chairing the advisory board for Proposition 24. What exactly is Prop 24? Well, it may be the privacy model that sets standards for other states as the U.S. plays catch up with Europe. It’s a proposal to expand consumer right and increase fines. Companies seem to be finding loopholes to avoid requirements put in place by The California Privacy Rights Act of 2020 and The California Consumer Privacy Act of 2018. The proposition will make this more challenging by imposing higher fines on companies who violate privacy or illegally collect data. According to Yang, “I think this is going to be an opportunity for us to set a national standard. As soon as other states see that Californians have these data and privacy rights, they’re going to want the same thing.”

California makes the news again with Assembly Bill 107: Effective immediately, Assembly Bill 107 changes the name of the Department of Business Oversight (DBO). The former DBO will now be known as the Department of Financial Protection and Innovation (DFPI). This change has key takeaways to be aware of that can be found here. Some of these takeaways include UDAAP authority for DFPI, new penalty rules, DFPI board discretion to determine what is considered a “financial product or service” and more.

OCC released fiscal year 2021 operating plan: You’ll want to be sure to not miss out on this important update from the Office of the Comptroller of the Currency (OCC). A large focus on third-party risk in the new year will keep us on our toes as some of the 2021 supervisory strategies include: cybersecurity and operational resilience, compliance risk management associated with pandemic-related activities and proper oversight of significant third parties.

An advisory warning is issued by OFAC: The. U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) recently issued an “Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments.” This is a specific warning to organizations that send ransomware payments to malicious cyber actors on the behalf of victims of ransomware attacks... in other words anyone who falls victim to this. Doing so may mean your organization could pay some steep civil penalties.

Recently Added Articles as of October 1

The month of September was busy in the world of third-party risk, and it looks like October is going to be no exception. This week, we see a major data breach investigation come to a close in the healthcare industry – the second biggest HIPPA violation penalty. And, speaking of cybersecurity, it’s National Cybersecurity Awareness Month and CISOs speak out about the next biggest challenge. We learn why risk management importance is heighted during the pandemic and how identifying and managing risks are within our control. But, that’s not all in the news. Read on for more. 

Anthem settles data breach investigation for $39.5 million: Anthem has agreed to settle a 5-year investigation for $39.5 million. In early 2015, a cyberattack on Anthem's technology exposed nearly 79 million individuals' personal information. How did the hackers gain access to a big-name like Anthem's systems you may be wondering? An old tactic called spear-phishing. Another reminder to keep your employees informed and up-to-date on the latest cybersecurity training. 

Big data analytics and the benefits to risk management: Are you familiar with big data? As a refresher, big data is a way to analyze and systematically extract information from very large data sets that are too cumbersome for your average data processing. And, it seems this method could be a lifesaver for third-party risk management and improve an organization’s overall risk management strategies. Just how does big data analytics do this? It allows for organizations to predict threats and risks in advance, giving them more time to mitigate the risks before they have a negative impact. Sounds like a win-win. 

CISOs share the next biggest cybersecurity challenge: As technology advances, cybersecurity challenges change and evolve. Wondering what is keeping CISOs from getting a good night’s rest? Securing multi-cloud environments. Privileged access in the cloud is a major concern for them and there are a few reasons why: Identity Access Management (IAM) and Privileged Access Management (PAM) tools are lagging, PAM approaches are only dependable if they’re in a homogeneous cloud environment and PAM processes aren’t standardized… to name a few. Is this keeping you up at night, too? Read on for how to improve PAM in the cloud. 

Microsoft outage was not part of a coordinated campaign: Were you one of the ones impacted by the huge Microsoft outage Monday afternoon? Turns out, Microsoft’s outage was not planned. Per Microsoft, this was not part of a "broader coordinated campaign". Microsoft goes on to admit that there are always hackers out there trying to do the company harm, but this outage is a good reminder that sometimes service interruptions can be due to a mistake instead of a cybersecurity issue. Phew – good to see Microsoft was up and running again fairly quickly! 

COVID-19 vulnerabilities bring cybersecurity lessons: There’s no doubt that the COVID-19 crisis has created challenges in several areas of our personal lives, and that statement holds true for many businesses, too. One of the most challenging areas seems to be maintaining strong cybersecurity as hackers take full advantage of crisis vulnerabilities. So, what’s the secret weapon for defending against these cyberattacks? Believe it or not, your best defense is to stick to what you’ve always known. The fundamentals of preventing a data breach have not changed. And remember, always act as if you’ve already been breached. It’s not if a data breach happens, but when it happens. 

National Cybersecurity Awareness Month reminds us to stay alert: It’s that time of the year again – National Cybersecurity Awareness Month! The holidays are a time of cheer and laughter, but in the cybersecurity world we know that they’re also the time of the year that fraudulent activity and scamming increases. To help combat these issues, this article reminds you of the top three cybersecurity threats to watch for: phishing attacks, election and holiday scams and unsecure internal security. Here’s to spreading holiday cheer… and less breaches! 

Data breach leads to the second largest HIPPA violation penalty: If you haven’t taken the time to think about how costly a data breach can be… now is a good time to start. Premera Blue Cross, a health insurance provider, received the second largest HIPPA violation penalty over a data breach, $6.85 million to be exact – ouch! The breach dates all the way back to 2014, but after a long investigation the Department of Health and Human Services’ Office for Civil Rights (OCR) found Premera had “systemic noncompliance” which lead to a successful spear-phishing attack. Premera agreed to the penalty and to implement a corrective action plan. 

Risk management importance is only heightened during the pandemic: In recent months, we’ve seen layoffs, furloughs, businesses struggling to make ends meet, and worse, businesses closing. While the best option for a business at this time may seem to be cutting costs, risk management is not the area to do it in. “Risk management may come at a cost, but unmanaged risk is far costlier. And while risk management comes with a cost, research and science can support greater efficiency. With tools such as predictive analytics it is possible to pinpoint the highest priority risks and the solutions which are most likely to be effective,” shares Alex Senior Vice President, Division Manager Asia-Pacific at FM Global. “Risk mitigation and improvement are as vital in these trying times as they have ever been. Understanding exposures, having the right partners and making the most of data will ensure organizations come back stronger when we finally recover from the pandemic.”

Some things are out of our control – identifying and managing vendor risk is not: To say we’re in some strange and unpredictable times would be an understatement. While we can’t predict the future, there are some things within our control. One of those being our vendor risk management programs and the processes we implement to identify and manage risk. In this article, learn six steps to an effective vendor management program.

Guide 3 to be rescinded: Have you heard? The U.S. Securities and Exchange Commission (SEC) announced Guide 3, guidance that is over 30 years old, will be rescinded effective January 1, 2023. Guide 3 will be replaced with an entirely new set of rules as a subpart of Regulation S-K. But, it’s very important to callout that while Guide 3 isn’t rescinded until 2023, you’ll be required to follow the new rules beginning in January 2022. The new guidance will affect every publicly traded company. 

Understanding what risk management is and when software may help: Software Advice, a company that researches technology options, shares why vendor risk management is important and when software is needed. According to their team of advisors, who speak with risk managers often, if your revenue numbers are larger, that generally equates to an increased need for vendor risk management software. In addition, some industries hold more risks than others which creates an extreme need. How about you? Is managing vendor risk becoming a herculean feat that needs a little streamlining? 

CCPA may see an immediate amendment with Assembly Bill 713: As if CCPA wasn’t already a lot to get a handle on, now an emergency clause may require that a new bill, Assembly Bill 713, go into effect immediately. AB 713 will amend CCPA by exempting HIPPA deidentified information from CCPA. However, if this goes into effect, reidentified information is not exempt, meaning CCPA would apply. Will we see a new bill in effect today? 

The battle between states and the OCC: State regulators have begun to create a vision for fintechs and are evolving rapidly with technology advancements to keep up with these innovative companies as well. While doing this, state regulators aim to keep risk at the focal point while streamlining processes that will help both fintech companies and state agencies. The coined term for these initiatives is Vision 2020. But, it’s not that simple, and gets a little dicey as the Office of the Comptroller of the Currency (OCC) feels fintechs should not be governed only by state agencies as that could become too cumbersome to manage. Many beg to differ and find the OCC’s claims confusing. Why is this important to be aware of? Well, if the OCC gets their way, every state banking association will end up with their own regulatory requirements for fintechs and that bleed over into other areas, like privacy, cybersecurity and more. We’ll have to wait and see how this one unfolds… 

COVID-19 has increased overall vendor risk. Better protect your organization and download the infographic.