
October 2021 Vendor Management News


Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management program fresh. Below we've listed some notable articles to check out.

Recently Added Articles as of October 28

The proposed risk management guidance is getting some harsh feedback from advocacy groups and state attorneys general regarding “rent-a-bank” schemes.  New legislation in California is redefining personal information. Also, the CFPB makes the news as the regulator's Supervision and Examination Manual is getting an IT update and their director is keeping his promise to closely monitor big tech. Cybersecurity struggles continue to plague the healthcare industry and API vulnerabilities are discovered by an ethical hacker. We have some interesting headlines this week, so dive in to learn more!

Chinese payment terminal manufacturer suspected of preinstalled malware: The FBI raided a Florida warehouse owned by PAX Technology, a Chinese manufacturer of payment terminals, reportedly after being tipped off that the devices contained malware. A major U.S. payment processor had noticed the terminals sending unusually sized network packets that did not match the data they should have been transmitting. The terminals were allegedly being used as malware droppers to collect information, and a major financial provider has already begun pulling them from service in the U.S. and EU. The threat actor is not yet known, but a compromise of the terminal software's supply chain is the likely explanation.
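
The signal that exposed the suspect terminals in the story above, outbound traffic that does not look like the fleet's normal traffic, is something a processor or merchant can look for in its own flow logs. The script below is an added example, not code from the article, PAX or any payment processor. It scores every outbound flow against the fleet median with a robust (median/MAD) z-score, so a few huge outliers cannot drag the baseline up, and separately flags any flow to a destination other than the processor gateway. The flow records, addresses, allowlist and the roughly 1.3 KB "normal" payload size are all constructed assumptions for the demo.

```python
"""Fleet-baseline anomaly detection over payment-terminal flow records.

Added example for illustration; it is not code from the article, PAX or any
payment processor. It flags terminals whose outbound flows are far larger
than the fleet's typical flow (a robust z-score against the fleet median)
or that talk to a destination other than the processor gateway. All flow
records, addresses and the allowlist below are constructed sample data.
"""
from collections import defaultdict
from statistics import median

# Constructed NetFlow-style records: (terminal_id, dst_ip, dst_port, bytes_out).
# Assumption: a normal authorisation exchange is roughly 1.3 KB outbound.
SAMPLE_FLOWS = [
    ("POS-0001", "10.20.0.5", 443, 1280),
    ("POS-0001", "10.20.0.5", 443, 1310),
    ("POS-0002", "10.20.0.5", 443, 1295),
    ("POS-0002", "10.20.0.5", 443, 1270),
    ("POS-0003", "10.20.0.5", 443, 1300),
    ("POS-0003", "10.20.0.5", 443, 1288),
    # Suspect terminal: oversized payloads, one of them to a host that is not the processor.
    ("POS-0004", "10.20.0.5", 443, 48900),
    ("POS-0004", "203.0.113.77", 8443, 52400),
    ("POS-0004", "10.20.0.5", 443, 1290),
]

# Assumption: the only destination a terminal should ever reach is the processor gateway.
ALLOWED_DESTINATIONS = {("10.20.0.5", 443)}


def robust_z_scores(values):
    """Modified z-score (median/MAD based), so a few huge outliers cannot inflate the baseline.

    If the fleet is perfectly uniform (MAD == 0), any deviation at all is treated as anomalous
    rather than dividing by zero.
    """
    med = median(values)
    deviations = [abs(v - med) for v in values]
    mad = median(deviations)
    if mad == 0:
        return [float("inf") if d > 0 else 0.0 for d in deviations]
    return [0.6745 * d / mad for d in deviations]


def detect_anomalous_terminals(flows, allowed=ALLOWED_DESTINATIONS, z_threshold=3.5):
    """Return {terminal_id: [reasons]} for every terminal with at least one suspicious flow."""
    z_scores = robust_z_scores([nbytes for _, _, _, nbytes in flows])
    findings = defaultdict(list)
    for (terminal, dst_ip, dst_port, nbytes), z in zip(flows, z_scores):
        if (dst_ip, dst_port) not in allowed:
            findings[terminal].append(f"flow to non-allowlisted destination {dst_ip}:{dst_port}")
        if z > z_threshold:
            findings[terminal].append(
                f"outbound flow of {nbytes} bytes (robust z={z:.1f}) against fleet baseline"
            )
    return dict(findings)


if __name__ == "__main__":
    for terminal, reasons in detect_anomalous_terminals(SAMPLE_FLOWS).items():
        print(terminal)
        for reason in reasons:
            print("  -", reason)
```

Two caveats a practitioner would add: a fleet-wide baseline only works while most terminals are clean, so once a compromise is widespread a per-terminal historical baseline is the better reference; and size alone will not catch exfiltration that is padded or throttled to mimic legitimate payloads, which is why the destination allowlist check runs regardless of volume.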

Cryptocurrency regulations in the works: FDIC Chairman, Jelena McWilliams, is working with the Federal Reserve and the OCC to establish clear guidance on how policies are to be applied to crypto assets. Specifically referring to stablecoins, McWilliams stated that they should be subject to tailored oversight. If they’re issued from outside the banking industry, they should also be backed 1-to-1 by liquid assets. Policy statements are expected to be issued in the upcoming months.

Malicious add-ons blocked by Firefox: Mozilla has blocked two add-ons, Bypass and Bypass XM, that misused the proxy API, the WebExtension API that lets an add-on control how Firefox connects to the internet. According to Mozilla's recent blog post, the add-ons were discovered in early June, had been installed by almost half a million users and were interfering with users' ability to download Firefox updates. Firefox users are advised to run the latest version, Firefox 93 or Firefox ESR 91.2, and Windows users should also ensure that Microsoft Defender is running.
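
Because the blocked add-ons interfered with the browser's own update and blocklist traffic, a blocklist push cannot be relied on to reach an affected machine, so an out-of-band inventory of which installed add-ons hold the proxy permission is a useful check. The script below is an added example, not Mozilla code. It reads the .xpi files (zip archives containing a manifest.json) that Firefox keeps under a profile's extensions directory and lists every add-on that requests the "proxy" permission. The add-on names and IDs it writes for the demo are constructed; point it at a real profile's extensions directory to audit your own machine.

```python
"""Audit a Firefox profile's add-ons for the "proxy" WebExtension permission.

Added example, not Mozilla code. Firefox stores installed add-ons as .xpi
files (zip archives with a manifest.json at the root) under
<profile>/extensions/. The demo add-ons built below are constructed.
"""
import json
import os
import sys
import tempfile
import zipfile

PROXY_PERMISSIONS = {"proxy"}


def addon_permissions(xpi_path):
    """Return (name, gecko id, permission set) parsed from an .xpi's manifest.json."""
    with zipfile.ZipFile(xpi_path) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
    # Newer manifests use browser_specific_settings; older ones use applications.
    gecko = manifest.get("browser_specific_settings", manifest.get("applications", {})).get("gecko", {})
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    return manifest.get("name", "?"), gecko.get("id", "?"), perms


def find_proxy_addons(extensions_dir):
    """Return [(name, id, path)] for every add-on that can control the browser's connections."""
    hits = []
    for fname in sorted(os.listdir(extensions_dir)):
        if not fname.endswith(".xpi"):
            continue
        path = os.path.join(extensions_dir, fname)
        name, addon_id, perms = addon_permissions(path)
        if perms & PROXY_PERMISSIONS:
            hits.append((name, addon_id, path))
    return hits


def build_demo_profile():
    """Write two constructed .xpi files into a temp dir and return that dir (demo data only)."""
    ext_dir = tempfile.mkdtemp()

    def write_xpi(addon_id, name, permissions):
        manifest = {
            "manifest_version": 2,
            "name": name,
            "version": "1.0",
            "permissions": permissions,
            "browser_specific_settings": {"gecko": {"id": addon_id}},
        }
        with zipfile.ZipFile(os.path.join(ext_dir, addon_id + ".xpi"), "w") as xpi:
            xpi.writestr("manifest.json", json.dumps(manifest))

    write_xpi("benign@example.test", "Benign Notes", ["storage"])
    write_xpi("suspect@example.test", "Suspect Proxy Tool", ["proxy", "<all_urls>"])
    return ext_dir


if __name__ == "__main__":
    # Usage: python audit_proxy_addons.py /path/to/profile/extensions  (demo dir if omitted)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_profile()
    for name, addon_id, path in find_proxy_addons(target):
        print(f"{addon_id}\t{name}\t{path}")
```

A hit is a review item, not a verdict: legitimate VPN and proxy extensions need the same permission. What matters is whether you recognise the add-on and whether its ID matches what you installed.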

Healthcare providers continue to struggle with security weaknesses: Despite the prevalence of incident response plans within the healthcare industry, research shows that almost half of providers don’t have recovery plans in place and more than half have previously experienced a data breach. Only about one-third of healthcare providers perform ongoing vulnerability assessments and 35% said the most recent breach took weeks to resolve. To get back on track with vendor management, healthcare organizations should be implementing stricter measures to limit network and user access, with the end goal being a zero-trust model. Organizations should also review all access rights for users and vendors and understand how to maintain resiliency before an incident occurs.

Non-bank partnerships criticized by AGs and consumer groups: “Rent-a-bank” schemes are coming under fire from 19 state attorneys general and consumer groups, who argue that these predatory practices of high-cost lending are causing harm to consumers and risk to banks. The two groups of opponents recently wrote comment letters noting Congress’ repeal of the OCC’s True Lender Rule this past June and urged additional guidance to discourage these partnerships between financial institutions and non-banks engaged in high-cost lending. The FDIC was especially criticized for its failure to prevent the six supervisee banks from renting their charters to non-bank lenders. The AGs letter can be found here and the advocacy group letter is here.

Security improvements needed for third-party healthcare vendors: Healthcare organizations continue to rely on significant third-party inventories, but are challenged with providing adequate vendor security management. The increase in outsourced technology services leads to more cyber risk, which requires more due diligence around security controls. Organizations can greatly benefit by performing a business impact analysis (BIA) which measures the significance of an unexpected event that can disrupt a critical business function or process. The results of a BIA can be used to build effective business continuity (BC) and disaster recovery (DR) plans. BC and DR plans are sometimes used interchangeably, but both have different objectives. A BC plan gives details on how an organization can continue operations through manual processes, while a DR plan focuses on recovering the computer systems that support operations. Healthcare providers can improve their vendor risk management by reviewing the basics of educating staff on security risks, implementing multi-factor authentication for accessing networks and establishing an up-to-date and practiced incident response plan.

Ethical hacker reveals API vulnerabilities: Unregulated APIs could leave millions of patient health records exposed, according to a white paper written by an ethical hacker. Alissa Knight spent almost a year gaining access to these records, and many of the vulnerabilities she found were easily avoidable. One contributing cause is the healthcare-specific "information blocking rule", which essentially prohibits electronic health record (EHR) software vendors from intentionally blocking third-party access to their data stores. Further complicating matters, many companies developing or using these APIs aren't considered a "covered entity" and therefore aren't subject to HIPAA regulations.

New IT section added to CFPB manual: The CFPB is making some updates to its Supervision and Examination Manual with the addition of a new set of procedures titled Compliance Management Review – Information Technology. The five modules outlined are Board and Management Oversight, Compliance Program, Service Provider Oversight, Violations of Law and Consumer Harm and Examiner Conclusions and Wrap-Up. Each of the modules details the IT function within the compliance program including the policies and procedures, training, monitoring and responding to consumer complaints.

Personal information gets redefined in California legislation: Earlier this month, Governor Newsom approved an amendment to the Information Practices Act of 1977 that will affect entities that own or license computerized data which includes personal information. The Act includes breach disclosure requirements as well as reasonable security practices. According to the recently passed Assembly Bill 825, personal information now includes genetic data, which is any data that comes from the analysis of a biological sample.

Big tech ordered to hand over payment information: Newly appointed CFPB Director, Rohit Chopra, is committed to keeping a watchful eye on big tech and protecting consumers, according to a recent series of orders. Amazon, Apple, Facebook and Google were just some of the recipients of these information requests. Chinese tech leaders Alipay and WeChat Pay will also be monitored by the Bureau. Three areas of focus for these orders are on data harvesting and monetization, restrictive access policies and prioritization of consumer protection. Director Rohit Chopra also released a statement along with these orders.

Strategic approach needed for financial cybersecurity risks: Cyberattacks are on the rise in just about every industry. In turn, finance professionals should be playing a larger role in mitigating these cybersecurity risks. Accountants and other financial roles can be valuable in estimating the financial impact of data breaches and helping to prioritize an organization’s most valuable digital resources. Client and customer confidence is a critical component of cybersecurity that should also be a top concern for the CFO. It’s also important to keep informed of regulatory guidance as it pertains to disclosures and investigation of breaches. In general, an effective cybersecurity program should be placed at the foundation of an organization’s operations.

Regulators’ proposed guidance will unify third-party oversight: With the rise of new partnerships between banks and fintechs, regulators are hoping to address the increasing risks with their proposed guidance, released this past summer. This guidance will take the place of the three separate guidance documents that emerged over the past couple of decades. The FDIC got the ball rolling in 2008 with its Guidance for Managing Third-Party Risk, and 2013 saw the release of the Federal Reserve’s Guidance on Managing Outsourcing Risk and the OCC’s Third-Party Relationships: Risk Management Guidance. One of the key highlights of the proposed guidance is the requirement for vendor management and procurement processes to be established in a formal framework. It also emphasizes the importance of overseeing fourth and fifth parties that store third-party data. Diversity policies and hiring practices of third parties are also a focus in the new guidance.

Recently Added Articles as of October 21

This week, the White House is feeling more pressure from tech leaders to improve America’s cybersecurity posture. One recent attempt was found in a “counter-ransom initiative” with 30 other countries. Speaking of ransomware, an attack on Sinclair Broadcast Group caused many affiliate stations to go dark. In regulatory-related news, the OCC released its 2022 operating plan and the CFPB made a few changes to its senior leadership team. Read on to discover the other stories making headlines in third-party risk management.  

The difference between contract management and contract administration: These two terms are often used interchangeably, but they actually refer to two different phases within the contracting process. Contract administration is carried out prior to the signing of the contract and includes tasks such as defining the scope and deliverables, establishing a timeline and understanding the financials and risks. Contract management takes place after the contract is signed and should cover every subsequent stage: planning, implementation, handover, the contract stage itself (including defining when the work is complete), pre-renewal and the post-contract stage. Learn more in this article.

Vendor causes a data breach: Tens of thousands of dental patients probably aren’t smiling after it was revealed that their protected health information may have been exposed. Professional Dental Alliance (PDA) revealed that their vendor who provides administrative and technical support was the victim of a phishing attack that took place between March 31st and April 1st of this year. A few email accounts of the vendor named North American Dental Management were accessed by an unauthorized user, according to a breach notice released by one of PDA’s affiliates. PDA is still investigating the incident and has stated they haven’t found any evidence that the information was misused. In response, PDA is offering two years of complimentary credit monitoring and identity theft services.

ABA gives feedback on proposed TPRM guidance: After the release of the proposed third-party risk management guidance, the American Bankers Association recently responded with their own comments. The ABA expressed their support for this interagency effort, while also providing several suggestions on how to clarify and improve the guidance. In particular, the ABA noted that the final guidance should be restricted to banks that have written contracts with a third party and receive services on an ongoing basis. They also stated that the guidance shouldn’t include ad hoc arrangements that are limited in how long they last.

Dark Reading’s survey reveals positive cybersecurity attitudes: Despite the constant headlines of cyberattacks, it’s encouraging to learn that many organizations are appropriately responding by investing more into their cybersecurity programs. The 2021 Strategic Security Survey by Dark Reading suggests that organizations are taking attacks seriously, but are still struggling with insufficient cybersecurity staff. Burnout and an increasing risk to data can result when staff is overwhelmed. Investing into cybersecurity is still reactive, occurring only after noteworthy events happen such as the attacks on Colonial Pipeline and JBS.

Government needs to step up on cybersecurity says Google CEO: Could there be a Geneva Convention for cybersecurity in the near future? Tech leaders are calling for the U.S. government to take a more active approach in combating cyberattacks and investing in innovative technologies. Google CEO, Sundar Pichai, said it’s time for the tech industry to create a Geneva Convention equivalent to establish international legal standards for our interconnected world. He argues that more needs to be done to encourage innovation, especially to compete with China’s increasingly advanced AI capabilities. Policies that provide work visas to overseas talent would help in supporting Google’s efforts to innovate. This call for government action reveals an interesting shift that’s been taking place in Silicon Valley, where tech leaders have historically favored a more libertarian approach to federal involvement.

Ransomware attack forces Sinclair affiliates off the air: The term “technical difficulties” takes on a more interesting meaning when the cause is a nationwide ransomware attack. A recent cyberattack on Sinclair Broadcast Group caused major disruptions to many of its 294 local broadcast stations across the country. News and NFL games were unavailable after hackers encrypted servers and workstations with ransomware. However, master control was unaffected, which allowed Sinclair to provide a national feed to the impacted stations. Sinclair is still investigating which information was stolen and filed a notice with the SEC two days after the incident was discovered.

Cyber detectives are playing offense without attacking: The Computer Fraud and Abuse Act of 1986 criminalizes accessing a computer without authorization, which in practice leaves offensive cyber operations to the federal government; however, some cyber experts are using clever methods to work within the law. For example, some have posed as a customer seeking to buy stolen data, which can lead the cybercriminal to grant access to the computer or database used in the attack. Because the hacker has consented to that access, the experts avoid violating the 1986 law. Other experts aren’t fully on board with allowing the private sector to launch its own cyberattacks, since doing so could make companies bigger targets for other hackers and nation states, and a mistake could escalate existing hostilities between the U.S. and another country.

OCC’s bank supervision plan released for 2022: The OCC has officially released its Fiscal Year 2022 Operating Plan which will be used by staff members to direct their priorities, planning and allocation of resources. Some of the strategies will include areas of cybersecurity, operational resilience and climate change risk management. Other areas of focus are credit risk management and compliance of the Bank Secrecy Act/anti-money laundering. The Semiannual Risk Perspective will also be released in the fall and spring.

White House meets with 30 nations to fight ransomware: Preventing the use of anonymous cryptocurrency and strengthening critical infrastructure were on the agenda at a recent meeting between the White House and 30 other countries. This “counter-ransom initiative” was held over two days and was intended to create strategies to combat ransomware with the help of countries such as Australia, Britain, Germany and India. Russia was notably excluded from the meeting, with the Biden Administration stating that their inclusion would distract from the discussions of common initiatives. While the White House has already mandated cybersecurity standards for government contractors, they’re struggling to do the same for private organizations who fear that mandatory reporting of attacks will cost them investors or customers.

New senior leadership for the CFPB: The CFPB is making some changes to their senior leadership with four new roles. Zixta Q. Martinez will now serve as the Deputy Director, overseeing the operations division. The Associate Director for Consumer Education & External Affairs will now be held by Karen Andre and Jan Singelmann will serve as the Chief of Staff. Lastly, the new Chief Technologist opening goes to Erie Meyer who was a founding team member of the Office of Technology and Innovation.

CFPB’s Supervisory Highlights teaches valuable lessons: Maintaining perfect regulatory compliance may not always be realistic, but examiners expect creditors to make reasonable attempts to avoid mistakes in their compliance management system. The CFPB noted some significant issues by auto financers in their Summer 2021 Supervisory Highlights. According to the CFPB, the first mistake of creditors is related to unfair charges by sending the request for proof of insurance to the wrong address. Simply mailing the notice to the address on file and hoping it reaches the intended person isn’t acceptable. The creditor should take additional steps to prevent this problem by checking the National Change of Address database or using a customer service representative to directly contact the customer. Inaccuracies in posting payment is another blunder that the CFPB found with creditors. For example, some may have posted a customer’s payment to the wrong account, after which the customer complained of late fees and negative credit reports. Failing to apply payments in the proper order and incorrect payoff amounts are other issues the CFPB highlighted. The lesson to be learned is that it’s always better to find and address these problems before the CFPB.

FTC breach notification may apply to health apps: The increasing use of health apps has resulted in many lawmakers struggling to define applicable legal and ethical standards. Health apps can potentially be required to comply with any number of regulatory guidelines, depending on their use of diagnosing or treating a medical condition. Utilizing protected health information would also bring in HIPAA and selling products would apply state privacy laws like the CCPA. The FTC’s Health Breach Notification Rule broadly covers vendors of electronic personal health records (PHRs), along with related entities and service providers. Apps or connected devices that sell or maintain PHRs are also covered by the rule. The first step that health app vendors should take is to determine if they’re in scope of the rule. If so, they can then move on to creating policies and procedures to address the rule’s requirements.

Navigating vendor relationships and vaccine mandates: It seems as though each day brings a new story about vaccine mandates. Almost half of U.S. states currently have vaccine mandates for healthcare workers, most of which also include their contractors and vendors. For organizations subject to vaccine mandates, there are a few tips to ensure your vendors are also complying. The first tip is to contact your vendors and use your state’s wording to ask for vaccine documentation. An additional short summary might also help achieve compliance. Organizations should also be clear about what they’ll accept as proof, whether it’s a photo or use of a health passport application. If weekly testing is an option, there should also be clear expectations about how your vendors will share negative test results.

Recently Added Articles as of October 14

As we get closer to the spookiest day of the year, we see frightening stories on killware threats and the losing cybersecurity battle against China’s AI capabilities. Cyberattacks are causing a huge price increase for cyber insurance premiums and a large data breach on gaming platform, Twitch, is raising alarms. Compliance is also making headlines this week with a reminder on FTC regulations and a CFPB complaint against a mortgage lender. Read on for all the details.

 

OpenSea flaw left doors open for cryptocurrency theft: A critical vulnerability has been patched in OpenSea, the largest non-fungible token (NFT) marketplace. The flaw could have been exploited to steal cryptocurrency: the attacker would send a malicious NFT to the victim, and if the victim clicked it, unauthorized transactions could be triggered through the victim’s third-party wallet provider. Check Point Research found the flaw, and OpenSea patched it within one hour of disclosure.

 

Threat of killware should raise alarms: With so much focus on the monetary loss from ransomware attacks, there’s another kind of threat that’s even more alarming. Killware is the name appropriately given to cyberattacks that can result in the loss of life. Secretary of Homeland Security, Alejandro Mayorkas, pointed to the potentially deadly attack on a water treatment facility in Florida that was motivated purely by the desire to cause harm. Attacks on hospitals are another source of concern because vulnerable patients are at risk of life-threatening complications. Iran, Russia and China have all infiltrated critical infrastructure in the U.S., but there haven’t been many cases of them taking destructive action.

 

Four zero-day bugs fixed in Microsoft's recent Patch Tuesday: Microsoft’s October Patch Tuesday fixed a total of 74 vulnerabilities, including one actively exploited zero-day, tracked as CVE-2021-40449, a Win32k elevation-of-privilege flaw that attackers were using to gain control of Windows servers. The three other zero-days, CVE-2021-41335, CVE-2021-40469 and CVE-2021-41338, had been publicly disclosed before the patch but were not known to be under active exploitation. Further fixes addressed additional Windows Print Spooler vulnerabilities, a continuation of the spooler issues patched in previous months. The best course of action is to patch as soon as possible; CVE-2021-40469, CVE-2021-26427 and CVE-2021-40487 deserve priority because they are remotely exploitable and affect a broad set of installations.

 

Pentagon official quits over U.S. and China cybersecurity battle: A top cybersecurity official at the Pentagon recently threw in the towel after coming to the conclusion that the U.S. can’t compete with China’s AI capabilities. In a recent LinkedIn post, Nicolas Chaillan stated that the primary reason for his resignation was the Pentagon’s reluctance to prioritize cybersecurity and AI, giving China a huge advantage. Chaillan believes that the U.S. is spending more on defense, but allocating it to the wrong areas. He plans to testify before Congress about the ongoing threat from China. Cybersecurity is a regulatory hot button, so we're interested to learn the outcome. 

 

The future of compliance: Award-winning author and compliance expert, Tom Fox, gives valuable insight into a few hot topics in this interview. Some of the key takeaways include the importance of data, the trending topic of ESG issues and why public opinion can be the greatest danger to organizations. He states that the speed of social media requires organizations to have policies in place to detect, prevent and remediate issues as quickly as possible. He also speaks to the effect of the pandemic on compliance and risk management, stating that all data needs to be accessible to an organization's compliance team. And as far as operating strategies go, risk management is business as usual. Utilizing data to manage risk is essential for organizations to thrive as they move forward.

 

Two FTC regulations that affect all creditors: Just in case you want to brush up on some credit compliance facts, the Federal Trade Commission has two regulations that affect every consumer credit sale and loan transaction. The first is the Preservation of Consumers’ Claims and Defenses that requires credit sellers and lenders to include a provision in credit contracts that saves the consumer’s claims and defenses against an assignee. This provision eliminates the separation of the duties and responsibilities between an originating creditor and an assignee. The second regulation is related to unfair credit practices such as the pyramiding of late charges and failing to notify cosigners. These are just two of a larger collection of regulations that cover everything from door-to-door sales, used vehicles and merchandise ordered through phone or mail.

 

Cyberattacks cause insurance premiums to soar: The costs incurred from ransomware and other cyberattacks are driving up both the demand for and the cost of cyber insurance. Supply chain threats are also increasing demand because of the infamous attacks on SolarWinds, Accellion and Kaseya. It’s estimated that costs have increased about 50% year-over-year, and organizations should expect to see this trend continue. New business models are also emerging as a result of the increasing demand. Some insurance providers are bundling security services with their insurance products, and it’s predicted that insurers will eventually have to shift to technology-focused operations, as they must collect and analyze data at a much larger scale. Overall, cyber insurance providers are moving in the right direction and are becoming more open to sharing information to identify potential threats and weaknesses.

 

Reverse mortgage lender is accused of deceiving seniors: American Advisors Group (AAG) has been using inflated home estimates to deceive older home owners into taking out reverse mortgages. The CFPB filed a complaint against the lender, alleging that they violated a 2016 consent order regarding deceptive advertising. The enforcement action would require AAG to cease their deceptive practices and pay a $1 million civil penalty in addition to $173,400 in monetary relief to consumers.

Contractors accountable for breaches under DOJ initiative: The Department of Justice has officially launched the Civil Cyber-Fraud Initiative, with the goal of defending against new and emerging cybersecurity threats aimed at sensitive information and critical systems. The Deputy Attorney General stated that government contractors who hide breaches and fail to follow cybersecurity standards will be pursued by the agency, noting that these actions put us all at risk. The initiative includes a whistleblower provision that allows private parties to assist in identifying and pursuing fraudulent activity without fear of retaliation. Some of the benefits of the initiative include reimbursement to the government and taxpayers for losses incurred after a cybersecurity incident, and ensuring that organizations aren’t at a competitive disadvantage when they invest in meeting these requirements.

 

Hacktivist-led Twitch breach is cause for worry: Source code, creator information and internal data have apparently been leaked from gaming and streaming services leader Twitch. The Amazon-owned platform issued a brief statement on Twitter confirming the breach, but details are still emerging on the extent of the incident. Other reports state that additional sensitive information was leaked, revealing how much Twitch paid some of its most popular streamers in 2019. The hacktivist appears to have been motivated by the site’s unsatisfactory response to hate raids over the summer, in which trolls used bots to bully certain minority users with hate-filled messages. Cybersecurity experts agree that this breach is as bad as it gets, with many wondering how a hacker was able to steal such a large amount of sensitive data without setting off any alarms. Even more worrisome is that the attacker labeled this incident “part one”, suggesting that it’s only going to get worse.

 

Remote employees and HIPAA guidelines: While remote work environments have proved beneficial for many organizations, they also come with challenges in staying compliant with regulatory requirements like the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). This article outlines a few recommendations to help ensure that remote employees remain compliant with HIPAA and HITECH. First, healthcare organizations should establish formal remote work policies with specific requirements, such as requiring employees to store hard-copy protected health information (PHI) in a lockable file cabinet or mandating that PHI is destroyed when it’s no longer needed. There should also be appropriate requirements for equipment, software and hardware, such as using multi-factor authentication or restricting the use of personal devices for network access.

 

How to choose a worthy waste management vendor: Waste management vendors probably don’t get the attention they deserve, but it’s important to realize that they can be just as critical as any other vendor when it comes to compliance and sustainability issues. Different industries will have different waste management needs, most notably healthcare organizations who often need to dispose of hazardous waste. There are many things to consider when selecting a waste management vendor, such as compliance requirements, the conditions of the disposal site and the timing of processing the waste. Shared values and sustainability goals are also worth considering for organizations that want to achieve zero waste. Vendor costs and labor shortages are other factors that can affect the vendor selection process but the end goal should be creating a long-term partnership.


ESG gets a boost from the SEC with climate change disclosures: Environmental, social and governance (ESG) issues continue to gain traction, most recently with the SEC’s publication of a sample comment letter last month. The letter focuses on climate change disclosures, although the SEC hasn’t issued new rules since its 2010 Climate Change Guidance. In particular, the letter highlights risk factors and management’s discussion and analysis (MD&A), both of which should address material climate change consequences when organizations make their disclosures. It should also be noted that the SEC is closely watching corporate social responsibility (CSR) reports, although these currently aren’t required to be filed with the agency.


Climate risk disclosures will prove challenging for some: Enhanced climate change disclosures are likely to challenge some U.S. organizations who still have inadequate knowledge of environmental issues. Some organizations are also inconsistent in how they view environmental consequences across their operations, while also coming up short on the staff needed to track important data. Environmental reporting that is both consistent and detailed is a wise strategy that allows investors and other applicable parties to evaluate climate vulnerability and risk. However, many organizations may find this reporting process difficult to handle without additional education and time to implement internal infrastructure.


Anti-corruption resources now available for metals technology industry: New guidance on gifts and hospitality and third-party due diligence was recently released by the Metals Technology Industry to provide best practices on anti-corruption compliance. The guidance on gifts includes four real-life scenarios of acceptable and unacceptable practices and outlines different approval procedures. The due diligence guidance covers practices for the onboarding stage and identifies risk indicators for scenarios such as vendor selection and how the third party is compensated and structured.


Proposed risk management guidance highlights antitrust risk: Banking organizations are seeing more coordination among regulators after the Fed, FDIC and OCC published their recent Proposed Guidance. The guidance covers a variety of third-party risk management issues, including adopting processes appropriate to the level of risk and allowing organizations that use the same third party to work collaboratively. However, the guidance cautions that such shared activities remain subject to antitrust laws and refers readers to separate FTC and DOJ guidance titled Antitrust Guidelines for Collaborations Among Competitors. Organizations are advised to seek the advice of qualified antitrust counsel before engaging in collaborative activities with competitors.

Recently Added Articles as of October 7

October is Cybersecurity Awareness Month! To kick it off, this week we have a lot of headlines on the topic. Google is in the news as they’re preparing to enroll 150 million users in two-factor authentication by the end of the year. The tech giant is also seeing some controversy as it was revealed they’re complying with keyword warrants. In the regulatory world, OFAC recently released updated guidance on ransomware payments and the new CFPB director is expected to be more aggressive with enforcement actions. There’s a lot to unpack this week, so read on for more!

150 million Google users to be enrolled in two-factor authentication: Google recently announced its plans to boost security through the use of two-factor authentication. About 150 million users will be automatically enrolled in this method by the end of the year. Two million YouTube creators will also be required to use two-step verification. Google plans on adding a feature that will allow users to save their passwords from the app’s menu.

Google served with controversial “keyword warrant”: Google’s commitment to protecting user data is again in the spotlight. There are privacy concerns after it was recently revealed that the government requested search data related to a sexual assault victim back in 2019. Innocent Google users could potentially get caught up in an investigation if they just coincidentally searched for similar terms. A cybersecurity lawyer for the American Civil Liberties Union (ACLU) argues that this is a type of “mind reading” powered by Google and can ultimately threaten the First Amendment. It’s even more concerning that this is being done in secret, as it wasn’t supposed to be made public. In response, Google emphasized their rigorous process to protect user privacy while also supporting law enforcement.

Ethernet cables used in data theft: New research shows that a technique called the “LANtenna Attack” can turn Ethernet cables into antennas, leaking sensitive data from air-gapped systems to a wireless receiver in another room. Researchers tested the method and found it successful at a distance of 200 cm. To protect against this threat, it’s recommended to prohibit radio receivers around air-gapped networks. Network interface activity should also be monitored for covert channels, and signal jamming can be used as a further countermeasure.
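The detection advice above (monitor network interfaces for covert channels) can be made concrete. The following is an added example, not code from the article or from the LANtenna researchers. It assumes a transmitter that keys bits by alternating bursts of traffic and silence for a fixed symbol time (on/off keying), so a NIC byte counter sampled at a fixed rate shows two levels whose run lengths quantise to one period; ordinary bursty traffic does not. The byte-count samples, the symbol period of 5 samples and the "Hi" payload are all constructed for the demonstration.

```python
"""Heuristic detector for an on/off-keyed (OOK) covert channel in NIC byte
counters.  Added example, not from the article or the LANtenna paper.
Assumption: the transmitter signals a 1 by bursting traffic and a 0 by staying
idle, each for a fixed symbol time, so a counter sampled at a fixed rate shows
two levels whose run lengths are integer multiples of one period.  Normal
traffic is bursty too, but its run lengths do not quantise to a single period."""

import random


def quantise(samples):
    """Map per-interval byte counts to 0/1 around the midpoint of the range.
    A production detector would cluster instead; the midpoint is enough for a
    two-level signal and keeps the example deterministic."""
    threshold = (min(samples) + max(samples)) / 2
    return [1 if s > threshold else 0 for s in samples]


def run_lengths(bits):
    """Collapse a 0/1 sequence into (level, length) runs."""
    runs = []
    for b in bits:
        if runs and runs[-1][0] == b:
            runs[-1][1] += 1
        else:
            runs.append([b, 1])
    return [(b, n) for b, n in runs]


def period_fit(runs, period, tol=0.25):
    """Fraction of runs whose length is within tol*period of k*period (k >= 1)."""
    aligned = 0
    for _, n in runs:
        k = max(1, round(n / period))
        if abs(n - k * period) <= tol * period:
            aligned += 1
    return aligned / len(runs)


def detect_ook(samples, min_runs=8, min_fit=0.9):
    """Return {'flagged', 'period', 'fit', 'bits'} for one interface's samples."""
    verdict = {"flagged": False, "period": None, "fit": 0.0, "bits": []}
    if not samples:
        return verdict
    runs = run_lengths(quantise(samples))
    longest = max(n for _, n in runs)
    if len(runs) < min_runs or longest < 2:
        return verdict          # too few level changes, or no oversampling
    # Try every candidate period from 2 samples up to the longest run; on a tie
    # prefer the coarsest period (the symbol time itself rather than a divisor).
    period = max(range(2, longest + 1), key=lambda p: (period_fit(runs, p), p))
    fit = period_fit(runs, period)
    verdict.update(period=period, fit=fit, flagged=fit >= min_fit)
    if verdict["flagged"]:
        for level, n in runs:   # demodulate: k symbols of `level` per run
            verdict["bits"].extend([level] * max(1, round(n / period)))
    return verdict


def text_bits(text):
    """ASCII text to a list of bits, MSB first."""
    return [int(b) for ch in text for b in format(ord(ch), "08b")]


def constructed_covert_counters(message, period=5, seed=1):
    """Constructed sample: bytes per 100 ms while a transmitter keys `message`
    (4-bit preamble, then payload) with `period` samples per symbol."""
    rng = random.Random(seed)
    bits = [1, 0, 1, 0] + text_bits(message)
    samples = []
    for bit in bits:
        for _ in range(period):
            base = 900_000 if bit else 2_000        # burst vs idle
            samples.append(base + rng.randint(0, 1_500))
    return samples, bits


def constructed_benign_counters(seed=2):
    """Constructed sample: bursty but irregular traffic with no common period."""
    rng = random.Random(seed)
    run_plan = [3, 1, 7, 2, 1, 4, 6, 1, 3, 9, 2, 5, 1, 8, 3, 2, 4, 1, 6, 2]
    samples = []
    for i, n in enumerate(run_plan):
        busy = i % 2 == 0
        for _ in range(n):
            samples.append(600_000 + rng.randint(0, 200_000) if busy
                           else 2_000 + rng.randint(0, 1_500))
    return samples


if __name__ == "__main__":
    covert, sent = constructed_covert_counters("Hi")
    v = detect_ook(covert)
    print("covert: flagged", v["flagged"], "period", v["period"],
          "payload recovered:", v["bits"] == sent)
    print("benign: flagged", detect_ook(constructed_benign_counters())["flagged"])
```

The heuristic deliberately ignores absolute throughput and looks only at timing structure, which is what a keyed channel cannot hide; in practice the samples would come from the interface's TX byte counter (for example /sys/class/net/<if>/statistics/tx_bytes on Linux) and the threshold step would use clustering rather than a midpoint.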

Fuel, energy and aviation targeted by APT hacking group: The advanced persistent threat (APT) group ChamelGang has been identified as responsible for recent attacks aimed at stealing data from the fuel, energy and aviation industries. The attackers gained entry through the supply chain, compromising less-protected affiliated organizations to reach their targets, and are believed to have been active since March 2021. Attacks in August exploited vulnerabilities in Microsoft Exchange servers. A Russian aviation company was among the August victims, and researchers noted that these types of attacks can cause significant financial and reputational damage.

Op-Ed argues against EU regulations that target U.S. tech: Despite the growing interest in stronger transatlantic relations, there’s a concern that the EU’s penchant for regulation will ultimately weaken the security of the United States. Proposed laws like the Digital Markets Act (DMA) and the Digital Services Act (DSA) are targeting U.S. tech companies, with the intention of breaking down their business models which would lead to more difficulty in securing systems and data. For example, the DMA would require the transfer of data without geographic restrictions or any security precautions. Another provision would require U.S. tech companies to provide international third-party service providers access to the same operating system hardware used by the U.S. The Biden Administration has responded by creating the Trade and Technology Council which will push back against actions that prevent the U.S. from competing with other nations like China.

New CFPB director expected to expand enforcement actions: The CFPB has a new leader, and financial institutions are preparing for a more active regulator. Director Rohit Chopra was recently confirmed by the Senate and is expected to practice “regulation by enforcement”. There will likely be more enforcement actions against companies that don’t deal directly with consumers and against corporate officers who oversee unlawful conduct. Chopra also has a history of going after larger violators and of advocating for monetary relief even from parties outside the regulator’s direct authority.

HIPAA compliance is not enough to secure data: It may come as a surprise to some, but HIPAA compliance doesn’t necessarily mean that protected health information (PHI) is secure. The gap between compliance and security comes from the fact that HIPAA regulations specify what must be done, but not how. This inevitably leads to differing interpretations of what’s considered “reasonable” when protecting PHI in email. Human error, such as sending unencrypted emails or falling victim to a phishing scam, can be just as risky as external threats. There are a few strategies that healthcare organizations can implement to strengthen their cybersecurity: continuous employee training, keeping policies up to date, email encryption and regular patching of vulnerable systems are practices that can better protect against these risks.

Ransomware guidelines from OFAC: As ransomware attacks continue to grow in number and sophistication, OFAC released updated guidance on the risks of paying the ransom. While it’s understandable that victims want to pay to preserve business operations and regain access to their data, they should be aware of the sanctions risk if the payment goes to individuals or entities on the agency’s Specially Designated Nationals (SDN) list. OFAC strongly advises against paying ransoms and has designated the SUEX cryptocurrency exchange as a blocked entity. To date, there haven’t been any OFAC enforcement actions related to ransomware payments, but two mitigating factors will now be considered. First, mitigation credit will be given if the organization took meaningful steps to reduce the risk of extortion, such as improving its cybersecurity practices, before the incident. Second, victims that promptly report the incident to the appropriate authorities and cooperate with law enforcement will also receive mitigation credit.

Coinbase customers robbed after a suspected phishing attack: At least 6,000 Coinbase customers had funds stolen after a phishing campaign and a multi-factor authentication flaw were combined to gain access to accounts. The attackers first obtained email addresses, passwords and phone numbers; Coinbase said it was not at fault for that credential theft, which was most likely accomplished through social engineering. Coinbase had recently warned that it was seeing an increase in successful phishing attacks capable of bypassing spam filters. A flaw in its SMS-based multi-factor authentication (MFA) was also to blame, and many experts agree that SMS MFA is an easily defeated control, since codes can be intercepted or redirected (for example through SIM swapping). All stakeholders, including management, buyers and users, should be aware of the weaknesses of SMS-based MFA, and cryptocurrency users in particular need to understand that they are constant targets of cybercriminals.

A holistic strategy for third-party risk management: Research shows that 60% of organizations have more than 1,000 active vendors in their inventory. This large number of third parties and increasing prevalence of interconnected industries requires a more collaborative and holistic approach to manage risk. Organizations are encouraged to consider four suggestions to ensure they take this approach. First, they should create a standard set of cybersecurity requirements for third parties. They should also establish a process to evaluate suppliers based on their levels of risk. This can be done through a few different methods including cybersecurity ratings, internal assessments and industry certifications. Ongoing monitoring and revision of all third parties is another important recommendation, as is continuous engagement with supply chain stakeholders.

Risk mitigation strategies are still weak despite threat awareness: Third-party cyber threats continue to expose many organizations to risk, but they’re still facing challenges on how to mitigate it. A recent survey found that 95% of respondents are struggling to manage third-party risk because of weak strategies or technologies. A common theme in improving third-party risk management is approaching it with a holistic strategy to better prepare the entire cybersecurity environment. Organizations should treat their vendors as a part of their own brand and establish a strict set of cybersecurity expectations and guidelines. It’s also important to perform ongoing monitoring, as the cyber risk of vendors can change with new attack methods. Regular communication with all vendors and cybersecurity training for employees should also be prioritized.

Preventing supply chain attacks with vendor management: Attacks against supply chains show no sign of slowing down, so it’s important to learn how to protect against them. Organizations should first understand why supply chain attacks are especially difficult to prevent: on average, an organization shares sensitive information with nearly 600 third parties, all with different policies, and some of that risk persists even after a contract is terminated. Vendor management shouldn’t wait until a contract is in place; it should begin at the screening stage. Vendors should be required to provide a thorough security policy during screening, and it should cover disaster recovery and incident response procedures. Vendor management should also extend beyond screening, with regular audits of third-party security controls.

Data breaches continue to burden the healthcare industry: Cybercriminals also aren’t slowing down on their attacks against healthcare organizations, as the industry is predicted to be victimized 2 to 3 times more than average. The combination of outdated systems and infrastructure, delays in adopting cybersecurity best practices and privatized health care networks all make for an appealing target for cyberattacks. With patient safety being a high risk, many attackers are assuming that ransom will be easier to obtain. This article highlights a few of the top stories this year related to cyberattacks on healthcare organizations, including the impact of ransomware and the increasing costs of data breaches.

Data brokers are a bigger threat to privacy than breaches: While data breaches often make headlines, it can be argued that data brokers pose a bigger threat to privacy. This podcast by DeleteMe CEO, Rob Shavel, covers why users should be more concerned with data brokers, who essentially are designed to monetize consumers’ personal information and provides some tips on how to prevent these brokers from selling that information. Some of the suggestions include how to be smart about social media, being aware of software privacy and automating the opt-out process through the use of a data broker removal service.

Valuable lessons from WPP enforcement action: The recent SEC enforcement action against multinational advertising firm WPP should serve as an important reminder to the consequences that stem from non-compliance. WPP was penalized for multiple deficiencies related to the Foreign Corrupt Practices Act (FCPA), including areas of third-party risk management, employee complaints and its failures in its internal accounting controls. More specifically, subsidiaries of WPP failed to conduct proper due diligence for its third parties that were found to be involved in bribery. The SEC also discovered that WPP employees supplied false documentation and that anonymous employee concerns weren’t taken seriously. A strong culture of compliance would’ve been beneficial in mitigating many of these risks, both within the parent organization of WPP and its subsidiaries.
