October 2022 Vendor Management News
By: Venminder Experts on October 27 2022
Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of October 27
This week, experts are encouraging organizations to improve security controls and use third-party risk management best practices to identify and mitigate risks in the supply chain. As malicious actors continue to target vulnerabilities and security gaps, you should work to create more efficient risk management practices. Effective third-party risk management is more important than checking regulatory boxes, so don’t miss out on any of this week’s news to learn more!
Employers should review contracts following NLRB proposal: Last month, the National Labor Relations Board (NLRB) issued a new proposal on joint-employer status, which should prompt employers to review their contracts. The proposal states that two entities are joint employers if they share control over essential job terms such as wages and benefits. This means that both entities can be held responsible for matters such as legal charges brought against only one of them. For organizations that regularly engage with third parties, experts suggest reviewing your contracts to see whether you might be considered a joint employer under this proposal.
Organizations should monitor the supply chain for risks: According to a survey, 80% of respondents stated that they were notified of a supply chain vulnerability or incident over the past year. As supply chain attacks continue to target weaknesses and security gaps, it’s essential to monitor your suppliers for any risks that could harm your organization. Experts say that a lack of visibility into the supply chain opens opportunities for risks to cause severe damages which can affect your organization’s finances, reputation, and operations. Even open-source software can expose your organization to hidden risks, so it’s critical to assess your supply chain for any red flags and take appropriate action to improve security measures and protect your organization.
Vulnerability found in SQLite’s code: A vulnerability in SQLite’s database library, tracked as CVE-2022-35737, has been identified. This issue has been present since 2000 and has finally been patched in the 2022 version.
U.S. News and World Report develops health equity metrics: A 2001 report highlighted the different domains that affect the quality of a health system which can be used to rank hospitals, including safety, efficacy, efficiency, timeliness, and patient-centeredness. Because equity has been difficult to measure, it hasn’t been used in these rankings. However, U.S. News and World Report has recently developed metrics that can be used to measure equity. These are access, outcomes, and social determinants of health. Together, these can be used to help patients decide where they want to receive healthcare.
Understanding third-party risks in your supply chain: The supply chain can be home to many cyber, financial, ESG, and regulatory risks, so it’s essential to monitor for emerging threats and include the supply chain in your third-party risk management activities. You should begin by establishing clear communication channels with your suppliers and working to identify any potential vulnerabilities with risk assessments that thoroughly evaluate vendor risk. Be sure to continually monitor your supply chain, as new risks can emerge at any time.
Microsoft’s misconfiguration exposes customer data: Microsoft is working to notify affected customers following a recent incident which left private information exposed. Currently, Microsoft isn't disclosing what data was exposed during the incident, though experts believe that this information could be used by malicious actors, especially as it relates to Microsoft’s infrastructure.
Experts stress the importance of strong passwords to protect information: Experts with a vulnerability management firm have been studying a list of leaked passwords to gather insights on hacker methodology and techniques. In their findings, the experts found that hackers assume that users create weak passwords and that a striking number of users continue to use common or easy-to-guess passwords such as phone numbers and sequential numbers. To protect your information, you should regularly monitor your systems for any weak passwords and teach your employees the importance of password managers to make stronger passwords.
Federal authorities have identified hackers targeting the healthcare sector: Investigators with the FBI, CISA, and the Department of Health and Human Services have identified a group of hackers who are using ransomware to target healthcare organizations. These hackers, known as Daixin Team, use ransomware to steal patient information, extort their victims, and threaten to release the information online. Officials encourage organizations to follow best practices such as using multifactor authentication tools, training staff to identify and report suspicious activity, and updating systems with the newest patches and software.
FTC decision targets unfair and discriminatory practices: The Federal Trade Commission (FTC) recently came to a ruling in regards to unfair and discriminatory actions, in which dealerships were found to be charging people of color with additional costs. In their ruling, the commissioners stated that they're looking to defend consumers and that businesses should ensure that they develop and follow written policies to detect and prohibit discrimination.
Using third-party risk management to manage cyber risks: A recent survey highlighted that many cyber incidents targeting healthcare organizations were caused by third-party vulnerabilities. Weaknesses and gaps in your third party’s security practices expose your organization to cyber risks, so you should work to ensure that your third-party risk management program is ready to identify and mitigate any potential risks that could threaten your organization. By improving your security frameworks, updating your security policies to account for third parties, developing an effective incident response plan, and communicating with your vendors, you’ll be able to identify and mitigate the risks that threaten your organization’s security.
Concerns around cyber incidents continue to rise: It’s no surprise! Given the many recent cases of data breaches and malicious hackers, many organizations are concerned about cyber crimes that target their data, money, and operations. As officials caution organizations to improve security policies and procedures, a recent survey found that respondents were most concerned about increased risks of ransomware and child exploitation over the next several years.
Creating a more beneficial third-party risk management process: In some cases, organizations may view third-party risk management as activities to be checked off, without understanding the importance of mitigating vendor risks. Third-party risk management is essential to protect your organization from reputational, financial, and legal risks that could leave lasting impacts. To reap the benefits of third-party risk management, it’s important to perform thorough evaluations, understand the risks your vendors pose to your organization, and continually monitor for any emerging risks. By focusing on the quality of your third-party risk management program, prioritizing your vendor assessments, building stronger vendor relationships, and simplifying your risk assessments, you’ll be able to create a more efficient and beneficial vendor risk management program.
Breaking down the FDIC’s comments on crypto-assets: The Federal Deposit Insurance Corporation's acting Chairman Gruenberg, in a recent presentation at the Brookings Center, spoke on the future of crypto-assets. Chairman Gruenberg discussed topics including the impact of new innovations on the banking industry, the challenges that consumers face while using crypto-assets, and plans for regulating crypto-assets. He stresses that the FDIC will be taking a careful approach to regulations and bank participation in crypto-assets to protect against potential risks and address the dynamic nature of these assets.
Tips for reorganizing your teams: Experts point out a few best practice tips for organizations looking to improve efficiency and operations by reorganizing their teams. These tips include starting early, working with teams to determine their individual budgeting needs, acting with empathy during potential layoffs, and communicating your goals and reasons for restructuring with your employees.
Mitigating third-party data breach risks: As we’ve seen over the past year, hackers are able to exploit vulnerabilities in third parties to gain access to private networks and sensitive information, such as in the third-party data breaches that targeted Uber and Okta. It’s important to understand the gaps that may be present in your third party’s security, or in your supply chain, so that you can take the appropriate steps to mitigate the risk of third-party data breaches. You should be sure to limit access to privileged users, gain end-to-end visibility to understand who is accessing your data, and continually monitor your third parties for any new or hidden risks that could leave your data exposed to hackers.
What is an SBOM and how can it benefit you?: Supply chain and third-party risks pose threats to many organizations, especially when it's difficult to gain visibility and understand exactly where potential vulnerabilities may lie. In some instances, a Software Bill of Materials (SBOM) may be an effective solution, listing the components from which a specific piece of software is built. In addition, software escrow agreements offer additional assurance by confirming that the software is secure and available. Together, an SBOM and a software escrow agreement can verify that your software works properly and provide peace of mind about your software supply chain.
Health insurance provider fined for violating a cybersecurity regulation: EyeMed Vision has agreed to a $4.5 million settlement after being charged with violating New York’s cybersecurity regulations. In an investigation, it was found that EyeMed suffered a data breach, which exposed its customers’ private information. The data breach was the result of insufficient cybersecurity practices, including a lack of multifactor authentication and insufficient third-party risk assessments.
Recently Added Articles as of October 20
In the news this week, we’re looking at how third-party vendors can threaten your ESG compliance as well as how you can defend your organization against supply chain risks. Studies show that the global average cost of data breaches has increased in 2022, so it’s important to look at recent trends and best practices for identifying and managing risks that could compromise your organization’s security. You won’t want to miss any of the news, so be sure to peruse below!
Understanding third-party risks and the role in ESG compliance: As we look at new and updated ESG requirements and the ways that your organization may need to improve practices to comply, it’s critical to understand the role that your third-party vendors play in your ESG strategy. Especially as consumers and regulators have turned their attention to the supply chain, you need to know how your vendors produce the goods and services that they supply to your organization. You should assess your third parties to ensure that they follow ethical business practices and comply with the necessary ESG guidelines or your organization could face serious financial, legal, and reputational damages.
Data breach targets Mexican government and leaks sensitive information: The Mexican Protection Ministry recently fell victim to a data breach, which revealed sensitive information related to human rights investigations and other activities. The information exposed during the breach has highlighted the growth of the Navy’s influence and power over the past several years, among other records.
Using TPRM to mitigate the healthcare industry’s cyber risk: Over the course of the past several months, we’ve looked at how third-party data breaches have targeted healthcare providers throughout the industry. Malicious actors continue to exploit third-party vulnerabilities to infiltrate private networks and steal privileged information from healthcare organizations. So, what can you do to defend your organization? Experts suggest several third-party risk management best practices to protect against cyber threats, including performing robust vendor due diligence, determining your organization’s risk tolerance, creating minimum security standards for your third parties, and establishing a dedicated third-party risk management team.
Vulnerability found in Microsoft Office 365: Researchers have identified a vulnerability in Microsoft Office 365's email encryption system which, when exploited, may allow attackers to read message content. Microsoft has stated that it has no plans to fix this vulnerability, so users should avoid the message encryption tool and switch to other platforms for encrypting messages.
The average cost of data breaches increased in 2022: A report on the global average cost of data breaches found that costs have risen from $4.24 million in 2021 to $4.35 million in 2022. This sharp increase in cost highlights the importance of defending your organization from cyberattacks, including ransomware and data breaches, which cost organizations millions of dollars in operational and recovery expenses. To protect your organization, you should follow best practices such as implementing a zero trust security model, encrypting the data you store in the cloud, testing your disaster recovery and business continuity plans, and using secure tools to identify and mitigate cybersecurity risks.
Focus on sustainability urges manufacturers to follow ESG standards: Many manufacturers are being forced to take a closer look at exactly how their products and services are made and whether they comply with ESG regulations. As consumers turn towards more sustainable and ethically sourced products, manufacturers need to update their practices and comply with regulations to keep up with demands from regulators and customers alike.
How to defend your organization from supply chain risks: Even as many organizations have tightened their security measures against cyberattacks, experts state that supply chain risks continue to pose serious threats. When it comes to protecting against third-party supply chain risks, your organization needs to perform robust third-party risk management. By assessing your vendors' security plans, integrating multifactor authentication tools, obtaining cybersecurity insurance, and performing penetration testing and assessments on your vendors' tools, you can begin to mitigate the risks that threaten your organization.
New proposal allows federal credit unions to expel problematic members: The National Credit Union Association has proposed a new amendment to the Federal Credit Union Act which would give federal credit unions the ability to expel members who are deemed problematic. In the past, federal credit unions have faced many obstacles when trying to expel members found committing fraud or engaging in other disruptive behavior. This new proposal will make the process easier for federal credit unions when certain steps and conditions are met.
White House will update regulations for select areas of critical infrastructure: The White House has targeted the healthcare, water, and emergency communications sectors as the next areas of critical infrastructure to receive updated minimum security standards. In response to recent cyberattacks, ransomware, and data breaches, the government is looking to fill in vulnerable gaps in areas of critical infrastructure which could be exploited by malicious actors. In addition, organizations should expect to see new guidelines from the Cybersecurity and Infrastructure Security Agency (CISA) by the end of this month.
California State Legislature rolls out new employer guidelines for 2023: As 2023 inches closer, the California State Legislature has rolled out a series of new laws and updates for employers to follow in the new year. These updates include timeline extensions for the COVID-19 Supplemental Sick Leave and COVID-19 Notice Requirements as well as a new Mandatory Bereavement Leave, which gives eligible employees at least five days of paid bereavement leave. The new laws also establish a Fast Food Sector Council and prohibit employers from taking adverse action against an employee who leaves a job because they feel unsafe. Employers should be sure to read further into these new laws, which will go into effect in 2023.
OCC releases goals for the 2023 fiscal year: The Office of the Comptroller of the Currency has released its primary goals, priorities, and objectives for the 2023 fiscal year. These goals and priorities focus, in many instances, on addressing and managing risks that threaten the financial sector. These include increasing focus on strategic and operational planning to determine whether banks are stable, performing required assessments and complying with regulatory standards, and monitoring third parties and the ways that institutions manage their third-party vendors.
How to manage third-party contractor risk: In a recent survey, nearly half of responding organizations stated that they believe they'll hire the same number or more contract workers in the next two years. However, contract workers present risks to your organization, which need to be managed to ensure your organization's safety and security moving forward. When it comes to managing third-party contract workers, experts suggest tracking key training points during the onboarding process to ensure worker safety, identifying any hazards, and gathering feedback on your organization's risk posture. Remember that your organization is liable for workplace incidents, so safety should be among your top priorities when dealing with third-party contractors.
Experts identify recent cybersecurity threats and trends: Today, cybersecurity is a hot topic across all industries. No organization is safe from cyber threats, especially as hackers continue to develop more sophisticated campaigns and methods for attack. As malicious actors continue to exploit vulnerabilities, steal sensitive data, and disrupt operations, it’s critical to learn the best ways you can defend your organization from mounting threats. Several best practices include utilizing multifactor authentication tools, updating your software, educating your employees on how to identify and report suspicious activity and phishing attacks, and implementing endpoint detection tools.
Third-party risk management activities for financial institutions: When it comes to mitigating third-party risks, robust due diligence is essential to give banks and financial institutions a full picture of exactly what they should expect from their vendor relationships. When dealing with third-party vendors, regulators are encouraging banks to ensure that protections are in place to protect sensitive information, identify any present risks, and conduct activities such as contract negotiation, ongoing monitoring, due diligence document collection, and independent reviews.
Recently Added Articles as of October 13
Regulators are making waves this week as the CFPB considers regulations for buy now pay later loans, FinCEN requires beneficial ownership information, and President Biden signs an executive order for an EU-U.S. framework on data transfers. As lawmakers continue to update guidelines for improved security, it's important to build stronger third-party relationships and understand the risks posed by your vendors. There's plenty of news to read this week, so check it all out!
Rising cost of cyber insurance may create increased security risks: Though the number of cyberattacks and data breaches continues to climb, many organizations may be unable to afford cyber insurance because of rising premiums. In the wake of recent cyberattacks, cyber insurance is critical to helping an organization restore operations following an incident, though the increased demand has driven up premiums. Organizations that go without cyber insurance may face increased risk, as their partners may require insurance or an incident may leave irreparable damage.
OCC shifts focus for 2023 amid inflation concerns: When discussing its focus for 2023, the OCC stated that it plans to assess financial institutions for the stresses of economic concerns amid rising inflation and threats of a recession. The OCC will be turning its attention to assessing the ways banks perform while under economic stress alongside training policies, risk-based examinations, and governance structures. With resilience as a key priority, the OCC will look at the ways banks have modernized and implemented new technologies, including relationships with fintech partners.
Understanding phishing-resistant MFA tools: When you hear best practices for cybersecurity, odds are that you're told to implement multifactor authentication (MFA) tools. But the truth is that MFA tools aren't fail-safe, and hackers can still infiltrate your network. To reduce the human error that undermines MFA tools, phishing-resistant MFA uses advanced controls to minimize or remove the need for human intervention. However, just as with regular MFA, phishing-resistant MFA tools have flaws which can be exploited.
Data helps inform business decisions in the supply chain: Supply chain disruptions from earlier this year have led to increased attention to how organizations and vendors meet rising ESG concerns. In turn, organizations have searched for ways to gain better insights and transparency into their supply chain, and data may be the key. By looking at operational data within the supply chain, organizations may be able to learn more about exactly where their vendors' products and services come from and how well their vendors follow ESG compliance standards. This data can also help your leadership make informed decisions about which risks need to be addressed, and what steps you can take to manage these risks.
CFPB limits adverse information resulting from human trafficking: The Consumer Financial Protection Bureau (CFPB), as part of its goal to create a process for human trafficking survivors to report financial information, has released its final rule. This new guideline prohibits consumer reporting agencies from reporting negative credit report information that resulted from human trafficking. As human trafficking victims suffer severe financial damage, the CFPB seeks to help survivors restore their finances. Its guidelines require all consumer reporting agencies to have processes in place for survivors to report their experiences and for reviewing documentation.
When is it time to offboard your third-party vendor?: We often talk about how you and your vendor can work together to build a stronger relationship, but how do you know when it's time to offboard your vendor? What signs are there that it's time to end the relationship? When answering these questions, experts pointed out several red flags, such as when the vendor fails to provide product support, when you notice recurring issues after already working to communicate the error to the vendor, when they're causing problems that affect your organization's operations and services, and when you lose faith in your vendor's ability to meet performance standards.
FinCEN’s updated rule requires beneficial ownership information submission: In its efforts to improve transparency, a new rule issued by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) will require certain domestic and foreign entities to submit beneficial ownership information. The department stated that these submissions will be helpful in identifying malicious actors and threats to national security. It’s important for the affected organizations to carefully review the new rule to ensure proper compliance.
President Biden signed an executive order for new data transfer framework: Last week, President Biden signed an executive order to implement a framework between the European Union and the United States, which will set new safeguards for intelligence gathering. The framework promotes trust between the U.S. and the EU by promising data security and privacy.
Southeast supply chain could take two months to recover from Hurricane Ian: Experts project that it could take from one to two months for the Southeast’s supply chain to make a full recovery following damage caused by Hurricane Ian. The hurricane severely disrupted deliveries in Florida, with the average number of shipments between Florida and the rest of the country dropping significantly. Did the hurricane impact any of your vendors? You may want to compile a list and determine which of them may affect your operations.
CFPB considers best ways to regulate buy now pay later loans: The CFPB has noticed an increase in the number of consumers using buy now pay later loans, which aren't currently regulated by the federal government. As more consumers use buy now pay later loans instead of credit cards, the CFPB has identified several growing concerns, including a lack of consumer protections and the gathering of consumer data. Currently, the CFPB is considering the best ways to regulate the industry and manage any risks.
Best practices for mitigating risks associated with temporary staff: When it comes to hiring temporary employees, your organization can face many security risks in your efforts to expand your staff to meet seasonal demands. Recent studies found that only slightly more than half of businesses have been verifying individuals before allowing them access to private information, while many organizations also stated that they don't revoke access after the offboarding process. When hiring temporary staff members, you should follow proper onboarding processes and adopt a zero trust model, which will help ensure your organization's security by granting only the appropriate access to the right individuals.
Healthcare security tools are targeted by hackers: The Department of Health and Human Services stated that healthcare providers are at risk of being targeted by malicious actors through insecure security tools. These legitimate tools, used by healthcare organizations to defend their sensitive data, have been turned against them to find vulnerabilities in the organization's infrastructure, leading to supply chain attacks and data breaches. The report by the Department of Health and Human Services details exactly which tools have been exploited.
North Carolina prohibits ransomware payments, but may not discourage cyberattacks: Following a string of ransomware attacks, North Carolina passed a law that made it illegal to pay malicious actors to recover data, with the goal of removing the incentive for hackers to launch attacks. However, many experts remain unsure whether this will be enough to discourage hackers from targeting organizations in North Carolina. Instead, experts advise the state to improve security measures, which could help defend sensitive data and infrastructure.
FTC Safeguards Rule requires third-party oversight: To comply with the new requirements of the FTC Safeguards Rule, which will go into effect in early December, many dealerships have turned to third-party providers to help streamline processes for compliance. However, the FTC requires that dealerships have a designated employee to oversee the third-party activities. In addition, the rule places responsibility on the dealership for any incident and for maintaining compliance. As the new regulations draw closer, it's critical for impacted businesses to review the guidelines and ensure that they're properly following them.
How to protect your data from third-party risks: With the rise of new technologies, organizations are facing increased threats from malicious actors who target third-party vulnerabilities to steal sensitive information. When it comes to protecting your data, you can’t be too careful. That’s why it’s critical to understand exactly who handles your data, why your data is being used or accessed, and how. By asking the right questions, including security clauses in your contract, and evaluating the software bill of materials (SBOM), you’ll gain a better understanding of present third-party risks and take the proper steps to mitigate the risks.
Best ways for lenders to create effective third-party risk management processes: For many institutions, third-party risk management can be overwhelming. It’s important to create a strong foundation with your vendors to build trust, identify which vendors are best for you, and to mitigate any risks that could threaten your institution. You should identify any red flags in the early stages of getting to know potential vendors, ask questions to determine the vendor’s experience and capabilities, communicate your expectations, and monitor your vendors on an ongoing basis to ensure that your vendors meet your standards and so you can identify any new or hidden risks.
Uber’s ex-Chief Security Officer found guilty of concealing data breach: A jury found Uber’s former Chief Security Officer guilty of failing to disclose a data breach that affected the organization in 2016. In a statement discussing the 2016 breach along with other incidents, the FTC found that the former CSO executed a strategy to avoid notifying the proper agencies of the breach, therefore obstructing justice. This is the first time a senior company executive has been charged criminally over a data breach and sets a precedent that organizations need to follow regulations and act accordingly when dealing with data breaches.
Regulators urge caution for bank-fintech partnerships: Following the OCC's comments on the relationship between banks and fintechs, financial institutions should take proactive steps to build trust and follow regulations. For some financial institutions, these types of third-party partnerships may be new, so it's important to create a solid foundation of trust with their fintech vendors by educating them on compliance standards and communicating on a regular basis. As regulators continue to look toward the finance and technology industries, it's important to work together to comply with regulations and create safer relationships to mitigate any future risks.
Third-party data breaches pose serious security risks for organizations: We’ve heard about many recent third-party data breaches over the past several months, including a recent breach targeting Doordash. Hackers have learned to search for vulnerabilities in vendor security, which allows them to gain access to privileged accounts and to steal data from private networks. So, what can you do to protect your organization? When working with third parties, you need to mitigate risks that affect your security and data protection by assessing your vendor’s security policies, monitoring who has access to your sensitive data, and including security provisions in your contract to hold your vendors accountable.
Recently Added Articles as of October 6
We’re kicking off National Cybersecurity Awareness Month this week by looking at ways you can mitigate third-party cyber risks to defend against data breaches and protect your organization’s sensitive data. As Microsoft investigates server vulnerabilities, and researchers identify a new malware attack, experts urge you to look internally to educate your employees, who are, in many cases, the weakest link in your cybersecurity policy. Check out all this and more!
Human error may be among your greatest cybersecurity risks: We’ve discussed many cyberattacks over the past several months, and many of these have been successful through social engineering tactics and human error, which pose a significant threat to security programs. No matter how robust your software and firewalls are, experts point towards human error as the weakest link in your organization’s security. To combat this, it’s necessary to educate your employees, including those on your security team, to continually reinforce best practices. The way to begin mitigating and managing cyber risk is to ensure that your employees understand how to identify and report suspicious activity.
Experts detect a vulnerability in Packagist’s software: A vulnerability has been found in Packagist’s software which could have led to software supply chain attacks if discovered by hackers. As more eyes have turned to the supply chain’s weaknesses, experts are evaluating the vulnerabilities found in software and open source code to stop severe third-party cyberattacks. Thankfully, experts have not detected any evidence that hackers exploited the vulnerability, which has been patched since its discovery.
Data offers insights into ransomware attacks targeting the public sector: The news of cyberattacks over the past several months has shown that no organization is safe from the threat of cyber risks and security incidents. The public sector is no exception. While the public sector has fewer reported ransomware attacks, a research study highlighted that in 2021 there was a spike in the number of attacks against government organizations when compared to previous years. During these attacks, only 1 in 5 organizations were able to stop the attack before their data was encrypted and these organizations were less likely to have a backup of their data. No matter what industry your organization is in, it’s clear that no one is entirely safe from the threat of cyberattacks, so it's essential to maintain a robust risk management strategy and security policy.
Tech budgets are expected to rise in 2023: As news of recent cyberattacks and third-party data breaches continue to come in each week, many organizations have started to pay more attention to their IT budgets and best practices to protect their organization. JP Morgan Chase recently explained its choice to invest $14 billion into its IT budget, which includes items such as data security and predictive analytics, among thousands of apps and software. Even as many organizations seek to cut costs, the rise in tech budgets highlights the importance of innovation and modernization. As technology continues to evolve at a rapid rate, it's essential for organizations to stay updated with the latest products to maintain security and efficiency.
Hackers exploit the Chrome app to create phishing pages: Malicious actors have been discovered using Chrome’s Application Mode to create phishing pages which look like desktop applications to steal user credentials and passwords. Since it's harder to detect these fake pages, you should remain cautious of unknown websites and only give your credentials to trusted parties.
Steps to mitigate third-party cyber risks: Third-party data breaches lead to severe consequences for many organizations including legal fines, revenue loss, and reputational damages that make it difficult to recover. To manage third-party cyber risks and data breaches, it's important to work with your vendor to improve security measures, educate employees on best practices for data security, and implement software and tools for identifying and defending against malware. By assessing your vendors through robust due diligence and ongoing monitoring, you can ensure that your vendors maintain updated security policies and identify any vulnerabilities before an incident occurs.
Microsoft assesses server vulnerabilities: Microsoft has been made aware of two zero-day vulnerabilities in its Microsoft Exchange Server, tracked as CVE-2022-41040 and CVE-2022-41082. Since these vulnerabilities were discovered, researchers have been investigating its servers for any possible risks and areas of weakness that could leave the system open to exploitation.
Understanding vendor risks to healthcare organizations: Your patients’ information and data privacy should be among your healthcare organization’s top priorities. However, third-party vendors pose significant risks to healthcare organizations, especially as hackers target vulnerabilities in vendor security, leading to third-party data breaches. Several key steps you can take to manage these risks and protect your organization against the threat of a third-party data breach include limiting third-party access to privileged systems and creating a comprehensive vendor inventory. In today’s threat landscape, it's critical to perform robust third-party risk management activities to identify potential risks and protect your patients.
Best ways to mitigate cyber threats to real estate agencies: Cybersecurity is a necessary tool to protect your customers’ sensitive information. As the real estate industry continues to modernize and turn to technology for data storage and other key activities, there are several best practices that you should keep in mind to protect your organization from risks that could lead to severe financial and reputational consequences if not effectively mitigated. Experts suggest staying updated on the latest types of cyberattacks such as phishing and ransomware, using multifactor authentication tools, training your employees, and vetting your vendors to reduce the risk of third-party data breaches or attacks.
Federal agencies announce upcoming guidelines for resolution plans: The Federal Deposit Insurance Corporation and the Federal Reserve released a statement last week announcing upcoming guideline updates for resolution plans. These updated guidelines will help larger institutions create resolution plans in the event that the institution must file for bankruptcy. These guidelines will be very valuable for the select group of banks, which haven’t received guidance in the past. In addition, it was also announced that there were no vulnerabilities found in a resolution plan for Truist Financial Corporation.
Experts identify new malware targeting vulnerable devices: Researchers with Mandiant have detected a new malware campaign that infects vulnerable devices and allows hackers the ability to transfer files and execute commands. The infected devices are vulnerable to attacks because they lack endpoint detection and sufficient response systems. Experts encourage organizations and users to implement security policies and techniques, as malware attacks continue to evolve and become more sophisticated.