
September 2020 Vendor Management News


Stay on top of vendor management industry updates this fall with our expert-compiled list of news and resources.

Recently Added Articles as of September 24

This week, a third-party data breach impacting several companies is the result of a ransomware attack on a shared third-party vendor. And, in a surprising twist, some of FinCEN's sensitive bank documents are leaked, showing just how important cybersecurity protocols are. It can happen to anyone. We learn the importance of a risk-aware culture, some clarification on the CCPA, third-party risk oversight management expectations and much more. Read on... 

Virginia Museum of Fine Arts announces third-party breach: Remember the Minnesota healthcare ransomware attack? Well, the same Blackbaud data breach also exposed the information of members and donors of the Virginia Museum of Fine Arts. While information such as credit card, bank account and Social Security numbers wasn’t affected, compromised data may have included names and contact information.

Leak exposes FinCEN bank reports: It seems someone leaked thousands of sensitive bank documents from FinCEN to the online media site BuzzFeed, which then supplied that information to the International Consortium of Investigative Journalists. Here’s what we know so far: the documents contain some potentially embarrassing information for several financial institutions, including JPMorgan Chase, HSBC, Standard Chartered Bank, Deutsche Bank and Bank of New York Mellon, who may or may not have been aiding the exchange of money for some sordid individuals. Apparently, this has been a year in the making, and BuzzFeed, along with the ICIJ, has been sorting through some 25,000 documents. Curious about what other juicy details will be unearthed? We certainly are. But in all seriousness… data security is no joke. If it can happen to a regulator, it can happen to you, and if you don’t want your dirty laundry aired, it’s best to make sure the necessary security protocols are in place.

Online learning company pays $10 million in FTC settlement: Just this month, the Federal Trade Commission (FTC) announced a $10 million settlement with ABCmouse. The online learning company allegedly violated the FTC Act as well as the Restore Online Shoppers’ Confidence Act, otherwise known as “ROSCA.” The charges were unfair or deceptive acts or practices under the FTC’s provisions around affective commerce. Meanwhile, under ROSCA, it’s illegal to automatically charge a consumer for products sold online unless the seller clearly outlines the terms of the transaction before asking for billing info. Basically, in the case of ABCmouse, they were more than a little fishy about the autorenewal component of their learning subscriptions, offering “free trials,” but failing to clearly explain that past the free trial period the membership would renew… indefinitely.

Security experts warn against TikTok use: Access to the Chinese-created app that took the internet by storm, sending everyone from tweens to grandmas into a wild fit of choreography, has recently been drastically reduced in the U.S., where it has a staggering 100 million users. Starting Sunday, downloads of TikTok would have been cut off from any app store operating in the U.S. over national security concerns. Users who already have the app installed would still be able to use it, without refreshes or updates, until Nov. 12, when a complete ban was set to go into effect. “Social-media applications are important platforms for public discourse and influence, but we have seen numerous incidents where these platforms can be abused to any number of ends,” said Saryu Nayyar, security expert and CEO at global cybersecurity company Gurucul. He continued, saying, “Analysis based on Artificial Intelligence and Big Data can make even mundane information useful in the right hands.” I mean, really, whatever happened to the good, old “dance like no one’s watching?”

Final CCPA regulations clarify $25 million threshold: Just last month, on August 14th, the Office of Administrative Law approved the California Department of Justice’s final (whew, long time coming) California Consumer Privacy Act regulations and filed them with the California Secretary of State. This helped some businesses, who were uncertain whether the $25 million revenue threshold was related to revenue generated only from California State sales and California residents, or to total global revenues. California’s Attorney General’s Office helped clear that whole matter up and explained that limiting the threshold to only apply to revenue generated in California or from California State residents wouldn’t align with the overall intention of the CCPA regulations. Okay, sheesh — can’t litigation be a little more plainspoken? So, who and what does the CCPA apply to? Here’s the latest: the CCPA applies to businesses that: 1) do business in the State of California; 2) collect California State resident personal information; and 3) satisfy at least one of the following thresholds: have annual gross revenue of over $25 million; buy, receive, sell or share the personal information of 50,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or derive 50% or more of annual revenue from selling consumer personal information. Make sure you stay tuned for more updates. We all will surely need them!

Homeland Security warns against Windows vulnerability: As if this year wasn’t already rough enough, Homeland Security now has a major server threat to deal with. The Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive which warned government agencies to install a patch for a “critical” Windows Server vulnerability dubbed Zerologon by Secura. This overlooked flaw in the Netlogon Remote Protocol allows attackers with network access to “completely compromise” Active Directory services on a network without using a sign-in, which could have some pretty dire consequences if a hacker was indeed able to break in. Apparently, the security hole isn’t all that difficult to use. It takes “about three seconds in practice,” according to Secura.

Steps to create a risk-aware culture: In this industry, we know the biggest challenge is maintaining a level of vigilance when it comes to risk management. It can be tough keeping up that watchdog mentality, which is why no one can do it alone. It’s crucial to create a risk-aware culture to support the endeavor on an enterprise level. The good news is the Internal Revenue Service launched a brand-new channel for employees to confidentially raise concerns and risks to agency leadership. The IRS boasts one of the most mature enterprise risk management (ERM) programs in government—and now they’re spreading their wealth of knowledge in order to help organizations everywhere promote a stronger risk-aware culture.

Why Theranos missed risk warning signs: John Carreyrou, the acclaimed author and Pulitzer Prize-winning journalist whose investigative reporting blew the lid off the Theranos scandal in 2015, explained to third-party risk professionals at Compliance Week’s Third-Party Risk Management Virtual Summit on Friday that the mistakes made by the bankrupt blood-testing company’s business partners were entirely preventable—had they done their proper due diligence. Enticed? We thought so. Read on to learn more.

Third-party data breach exposes health care info: Hundreds of thousands of patients’ and donors’ records from at least four different health care providers in Minnesota may have been exposed in a recent ransomware attack, the state’s second-largest data breach. The third party responsible for maintaining the safety of the data is a company called Blackbaud, which specifically manages a number of non-profit databases. More than 200,000 patients and donors from Allina Health hospitals and clinics and more than 160,000 patients and donors at Children’s Minnesota have been notified of the possible data breach. Don’t forget… when a breach happens, no one remembers the third party, they remember the company. All the more reason to beef up cybersecurity measures in the coming year.

CEO of cyberfraud prevention company slapped with fraud charges: Oh, the irony. It seems the CEO of NS8, a cyberfraud prevention and protection company, may have gotten too many ideas from the tricksters his company was built to fight and turned to the dark side. Just months after the firm secured some major funding from the U.S. Justice Department and the Securities Exchange Commission ($123 million to be exact), Adam Rogas was arrested and charged with securities fraud, fraud in the offer and sale of securities, and wire fraud. Each carries a maximum sentence of 20 years in prison — ouch. A good reminder to do your due diligence… even on the “experts.”

Brockmeyer talks third-party risk oversight expectations: The former chief of the Securities and Exchange Commission’s Foreign Corrupt Practices Act (FCPA) unit, Kara Brockmeyer, was the keynote speaker at Compliance Week’s Third-Party Risk Management Virtual Summit on Thursday. Her two cents? Brockmeyer stressed the need for vetting and monitoring, not just around onboarding, but “throughout the lifecycle of the relationship.” She also said, “the amount of due diligence varies dramatically on the amount of risk that a third party represents to the company.” Brockmeyer suggested the pandemic has created a good opportunity “to automate your monitoring system as much as possible.” Interested in hearing more? We suggest reading on for more pearls of wisdom around fourth parties and staying compliant.

What you should know about California's new financial protection agency: California is poised and ready to unleash a set of legislation which will revamp the existing financial protection regime. What’s included, you ask? A powerful, new Department of Financial Protection and Innovation (DFPI). Other highlights include coverage of a vast array of persons involved in making or servicing consumer financial products and services, the prohibition against engaging in unlawful, unfair, deceptive or abusive acts or practices (UDAAPs) with respect to consumer financial products or services, as well as provisions around enforcement, licensing and, of course, fintech.

Recently Added Articles as of September 17

The two big C's: cybersecurity and compliance are still in the spotlight this week as over 46,000 veterans are exposed in a VA hack and Michigan weighs an enhanced data breach notification law. Industry-wide, organizations are reflecting on ways to strengthen compliance programs. Read on to find out how! 

31 days to more effective compliance: Have you ever wondered if a board of directors is part of a compliance internal control? Jury’s out and the answer is yes! The 2020 FCPA Resource Guide helps clarify questions such as this one, stating compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Read on for more answers to those burning compliance questions.

Streamline privacy approach for better compliance: Compliance is a moving target, and as policies continue to shift, so must organizations if they hope to remain within specific guidelines and regulations. Now that the California Consumer Privacy Act (CCPA) deadline has come and gone, organizations are on their own to ensure they comply. Recent polls suggest more than one-quarter (27%) of respondents have either some, very little or no confidence that their organization is able to keep all of their employees' and customers' relevant data secure and protected. So, what can be done to improve the margins? For starters, compliance professionals suggest adding additional third-party security layers, automating risk assessments, operationalizing risk management and, above all: simplifying.

The Compliance Life Podcast chats CCO skills: The Compliance Life Podcast sits down with DeAnna Nwankwo, who served as Corporate Compliance Officer for Core Laboratories from 2003 to May 2020, spearheading both ethics and compliance activities. In this second episode, we take up some of the skills, tasks and roles that DeAnna had as a CCO. She believes one of the key things that any CCO can and should do is to engage in and preach integrity. Listen in to hear more around the skills, tasks and role that DeAnna has taken on as a CCO.

Why “low-impact” breaches can still have high-impact damage: As cybersecurity issues increase, we are seeing more data breaches, regardless of industry and in varying sizes and scope. The recent Staples data breach, in particular, shed some light on “low-impact” security breaches. Of course, sensitive data and personal information can be incredibly dangerous if exposed or stolen, but truly all personally identifiable information (PII) can cause serious damage in the wrong hands. One of the largest risks to an organization that has suffered a breach is reputational damage. A recent study found that 81 percent of consumers would stop engaging with a brand online after a data breach. To customers, it doesn’t matter the “sensitivity” of the data stolen; instead, it comes down to trust.

NYDFS new servicer vendor management expectations: Just last year, the New York Department of Financial Services originally proposed what the Mortgage Bankers Association described as the first major update to Part 419 since its inception nearly 10 years ago. These changes include Section 419.11, which imposes significant vendor management expectations on financial services companies servicing borrowers located in the state of New York. With an effective date of June 15, 2020, time’s up for servicers to ensure their vendor management programs and processes meet NYDFS expectations.

Michigan weighing enhanced data breach notification law: Data security and privacy continue to be top of mind — not only for organizations, but for legislators as well. In late May, Washington D.C. and Vermont did some serious spring cleaning when it comes to their data breach notification laws, including expansion of the definition of personal information, and heightened notice requirements. Now, Michigan may follow suit. The amendment would help keep Michigan up to snuff with other states considering the significant uptick in data breach concerns.

The importance of a strong compliance partnership: When it comes to audit and compliance, while many functions are completed separately, it seems the best results come from tackling internal audit and compliance as a team. There are many opportunities to work together and maintaining ongoing communication is crucial in order to build a strong compliance program. So, who’s responsible for what? Typically, audit is responsible for design, monitoring and operation of an organization's accounting controls. Compliance and Internal Audit overlap in mutual interests in a variety of subject areas including financial authorization, contract pricing and charitable donations (to name a few). When it comes to compliance, in a nutshell: teams get it done better, and faster.

Cyber loss and severity on the rise: Without a doubt, the pandemic has created an environment for many organizations that is unusually susceptible to attack. Rain or shine, one thing is guaranteed: bad actors never sleep. The changes organizations have undergone to facilitate remote work have given cybercriminals a whole new host of opportunities to exploit vulnerabilities and incite fear. In fact, since the beginning of the pandemic, there's been a 47% increase in the severity of ransomware attacks, on top of a 100% increase from 2019 to Q1 2020 and a 35% increase in both funds transfer fraud and social engineering claims.

FBI blames bank attacks on "credential stuffing:" Hold onto your hats (and your data), because there's another cyber threat on the loose: credential stuffing. This is a type of automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services. The FBI believes this nasty tactic is responsible for a rash of recent bank attacks. Many of these attacks targeted application programming interfaces (APIs) since these systems are "less likely to require multi-factor authentication (MFA)" and are less monitored than user-facing login systems. Just another cautionary tale warning against the dangers of poor data security.

OCC chief goes too far re-envisioning national bank charter: Acting Comptroller of the Currency Brian Brooks is adamant about redefining federal banking regulation from one focused on entities to one governing activities. Many feel that Brooks’ goals are nothing more than a renewed fintech charter, a new payment charter and a robust national bank reconstruction. In a nutshell, what Brooks is proposing is revolutionary, and whenever there’s a revolution, typically things can get messy. What will the outcome be? Only time will tell.

Why cyber resiliency is the silver bullet: Industry-wide, organizations are confronted with the ever-increasing concern around cyber threats, and the healthcare industry is no different. The 2020 Blackbaud incident is one of the best examples of just how devastating a seemingly simple breach can be when it impacts a vendor. In Blackbaud’s case, they're a cloud computing vendor providing services to a range of nonprofits, healthcare systems and hospitals. In this instance, the hospital paid a ransom in hopes the critical data would be destroyed. Organizations are only as strong as their weakest link, which makes it crucial that both organizations and their vendors are on the same page when it comes to cybersecurity. “Data is the new oil,” said Baffle CEO and Cofounder Ameesh Divatia. “It needs to be harnessed and refined… But organizations need to make sure the data doesn’t become asbestos, a liability.”

Veterans exposed in VA hack: On Monday, the Department of Veterans Affairs said that around 46,000 veterans had their data leaked, including Social Security numbers and other personal information. According to the department, after some initial investigation, it seems the hackers accessed the application to change financial information and divert payments from the VA by using social engineering techniques and exploiting authentication protocols. The access point seemed to stem from the Financial Services Center, and the department is taking steps to alert veterans whose information may be compromised, including next of kin for those who have passed.

California passes debt collector licensure legislation: California has been pretty busy these days when it comes to legislation. And now, California is ready to enact a law requiring licensure of persons who are engaged in the business of collecting debt (either on their own behalf or for others) arising from consumer credit transactions with California consumers. As of now, the bill has been approved by both chambers and is just waiting for the Governor’s John Hancock. On September 29th, Ballard Spahr plans to give a webinar on the details of the recent bill, along with two other California bills recently passed.

Recently Added Articles as of September 10

This week, cybersecurity and compliance seem to be top of mind as two more companies flag data security events, and so much of the industry continues to be in flux due to the pandemic. There's also a nugget or two around strengthening supply chain management and bolstering third-party risk management with one very important, often under-utilized resource. What, or should I say who, is it? Read on to find out more!

Imperatives for effective third-party cyber risk management: If we’ve heard it once, we’ve heard it a dozen times. If you fail to plan, you plan to fail; and managing cyber risk is definitely no exception to the rule. Tricksters and ne'er-do-wells are becoming increasingly sophisticated, and with our world more vulnerable than ever, it’s a deadly combo. According to Deloitte’s latest 2020 Third Party Risk Management Global Survey, around half (50 percent) of respondents said that the financial impact of failure across a third party or subcontractor has at least doubled in the past five years. So, what can be done? One, create a budget for cybersecurity; two, automate; and three, really own the risk.

Compliance into The Weeds podcast covers FinCEN: Compliance can be a tricky beast. It’s often dependent on industry and region, and it’s ever-changing. It can also be incredibly inaccessible. This week, Compliance into The Weeds takes a deep dive into two recent pronouncements by FinCEN on customer and PEP due diligence, asking the question: Is the guidance so vague it actually hurts the efforts of a compliance practitioner? Take a listen and find out for yourselves!

Lessons learned from Equifax data breach: In the realm of data breaches, the Equifax event (exposing critical personal information of 147 million people) was among the worst we’ve seen in recent years. In fact, Equifax settled the 2017 data breach and agreed to pay $1.38 billion, which includes $1 billion in security upgrades. Three years later, as the world continues to change and, in many ways, becomes more vulnerable, organizations are forced to think about the takeaways. The truth of it is, there are no shortcuts. “Creating realistic risk management frameworks for vulnerability assessment results is one of the top ways to maintain your security posture and reduce your attack surface,” said security engineer Charles Ragland. “Evaluating the difference between vulnerable and exploitable systems and making decisions based on business needs and risk tolerance is crucial for organizations to prevent an Equifax-style attack.”

NorthShore University health system flags potential breach: It wouldn’t be a complete Third-Party Thursday round-up without your weekly reminder to shore up your vendor risk management. For this installment, it’s the NorthShore health system which has reported that the personal information of about 348,000 people may have been exposed in a breach involving one of the health system’s vendors earlier this year. Luckily, no medical records or financial information were accessed, and it seems overall, the criticality of the data leaked has a low risk of harm. The vendor, Blackbaud, said it stopped the attack before it was locked out of its own system, but the cybercriminal accessed some data. Blackbaud said it paid a ransom to ensure the stolen copy of the data was destroyed.

How CFOs can support data security: The real “secret” to managing data security and mitigating risk is cohesion. It’s understanding what protections are in place, whether the budget is adequate and what’s working… and what’s not. But that only works when everyone is on board… including the board, senior management (which also means CFOs) and their teams. When an organization is able to work in concert with its counterparts in information security and data privacy groups, CFOs play a crucial role in helping define those considerations, which in turn drives the need for a clear understanding of the organization’s cyber risks. The moral of the story here is it takes a village to raise a successful risk-management program.

OCC comments on payment oversight: The acting head of the Office of the Comptroller of the Currency suggested that when it comes to large global payments, states should defer to the authority of the federal regulator for supervision. This comes in the wake of an ongoing struggle between the OCC and the state regulators who oversee fintech (who seemingly want more and more access to banking systems). “It's important we have a dual banking system,” said Comptroller Brian Brooks, “But there are also gigantic global enterprises that are only regulated by the states as a vestige of history. There's no reason that they should be regulated by the states at all, and the law, we don't believe, requires that.” What do you think? Should the states give it up, or does the big, bad federal government have enough on its plate?

How to manage supply chain risk: The volatility in the market caused by COVID-19, along with widespread regulatory changes, has driven organizations of all stripes to quickly re-evaluate their complex global supply chains. Supplier risks are changing right along with everything else, bringing new issues to the forefront, and the vast majority of organizations struggle to assess risk beyond their primary supplier. Now more than ever, it’s important for businesses to create a risk mitigation plan, leverage digital tools, refresh inventories, simplify where needed and diversify production in order to build more resiliency within supply chains. Bottom line: having a strong method in place helps avoid business-disrupting events.

OCR recommends IT inventory for HIPAA: In its Cybersecurity Summer Newsletter, the Office for Civil Rights (OCR) published a list of best practices for building an IT asset inventory. The goal? To help improve HIPAA Security Rule compliance; in today’s digital age, the OCR has found that organizations have trouble locating ePHI (that’s electronic Personal Health Information). Essentially, if an organization doesn’t know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?

The pandemic affects pharma industry compliance: Unfortunately, even in times of crisis, there’s always someone looking to cash in on an opportunity, and big pharma is no exception. Of course, with the pandemic, right now the focus is on products that will better help diagnose, treat and/or prevent COVID-19, which also means anyone who has the ability to make that a reality knows the demand alone can have them sittin’ pretty. This is where price gouging laws come into play. In terms of pricing for products that relate to the novel coronavirus, bipartisan Senate and House bills propose prohibiting market exclusivity for taxpayer-funded COVID-19 drugs and would not only empower but require the federal government to mandate affordable prices. Looks like we might see some huge shifts in the regulatory environment for big pharma moving forward.

American Payroll Association user data stolen: The bad guys are at it again. This time it was the American Payroll Association which reported that user information was stolen after attackers unleashed a skimmer on its website. According to the APA, information that was compromised during the attack included user login information and payment card information, along with information such as first and last name, address, gender, date of birth, email address, job title and role, primary job function (along with details on to whom the user ‘reports’), company name and size, employee industry, and payroll and time and attendance software used at work. Unfortunately, it’s just one more news story that underscores the importance of ongoing cybersecurity and testing.

Regulatory agencies issue interagency statement around natural disasters: The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration along with state regulators banded together to recognize the impacts of both Hurricane Laura and the California wildfires that have ravaged the U.S. this summer. The statement was issued to help financial institutions add some extra padding to their disaster recovery and business continuity planning by providing appropriate regulatory assistance to affected institutions. Despite the challenges, the statement also encouraged institutions operating in the affected areas to meet the financial service needs of their communities by providing information around lending, temporary facilities, regulatory reporting requirements and details about CRA and investments.

OCC releases CRA evaluations: Fall is right around the corner, the trees will begin to change and school is back in session, which means… report cards! But it’s not just the kiddos who are getting graded. This week, the Office of the Comptroller of the Currency (OCC) released a list of Community Reinvestment Act (CRA) performance evaluations, which included national banks, federal savings associations and insured federal branches of foreign banks. Of the 20 evaluations made public this month, 12 are rated satisfactory, seven are rated outstanding, and one is rated needs to improve. The list is public, so you can see for yourself!

NCUA examination and vendor oversight audit: In a recent report, the NCUA Office of Inspector General said that third-party oversight would help protect the industry's Share Insurance Fund. The audit also notes that the last four NCUA board chairmen have advocated amending the Federal Credit Union Act to provide the agency with more oversight authority. In addition, the ICBA is calling for expanded oversight of CUSOs and third-party vendors as part of its "Wake Up" campaign spotlighting the risky practices, costly tax subsidies, and irresponsibly lax oversight of the nation’s credit unions.

CFPB releases guide to financial well-being: After quite a bit of research and development, the CFPB developed a set of questions to help measure financial well-being. The hope is that the scale will help users to better assess a person or organization’s financial well-being before providing a service, track changes to financial well-being over time, and measure the extent to which programs are improving financial well-being. The CFPB Financial Well-Being Scale is a free tool and consists of 10 questions and a scoring method, which could really come in handy when assessing vendor risk.

Recently Added Articles as of September 3

It seems data protection and cybersecurity are still top of mind for organizations everywhere. Brazil sent shockwaves across the globe when it issued an overnight privacy law enactment. Meanwhile, Herbalife and Morgan Stanley shell out beaucoup bucks for data security and bribery schemes. That's just a taste! Read on for more. 

Compliance or security?: Spoiler alert: this is a trick question. While compliance and security have different rules and different objectives, both are incredibly important. Really, it’s all about balance. “You want to do the right thing and do the right thing well,” said Commerzbank Americas CISO Tom Kartanowicz. “Compliance is doing the right thing, and doing the right thing well is security.” Better security enables better compliance, so one can’t function optimally without the other. The real secret is to get out ahead of regulations to ensure that compliance is ahead of prescribed timelines and in line with the security infrastructure of your organization.

Data security best practices for telework: With the variety of social engineering and cyber tactics out there, it’s become increasingly important to strengthen data security protocols. Now, it’s not simply a “best practice,” but in some instances a legal requirement. Read on for more details around remote work guidelines and the legislation regulators will enforce on data security.

Reasons the board should understand cyber risk: As technology improves, so must our security practices. Hackers and bad actors have become a larger and larger risk for organizations and industries of all sizes, shapes and kinds. As they threaten the security of more businesses, it’s become apparent that informed decision-making around cyber risk needs to be a top-to-bottom endeavor… meaning the board needs to be involved. Becoming literate in cyber risk doesn’t mean that all executives need to become technical experts, but enough knowledge is critical to establish a culture focused on prioritizing cybersecurity.

Morgan Stanley slapped with a $5 million data breach suit: Whelp, it seems another big name pays the piper for failure to follow proper security protocol. A $5 million lawsuit seeking class action status has been filed against Morgan Stanley, claiming the financial organization failed to properly safeguard personally identifiable information when the company discarded old computer equipment and exposed private customer data, including Social Security numbers, passport numbers, contact and financial information.

The year of “the pivot:” No one can deny that 2020 has been an animal of a year, and all of us have had to learn how to adjust. Organizations, especially, have been massively impacted, as most workforces have been forced to go fully remote and cybersecurity concerns are at an all-time high. So, what can organizations do to be more agile and resilient? First, locate your assets and determine their value. This will help you budget. Then, pinpoint potential threats and review your newly migrated tech environment. With this three-fold approach, hopefully, the rest of the year will be a little less of a struggle.

Herbalife settles FCPA charges: A long-known multi-level marketing corporation that develops and sells supplements has finally agreed to pay $123 million after a long-pending investigation. The DOJ and SEC found that Herbalife had conspired to violate the books and records provisions of the FCPA. How exactly? The bribery scheme was executed by Herbalife executives to ensure that Herbalife secured direct selling licenses, avoided government investigations and oversight and suppressed negative coverage by government-owned media outlets.

SEC refreshes business, legal and risk proceedings: Change is inevitable, and as the world continues to shift, so must we. This is the SEC’s attitude as well; it recently amended Item 101 of Regulation S-K. Among the key changes are a more principles-based focus on material item disclosures, an expansion of human capital measures and objectives, updated environmental regulations and the ability to elect to update the full description of a registrant's business if it is included in a single prior registration statement or report that is incorporated by reference using an active hyperlink. The changes also include Item 103 legal proceedings and Item 105 risk factors. The new rules are effective 30 days after publication in the Federal Register and apply as of that date.

Survival of the fittest: As we all settle into a new sort of normal, most of us are taking some time to revisit how we operated before and thinking about what needs to continue on, and where there’s room to trim a bit of fat. The same goes for credit unions. So, for those financial institutions looking to not only survive but thrive, offering more value and achieving higher revenue goals (pandemic and all), start by having a clear understanding of your consumers’ options in times of struggle and what sort of solutions you may be able to offer. Then, develop a reliable revenue source to support service growth and improvements, and train! It’s more important than ever to implement tools and resources that can boost your performance results.

FTC seeks feedback on proposed FCRA rules: The Federal Trade Commission issued five notices of proposed rulemaking (NPRMs) pertaining to the following rules: Address Discrepancy Rule, Affiliate Marketing Rule, Furnisher Rule, Pre-screen Opt-Out Notice Rule and Risk-Based Pricing Rule. With consumer privacy being the talk of the town these days, and a focus on regulations like CCPA and GDPR, it’s not surprising to see concentration on the Affiliate Marketing Rule, which gives consumers the right to restrict the use of their information gathered from an affiliate. You have 75 days to comment on the proposed rules once they are published in the Federal Register.

Barclays announces new climate policy: At the end of March, Barclays announced a new climate policy to help bring its lending in line with the Paris Agreement on climate change. This came after pressure from shareholders to phase out its financing of fossil fuel companies. The bank had been singled out as being way behind the 8-ball when it comes to its environmental policies. Elsa Palanza says Barclays aims to be a "net zero bank" by 2050, meaning its own carbon emissions and financing projects will be at zero by that time, and Barclays plans to invest £100 billion in green finance by 2030.

Utah pathology email breach has mass effect: Utah Pathology Services has announced that someone hacked the account of an employee and attempted to steal funds from Utah Pathology. Luckily, the breach was discovered quickly, and the attempted fraud was unsuccessful. While no evidence of misuse has been uncovered, the compromised email account contained patient information, including gender, date of birth, mailing address, health insurance information, phone numbers and email addresses.

What is integrated risk? The truth is, the scope of risk management is bigger than ever before and traditional risk management is ill-equipped to serve digital-first organizations, because it considers risk in isolation. Integrated risk is defined as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique sets of risks.” With the right technology and approach, integrated risk helps meet the unique challenges of our ever-increasing digital world.

Banking industry profits in pandemic: While 2020 has been a rollercoaster, it seems the banking industry has proven its mettle. The FDIC reports that the banking industry is now seeing $18.8 billion in profits, which makes it the 42nd consecutive quarter in which the industry has reported profits… at least someone seems to be making it out of this unscathed.

Brazil effectuates privacy law immediately: This past Wednesday, the Brazilian Senate approved an amendment allowing the General Personal Data Protection Law to go into immediate effect. You might be thinking, what’s the big deal? Well, the decision reverses a vote Tuesday from the Chamber of Deputies to delay the implementation of the LGPD to Dec. 31, 2020. "The whole scenario is quite unprecedented and definitely against legal certainty," GCA Advogados Partner Ana Carolina Cagnoni, CIPP/E, CIPP/US, said, noting, however, that the decision on when the Brazilian law would come into effect has been long and drawn out. "It is an unprecedented law in an unprecedented year." Man-oh-man… just when we thought 2020 didn’t have any more surprises.

Mini-CFPB bill is a crowd pleaser: On Monday night, the California state Senate approved the “mini-CFPB bill,” which will strengthen enforcement powers over financial services companies. However, it also limits the effects of the expanded authority on banks and auto lenders. “Depending on what happens, it could be the most powerful year ever for consumer financial protections in California,” said Richard Cordray, former CFPB director.

Zero-day Safari browser flaw increases cyber-risk: It seems some security defects within Apple’s Safari Web Share API create a mechanism that leaves vulnerabilities open to hackers. The issue was discovered by security researcher Pawel Wylecial and affects both macOS desktop and iOS smartphone/tablet users. While the issue was reported all the way back in April, it seems an update won’t be expected until April 2021. Faced with a further long delay, Wylecial went public with his findings about a security flaw he warns could be harnessed in social engineering attacks… good on ‘em! But here’s the bad news: the vulnerability could be abused to trick Apple users into sharing local files or to steal browsing history; however, in most (but not all) scenarios, the filename of documents handed over will be displayed, which gives an attentive user a chance to spot the trick.

Do you know the areas of your vendor's cybersecurity plan that you need to review? Download the infographic.
