September 2021 Vendor Management News
By: Venminder Experts on September 30 2021
Stay up-to-date on the latest vendor management news. Discover information to help improve or keep your third-party risk management program fresh. Below we've listed some notable articles to check out.
Recently Added Articles as of September 30
As the trillion-dollar infrastructure bill moves through Congress, we see a breakdown of the proposed cybersecurity funds. The SEC issued a sample climate change comment letter and Congress is pressured to pass fines related to reporting cyber incidents. FinSpy malware is putting Windows systems at risk. And interestingly, a private network company is getting pushback for promoting an ex-spy to a senior role. Read on for all the details!
CCFPL violation leads to first enforcement action: Debt collector and buyer, F & F Management Inc. (F&F), is the recipient of the first enforcement action from the California Department of Financial Protection and Innovation (DFPI) for violating the Consumer Financial Protection Law. F&F is accused of leaving automated messages with false representations and threats, stating that they would contact the consumer’s employer or lying about starting legal proceedings. They're also accused of a practice called “debt parking” in which they placed debts on consumer credit reports without first attempting to communicate with them. The DFPI is seeking penalties totaling $375,000 according to the desist and refrain order.
Windows systems vulnerable to FinSpy malware: Windows devices are at risk of infection by FinFisher surveillanceware, a toolset intended only for law enforcement and intelligence agencies, which now ships with a UEFI (Unified Extensible Firmware Interface) bootkit. The software is capable of obtaining sensitive information like user credentials and file listings and can also record keystrokes and collect emails. Because the UEFI firmware is what loads the operating system, a bootkit at that level lets threat actors control the entire boot process and bypass security defenses that only start once the operating system is running.
Application security is at a higher risk from outsourced software: Cybersecurity teams are continuing to analyze their software security in the aftermath of notorious supply chain attacks. As a result, they've identified a few of the top risks they’re facing. According to respondents of a Dark Reading survey, most IT professionals see the greatest risk as attackers who have strong knowledge of the vulnerabilities in their systems. The second highest risk involves developers who aren’t well trained in security practices. Outsourced applications and insecure infrastructure are other risks that continue to be top of mind.
Remote working is linked to cyberattacks: As many organizations continue to support remote or hybrid working environments, they’re also facing an increase in cyberattacks and other vulnerabilities. A recent study found that 74% of business-impacting cyberattacks were related to remote work technology like cloud apps and personal devices. IT managers are struggling with a lack of visibility into remote networks and an expanding software supply chain. The same study found that at least two-thirds of security leaders are planning to invest more in cybersecurity over the next couple of years, with most saying that they’ll prioritize vulnerability management and cloud security.
Game plan for the $2 billion Congress cyber investment: Within the massive $1 trillion infrastructure bill recently passed by the Senate is $2 billion designated for cybersecurity in the areas of transportation, energy and water utilities. State and local governments would also benefit, receiving close to half of the proposed funding. While the total amount seems large, the funds would be very fragmented and spread over several years. Another $100 million would be allocated to a CISA cyber response and recovery fund that would help both public and private organizations in the aftermath of a cyberattack. Some experts believe this can be used as an incentive for organizations to improve their cybersecurity programs, as access to the recovery funds would require certain steps to be taken in advance.
Financial benefit of a federal privacy law: Privacy laws continue to pop up in various states across the country, but some experts would prefer to see standalone national legislation or laws incorporated into the infrastructure bill. Implementing the California Consumer Privacy Act is expected to cost $55 billion, so one can imagine the growing cost as other states enact their own laws. Congress could potentially build upon existing data protection laws, such as HIPAA and CAN-SPAM, forgoing the need to start from scratch. A single set of federal data privacy laws should include the qualities of fairness, balance, enforceability, transparency and singularity.
Former UAE mercenary hacker will keep senior role: Employees at private network company, ExpressVPN, are voicing their disapproval after it was revealed that their recently named chief technology officer (CTO) had previously used his skills to help the United Arab Emirates spy on different targets such as human rights activists and journalists. The Department of Justice (DOJ) has since deferred prosecution against CTO Dan Gericke and two other individuals, after they agreed to pay a fine and hand over any future classified work. Despite the confidence ExpressVPN has in Gericke’s commitment to their mission, many employees are questioning the effect this will have on the organization’s reputation.
Sample climate change comment letter released by the SEC: The views stated in the SEC’s 2010 interpretive guidance have been highlighted in a sample comment letter regarding climate change disclosures. The comment letter focuses on three areas of disclosures from SEC filings, CSR reports and other materials and how an organization’s controls and procedures apply to these disclosures. In addition to these points, it’s also recommended to evaluate procedures related to providing third parties with ESG and CSR information. An example given is the use of “green bonds,” which may be used to fund projects related to climate change.
Proposed fines for failing to report cyber incidents: Cybersecurity officials are calling for Congress to pass legislation that would fine organizations that don’t report cybersecurity incidents to the federal government. Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly is just one of these officials, emphasizing the importance of timely and relevant reporting that would help identify the scope of these attacks. Legislation on cyber incident reporting is currently in the works and is expected to be introduced soon, although there continues to be debate around how quickly reporting should be required. Many industry groups argue that the proposed timeline of 24 hours is not long enough to report an incident.
Fee collections from software provider lead to a CFPB violation: Credit Repair Cloud and its CEO have been accused of violating the Telemarketing Sales Rule by encouraging credit reporting companies to charge advance fees and engage in telemarketing their services. They supposedly provided telemarketing scripts and software that assisted in the collection of the fees, while also consciously avoiding knowledge that their clients were charging consumers before delivering reports. As a result, Credit Repair Cloud is facing multiple penalties including disgorgement, permanent injunctions and civil money fines.
Importance of social issues in ESG: Climate change and sustainability are getting more attention within the ESG discussion, but perhaps it’s time to turn the focus to social issues like forced labor and building an ethical culture. The media and activists have highlighted the forced labor practices in the Xinjiang region of China, increasing the pressure on regulators to take action. The Xinjiang Supply Chain Business Advisory was updated on July 13, 2021, and states that organizations and individuals who remain connected to Xinjiang supply chains or investments are at risk of violating U.S. law. Organizations can implement some best practices to ensure they’re committed to ESG, while also reducing their legal risk. This includes developing an ESG policy that clearly prohibits forced labor and ensuring suppliers follow the same guidelines. Performing a supply chain assessment and educating internal and external stakeholders on forced labor are also practices that can help build a strong ESG program.
Recently Added Articles as of September 23
Wells Fargo continues to face scrutiny over its recent consent order and the OCC issued another cease and desist order against MUFG Union Bank. The effective date for the CFPB Debt Collection Final Rules has been moved up and health apps are required to comply with the Health Breach Notification Rule. And, a troubling new report shows that healthcare ransomware attacks have increased mortality rates. Read on to see what’s making headlines this week.
Third-party cyber risk is not a top concern for organizations: Many organizations recognize third-party cyber risks, but are still not prioritizing mitigation strategies, according to a recent study. The aptly titled study, “Why Isn’t Your Organization Prioritizing Third-Party Risk?” highlighted some of the shortcomings. Most organizations were finding challenges with strategies or technology when managing third-party risk and didn’t have a high level of concern about cyber risk unless they had experienced an incident. Both organizations and their vendors are exposed to cyber risk through the constant exchange of confidential information and should therefore set strict expectations for their cybersecurity standards.
Healthcare ransomware attacks are linked to higher mortality rates: Multiple stories have reported on the increasing costs associated with healthcare ransomware attacks, but a new survey by Ponemon Institute reveals that these attacks can also be a matter of life or death. Almost 25% of surveyed healthcare providers stated an increase in mortality rates that was related to ransomware. Complications and delays in medical procedures were also attributed to ransomware attacks, along with longer inpatient stays and the increased need to transfer patients to other facilities.
Four tips to comply with privacy laws: Organizations are still struggling to comply with the patchwork of state privacy laws, which is leaving many consumers vulnerable to data breaches. Privacy laws are continuing to evolve, and many organizations are spending thousands to remain in compliance. This article outlines four tips to achieve success in data compliance. First, use clear consent methods highlighted in compliance frameworks. In other words, you need to get a clear “yes” from a consumer to obtain their data. Second, protect your customers’ safety by prioritizing your reputation. It’s not enough to be mostly or nearly compliant with data privacy laws, as any type of non-compliance can lead to potential legal actions or penalties. Third, assess whether your current data collection and retention processes need to be improved. Perhaps this could include consulting with a third-party provider to obtain a different solution. Lastly, recognize the shortcomings in global privacy compliance. The U.S. is falling behind in data compliance compared to the EU and other parts of the world, so it’s time to make some improvements.
Fitness tracking data breach affects 60 million: Data from Fitbit, Apple, Microsoft and Google users was exposed after a third-party vendor database was misconfigured. A cybersecurity researcher discovered the breach at the vendor, GetHealth, whose service is used to run employee fitness incentive programs. Some of the sensitive data included display names and locations along with general fitness data. Fortunately, fitness tracking data doesn’t carry the same level of risk as other medical records, but it would likely be sold to unethical marketing firms.
GDPR guide on data breach reporting: EU citizens are protected under the General Data Protection Regulation (GDPR), which gives some guidance on how organizations should report personal data breaches. The regulation defines personal data as information that relates to an identifiable natural person and can include things like names or health records. A personal data breach is an incident that results in the loss, destruction, unauthorized disclosure, alteration or access of an EU citizen’s personal information. Once an organization becomes aware of a data breach, it must report it within 72 hours to the relevant supervisory authority as well as to all affected individuals. Notifying individuals can be done through a statement that announces the occurrence of an incident. The GDPR also outlines the information that should be reported after a data breach, including the types of information that were affected, the number of records and people affected, recovery time and when the incident occurred. Organizations must also identify any remediating and preventative steps that are taken.
Exercising your right to audit third parties: The Biden Administration’s anti-corruption memorandum should serve as a helpful reminder for organizations to exercise their third-party audit rights. The right to audit is often found in vendor agreements, but it’s the organization's responsibility to leverage it to maintain compliance with anti-corruption laws. Organizations should begin by evaluating their third-party risks and performing periodic risk assessments. These assessments could reveal certain findings, like payment abnormalities, which might indicate things like bribe payments or donations to “politically exposed persons.” Organizations should consider a few factors when deciding whether to audit their third parties, such as the availability of human and monetary resources, operational or regulatory material impact and whether the objective of the audit aligns with the right-to-audit clause.
CFPB debt collection rules no longer delayed: The CFPB’s Debt Collection Final Rules will go into effect on November 30, 2021 after the agency formally withdrew its proposal to delay the date. This decision was based on the agreement of most industry commenters, who say they’re prepared to comply by November and that an extension would only serve to reduce regulatory certainty and increase the burden on smaller organizations. This recent development joins other regulatory updates such as the extended comment period on the banking agencies' proposed guidance and the release of the fintech guide for community banks.
Breach notification rules apply to health apps: The FTC issued a policy statement which confirmed the requirement that health apps and other connected devices are to comply with the Health Breach Notification Rule. Whether the apps are collecting information about glucose levels, heart health or fertility, they’re responsible for securing consumer data and contacting them in the event of a breach. The statement also noted that apps and devices are required to comply if they collect data from multiple sources, such as directly from a consumer and through an API that enables syncing.
Wells Fargo is still struggling with operations: The recent consent order given to Wells Fargo is a stark reminder that the banking giant still has some issues to resolve. The OCC noted that the bank remains in violation of a 2018 consent order for being too slow in meeting regulatory expectations. However, Wells Fargo seemed to satisfy the 2016 CFPB order related to its retail sales practices. The bank recently announced that this enforcement action had expired, indicating that they had resolved those issues. With the OCC still on their back, it’s unlikely that Wells Fargo will be released from the 2018 consent order anytime soon.
The Fed is pressured to break up Wells Fargo: Senator Elizabeth Warren is again calling for the breakup of Wells Fargo, after the announcement of the $250 million civil penalty from the OCC. According to Warren, the Federal Reserve should require Wells Fargo to separate its traditional and non-banking activities. The OCC’s acting head, Michael Hsu, also chimed in, stating that the bank’s failure to meet the OCC’s requirements is “unacceptable.” The civil penalty against Wells Fargo adds to the already astronomical $7.25 billion in settlements that will resolve regulatory and legal disputes. In response to Warren’s letters to the Fed, Wells Fargo issued a short news release to address the ongoing concerns.
Ransomware attackers are using multiple methods: Organizations aren't only facing more expensive and frequent ransomware attacks, they’re also facing multiple extortion methods such as data theft, denial-of-service and outright harassment. Threat actors are more often using double extortion in ransomware attacks, in which they’re encrypting critical data and stealing it as a threat to leak it publicly if the victim doesn’t pay. There’s also been an increase in collaboration between ransomware gangs who are tempting others to join them. Compromising business emails and installing cryptocurrency mining tools are other threats that continue to rise. And, it was noted that advanced persistent threat (APT) groups are often backed by state actors.
Recently Added Articles as of September 16
Regulators have been taking action recently, with a $250 million fine against Wells Fargo and the continued investigation into the SolarWinds breach. A recent study found that some Fortune 500 companies are lacking in IT security, while cyber liability insurance providers are having to play defense. Apple users should make sure they update their devices to patch vulnerabilities and there’s a new partnership between BitSight and Moody’s. Read on to discover what else is making news this week.
Nearly 25% of Fortune 500 companies have exploitable IT vulnerabilities: Recent research from cybersecurity platform, Cyberpion, revealed some interesting findings on the IT infrastructure of Fortune 500 organizations. Almost 75% of their IT infrastructure is external, with 24% of that containing a known vulnerability or being considered at risk. The average number of cloud assets came to 951, with 25% of them failing to pass at least one security test. External attack surface management (EASM) has emerged as a new concept that is quickly growing and should be included in a broader effort to address and manage internal and external vulnerabilities. With an extensive surface area of third-party and fourth-party vendors, organizations need to be aware of how to protect this wide IT environment.
Cybersecurity lessons from The Art of War: Sun Tzu’s legendary work, “The Art of War,” has been embraced by cybersecurity experts for its relevant guidance on how to engage in battle through preparation and managing conflicts. The ancient treatise is over 3,000 years old, but its lessons can still be applied today to protect against cybersecurity risks. One of the memorable highlights is “Know thyself, know thy enemy.” In other words, it’s important to identify critical assets to better understand the associated risk and prepare for potential attacks from the enemy. Strategy is also an important component of any cybersecurity response, and should be well documented in an incident response plan. Finally, Sun Tzu teaches that it’s better to “Subdue the enemy without fighting.” Implementing security controls and understanding the capabilities of attackers are essential to protecting the complex cybersecurity ecosystem.
Hackers targeting cyber insurance carriers: In an ironic new development, cyber liability insurance providers have found themselves needing to defend against cyberattacks. Providers are putting pressure on their policyholders, often imposing conditions like stricter security practices in order to receive cyber insurance coverage. The cost of cyber insurance continues to rise, in large part because of an increase in ransomware attacks. Policyholders are asked to confirm that they’ve adopted specific security measures like multifactor authentication and a plan to restore their systems. Until Congress enacts federal legislation to address cybersecurity, organizations are urged to review guidance provided by the National Institute of Standards and Technology.
Apple’s latest update patches zero-day vulnerabilities: If you’re an Apple user, you’ll want to make sure you download the latest iOS 14.8 update. Two vulnerabilities were discovered in CoreGraphics and WebKit and Apple noted that they may have been actively exploited. The detailed update notes can be found here.
New partnership between BitSight and Moody’s raises $250 million: Two leaders in the cybersecurity ratings industry and the credit ratings industry have joined together to evaluate the ongoing cyber risks of corporate America. BitSight will acquire Visible Risk, a New York-based firm that specializes in quantifying cyber risk. The deal comes at an ideal time, with the increasing threat of cyber breaches and ransomware attacks facing many organizations. Moody’s investment makes it BitSight’s largest shareholder and will enhance BitSight's product offerings.
Self-taught cybersecurity consultant nets $1 million during the pandemic: Boyd Clewis’ hard work during the pandemic paid off well, as his training academy for cybersecurity practices earned him an impressive $1 million. Clewis has a unique background without a degree, but plenty of cybersecurity experience. His knowledge comes from YouTube and Google and has qualified him to teach over 300 IT professionals through workshops and bootcamps. One of his areas of focus is his understanding of the PCI DSS (Payment Card Industry Data Security Standard) framework. After establishing a lucrative business, he’s paying it forward and aims to help aspiring entrepreneurs grow their earnings.
Due diligence falls short during COVID-19: New research by Swiss Security Solutions LLC reveals that only 44% of organizations have performed third-party due diligence during the pandemic. The creation of new third-party relationships brought about challenges as organizations aimed to prevent supply chain disruptions. The survey found that 65% of organizations took shortcuts with due diligence checks in the face of pressure to increase revenue and profits during the pandemic. (Note: The link takes about 1 min 30 seconds to load due to EIN Presswire's site)
Security response to 9/11 attacks has increased cybersecurity risk: In the 20 years since the 9/11 terror attacks, the airline industry has made significant efforts to enhance physical security procedures. However, the director general of the International Air Transport Association says it’s time to shift focus to emerging security threats like cyber risks, drones and insider vulnerabilities. Airline systems are fortunately not a target for most threat actors because of the required access and expertise, not to mention the risk of loss of life. One potential vulnerability is found within conversations between pilots and air traffic controllers, which aren’t encrypted or confidential. A common best practice among airports is to perform phishing training for employees to improve the cybersecurity environment.
SEC SolarWinds investigation worries executives: As the SolarWinds investigation continues, the SEC is asking organizations to submit documents on data breaches that have occurred since October 2019. The request has made several corporate executives nervous, as they consider the possibility of liability related to other unreported incidents. The SEC maintains that its intent is to discover other breaches related to SolarWinds and that organizations wouldn't be penalized if they share the data voluntarily.
The healthcare industry continues to face cyberattacks: As healthcare organizations continue to be under-resourced from the pandemic, they’re also trying to fight the ongoing threat of cyberattacks. Two recent incidents have highlighted this continuing struggle. LifeLong Medical Care of California recently disclosed a ransomware attack that hit its third-party vendor, Netgain, resulting in the exposure of data on over 115,000 individuals. Another ransomware attack struck Desert Wells Family Medicine in Arizona, which brought in an incident response team to help assess the situation and remediate the damage. Researchers point out the troubling fact that many midsize hospitals have not adapted to this increased threat.
Research findings lead to greater focus on TPRM: Deloitte’s annual third-party risk management survey reveals some significant shifts on how organizations are responding to the pandemic and supply chain risk. Over half of the survey’s respondents are looking into a greater investment in their TPRM program, especially as it relates to their supply chain. Moving forward, two key priorities are streamlined TPRM monitoring and managing information in real-time to stay on top of supply chain risks. Digital risks continue to grow, and insourcing is revealed to be an operational challenge because of cost pressures.
Banking agencies caution about antitrust laws in proposed guidance: According to the proposed risk management guidance, banking organizations are welcome to collaborate with each other when using the same third party. Activities like due diligence, contract negotiation and ongoing monitoring can be collaborated on to improve risk management and lower cost. However, federal banking agencies are clear in reminding organizations that these activities must comply with antitrust laws, with reference to the Antitrust Guidelines for Collaborations Among Competitors put forth by the FTC and DOJ. It’s advised to seek guidance from qualified antitrust counsel because of the complexities found within antitrust issues.
The saving grace of cyber liability insurance: The costs that stem from a cybersecurity incident can quickly add up, with organizations having to foot the bill for expensive repairs and legal fees. Cyber insurance can offset these costs, covering things like investigative services and the expenses needed to recover data and identities. Customer notifications, settlement costs, regulatory fines and even ransom payments can also be covered by cyber insurance. Organizations that store or process sensitive information would greatly benefit from cyber liability insurance and the cost of coverage varies depending on the cyber risk exposure. It’s important to note that data breach insurance covers the incurred costs after the exposure of financial data, while cyber liability insurance is more broad and helps in the general response and recovery of cyber incidents.
Wells Fargo’s unsafe lending practices lead to a $250 million fine: Wells Fargo is in hot water for violating a 2018 consent order issued by the OCC. The agency handed down a whopping fine of $250 million, in addition to a cease-and-desist order. Wells Fargo is prohibited from using certain third-party residential mortgage servicers and must ensure that borrowers aren’t transferred out of its loan portfolio until a method of remediation is found. The OCC has accused the bank of failing to establish an effective home lending loss mitigation program. Wells Fargo previously came under fire for the infamous fake accounts scandal of 2016, which resulted in an asset cap of $1.95 trillion and a $3 billion settlement to resolve criminal and civil investigations.
SEC turns attention to cybersecurity threats: If your organization’s cybersecurity practices leave something to be desired, now is the time to make improvements. The SEC’s recent fines against Pearson PLC and First American Financial Corp. show that the agency considers cyber vulnerabilities to be a significant business threat, along with natural disasters and threats to the supply chain. To remain in compliance, there are a few best practices to consider. First, organizations should create a disclosure committee with the involvement of senior level employees. Timeliness is another important factor to consider in disclosure notifications, and better visibility into processes is critical to understanding vulnerabilities. Regular forensic assessments of cybersecurity systems should be performed, and organizations should be prepared to disclose incidents even before they’re fully understood.
Recently Added Articles as of September 9
Ransomware attacks continue to make headlines, both in an FBI flash alert and a class action lawsuit against a hospital. Regulators have extended the deadline for banking organizations to submit comments on risk management guidance and the CCPA is leading to more enforcement action. But, that's not all this week. Read on for more details!
CFPB files lawsuit against an online lender for deception: LendUp Loans is in hot water after violating a 2016 order, in which they continued to engage in deceptive marketing regarding the benefits of repeat borrowing. LendUp is also accused of failing to provide timely notices regarding denied loan applications. The CFPB is proposing enforcement actions, including injunction, damages to consumers and imposition of a civil money penalty. The full complaint against LendUp can be found here.
Venminder recognized in 2 Gartner papers and G2 report: Venminder received highest scores allocated for the "VRM Solution and Vendor Risk Assessment Data" Use Case and was the only solution provider, among the 18 vendors evaluated, to rank in the top 3 for all use cases in the 2021 Gartner® Critical Capabilities IT VRM Tools report. Venminder was also recognized as a Challenger in the Gartner® Magic Quadrant™ for IT Vendor Risk Management Tools report. And, that's not all of the big news for the company this past week. They have been identified as a Leader on G2 with a #1 ranking for Best Relationship as well.
Class action suit filed after a hospital pays ransom: Sturdy Memorial Hospital in Massachusetts is learning the hard way that paying a ransom after a breach isn’t always the smartest choice. After a ransomware attack impacted over 35,000 in February, the hospital admitted to its patients that it paid a ransom in exchange for the stolen data. However, the plaintiffs behind the class suit apparently weren’t satisfied, stating that the payment doesn’t guarantee the security of their information. The FBI and CISA agree that paying ransom makes no guarantee of the safe return of stolen data and, unfortunately, often encourages hackers to continue these types of attacks.
Comment period extended for risk management guidance: Banking organizations will now have an extra month to provide comments on the regulators’ proposed guidance, as the deadline is now extended until October 18, 2021. The guidance is intended to create better alignment among the agencies and help organizations manage third-party risks, with special focus on fintechs.
How to prepare for a cybersecurity assessment: A single cyberattack can quickly create a ripple effect and impact many organizations throughout a supply chain, so it’s important to understand the risks from all sides. Investing in a strong internal cybersecurity program can help prepare for a successful cybersecurity assessment that may be requested from a customer. If presented with a questionnaire, organizations should carefully review it to determine their position against the controls that are outlined and answer with confidence and accuracy. Customer agreements may now include legal language surrounding regular assessments and organizations may be expected to conduct risk assessments on their vendors as well.
FBI issues warning on ransomware group: A recent FBI flash alert is warning organizations about the hacking group OnePercent Group, which has been deploying ransomware attacks through phishing emails. The group utilizes the IcedID banking trojan and attempts to extort ransom through telephone or email. OnePercent hackers will typically release a portion of the stolen data, or a “one percent leak,” and threaten to sell the rest if the ransom isn’t paid. The American Hospital Association took notice of this alert and released its own statement, urging healthcare organizations to remain alert.
Ransomware attack on a highly anticipated video game: Details are still emerging on the ransomware attack that hit a video game developer back in February. Cyberpunk 2077’s developer, CD Projekt Red, had previously announced that hackers had gained access to its internal network and demanded a ransom payment, which it refused to pay. The stolen data was ultimately sold to an outside party for up to $7 million and resulted in a delay of Cyberpunk 2077’s 1.2 patch. The attack was allegedly in response to the poor reception of the game, which disappointed many consumers. Experts are seeing a rise in these types of “double-extortion” threats, where hackers encrypt systems and also auction off the stolen data if the victim doesn’t pay.
New Mexico healthcare provider warns of a hack: Over 600,000 patients may have been affected by a recent cyberattack targeting UNM Health, as announced in a statement last month. Electronic medical records weren’t affected, but names, addresses and health insurance information may have been compromised. The incident was first discovered in early June and UNM Health is offering a year of free credit monitoring to affected patients.
Healthcare employee emails are hacked and 98,000 are impacted: CareATC of Oklahoma recently announced it suffered a data breach after two employee email accounts were compromised in June. Over 98,000 individuals were impacted, with Social Security numbers, names, usernames, passwords and financial information exposed. In response to the breach, CareATC stated that it has mailed notification letters to affected individuals and will be conducting additional employee training. Organizations in all industries are encouraged to review the CISA fact sheet, which provides helpful guidance on preventing ransomware attacks.
Updates on Confluence vulnerability: A critical remote code execution vulnerability affecting Confluence Server and Confluence Data Center was detailed in a recent Atlassian advisory. Organizations that haven't yet patched are urged to take immediate action and patch on an emergency basis. Active exploitation has been observed since September 2, and there’s concern that ransomware deployment may follow. Because the flaw was being exploited before many organizations patched, applying the fix alone isn’t enough: any internet-facing instance that was unpatched during the exploitation window should also be reviewed for signs of compromise, such as unexpected web shells or processes spawned by the Confluence service account.
Supply chain security in executive order: With the increase in supply chain attacks, business leaders are continuing to review the Biden Administration’s executive order, which details software supply chain security. The executive order outlines several action items, specifically in three areas to be addressed in NIST guidance: criteria to evaluate the security of software, security practices of developers and suppliers, and new tools or methods to demonstrate conformance with those practices. The order also directs NIST to define “critical software.” Software can be deemed critical if it meets one or more attributes, such as performing a function critical to trust or having direct or privileged access to networking or computing resources. While the executive order covers a lot of the basics, the software industry will ultimately be responsible for developing these security practices against supply chain attacks.
Tips for ransomware insurance recovery: Although paying off a ransomware attack is often discouraged, some cyber liability insurance policies can cover these payments along with other accrued costs related to investigations and legal services. Organizations should review the details of their cyber insurance policies, which usually require prompt notice to the insurer and the insurer’s prior consent before a ransom is paid. It’s also important to review all insurance policies, as more than one may respond to the incident. Since ransomware attacks may originate with third-party vendors, insurance policies often give the insurer subrogation rights against legally responsible parties, while others require vendors to be pre-approved. Most insurers will also require organizations to conduct due diligence promptly and ensure that the ransom payment won't violate OFAC sanctions.
CA cracking down on CCPA enforcement: The California Consumer Privacy Act (CCPA) has been subject to enforcement since July 1, 2020, and CA’s new Attorney General has begun increasing focus on noncompliance. The Office of the AG released enforcement examples back in July and noted that 75% of violators had achieved compliance within 30 days of notice. Special areas of focus for violations included failures to provide required notices, to state whether personal information was sold in the last 12 months and to provide a clear and functioning “Do Not Sell My Personal Information” link. Other violations related to failure to include CCPA consumer rights notices in privacy policies and failure to provide consumers with effective opt-out methods.
Shoddy breach disclosures come under fire: Regulators are cracking down on inaccurate and deceptive breach notifications, while Congress continues to debate mandatory breach reporting. The SEC recently reached a settlement with five financial organizations that were less than truthful in their breach notifications to clients. Another settlement, with publishing leader Pearson, came after the SEC found it had misled investors over the extent of a 2018 breach. Pearson had referred to the actual breach as a hypothetical risk in its semiannual report and ended up paying a $1 million fine. A proposed bill would require government agencies and contractors to report breaches within 24 hours of detection, but it’s facing opposition from industry groups who say they need at least 72 hours for reporting.
Excerpt from The Guide to Cyber Investigations: Cyber risk is an ongoing threat that will only continue to become more sophisticated and costly. Therefore, it’s critical for organizations to develop an appropriate insurance program to protect against these risks. The second edition of The Guide to Cyber Investigations covers some important clauses of cyber policies, including the costs of breach response, privacy liability, network interruption and ancillary cover. The guide also details the immediate steps that should be taken within the first two weeks of discovering a cyber incident. Organizations should give notice to insurers under all policies that may apply and track all breach-related costs. It’s also important to discuss any required consents with the primary insurer and develop a legal plan to maximize recovery.
Recently Added Articles as of September 1
As we begin a new month, cybersecurity threats continue to make the news. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides a factsheet on ransomware attacks and lists single-factor authentication as a bad practice. Hackers are going after outpatient healthcare facilities and there’s a story on what went down with the T-Mobile hack. The Fed is facing more pressure on climate change issues. Also, some of the top tech leaders have announced their investment in US cybersecurity initiatives. These stories bring to mind the importance of due diligence, so we also have a story on how to simplify the process. Read on to learn more!
Fintech due diligence guidance for community banks: This past week, the Federal Reserve, FDIC and OCC published guidance on fintech due diligence, with special attention given to six key areas: business experience and qualifications, financial condition, legal and regulatory compliance, risk management and controls, information security and operational resilience. Each category lists relevant considerations and where organizations can find the needed information. Use of the guide is voluntary, but it’s worth a read for organizations that want to review several examples of alternative approaches to take if they can’t obtain certain information. The full publication can be found here.
Cybersecurity in a hybrid environment: As organizations bring their employees back into the office, new threats will emerge as a hybrid workplace takes shape. Human error is often the leading cause behind cyberattacks, with many remote employees practicing poor security habits such as failing to scan downloaded files or falling victim to phishing scams. Building a strong internal IT department is the beginning of a good strategy to protect against cybersecurity risks. Overall, employee education and communication are key, and organizations need to ensure that information is handled securely in both a secured office and an unsecured home environment.
CISA calls out single-factor authentication as a bad practice: Multi-factor authentication is consistently identified as a best practice within cybersecurity programs, so it should come as no surprise that CISA has officially added single-factor authentication to its catalog of exceptionally risky practices. Weak or reused passwords often give cybercriminals a way into a system when multi-factor authentication isn’t in place. This bad practice joins a list that already includes using unsupported (end-of-life) software and using known, fixed or default passwords and credentials.
Hackers targeting outpatient facilities: Healthcare data breaches are nothing new, but a recent report shows that criminals are shifting their focus to outpatient facilities instead of hospitals. The report also shows that business associates were the victims of 43% of healthcare breaches, which confirmed a three-year increasing trend. Targeting these outpatient facilities may often result in the same protected health information found in hospitals. To ensure their security, healthcare organizations are encouraged to prioritize education, cybersecurity investments and regular patching of vulnerabilities.
Fast facts about the T-Mobile hack: Details are still emerging on the recent T-Mobile breach that affected over 50 million customers. Cybercriminals gained access to consumer information like names, addresses and Social Security numbers, but financial information wasn’t compromised. The breach was apparently carried out by a 21-year-old American who now lives in Turkey; however, it’s unclear whether he had any accomplices. T-Mobile is working with the cybersecurity firm Mandiant to address its servers’ vulnerabilities. The company has offered free access to ID theft protection services to affected customers.
Microsoft cloud customers warned of a vulnerability: Thousands of Microsoft cloud customers were recently warned of a vulnerability that would have allowed intruders to read, change or delete their databases. The vulnerability affected the Azure Cosmos DB service and exposed customers’ primary read-write keys, so customers are urged to regenerate their keys. Microsoft doesn’t have the ability to change them on customers’ behalf, and because the keys are long-lived credentials, any key that existed while the flaw was exploitable should be treated as potentially compromised until it’s rotated. The security company Wiz was awarded $40,000 for finding and reporting the flaw.
CISA factsheet on ransomware attacks: In response to the constant threat of ransomware attacks, CISA released a fact sheet with guidance on how to prevent and respond to these types of breaches. A few examples of “good cyber hygiene” include implementing multi-factor authentication and the cybersecurity best practices found in CISA’s Cyber Essentials and the CISA-MS-ISAC Joint Ransomware Guide. Antivirus and anti-malware software should also be kept updated, and user and privileged accounts should be limited through appropriate policies and controls.
CA Attorney General issues a reminder of breach notification: The healthcare industry is being reminded of their obligations surrounding data breach notifications, which may include requirements under both federal and state laws. Organizations that are subject to HIPAA may also have obligations under state or general data security laws. Minimum requirements often include keeping systems updated, utilizing virus protection, providing regular security training and regular testing of data backup and recovery plans. The bulletin from the Attorney General can be found here.
ESG investing launches government investigation: Deutsche Bank-owned DWS Group is being investigated after reports that it misrepresented the extent of its “green-friendly” investments. This investigation should be viewed as an isolated example, as there isn’t yet a standard pattern of government enforcement in the ESG investment area. However, it does show that government investigators such as the Justice Department and SEC are examining ESG investments more closely, and any resulting enforcement action should reveal a trend moving forward.
Record-setting fine for robocalls: Another battle has been won in the ongoing war against robocallers. The FCC proposed a penalty of over $5 million against a lobbyist and political consultant group that violated the Telephone Consumer Protection Act (TCPA) by making over 1,000 pre-recorded calls without the recipients’ consent. The group made the calls in August and September 2020, with a recording that attempted to discourage voters from submitting their ballots by mail. It’s also facing pending litigation related to these claims.
The Fed feels pressure on climate change: Climate change and sustainability continue to be hot topics in the regulatory environment, with the Federal Reserve facing increasing pressure from activists to withdraw funding towards environmentally harmful industries. Carbon-heavy industries, like construction and plastics, could potentially face more limiting terms on loans if activists make enough progress on their efforts. Although it’s unknown whether these strategies will actually be implemented, it’s important to stay on top of these developments and plan how to respond.
Possible U.S. penalties halt Nokia’s 5G project: Nokia cut ties with the industry group O-RAN Alliance after discovering that it included Chinese firms on the U.S. restricted entity list. O-RAN was the main group developing a new open 5G design that would level the playing field for smaller companies competing for contracts on specialized services. However, the group’s inclusion of three firms with close ties to the Chinese military could trigger serious penalties from the U.S., which forbids organizations from conducting business with these restricted entities without special licenses. Nokia may be safe for now, but other tech firms like Facebook, Microsoft, Intel and Cisco are still at risk of violating U.S. entity rules.
Microsoft hack isn't about spying: The Microsoft Exchange hack back in January may have had a more alarming purpose than simply stealing emails. Experts now believe Chinese hackers stole information to help develop better artificial intelligence, perhaps around speech or facial recognition. The severity of the hack led to a response from the Cybersecurity and Infrastructure Security Agency, which released an emergency directive back in March. The Biden Administration created a task force to address the incident and the FBI was also called in to help. One of the key lessons learned from the hack was how the widespread connections between large and small organizations can ultimately leave everyone vulnerable. In other words, a vulnerability at a small organization has the potential to affect a much larger organization.
New investments for U.S. cybersecurity: A recent White House Summit brought together tech leaders like Google, Amazon and Microsoft to discuss new initiatives that will improve the security of the United States technology supply chain. The Biden Administration issued a press release in which it was revealed that the initiatives will serve both private and public organizations. The release also announced an official inclusion of natural gas pipelines within the Industrial Control Systems Cybersecurity Initiative. Microsoft plans to chip in $20 billion to design advanced security solutions, while Google will invest $10 billion towards activities such as expansion of zero-trust programs and training 100,000 Americans in IT support and data analytics.
Simplifying the due diligence process: Just over a dozen members of the Forbes Business Council have provided some tips to help alleviate the daunting due diligence process that many organizations face. Some of the tips include educating stakeholders on the problem, gathering a team of subject matter experts (SMEs) and identifying what’s needed for success. Organizations can also simplify the process by assigning at least one person to check each deliverable and immediately addressing key logistics. And, perhaps the easiest method to take is to simply outsource the due diligence process completely.
Three notable breaches in 2021: This article highlights some top contenders for the most significant third-party data breaches we’ve seen this year. Attacks on software supply chains and other third-party services are on the rise because they can affect many more organizations and individuals at one time. The award for the largest ransomware attack on record goes to information technology firm Kaseya. This attack affected over 1,500 organizations, many of which had to completely shut down. A third-party vendor of Audi and Volkswagen had left data unsecured between August 2019 and May 2021, affecting over 3 million customers and potential buyers. And, while the attack on Accellion occurred in December 2020, the aftermath has extended well into 2021, earning it a spot on the list. Vulnerabilities in Accellion’s file transfer appliance were exploited by hackers. Lawsuits have already begun pouring in, which is understandable for organizations that suffered reputational damage because of the breach.
Consumer distrust in data security: While organizations are increasingly relying on third-party vendors to supplement their capabilities, consumers aren’t so trustful of their data security. A recent study revealed that 83% of respondents believe that data systems have become more vulnerable to cyberattacks. Organizations must work to rebuild consumer trust by investing in technology that helps reduce third-party cyber risk and modernizing their strategy so they’re not relying on legacy security controls. Data monitoring and least-privilege access principles are also important practices to implement.
Proposed settlement for a debt collector: The CFPB has proposed a settlement to resolve a lawsuit against debt collector Fair Collections & Outsourcing (FCO) after it failed to establish policies to investigate consumer disputes and investigate reports of identity theft. FCO is also accused of notifying consumers of debts without reasonable basis. The proposed penalty is $850,000 and a requirement for FCO to create specific policies and procedures around these issues.
FINRA notice gives an onboarding and supervising reminder: Broker-dealers are encouraged to review FINRA’s Regulatory Notice 21-29 which provides questions on different areas for organizations to consider, including making the decision to outsource, performing due diligence, onboarding vendors and supervising the outsourced functions. The notice also outlines four main categories to review within third-party relationships: supervision, registration, cybersecurity and business continuity planning. Readers can learn more about recent violations found in technical controls, books and records and vendor supervision.
A vendor is identified in Morgan Stanley breach: The culprit in a 2016 Morgan Stanley data breach incident has finally been named. Triple Crown was the outsourced provider tasked with decommissioning the financial giant’s data center, after which the data was found to be mismanaged. As a result, Morgan Stanley was hit with a $60 million fine from the OCC, a bureau of the U.S. Treasury Department, for its failure to perform proper oversight and monitoring of its vendor. When the incident first came to light, Morgan Stanley shifted the blame to Triple Crown, claiming it breached its contract with Morgan Stanley by selling devices to a third party and fraudulently claiming they were destroyed. The case is still not over, as Morgan Stanley is considering legal action against its service provider.
New Wisconsin insurance cybersecurity law: The insurance industry in Wisconsin will now have new data security requirements surrounding consumers’ nonpublic information. The Wisconsin Insurance Data Security Law (Act 73) was signed into law on July 15 and contains requirements for cybersecurity event notifications, risk assessments, implementing an information security program and promptly investigating cybersecurity events. However, licensees should carefully review exemptions of applicability. Full details of Act 73 can be found here.
FDIC considers the future of remote exams: After the pandemic shifted banking exams into a remote experience, the FDIC is asking for feedback to develop better long term practices for off-site monitoring. The FDIC published an official request for information to determine what worked well in off-site exams as well as how those tactics could be used in future examinations, especially related to communication and new technologies. This request for information comes at a slight contrast to the OCC’s efforts to bring back on-site exams last summer.