September 2022 Vendor Management News
By: Venminder Experts on September 29 2022
Stay up-to-date on the latest vendor management news happening this month. Check out the articles below to stay in the know.
Recently Added Articles as of September 29
In this week’s news, we look at new methods of cyberattacks that hackers have been using to infiltrate private networks including attaching malware in a PowerPoint and using GIFShell attacks to target Microsoft Teams users. As regulators continue to update guidelines and tighten security measures, it's important to create a strong partnership with your vendors and assess their resilience against today’s evolving threats. Don’t miss out on any of this week’s industry news!
MITRE announces new framework for defending against cyberattacks: In response to the rise in cyberattacks targeting 5G and wireless networks, MITRE has developed a new framework, titled FiGHT. This framework encourages thorough risk assessments for security teams to identify threats to security and to take the proper steps to mitigate those risks. As hackers continue to develop more sophisticated attacks for new technology, your organization should stay updated on the latest frameworks and guidance to safeguard against any possible threats.
Australian telecommunications provider is targeted by ransomware attack: An Australian telecommunications provider, Optus, was the victim of a large-scale cyberattack. During the attack, which was caused by a vulnerability in the provider’s security measures, a hacker gained access to the personal information of nearly 10 million people. Of those who had their information stolen, authorities have stated that 2.8 million people remain at risk of identity theft and fraud, though authorities are continuing to work with Optus to protect the public and identify the malicious actors responsible.
Microsoft releases Windows 11 feature to secure passwords: In its increased efforts to improve security, Microsoft has released a new feature in Windows 11, called Defender SmartScreen, which will improve password security. When a user types a password into a website, SmartScreen will verify whether the website is secure and trusted or will send security alerts in cases of suspicious websites. This feature is meant to protect against phishing websites and other sophisticated hacking methods.
Ukraine’s government warns of cyberattacks targeting critical infrastructure: Earlier this week, Ukraine’s government officials sent out a message that warned of upcoming cyberattacks launched by Russia, which will target the country’s critical infrastructure as well as that of its allies. Since the beginning of the war, Ukraine has been targeted by many cyberattacks against a variety of its important systems including the power grid, electricity providers, and think tanks.
Experts discover 85 apps engaged in fraud campaign: As many as 85 apps from Google Play and the Apple App Store have been identified as engaging in a fraud scheme. These apps were downloaded, collectively, over 13 million times. In previous schemes, the apps hid advertisements from users or displayed advertisements without context, while the latest campaign has become more sophisticated by running for-profit click ads. You should avoid downloading apps that appear suspicious and avoid third-party app stores, as these could contain malicious content.
Third-party apps create vulnerabilities in SaaS software: Though SaaS applications, such as Salesforce and Microsoft, contain robust security measures, it isn’t always enough to ward off hackers. Instead, third-party add-ons that contain vulnerabilities open the system up for attack allowing criminals to infiltrate accounts and steal sensitive information. This highlights the importance of understanding the connections that exist in the supply chain and performing ongoing monitoring to regularly assess applications for any new or emerging threats that could pose significant risks to your organization.
New cyberattacks use compromised PowerPoint download to deploy malware: A series of recent cyberattacks have been targeting victims using a download for what appears to be a PowerPoint slideshow, which then deploys malware when the victim interacts with an infected hyperlink. The hackers have been targeting government officials across Europe. When it comes to protecting your organization and data, it's important to avoid interacting with any links or suspicious downloads and to educate your employees to identify potential cyberattacks.
Experts note emerging trends that affect data privacy: The way that organizations store and collect data has changed significantly over the past several years. To maintain data privacy and protection, regulators and legislators have continued to propose new laws and amendments to meet our needs. Experts have noticed several key trends that will affect organizations and the way that data is created and stored. These trends include increased risk resulting from data that is stored incorrectly, the potential for a national privacy law to centralize regulations, and international agreements to standardize the way that data moves across borders.
Federal Reserve Board proposes new guideline updates to improve risk management: The Federal Reserve Board recently released a series of proposed updates to its financial market utilities guidelines. These proposals have been created with the goal of improving several key areas of risk management, including updating provisions related to incident management, the review and assessments of operational risk management policies, and third-party risk management. These proposed amendments are currently open for comment.
How to protect your organization from operational risks: As the market continues to become more competitive, you need to ensure that your organization can maintain operations, even in the face of supply chain disruptions, cyberattacks, and inflation. It can feel overwhelming at times, especially as the third parties that provide key products and services introduce additional risks. However, by assessing your vendors’ business continuity plans and determining their level of resiliency and security, you can take a critical step towards understanding any issues that may arise in the future. It's crucial to plan ahead so that your organization understands its risks and takes steps to mitigate and manage them.
Telecommunication networks face increased risks to cybersecurity: Telecom networks are facing an increase in inherent cybersecurity risks resulting from new frameworks that incorporate cloud services, wireless networks, and open source software. These third-party services have exposed telecom networks to new risks, which will need to be thoroughly assessed and managed to ensure security and efficiency. In response to these inherent risks, the National Security Agency and the Cybersecurity and Infrastructure Security Agency have released guidance for navigating some common risks.
Third-party data breaches pose serious threats for organizations: As part of a survey conducted earlier this year, over half of respondents stated that their organization was the victim of a third-party data breach in 2022, with many stating that these incidents were caused by unnecessary third-party access. In today’s threat landscape, privacy should be among your top concerns and restricting access is only one way to improve cybersecurity measures. In addition to restricting access to privileged accounts, you should also perform thorough third-party assessments to gain visibility into exactly what risks your vendors present, what vulnerabilities may be present, and how you should proceed to protect your organization.
The importance of creating a partnership with your vendor: When it comes to managing your relationships with third-party vendors, it's important to maintain a channel of clear and effective communication. This will help you establish expectations and understand key goals that will strengthen the relationship and benefit all parties. To maximize vendor relationships, you should ask questions and work with your vendor to reach common goals and maximize the benefits resulting from the partnership.
Understanding third-party cloud vendor risks: With the recent rise of organizations that have turned to cloud vendors, it’s necessary to understand the types of risks associated with cloud vendors and what steps you can take to mitigate these security risks. By giving a cloud vendor access to your sensitive data, you increase your information’s exposure to malicious actors. By implementing robust third-party risk management activities, you can gain visibility into your vendor’s security controls, how they access and use your data, and any vulnerabilities or dependencies that may impact software performance.
Hackers evade detection using Microsoft Teams GIFShell attack: Experts have identified a new cyberattack method used by hackers. This type of attack, called GIFShell, targets compromised devices and contacts Microsoft Teams users with a GIF that contains malware. The malware isn't identified by security protocols when contained in the GIF, allowing hackers to infiltrate the network without detection. Microsoft is currently researching ways to mitigate attacks in the future, but organizations should ensure that security measures are in place by using automated systems and disabling external messages.
OCC fines PNC Bank following alleged regulatory violations: The Office of the Comptroller of the Currency announced that it is fining PNC Bank over $2.6 million after discovering alleged violations of the Flood Protection Act. The alleged violation stated that PNC Bank did not enforce flood insurance requirements on its homeowners, which goes against regulations, and that when it did enforce them, it allowed a third-party vendor to extend the time period for borrowers with insufficient flood coverage. PNC Bank has since agreed to pay the fine.
Recently Added Articles as of September 22
In this week’s news, we’re diving into regulation updates as the Department of Justice calls attention to individual and corporate responsibility while the White House addresses foreign investments. Meanwhile, experts caution smaller businesses about the threat of malicious hackers, and major companies, including Uber and American Airlines, have been targeted by cyberattacks. There’s plenty of news this week, so check it out!
American Airlines suffers data breach: In July, American Airlines became the victim of a data breach in which a successful phishing campaign gave the hackers access to employee email accounts. It's unknown whether any customer information was compromised during the incident, but American Airlines has since stated that it is working to improve data security and other measures to protect against future attacks.
Vulnerability in Oracle Cloud Infrastructure is identified: Experts have identified a vulnerability in Oracle Cloud Infrastructure’s systems which violated cloud isolation and may have exposed users to malicious parties. Cloud isolation vulnerabilities make it possible for hackers to gain unauthorized access to private information and jeopardize a user’s security. Oracle has since patched the vulnerability.
Biden administration addresses foreign investment risks: President Biden signed an Executive Order that will require the Committee on Foreign Investment in the United States (CFIUS) to perform an increased number of reviews on foreign investments and look more closely at the impacts of foreign investments on the supply chain. This Executive Order follows a trend of rising concerns about the impact of foreign investments on the U.S. economy, supply chain, and national security. Additional legislation is under consideration, as CFIUS works to determine additional steps to protect the U.S. from malicious actors and risks associated with foreign investments.
Market pressures drive organizations to outsource services: According to industry experts, the threat of inflation and economic troubles may lead many organizations to turn to third-party services to drive down costs and improve efficiency. In response to looming threats, experts have noted a recent uptick in outsourced services, particularly for cloud service providers and other digitized services. This move to digitized services and automation may improve efficiency, cut costs, and decrease the need for human labor for certain tasks.
Open-source software creates new cybersecurity risks: It’s no secret that today’s market is extremely competitive. To keep up with growing demands, many companies have turned to third-party code to cut down on the time and resources spent on creating new code. While this type of code, called open-source code, has improved efficiency and made it possible for developers and software providers to meet their customers’ needs, it can also be a hiding spot for malicious code, ransomware, malware, bugs, and other vulnerabilities that can pose serious threats to your organization. A Software Bill of Materials (SBOM) is one tool that can provide critical transparency into whether the code is secure and help identify any risks found within it.
Cyber criminals target smaller businesses: Across the board, no matter your organization’s size, it’s only a matter of time before your organization becomes a cyberattack target. However, experts have noticed that small businesses may be even more likely to become victims of a cyberattack, as hackers target businesses that lack the resources and intensive security of larger organizations. As the number of data breaches and cyberattacks continues to grow by the day, it's important for all organizations to remain vigilant and updated on the best ways to identify and defend against attacks.
Uber becomes a victim of a social engineering cyberattack: A hacker launched a social engineering attack that successfully tricked an Uber employee into revealing their password. The hacker managed to gain access into Uber’s private systems. This incident highlights the importance of educating your organization’s employees to identify and report suspicious activity and phishing messages... and be sure to verify your vendors are doing the same!
How to mitigate risks in fintech-bank partnerships: Last week, we dove into the OCC’s comments that warned financial institutions of the risks associated with digitization and their relationships with fintech vendors. As the OCC expresses its concerns, it's important to understand the risks associated with these partnerships and how you can protect your institution. While fintech vendors can improve a bank’s efficiency, a bank must have effective third-party risk management processes in place to maintain a healthy relationship, or risk financial, reputational, and compliance threats. When looking to partner with a fintech vendor, financial institutions should perform thorough due diligence to determine whether the vendor has the necessary compliance, regulatory, and security policies in place.
Experts suggest vendor consolidation to improve security: According to a recent Gartner survey, many organizations are beginning to consolidate their vendors with the aim of improving their security posture and eliminating the unnecessary complexities that come with managing a larger number of vendors. While many organizations are making this shift to see increased benefits, experts warn that the consolidation process may take time, given the costs and resources necessary to switch vendors.
Microsoft executive urges organizations to update security measures: During a recent conference, a Microsoft executive shared his concerns regarding outdated security practices and urged organizations to stay updated on the latest software and cybersecurity practices to defend against the modern threat landscape. As technology continues to evolve and hackers develop more sophisticated campaigns to infiltrate private networks, it is crucial for organizations to update their security policies.
U.S. Department of Justice issues new guidelines for corporations and individuals: The DOJ recently released a series of updated guidelines with the goal of improving enforcement at both the individual and corporate levels. The guidelines include provisions that increase incentives for anyone who identifies corporate misconduct, outline individual accountability, and set new metrics for assessing corporate compliance. In today’s market, it's important to stay updated on recent regulations so that you can protect your organization from legal and compliance risks.
Healthcare organization agrees to a $12.25 settlement following cyberattack: In early 2020, Ambry Genetics was the victim of a cyberattack that affected over 200,000 of their patients. In a lawsuit filed following the attack, it was stated that Ambry Genetics could have prevented the attack if the organization had adopted more effective security policies and addressed any vulnerabilities. The lawsuit has led Ambry Genetics to take a closer look at its vendor management processes, including training its employees on best practices and performing more effective vendor assessments.
Mitigating third-party risks caused by the Great Resignation: The Great Resignation has caused many disruptions for all organizations. What impact has the Great Resignation had on your vendor relationships and your organization’s security? To protect your organization from the risks associated with departing employees and the shift to remote work, experts suggest adopting a zero trust model to ensure that employees don’t take sensitive materials when they leave, restricting access to private data, and performing ongoing monitoring activities to assess your vendors throughout the relationship. In other cases, organizations may decide to automate systems, which could improve cybersecurity measures as well.
Microsoft releases patch to remedy system flaw: Microsoft has released patches to its software to address several vulnerabilities, including a zero-day flaw that hackers have exploited in the past. Users should ensure that they are running an updated version of the system to remedy these weaknesses.
Recently Added Articles as of September 15
In this week’s news, we cover how you can create stronger vendor relationships, CISA’s new proposed mandates for protecting key infrastructure, and the reasons why some smaller financial institutions have been unable to meet reporting requirements. There’s plenty to catch up on, so you don’t want to miss out!
OMB releases new security standards for federal software use: The White House and the Office of Management and Budget (OMB) recently released a series of guidelines outlining how federal agencies should strengthen security within the software supply chain. These guidelines will require federal agencies to utilize third-party software in accordance with minimum security standards and to receive a self-attestation from the software provider before the service can be used in their department. In addition to the self-attestation, agencies may receive other proof from the software provider that the service complies with minimum security standards.
How to create strong vendor relationships: What steps can IT companies take to create a strong vendor relationship? From the earliest stages of your vendor relationship, it's important to develop an open communication channel to set the foundation for a healthy and productive partnership. Other tips for developing a strong relationship with your vendor include performing thorough due diligence activities to vet your vendor in the pre-contract stage, providing direct and constructive feedback, communicating your needs and expectations, and providing clear communication about any changes within your organization that will impact your vendor.
Identifying vulnerabilities in cloud data security: A recent analysis of the tactics that hackers use to access private data highlighted that, on average, malicious actors can infiltrate cloud data with only three steps. When using cloud vendors, you should work to assess what controls are in place to protect your sensitive information and defend against cyberattacks and third-party data breaches. The report explained that several of the largest weaknesses to securing your data are neglected vulnerabilities in networks that aren't patched and organizations that don't utilize multifactor authentication tools.
Healthcare organizations should work with vendors to improve security: As hackers continue to infiltrate private healthcare networks and steal confidential patient data, experts urge healthcare organizations to improve their cybersecurity and third-party risk management practices. As many recent data breaches have been the result of a vulnerability in the organization’s third parties, a few important steps that these organizations should take are limiting access to sensitive information, securing third-party access to private networks, and using automated workflows. By implementing automated tools to verify and limit access to sensitive data and restricting access to only the relevant stakeholders, healthcare organizations can begin to defend against hackers and third-party data breaches.
Understanding how SOC 2 reports mitigate security risks: When assessing a vendor that has access to your sensitive data, it's important to ensure that the vendor has the proper controls to protect your private information. A SOC 2 report evaluates how well your vendor’s controls comply with the 5 Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Especially as third-party data breaches target all organizations, SOC 2 reports are a critical tool for assessing your vendor’s controls looking for weaknesses and vulnerabilities which could leave your organization exposed to hackers. When performing due diligence, a SOC 2 report is often a must.
Hackers breach private networks through phone systems: Officials have identified a group of hackers that are exploiting a bug labeled CVE-2022-29499 to infiltrate secure networks and deploy ransomware. This vulnerability in Mitel devices has given these hackers access to corporate networks, but Mitel has since released a patch to address this weakness.
How APIs create third-party risks: As new technologies and developments are made and integrated into your organization’s network, it's critical to understand and identify any risks that may be posed to your organization. OpenAPIs allow users to standardize API coding and software, offering universal access to understand and use the software for individual use. However, this may open your organization to major risks from malicious actors, as the standardized code leaves vulnerabilities to data breaches and malware, for example. To protect your organization from risks associated with OpenAPIs, you should only allow trusted users to access the network, perform assessments to identify potential risks, and determine what information can be accessed through the software.
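One concrete form of the assessment step above is to read a vendor's OpenAPI document and list every operation that can be called without authentication, or that references a security scheme the document never defines. The following is an added example, not code from the original article or from any vendor; the OpenAPI document it audits is constructed for the example, and the function names (`audit_spec`, `effective_security`) are hypothetical. It applies the OpenAPI 3 rule that an operation-level `security` list overrides the top-level one and that an explicit empty list means no authentication is required.

```python
"""Audit an OpenAPI 3 document for operations that require no authentication.

Added example (hypothetical helper names); the spec below is constructed, not a
real vendor's API description.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample OpenAPI document for the example.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Example vendor API (constructed)", "version": "1.0"},
  "components": {"securitySchemes": {
      "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
      "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
          "tokenUrl": "https://auth.example.invalid/token",
          "scopes": {"write": "write access"}}}}
  }},
  "security": [{"apiKey": []}],
  "paths": {
    "/customers": {
      "get": {"summary": "List customers"},
      "post": {"summary": "Create customer", "security": [{"oauth": ["write"]}]}
    },
    "/customers/{id}/ssn": {
      "get": {"summary": "Return SSN", "security": []}
    },
    "/health": {
      "get": {"summary": "Liveness probe", "security": []}
    },
    "/reports": {
      "get": {"summary": "Export reports", "security": [{"legacyToken": []}]}
    }
  }
}
""")


def effective_security(spec, operation):
    """Return the security requirement list that applies to one operation.

    OpenAPI 3: an operation-level `security` key overrides the document-level
    one, and an explicit empty list disables authentication for that operation.
    """
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def undefined_schemes(spec, requirements):
    """Scheme names used in requirements but absent from components.securitySchemes."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    return sorted({name for req in requirements for name in req if name not in defined})


def audit_spec(spec):
    """Return findings as (METHOD, path, reason) tuples."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                continue
            reqs = effective_security(spec, operation)
            if not reqs:
                findings.append((method.upper(), path, "no authentication required"))
                continue
            missing = undefined_schemes(spec, reqs)
            if missing:
                findings.append((method.upper(), path,
                                 "references undefined scheme(s): " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for method, path, reason in audit_spec(SAMPLE_SPEC):
        print(f"{method:6} {path:22} {reason}")
```

Run against the constructed document, the audit flags the unauthenticated `/customers/{id}/ssn` and `/health` operations and the `/reports` operation whose `legacyToken` scheme is never defined; a reviewer would then decide which of these are acceptable (a liveness probe) and which expose data that the vendor should gate behind a defined scheme.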
Some small banks struggle to meet regulatory requirements: Though new technologies and regulations have continued to progress, update, and change, some small banks have been unable to keep up with the rising demands. Experts have noticed that several small institutions lack the resources and expertise to perform routine exams. A report from the GAO highlights that some small banks and institutions lacked the ability to send documents to regulators. In response to challenges that have continued to worsen since the pandemic, the GAO report urges the OCC and the Fed to develop possible solutions.
CISA calls for tighter security to protect infrastructure: Amid rising concerns regarding cyberattacks, the Cybersecurity and Infrastructure Security Agency (CISA) is urging companies in the tech industry to improve security measures during the design stage for their products. By implementing stronger security measures, CISA hopes to secure essential infrastructure and essential services against the threat of cyberattacks and data theft.
CISA announces updated incident reporting requirements plans: To protect organizations and the U.S. government from data breaches and security vulnerabilities, CISA has announced its plans to issue a request for information (RFI), in which the public will be able to submit comments on new mandates. The proposals will require organizations to report cybersecurity attacks, data breaches, and ransomware payments to CISA, which, in turn, will help federal authorities respond to attacks accordingly.
How an internal audit can drive your third-party risk management: Starting a third-party risk management program can be daunting, especially for small organizations. Where do you begin? How can you protect your organization from threats such as data breaches and regulatory violations? In these cases, an internal audit can be a useful solution for developing an effective third-party risk management framework to match your needs, assessing the gaps and vulnerabilities that could expose your organization to third-party risks, and preparing your key stakeholders for reporting activities. As third-party risk management processes seek to protect your organization and develop healthy vendor relationships, internal audits can assess your readiness and capability for the program.
OCC focuses on fintech vendor relationships: The OCC has recently commented on the state of digitization in the banking industry and the way that fintech has changed the space. In a statement, Acting Comptroller Hsu observed that all banks, no matter their size, are at increased risk of threats, such as fraud, and that it's important for the OCC to regulate the relationships between banks and fintech vendors to protect their customers and ensure that transactions are carried out safely. While there is potential for hidden risks resulting from these partnerships, the OCC is working to find ways to mitigate the risks and create solutions.
Payment Card Industry Security Standards Council updates regulations: To improve privacy and transaction security, the Payment Card Industry Security Standards Council has released updated requirements which will go into effect in March of 2025. One of these new requirements is for businesses to set up payment scripts with tighter security, which will help ensure that customer data is protected and that transactions are made safely. To protect your organization and avoid unnecessary fines or lawsuits, it's important to stay updated on the latest developments and comply with guidelines such as the Payment Card Industry Data Security Standard.
Recently Added Articles as of September 8
This week, we look at recent cyberattacks, including a ransomware attack that targeted the Los Angeles Unified School District and a third-party data breach that compromised KeyBank's customers' sensitive information. We also learn that regulators have issued lawsuits against companies found in violation of laws including the General Data Protection Regulation. Check out the latest articles for more.
School district in Los Angeles suffers cyberattack: Over the Labor Day weekend, the Los Angeles Unified School District suffered a ransomware attack which has affected the district’s email, attendance tracking software, and other IT systems. While federal authorities are assisting with the response and reorganization to improve future security, it raises the issue of cybersecurity and what we can do to defend ourselves against these malicious hackers. Users affected in the attack have been instructed to reset their passwords while federal authorities conduct their investigation and restore operations.
Instagram fined for violating GDPR: The Irish Data Protection Commission has issued a fine against Instagram for $401 million for failing to secure the data of underaged users as part of the General Data Protection Regulation (GDPR). As regulators continue to update their policies and implement new guidelines for cybersecurity and data protection, it's important to ensure that your organization complies, or you may face severe legal action and fines.
Understanding third-party risk management for financial institutions: While the rising use of third-party products and services has been instrumental in maintaining operations and streamlining processes across the financial services industry over the last several years, the number of third-party risks and data breaches has continued to rise. In response to the risks that third parties pose, it's more important than ever to ensure that your institution has implemented effective third-party risk management strategies, such as risk scoring and vulnerability prioritization, which will defend your organization and protect your data from hackers.
Hackers use malware to target large organizations: A group of hackers and cybercriminals, known as Worok, has been targeting large organizations and local governments in Asia and Africa. Experts have identified the group’s motives to revolve around information theft, in which the hackers deploy malware to compromise private networks and retrieve files. To protect your organization, as these criminals continue to develop new methods of attack, it's important to assess your systems for vulnerabilities and be sure to update your cybersecurity policies.
Pharmaceuticals company settles lawsuit: In a lawsuit, Bayer’s employees were alleged to have paid kickbacks to hospitals and doctors. The company has decided to settle for $40 million. The lawsuit claimed that Bayer had been paying doctors and healthcare organizations that agreed to prescribe select medications and that the sales team pushed for unnecessary prescriptions. This case highlights the importance of oversight, monitoring, and ethical practices, as regulators continue to pressure organizations to follow regulations and best practices.
How to mitigate third-party cybersecurity risks: Hackers continue to target organizations and steal sensitive information, so it's important to understand how your organization can improve its security strategies to defend against malicious actors. One way is by learning how to identify and mitigate third-party cybersecurity risks such as data breaches and compliance risks. To continue improving your third-party risk management processes and safeguard your organization, you should implement effective strategies like thorough due diligence, ongoing monitoring, and staying current on regulatory requirements and your vendors' internal policies.
KeyBank targeted in a third-party data breach: KeyBank recently learned that it was the victim of a third-party data breach, which may have compromised its customers’ private information, including account numbers and Social Security numbers. The hackers were able to identify and exploit a weakness in a vendor’s computer system. KeyBank is reaching out to notify anyone they suspect might have had their information stolen.
Google releases patch for Chrome vulnerability: Last week, Google released patches to address vulnerabilities in the Chrome web browser. Users should be sure to update to the newest version, if they haven’t already, to install the patch and secure their network.
IRS accidentally leaked taxpayers’ private information: In an accidental leak, the IRS released sensitive data on about 120,000 taxpayers who filed the 990-T form for their tax returns. When filled out for nonprofit organizations, the form should be made public for inspection, but should be private when filled out by regular taxpayers. The compromised information reportedly contained names and contact information, but didn't include account or tax information. Anyone affected by the leak should expect to be notified by the IRS.
Healthcare organization fined over $24 million for a regulatory violation: A subsidiary of Philips RS North America has been fined more than $24 million for filing false claims to government programs including Medicaid and Medicare. The allegations stated that the subsidiary provided false information regarding physician prescription behavior and that Philips’ sales team provided free medical equipment to its suppliers. It's important to perform due diligence and monitor your vendors to ensure that your third parties follow regulatory requirements, both to protect your own organization from potential lawsuits or fines and to preserve your reputation.
Court decision determines scope of FCPA: The U.S. Court of Appeal’s decision to acquit an ex-Alstom executive of responsibility for violations tied to a subsidiary of Alstom acts as a test for the scope of the Foreign Corrupt Practices Act. The decision stated that the executive couldn’t be held responsible for the subsidiary’s action which is instrumental for determining that FCPA doesn't have extraterritorial reach.
How you can ensure ethical practices in your supply chain: The supply chain has been a hot topic over the past several years as more consumers and organizations call for ethical practices, including the elimination of modern slavery. So, what can your organization do? How can you identify the signs of unethical vendors and work to preserve human rights? Experts point to due diligence as a key factor, as it allows you to delve deeper into your third parties to ensure that they are following regulatory guidelines and are complying with best practices. Evaluate your vendors’ third-party risk management processes, perform ongoing monitoring to ensure that your vendors continue to meet expectations, and be sure to communicate and promote transparency across the supply chain.
Breaking down risks associated with cloud vendors: As many organizations turn to cloud vendors as an easy solution for data storage, it's crucial to understand the third-party risks cloud vendors can pose to your organization. When performing due diligence on your cloud vendors and assessing for risks, you should look for information such as the physical location where the servers are stored, any security vulnerabilities that may expose your sensitive data to cybercriminals, the vendor’s security and disaster recovery plans, as well as their offboarding policies. As with any other vendor, it's important to understand the risks associated with cloud vendors so that you can protect your organization and your sensitive data.
Recently Added Articles as of September 1
There's no shortage of news to kick off September. Third-party data breaches are a hot topic this week as organizations look for ways to address security vulnerabilities and mitigate vendor risk. In other news, regulators continue to update policies and file lawsuits against organizations that are found violating guidelines. You don’t want to miss out on any details from this week’s news.
FTC sues company for collecting and selling consumer information: The U.S. Federal Trade Commission has stated that it's filing a lawsuit against Kochava, a data broker, for allegedly collecting and selling its customers’ location data. Though Kochava has denied the allegations, these events highlight the importance of staying updated on recent policies and regulations to ensure that your organization operates within industry guidelines.
Hackers use malware to infiltrate private networks: Experts have identified a series of cyberattacks that have used malware, such as ModernLoader, to compromise systems and steal private information. During these attacks, the malicious actors distribute the malware through compromised applications or phishing campaigns.
NYDFS proposes amendments to cybersecurity regulations: Following the trend of recent updates to cybersecurity guidelines and regulations, the New York Department of Financial Services has released a series of proposed amendments to policies including reporting, access management, business continuity plans, and governance. If the proposals are adopted, financial institutions would need to update their processes and policies for activities such as reporting suspicious activity and detected ransomware, updating risk assessments and cybersecurity policies at least annually, and requiring multifactor authentication for privileged accounts.
Updated report shows ransomware attack affected 2.7 million: An update to a report detailing a data breach targeting OneTouchPoint, a printing and mailing vendor, reveals that approximately 2.7 million individuals had their data exposed. In a statement, OneTouchPoint detailed the attack, saying that hackers gained access to company servers and sensitive information including health assessment data, member IDs, and names. To help protect your organization from third-party data breaches, you should assess your vendor’s controls and security practices, limit access to sensitive information, and perform ongoing monitoring.
Over 2.5 million individuals compromised during a third-party data breach: Over 2.5 million student loan accounts were exposed during a third-party data breach that targeted Nelnet Servicing, one of Oklahoma Student Loan Authority’s vendors. As third-party breaches have become more common lately, it's important to identify and address security vulnerabilities to protect sensitive data and your organization. Some of the types of data exposed during this breach include the names, addresses, email addresses, and Social Security numbers of students. Those compromised during the breach are urged to remain vigilant of identity theft and fraud.
Hackers turn their sights onto smaller healthcare organizations: Experts have noted that healthcare organizations have been among the primary targets of cyberattacks, with the criminals stealing sensitive data and private patient information. Though the overall number of cyberattacks has decreased since its height in 2020, a new trend suggests that these hackers have turned their focus towards smaller healthcare organizations which lack the sophisticated security and robust third-party risk management programs when compared to larger organizations.
Cybercriminals steal data from missile systems firm: NATO is investigating a cyberattack which compromised data and blueprints from a French missile systems firm. This attack follows a pattern of extortion attempts in which the cybercriminals attempt to blackmail their victims. According to released information, NATO is looking into the possibility of a third-party data breach resulting from a vulnerability at one of the organization’s suppliers.
Cloud vendors optimize Royal Caribbean’s operational needs: Over the last several years, we've witnessed the evolution and emergence of new technologies, such as cloud servers. Just as all organizations face unique challenges and needs, Royal Caribbean discusses the obstacles it faces to operate at sea from around the world. To meet these challenges and select the right vendors to fit their needs, Royal Caribbean performs extensive third-party reviews, including due diligence, to ensure that they find the best cost and services from their vendors.
SEC issues new regulations to improve its whistleblower program: In new amendments to its whistleblower program regulations, the Securities and Exchange Commission has stated that it can pay whistleblowers in exchange for information related to non-SEC issues and that the award for information can't be decreased during consideration. These rules will be put in place to incentivize whistleblowers. The program, established in 2010, was built to attract high-quality tips of security threats with the goal of protecting investors and the marketplace.
DoorDash suffers third-party data breach: Have you recently ordered your favorite meal through the convenient app, DoorDash? In a third-party data breach, DoorDash has reported that customer information was stolen, including addresses, names, email addresses, partial payment card numbers, and phone numbers, as well as driver data. DoorDash discovered the breach after noticing strange activity and cutting off services. This attack highlights the importance of monitoring your vendors' security protocols and training your employees to identify phishing attacks. Oh, and as a customer, you may want to check and confirm your information wasn't exposed in the breach!
U.S. is granted access to audit China’s public accounting firms: It seems that the talks between the U.S. Public Company Accounting Oversight Board and the China Securities Regulatory Commission have reached an agreement, as a Statement of Protocol has been signed, which will allow U.S. regulators to audit public accounting firms in China and Hong Kong. These audits will include personnel, work papers, and additional information. Overall, if the deal is upheld, this agreement could mark a major step forward in economic relations as well as ensuring that regulations are in place to protect investors and the market.
How to implement third-party risk management to protect your organization: In today’s threat landscape, third-party risks present major challenges to organizations. No matter the vendor and relationship, every third party presents some sort of risk. What steps can you take to defend your organization? Experts suggest implementing effective third-party risk management strategies such as reviewing security measures and performing due diligence on your vendors. By identifying vulnerabilities in your vendor’s cybersecurity controls, eliminating overlapping tools, and taking the necessary steps to address any weaknesses and mitigate risks, you'll be able to help defend your organization against malicious actors.
Lawsuit against HSBC cites unauthorized communications and discrimination: In a lawsuit claiming discrimination and unauthorized use of WhatsApp, a banking executive at HSBC stated that employees were using WhatsApp to denigrate the compliance department. HSBC has commented that it's taking these allegations seriously. This raises the question of how well you manage your employees to ensure that company business is handled over authorized channels as well as how well staff is trained to prevent discrimination in the workplace.
Sephora faces fines after violating CCPA: Consumer privacy and protection has been a hot topic for policymakers over the past several years. The California Consumer Privacy Act (CCPA) is only one of the regulations governing the ways that companies can use consumer data and information. Sephora, a large cosmetics retailer, has agreed to pay a $1.2 million fine after the company was found to have violated the CCPA by selling the data of customers who didn't consent. It's important to ensure that your own organization stays current with the newest industry regulations and guidelines to avoid fines and legal action.
The importance of implementing a third-party risk management program: For many organizations, third parties are integral for daily operations. But, how can your organization manage all its vendors and the risks that are associated with third and fourth-party vendors? In today’s business world, ensuring that your organization has an effective third-party risk management program is essential to identify and protect your organization from third-party risks. As organizations continue to outsource products and services from vendors, it's more important than ever to understand the growing reputational, financial, and legal risks, and how to safeguard your organization to prevent future attacks and damages.