
Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of September 21
Third-party data breaches dominated the headlines this week, impacting casinos, United Kingdom police, and cryptocurrency. The White House is looking to address cybersecurity regulations, attackers are trying to exploit new vulnerabilities, and one bank is facing a hefty fine for its lack of due diligence. There’s a lot more to catch up on this week, so check it all out below!
White House looks to tackle cybersecurity regulations: You may have noticed that the White House is taking a bigger role in cybersecurity recently. The administration is trying to establish standard cybersecurity regulations and technical standards. It’s a big task. The first step is to create a framework for a single set of standards for organizations to follow. Cybersecurity regulations vary from state to state, and can even differ at the federal level, but a full overhaul of cybersecurity regulations may require Congress to get involved. This task is likely to take years, so organizations will just have to wait and watch for regulatory changes.
Third-party data breaches in different industries can impact financial institutions: Third-party data breaches are jeopardizing organizational security, and they’re becoming more common. Financial institutions are no exception to this, and the information hackers steal can be used to open fraudulent bank accounts. Even breaches in the retail industry can lead to banking headaches, as bank account and Social Security numbers are leaked. Financial institutions should monitor compromised credentials and maintain a list. Payment cards can also be compromised and those should also be monitored. Banks should use these tools to protect customer data that’s compromised in a breach.
Critical Juniper vulnerability leaves organizations at risk: About 12,000 Juniper firewalls and switches are vulnerable to a code-execution flaw that attackers can exploit. This critical vulnerability allows attackers to execute code without authentication. Updates that address the vulnerability were recently released. Those who use Juniper devices should apply these updates as soon as possible.
Ransomware group is encrypting Azure cloud storage: The BlackCat ransomware gang is using stolen Microsoft accounts to encrypt Azure cloud storage. Using a stolen one-time password from LastPass, attackers can change security policies and encrypt Azure Storage accounts. This sophisticated hacking group is behind many successful breaches, so organizations should monitor their security and watch for any new updates.
United Kingdom police officer information is stolen in a third-party breach: Greater Manchester Police badge details were compromised in a third-party data breach. The supplier of the badges was the victim of a ransomware attack. Officers’ names, photos, and serial numbers were compromised. This mirrors another attack on London’s Metropolitan Police when hackers accessed a vendor’s IT systems. There was a third attack on officers in Northern Ireland as well. Breaches impact every industry, so it’s crucial to know your third-party vendors and do your cybersecurity due diligence.
Review your HR vendor’s contract for privacy compliance: Have you reviewed your HR vendor contracts recently? You could be at risk of violating California’s privacy law if employee data rights aren’t covered. With extended protections passed earlier this year, employees now have the same rights that consumers have had. Data provided to HR vendors, like payroll information, could be interpreted as selling data. HR vendors must agree to meet California’s requirements on what they can use the data for and that they’re compliant in processing it.
Puerto Rico bank fined for lack of due diligence on foreign financial institutions: A Puerto Rico bank has been hit with a hefty $15 million fine for violations of the Bank Secrecy Act. The action comes from the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). It’s the first time FinCEN has enforced a 2021 rule that requires minimum anti-money laundering program standards for banks that don’t have a federal regulator. The bank failed to complete due diligence on foreign financial institutions and high-risk customers.
Will generative AI be protected by copyright? It isn’t likely: One of the biggest issues posed by generative artificial intelligence (AI) is potential copyright infringement. The U.S. Copyright Office has held that AI-generated works aren’t eligible for copyright protection. If there’s only a small amount of AI involved in the creation of a piece, it must be disclosed to the Copyright Office. A D.C. District Court upheld this viewpoint in a recent opinion. Since AI-generated work isn’t likely to be protected, organizations should exercise caution when using it.
Casino and hotel company Caesars suffers a third-party cyberattack: Caesars Entertainment was recently the victim of a third-party cyberattack. Attackers gained access to the hotel and casino organization’s loyalty program database, which included Social Security numbers. Bloomberg reported that Caesars made a ransom payment to the attackers. The third party was an IT support vendor. These types of attacks are becoming increasingly common. It’s crucial to perform due diligence on vendors and then continuously monitor their risk. This is the second recent attack on a casino, as MGM Resorts deals with the fallout of its own attack.
New sanctions announced on Russian technology companies: The Russia supply chain is getting even more complicated as the U.S. announced 100 new sanctions against financial institutions, industrial-base firms, and technology suppliers. The sanctions focused on those benefitting from supporting and sustaining the war in Ukraine. Organizations should use extreme caution with foreign third parties that are tied to Russia. It’s crucial to perform due diligence on third-party vendors located in foreign countries, including checking industry news and alerts. Otherwise, organizations could face regulatory penalties in the U.S. and other countries that have imposed sanctions.
Attackers target Teams messages to lure employees into phishing: A new phishing campaign is targeting corporations using Teams messages. Attackers send phishing messages over Teams with malicious links that lead to a file on SharePoint. An open-source tool allows the attackers to send messages to external organizations. Several security updates were made to address the threat, but people should still use caution with clicking unfamiliar links.
Third-party data breach at crypto company puts wallets at risk: After a third-party data breach at crypto payments company Fortress Trust endangered clients’ wallets, another crypto company stepped in to repair the damage. Ripple, which has acquired Fortress Trust, restored clients’ wallets; Fortress’s own technology and systems were not breached. The breach was traced back to a third-party vendor’s cloud tool.
Cannabis sales in New York could cause headaches for banks: Banks receiving payment from cannabis sales in New York could face regulatory penalties. A new law in New York allows the city to fine landlords if they knowingly lease space to people who illegally sell cannabis. This could extend to the banks that finance these properties or properties like illegal smoke shops. Banks should use caution and do their due diligence on properties and retail clients.
Recently Added Articles as of September 14
This week’s headlines brought helpful news on what to do when issues arise in third-party risk management. There are red flags to look for with technology service providers, steps to take to prepare for a vendor business unexpectedly closing, and crucial lessons to learn from the MOVEit breach. There have also been new cyberattacks, newly discovered vulnerabilities, and compliance updates, so check out all of the news below!
GitHub vulnerability exposes repositories to attacks: A new GitHub vulnerability may have exposed repositories to cyberattacks. An attacker could gain control of a repository and create new accounts with the same username to upload malicious repositories and attack software supply chains. GitHub addressed the issue on September 1 by preventing users from creating a repository with the same name as many other repositories.
MGM Resorts impacted by apparent cyberattack: A reported cybersecurity issue at casino operator MGM Resorts has shut down multiple computer systems, impacting almost every part of MGM’s operations. This includes reservation and booking systems, electronic key cards, and casino floors. The casino floors are back online, but booking systems still appear to be down. MGM said it notified law enforcement and shut down its systems to protect data, but no further information on the incident was given.
Red flags to look for with technology service providers: More and more organizations are using technology service providers for crucial business operations, but when those relationships fail, it can lead to severe disruptions. If the provider has unreliable communication, like vague answers or slow responses, it can indicate a lack of commitment. And if the provider isn't proactive, issues may go unaddressed. To help, your provider should offer a detailed project plan before a project begins, and you should be sure to offer a clear vision so the delays don’t come from you! Frequent bugs in the technology, and no support after the project, are other things to watch out for. Before you contract the vendor, be sure to do your due diligence to catch red flags before they’re an issue.
Proactive third-party risk management is an important team effort: What’s one of the best defenses against operational risk at organizations? What is third-party risk management! As organizations evaluate their third-party risk management programs, they should share data and intelligence across departments for better decision-making on third parties. Identify your critical third parties and proactively manage the risk – software is often a great solution for this, as it automates the risk analysis process. Move beyond point-in-time data and use real-time risk monitoring. Real-time vendor alerts can move your organization from being reactive to proactive. Third-party risk management isn’t a silo. It involves everyone in the organization working together.
Microsoft to stop allowing third-party printer drivers: In an upcoming Windows update, Microsoft will block third-party printer drivers. This is an effort to strengthen the security of Windows, as printer driver vulnerabilities can bring significant security risks. In 2025, Microsoft will no longer accept driver submissions from printer vendors, and then in 2026, Microsoft will prioritize Windows Internet Printing Protocol Class drivers.
Study finds critical vulnerabilities in university websites: A study of 20 university websites found that they were extremely vulnerable to a cyberattack. These sites have more than a million monthly visitors, and six of the universities are in the top 100 list. The study found that universities were late in deploying security updates and some had significant vulnerabilities. It’s important to invest in a secure online presence and update services that patch vulnerabilities.
Managing third-party risks should be a top priority: It’s increasingly challenging to manage third-party risks as the supply chain becomes larger and more complex. And one weak vendor in the chain can lead to data breaches, fines, and reputational damage. Following the third-party risk management lifecycle and using tools to automate tasks can be a huge help. Do your due diligence on new vendors and outline compliance in the contract. Continuously monitor compliance and have an exit strategy in place in case it’s needed. Cybersecurity has become an obligation for all organizations, and it extends to even small vendors and fourth parties. Using software tools to help manage this growing challenge will help your organization stay safe.
Healthcare organizations must be prepared for a cyberattack: What should a healthcare organization do in the event of a cyberattack to prioritize patient safety? The Joint Commission released suggested actions that healthcare organizations need to take in the event of a cyberattack. Organizations should implement business continuity and disaster recovery plans and annually evaluate them. The Commission also suggested a downtime planning committee and downtime plans and procedures. All staff should be trained and prepared for an attack. Healthcare organizations should review existing incident response plans to ensure they’ve accounted for items like downtime.
Financial institutions should evaluate OFAC compliance: Compliance continues to be a high priority for organizations, and compliance with the Office of Foreign Assets Control (OFAC) should be no exception. Financial institutions and other organizations subject to the regulator should conduct a risk assessment to determine compliance needs, as well as reevaluate compliance on an ongoing basis. Things like improper due diligence on customers and clients and exporting to U.S. sanctioned countries are red flags for OFAC and can lead to enforcement actions.
FDIC releases a new examination tool: The Federal Deposit Insurance Corporation (FDIC) announced a new tool that will exchange examination planning and compliance information. The Banker Engagement Site will allow banks to communicate with FDIC staff and exchange documents and information. The site is only designed for the consumer compliance examination process.
Apple releases updates to patch vulnerabilities: Apple released emergency security updates to address two zero-day vulnerabilities that could lead to a malicious attack. Specific details weren’t given because of active exploitation. These types of bugs and vulnerabilities are becoming more and more common. It’s important to keep software updated and be aware of new updates that address vulnerabilities.
Cisco identifies a software vulnerability: Cisco is warning of a vulnerability being exploited in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. It can be exploited remotely and gives attackers access to username and password pairs. The vulnerability can be used in brute force attacks. Cisco is working on updates that address the vulnerability, which was identified last month.
MOVEit breach teaches importance of vendor incident management: At this point, we’ve all heard about MOVEit and the massive breach that impacted thousands of organizations. This major incident makes it clear how important vendor management is. For many organizations, MOVEit was the vendor of a vendor – a fourth party. Those parties are easy to miss, even though they may handle your critical data. During your due diligence, it’s crucial to know what vendors will use to process your data. Data breaches are almost inevitable and so it’s good to have a solid contract that addresses incident response and obligations. And incident response plans should address vendor incidents and vulnerabilities. Cybersecurity breaches may be inevitable, but you can have a good plan in place!
Your design vendor suddenly closed. What’s next? A vendor unexpectedly announced it’s closing its doors and your organization is left scrambling. It’s not an uncommon scenario, especially in the design industry. Financial stress builds up before a shutdown, but if the vendor is private, you won’t see the financials. Still, there are warning signs you can look for to be prepared. As the supply chain slowly returns to normal, look for empty shelves. Track your documents and communication with the vendor to set a baseline. If things suddenly change – slower delivery, not meeting orders – there could be problems. Recent layoffs can also be a sign, so it’s good to have news alerts and watch for any issues. Reviews and Google Alerts can provide early indications. It’s always good to diversify your supplier base and have a backup plan in place in case a vendor suddenly shuts down. An exit strategy in the contract is a great best practice.
New interagency rule proposed on long-term debt amounts: The federal banking agencies are looking to prevent more bank failures with a new proposed interagency rule. The rule would require large banking organizations to issue and maintain minimum amounts of long-term debt. The rule was adopted unanimously, but if it’s finalized it will require a three-year transition period. Comments on the rule are due by November 30, 2023.
New tool will allow cybersecurity professionals to emulate attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) partnered with MITRE to offer an open-source tool that mimics cyberattacks on operational technology. Cybersecurity professionals will be able to test and strengthen their defenses with the tool.
Recently Added Articles as of September 7
In this week’s news, we’re reminded why it’s so important to have a vendor exit strategy in place in advance of contract termination. There are lessons learned from the bank failures earlier this year, and agency-issued research has discovered common themes. ESG issues continue to heat up, third-party verification and monitoring remains important, and so much more. Read on!
Phishing kit bypasses multi-factor authentication, attacking Microsoft 365 accounts: Threat actor W3LL created a phishing kit that compromised over 8,000 Microsoft 365 corporate accounts, causing millions in financial loss. Keep an eye on your corporate 365 account… and be sure your vendors are doing the same!
California Privacy Protection Agency shares draft rules: Recently, the California Privacy Protection Agency (CPPA) shared cybersecurity audits and risk assessment draft rules in preparation for this month’s board meeting. The rules will likely become a part of California Consumer Privacy Act’s second rulemaking package. Some of the proposed requirements would include documented and detailed risk assessments, updating risk assessments due to material changes in processing activities, annually submitting the risk assessment for a compliance certification, and more.
Third-party verification is crucial: In today’s interconnected landscape, organizations rely on complex networks of third-party vendors for products and services. Because of this reliance, organizations are exposed to a variety of risks, including fraud, corruption, environmental and social, and regulatory risk. To successfully mitigate these risks, it’s crucial for organizations to verify and monitor their vendors, ensuring compliance with relevant laws and standards, especially as sanctions become more prevalent.
Reacting to third-party problems: On average, organizations partner with ten third-party vendors to manage their necessary business operations. And an attack on any of your vendors can affect all vendors, creating a domino effect, which is why organizations must successfully manage risk associated with these vendors. To help, it’s important to implement security awareness training. Security awareness training organization-wide ensures your organization and its employees can stay in compliance, which assists with reducing risk.
Update on the Nevada Consumer Health Data Privacy Act: The governor of Nevada signed the Consumer Health Data Privacy Act, which will go into effect on March 31, 2024. The Act establishes restrictions and responsibilities for regulated entities regarding the collection, processing, sharing, and sale of consumer information and specifically applies to regulated entities dealing with public health information (PHI).
California’s data broker law to be amended: California is working on amending its current data broker law, with the Delete Act. The Act will affect data broker compliance obligations, likely increasing those under the state’s data broker law and California Privacy Rights Act. It will also affect enforcement authority over data broker provisions, giving authority to the California Privacy Protection Agency.
Themes discovered that contributed to the recent bank failures: Since the Silicon Valley Bank, Signature Bank, and Republic Bank failures earlier this year, many agencies have issued reports covering factors that contributed to the bank failures and areas to keep in mind moving forward. Some of the findings covered include concentrations/diversification, stress testing, compensation, and risk management/chief risk officer. Regarding risk management/chief risk officer, you can expect more regulatory focus on the CRO position in large and mid-size banks. The bank collapses continue to be analyzed, but it’s clear… banks can expect an increase in enforcement actions and more stringent examinations.
Minimize onboarding struggles with offshore third-party vendors: Organizations often face challenges when onboarding offshore vendors, including investing significant time in educating vendors on expectations, lack of context about the vendor’s market and goals, communication barriers, and more. To ensure a seamless integration with offshore vendors, several best practices are recommended which include treating vendor onboarding like employee onboarding, planning for a smooth onboarding, fostering long-term relationships, securing your investment, and communicating effectively.
A New York school district scrambles to find a new bus vendor: North Alleghany school district’s third-party bus contractor abruptly cancelled their contract, leaving officials scrambling to find a solution before school started. District officials reached out to eleven contractors and have been able to restore bus service to two schools. The district transports over 8,500 students, so the loss of transportation was a hardship for many families who relied on busing to get their children safely to school. This reiterates the importance of establishing a vendor exit strategy well before you sign the contract. It should include a replacement plan with next steps should you suddenly lose a vendor product or service.
ESG reporting criteria expanded to include human rights: Many of the voluntary ESG standards overlap, with mandatory reporting criteria in various jurisdictions such as Canada, the EU, U.S., and Australia. When organizations are required to disclose information in one jurisdiction, they can enhance their ESG profile by also adhering to internationally recognized ESG metrics. Organizations already reporting under these standards can often repurpose their reports to meet regulatory standards. Current best practices involve aligning reports on human rights and supply chain management, and staying informed on the latest ESG developments will ensure that your organization and its third-party vendors stay compliant.
Resolve human rights violations through arbitration: Human rights obligations primarily fall on sovereign states, and corporations are responsible for adhering to international human rights standards. However, corporations may struggle to define the scope of obligations that involve both private and public elements and may not be well-equipped to handle certain human rights issues. Despite these challenges, business and human rights arbitration can be valuable in enforcing human rights requirements within third-party contracts, especially in supply chains.
ESG issues continue to heat up: After the 2022 mid-term elections, Congressional Republicans announced that their oversight agenda would include ESG issues. Fast forward to 2023, and their focus on ESG issues has increased. In February, they established an ESG Working Group that is primarily focused on protecting capital markets from ESG considerations. Throughout this year, there have been many oversight hearings and document requests too, and there is more to expect this fall. Ensure your organization stays up to date on the latest ESG regulations that may come into play.
Notorious malware platform is taken down: U.S. authorities have announced that an international law enforcement operation has taken down the “Qakbot” malware platform, which was discovered over a decade ago and is believed to have originated from Russia. This platform was widely used by cybercriminals in an array of financial crimes. The U.S. Department of Justice operation, nicknamed Duck Hunt, involved the FBI and more than six other countries in the investigation. Evidence shows that Qakbot malware had infected over 700,000 victim computers and caused hundreds of millions of dollars in damages to various businesses.
Consumer privacy race continues with new FCC task force: The FCC is working on creating a Privacy and Data Protection Task Force. This task force aims to coordinate efforts across the FCC to address privacy and data protection challenges in the ever-changing digital world. The creation of this task force highlights the need for consistent and adaptive privacy oversight in an era of constant connectivity.
Overview of the malware loaders used in the first half of 2023: In the first half of 2023, cybercriminals relied on 7 malware loaders in their attacks. These include QakBot, SocGholish, Raspberry Robin, Gootloader, Chromeloader, Guloader, and Ursnif, with 30% of intrusions coming from QakBot. Interesting data!
Artificial intelligence best practices: It’s believed that by 2026 over 75% of large organizations will infuse AI into various processes to heighten efficiency, streamline processes, and more, but there are still significant risks and dangers of AI such as accuracy, transparency, and privacy. Organizations must establish AI governance to ensure AI risks are identified and assessed. NIST recommends these 5 best practices: create transparent documentation, policies, and procedures; empower employees through training; commit to a culture that considers and communicates AI risk; integrate a feedback mechanism into system design and implementation; and keep tabs on third parties. If your organization plans on utilizing AI, be sure to review the AI Risk Management Framework and ensure you have a plan in place to mitigate any risks that may arise.