It’s been more than a year since the World Health Organization (WHO) declared the COVID-19 outbreak a global health emergency and approaching a year since the outbreak was declared a pandemic. This makes it a good time to take a look back and review how third-party risk management has been affected the most.
While the aspects of third-party risk management are very interconnected, it has been affected most in four big areas: cybersecurity; business continuity, disaster recovery and pandemic planning; financials; and compliance and regulation.
Vendor Cybersecurity Top Priority
Aside from human health itself, the arena of cybersecurity may have been the most impacted throughout the pandemic, and the damage still continues. Bad actors everywhere took advantage of the chaos and vulnerabilities as millions were sent home to work on unsecured networks.
It became a top priority to review vendors’ cybersecurity and information security plans along with their SOC reports.
Here are some interesting cybersecurity statistics as a result of the COVID-19 pandemic:
- The number of unsecured remote desktop machines rose by more than 40% (Security Boulevard)
- COVID-related email scams rose by 667% (Tech Republic)
- Ransomware attacks spiked by 72% to 105% (Skybox Security)
- Large scale data breaches rose by 273% (iomart)
- 80% of organizations experienced a cybersecurity breach that originated from their own vendor’s ecosystem vulnerabilities (Opinion Matters)
- The average cost of a data breach increased by $137,000, and breaches seem to be occurring almost daily, wreaking havoc on organizations across the world (Ponemon and IBM)
- 40% of respondents experienced third-party cyber incidents during 2020 (Venminder)
Whether it’s a low or high-impact exposure or vulnerability, your organization’s reputation is at risk. Customers don’t care about the “sensitivity” of data stolen or particular details of what happened. It comes down to trust.
10 Notable Hacks of the Pandemic
We watched those cybersecurity statistics play out as there were some especially notable data hacks over the last year to be aware of and remember. Here are ten to know about:
- SolarWinds – A suspected group of Russian hackers planted malicious code in software updates for its third-party network-monitoring tool, Orion, which has continued to have massive fallout, affecting both the private and public sector. The SolarWinds supply chain attack is believed to have impacted as many as 250 government agencies and businesses, but further damages are still being uncovered.
- Garmin – A ransomware crusade was unleashed, taking down Garmin Connect, the cloud platform vendor that syncs user activity data, as well as large portions of Garmin.com.
- Blackbaud – The third-party cloud computing vendor experienced a breach that exposed the information of millions of healthcare patients.
- Marriott – The hotel chain fell prey to a cyberattack which impacted 5.2 million guest accounts.
- Ubiquiti – The third-party cloud provider of devices such as routers, network video recorders, security cameras and access control systems was breached, but the extent of the damage is currently unclear. In the meantime, they’ve urged their customers to change passwords and set up multi-factor authentication.
- Ascension Data & Analytics – The company hired a vendor, OpticsML, to scan sensitive documents and put them on the cloud. However, the vendor didn’t have proper security protocols in place and a lot of personal information was accessed. The FTC proposed a settlement for the alleged violations of the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule.
- Adobe Flash Player – Flash was known to have bad actors using scripts from third-party sites to intercept clipboard contents and grab code. Professionals estimate that over the course of its life, Flash demonstrated more than 1,000 vulnerabilities, including the ease of downloading a malware bundle instead of a legitimate update. As of December 2020, Adobe no longer supports Flash Player.
- Oracle – Multiple botnets have targeted thousands of publicly exposed and unpatched Oracle WebLogic servers. The bots deploy crypto miners and steal sensitive information from infected systems. The attacks target a WebLogic Server vulnerability that was disclosed in October 2020.
- Zoom – This video conferencing vendor experienced security issues and vulnerabilities in 2020 with the surge of platform use. The company failed to maintain a high level of cybersecurity and misled its customers around its encryption levels provided for meetings, saying it was AES 256 when it was actually AES 128. Negative press, lawsuits and settlement with the U.S. Federal Trade Commission followed. They’ve made updates to improve their policies and controls to meet customer and regulator expectations.
- The Office of the Washington State Auditor (SAO) – The office experienced a data breach that exposed more than 1.6 million people who filed for unemployment claims in the state in 2020 due to a third-party software provider, Accellion.
Call Center Ransomware Attacks on the Rise
Pay extra close attention to your call center vendors. Ransomware attacks on call centers rose in 2020 and continue to be a threat. Groups are reportedly cold calling their victims to tell them their systems have been compromised by ransomware and will then “shake down” the unsuspecting individual, not only using crypto-locking malware but, lately, also leaking data to increase the psychological pressure on victims to pay. The scary thing is that some of these groups have grown into something resembling a mid-sized company, complete with staffing and budgets.
Ensure you’re doing proper due diligence and oversight on these vendors, and verify that they are prepared and are educating their staff on how to handle situations like this.
The Particular Vulnerability of the Healthcare Industry
The above is only the tip of the iceberg. The healthcare and pharmaceutical industry has by far been the hardest hit with breaches. Healthcare cybersecurity breaches cost more than those in any other industry, at $7.13 million on average. And, since November of 2020, cyber attacks on healthcare facilities have increased by 45%.
The healthcare industry has a unique makeup: in many ways it is still a bit old school and decentralized, it often relies on paper transmission, and it embeds technology in its medical devices, which are ultimately vulnerable to attack. When Blackbaud, the third-party cloud computing vendor we mentioned in the list above (which services non-profits, healthcare, academic institutions, religious organizations and others alike) was hacked this year, the fallout was massive, especially for healthcare.
It’s estimated that more than two dozen providers and over 10 million patients have been included in the final breach tally and the number is still growing. As of December 2020, the Blackbaud hack has resulted in close to $6 million in damages.
Now, Blackbaud is being audited by the Department of Health and Human Services (HHS) and state and federal regulators.
Focus on Vendor Business Continuity, Disaster Recovery and Pandemic Plans
There are some things that even the best thought-out plans aren’t prepared for. It became even more important than ever to be aware of your vendor’s business continuity, disaster recovery and pandemic plans to ensure procedures are strong and meet expectations.
It’s important to look into these matters, determine the root cause of any issues and assess whether the circumstances could have been, or can still be, avoided. Even if an incident has been recovered from, there could be systemic issues which show that further action should be taken to remediate, or perhaps to transition to a new vendor. Either way, as organizations did especially in 2020, continue to keep a close eye, increase ongoing monitoring and incorporate lessons learned.
With the pandemic, the possibility of vendors being disrupted by it in some form greatly increased. By reviewing and monitoring their plans, you’re determining the resiliency of the vendor and, therefore, of your own organization.
Examiners, especially now, expect you to have an analysis of the plans as well as documentation available. For example, a joint paper between the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation on operational resilience was published in October 2020 outlining practices to have in place to be prepared when facing cybersecurity, natural disaster and pandemic-related scenarios. This shows the heightened focus on third-party risk management due to the pandemic and the importance of being prepared.
Here are a few interesting statistics:
- 44% of respondents worked to confirm their vendors had adequate pandemic plans due to COVID-19 (Venminder)
- 71% of C-level executives cited business continuity as a major concern during the pandemic (Black Box)
- Only 43% of employees felt their employer had a proper plan in place to address COVID-19 business concerns (Forrester)
Increased Vendor Financial Concerns
Monitoring vendors’ financial status also became increasingly frequent, to see how the pandemic was affecting their revenue. When income declines, it leads to reductions in staff, which then lead to declining service levels and longer response times, and all of that leads to a decline in the maintenance of security and systems, which loops us back around to information security.
And it’s important to remember that not all of the shutdown fall-out is felt instantaneously. There may be organizations holding on now, but sustainability is uncertain. Even when operations begin to go back to normal, the residual impacts to organizations large and small will continue to play out over the coming months and years.
- 56% of compliance leaders reported budget cuts due to COVID-19 (Baker McKenzie)
- 43% of small businesses closed temporarily as a result of COVID-19 (PNAS)
- It was predicted that business bankruptcies would be 140% higher due to the pandemic (MIT Management)
- Companies plan to bear COVID-19-related expenses for longer than anticipated – e.g., Iron Mountain spent an extra $9.8 million in Q2 2020 on COVID-19 related expenses for personal protective equipment, plexiglass shields and cleaning (The Wall Street Journal)
Compliance & Regulatory Shift
According to a report by Baker McKenzie from November 2020, 35% of respondents state that their compliance function has no way of knowing whether third-party partners are compliant.
So, it’s no surprise that the increased risks from the pandemic created compliance and regulatory shifts. We’ve seen many regulations created as a result, a couple of notable ones being:
- The California Consumer Privacy Act (CCPA), which is considered the first modern consumer data protection state law in the United States, went into force on January 1, 2020. And, it seems many other states are keen to follow: on the horizon, states such as Virginia, Minnesota and Florida are in the process of putting together their own data protection bills.
- The New York State Department of Financial Services, which set cybersecurity regulations in 2017 and gave a two-year period to become compliant, commenced its first enforcement action against First American Title Insurance Company for violations of numerous requirements, including those related to their vendors.
Meanwhile, compliance and regulatory shifts have happened within the financial industry specifically, and they required some major support, resulting in a long and somewhat complex list of updates pertaining to various facets of mortgages, credit and loans. Some of these included changes or relief around:
- Paycheck Protection Program Loan notification and adverse action requirements
- FFIEC reporting
- FDIC deposit assessment
- US banking interim final rules (IFRs)
- Equal Credit Opportunity Act timing requirements
- CFPB reporting changes to quarterly submissions
- CFPB mortgage servicing and forbearance
From our own recent survey released last month, the State of Third-Party Risk Management 2021, 36% of respondents are feeling more pressure now because of regulatory/audit scrutiny and 67% feel that there is more scrutiny on third-party risk management over the last year.
More organizations than ever are placing a priority on third-party risk management, as evidenced by the increasing budget investment for many and the other facts we’ve mentioned throughout.
Organizations are continuing to see the practical advantage of third-party risk management as a positive return on investment (ROI). From our survey, 80% of organizations believe there is an ROI from efficient vendor risk management. Also, around 73% of organizations overall are feeling pressure to improve their vendor management program.
So far, 2021 is shaping up to be somewhat of a transitional period. We’re all still in the thick of the many changes that are sure to come. But, of one thing we are certain: regardless of industry, third-party risk management is indispensable. Managing risk is non-negotiable, and while we will undoubtedly weather more shifts in cybersecurity, business continuity/disaster recovery/pandemic planning, financials and compliance and regulatory requirements, dedicating resources to developing a strong risk program is a steadfast, strategic advantage in the best and worst of times.