Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of August 29
Almost 1 million people had data compromised in a third-party cyberattack, U.S. organizations experience severe financial losses in security incidents, and best practices can help organizations navigate the privacy compliance landscape. Check out all of this week’s news and headlines below.
The importance of trust in healthcare and technology vendor relationships: The amount of data in healthcare is projected to increase by 2025 and cybercriminals have taken advantage of the wealth of data available. Many healthcare organizations use a wide range of systems, technologies, and APIs, which can increase the possibility of future incidents. Healthcare organizations should seek to build up relationships of trust with technology vendors as they respond to cyberattacks, regulatory scrutiny, and a changing customer base. Vendors should be true partners in the healthcare organization’s goals, mission, and overall strategy. It's recommended to consider how the technology is implemented with other platforms, how the vendor will comply with evolving regulations, and how the vendor can meet both current and future needs.
Almost 1 million people’s data is compromised in a third-party attack: A third-party developer notified almost 1 million people of a healthcare data breach. Exposed information includes names, birthdates, and Social Security numbers. The third party develops software for carriers and brokers who underwrite medical stop-loss insurance. The data stolen from the third party belonged to Blue Shield of California.
Majority of education institutions experienced a cyberattack: Seventy-seven percent (77%) of education institutions identified a cyberattack within the last 12 months, according to a new survey. Almost half of the respondents said they now faced unplanned expenses due to a security incident. Educational institutions should prioritize preventative cybersecurity measures and remediation steps after an incident; however, this often costs extra resources that may not be in the budget.
Microsoft resolves incorrect malware flagging on emails: Microsoft alerted users that some emails may have been incorrectly flagged as malware and quarantined. The organization investigated the Exchange Online false positive issue. It appears to be widespread and also impacts emails with image signatures. Microsoft said the issue has since been resolved and that over 99% of impacted emails were unblocked.
Third-party software sued for pricing algorithm: The Justice Department, along with several states, filed a lawsuit against a commercial revenue management software company for alleged activities to reduce competition and monopolize the market. The company, RealPage, provides software services to landlords. The lawsuit alleges RealPage’s pricing algorithm allows landlords to share sensitive and competitive information and align rent costs. This increases the rental prices across markets, the lawsuit says.
Navigating the challenges of privacy compliance: Organizations must face the challenges of complying with a myriad of data privacy laws, particularly in the U.S., where 20 states have their own privacy laws and expectations. A proposed federal privacy law has stalled in Congress, leaving the current, complex framework of navigating state laws. Organizations should inventory their data to understand what they have and who has access to it, which could reveal third-party risks. Consider supply chain risks and whether your organization should minimize the data it shares with third parties. Proactively managing privacy risks can help your organization be better prepared for compliance.
The benefits of continuous penetration testing: Continuous penetration testing is a critical cybersecurity practice for organizations to identify and mitigate vulnerabilities. This helps organizations stay ahead of potential attackers by monitoring their security posture. Continuous penetration testing isn’t a one-time assessment, and it’s not a standalone practice. Instead, it’s integrated with other security practices to provide a full overview of an organization’s security risks. Continuous penetration testing offers long-term cost saving by preventing incidents, increasing visibility into the organization, and meeting compliance expectations. This practice can also help identify third-party vulnerabilities and mitigate those risks. Organizations should determine the frequency of testing, set clear goals and objectives, and use both manual and automated testing techniques.
Maturing third-party risk management to protect against risks: Third-party data breaches continue to impact organizations, emphasizing the importance of third-party risk management programs. Many organizations rely on hundreds or thousands of third-party vendors, increasing overall risk to the organization. For a more mature third-party risk management program, it's recommended that organizations evaluate current policies, procedures, and control mechanisms to see if there are any existing gaps. Review incident response plans to ensure they’re current and that there’s a solid plan of action for when an incident occurs, too. Organizations should also manage third-party access to data and limit what’s available as much as possible.
U.S. organizations face severe financial losses after a data breach: Almost half (47%) of U.S. organizations have experienced significant financial losses due to data security incidents, according to a new survey. Of those surveyed, 8 out of 10 of the organizations were impacted by ransomware. The new survey shows the devastating impact of data breaches, particularly when it comes to revenue.
Recently Added Articles as of August 22
This week’s headlines gave important insights on meeting regulatory expectations for third-party risk management, addressing challenges within programs, and how to defend against third-party cybersecurity risks. Check it out below.
How to defend against third-party cybersecurity risks: Third-party cybersecurity breaches have become more common throughout the supply chain, demanding an evolving approach to managing the risks. Vulnerabilities must be identified and remediated in the supply chain before they’re exploited. This likely requires organizations to work with their third parties to improve cybersecurity posture and identify the right mitigations. Risk and threat intelligence is also important for organizations to have for third parties, particularly if they have direct access to systems.
Meeting third-party regulatory expectations in the financial industry: Third-party relationships continue to allow banks to stay at the cutting edge of technology and meet customers’ needs. However, this continued growth requires the financial industry to stay on top of new and existing third-party risks. Higher-risk activities should receive more comprehensive oversight. Risks can also arise from unseen places, such as a third party’s subcontractor or from geographic regions. Financial institutions have a regulatory responsibility to conduct proper due diligence, so they can evaluate whether the third-party risks can be identified, monitored, measured, and controlled. Remember to review examination reports for existing gaps, ensure third parties implement software updates, and know who has access to your data.
Hackers are exploiting a backdoor flaw: Attackers have exploited a backdoor to hack into an unnamed university in Taiwan. It’s likely that attackers exploited a critical PHP flaw, which can be used to achieve remote code execution.
Addressing third-party risk management challenges: Financial regulators are scrutinizing banks for their third-party relationships, which is a reminder that compliance should be a top priority. Regulatory violations can lead to financial and reputational costs with large fines. There are often clear challenges for financial institutions and third-party risk management, such as multiple systems used to manage third parties, a lack of comprehensive reporting, and insufficient management of non-critical vendors. To address some of these issues, there are steps financial institutions can take. Contractual agreements should be clear and comprehensive, with provisions for service expectations, contingency plans, and termination. Also, consider what contingency and exit plans look like in both the short-term and long-term. Regular third-party resilience tabletop exercises are also helpful.
Entra global administrators must enable multi-factor authentication: Microsoft has alerted Entra global administrators to enable multi-factor authentication (MFA) by October 15. If MFA isn’t enabled, users will lose access to admin portals. This is part of an initiative to ensure accounts are protected against phishing attempts. If an administrator needs more time, they can postpone the enforcement date until April 2025. However, postponing the date could lead to greater risks.
Securing healthcare organizations against third-party risks: Cybercriminals are targeting the third-party vendors of healthcare organizations. For healthcare organizations to protect themselves, they should create an inventory of third-party vendors classified by risks. This should also include fourth-party vendors. Controls and cyber insurance should be based on the levels of identified risks and outlined in the vendor’s contract. To prepare for a potential incident, healthcare organizations should also have incident response and recovery plans that include third parties.
Reducing human cybersecurity risks: Almost 75% of CISOs see human error as their top cybersecurity risk, up from 60% last year. It’s important for organizations to prioritize employee training and teach safe practices. Rather than a check-the-box exercise, training should be tailored to what employees need and conducted regularly. Remember, cybersecurity is the responsibility of everyone in the organization, so setting a culture of cybersecurity can help.
MIT researchers create AI risk database: Researchers at the Massachusetts Institute of Technology (MIT) have created a database of artificial intelligence (AI) risks. Researchers were able to uncover gaps in existing AI risk frameworks. To help organizations identify missing risks, they created a database of more than 700 risks. The database will be regularly updated and provide a common frame of reference for people. The risks are broken out into seven domains: discrimination and toxicity, privacy and security, misinformation, malicious actors and misuse, human-computer interaction, socioeconomic and environmental harms, and AI system safety, failures, and limitations.
Many organizations haven’t assessed AI risks: A majority of U.S.-based organizations plan to use generative artificial intelligence (AI), but only 58% have started assessing the risks, according to a new survey. Experts said it’s important for organizations to start building responsible AI frameworks, particularly with the large-scale adoption of AI. Organizations should consider accountability and ownership for AI use and think through the lifecycle of AI systems.
How organizations can protect against third-party bribery risk: Many regulators expect organizations to manage bribery and corruption risks, including within the supply chain. Effective third-party risk management programs can help protect against these risks. It's recommended organizations have a rationale for why a third party is involved in a transaction and understand the level of risk a third party poses. Written contracts should outline the third party’s responsibilities and bribery compliance expectations. After the contract is signed, third parties should be monitored for continuous compliance through due diligence, audits, or annual compliance certifications.
Microsoft patches vulnerabilities: Microsoft addressed 90 security flaws, including 10 zero-day vulnerabilities, 6 of which were actively exploited. As Microsoft patches these vulnerabilities, it’s important for organizations to ensure their systems are up to date.
Recently Added Articles as of August 15
This week’s headlines include a massive, alleged data breach at a third-party background check service provider, strategies for secure third-party relationships, and vendor risk management recommendations for a resilient supply chain. Check it all out below.
FBI shuts down online infrastructure of a ransomware group: The FBI has shut down an online infrastructure of a ransomware group. This included three UK servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain. According to the FBI, the ransomware group has successfully attacked organizations across industries, including financial services and healthcare.
Preventing supply chain attacks through employee awareness: A crucial element to mitigating the risk of supply chain attacks is employee awareness. Employees with advanced training can recognize and report potential threats quickly, potentially preventing breaches. Employees should adhere to practices like verifying identities before sharing sensitive information, using secure communication methods, and being on the lookout for social engineering attacks. To help train employees, organizations can use real-world phishing scenarios and host interactive training. Covering a specific supply chain threat in training, such as malware, can also help employees better identify threats. It’s also important to extend awareness to third parties by establishing security requirements in the contract, conducting regulatory security assessments, and offering support in training and awareness.
Update in Microsoft Office after a vulnerability: Microsoft reported a zero-day vulnerability in Office that could allow cybercriminals to gain access to sensitive information. Organizations should update Microsoft Office to ensure the final patch is applied.
Using third-party risk management in healthcare: The healthcare industry continues to face a rise in cyberattacks, particularly from third-party vendors. Third-party risk management in the healthcare industry can help prevent and mitigate these third-party attacks. It's recommended that healthcare organizations assess the security practices of third parties before entering into an agreement. This includes evaluating data protection, industry compliance, and security infrastructure. Third-party contracts should include provisions on adherence to HIPAA regulations, data encryption standards, and protocols for incident response. After the relationship begins, third parties should be continuously monitored for changes in security. These practices can help keep third-party relationships secure.
What to negotiate for in cloud provider contracts: Negotiating contracts with cloud providers can be challenging, especially as many of these third parties are large organizations. However, it’s still important to ensure cloud contracts protect your organization. Set service performance expectations in cloud contracts, including a minimum level of availability and penalties for downtime. Performance metrics, such as measuring incidents and availability metrics, should be negotiated. Cloud contracts should also define the process in case of performance issues. If possible, limit the cloud provider’s ability to make unilateral changes to the contract terms that may be damaging to your organization. The contracts should also include provisions for data protection and termination.
Building a resilient supply chain through vendor risk management: Supply chain disruptions can occur quickly and unexpectedly, so it’s important for organizations to be prepared. Effective vendor risk management can help organizations create partnerships with clear expectations so organizations and their vendors can communicate openly to resolve issues. Building this type of program requires a diverse vendor portfolio, using technology to enhance efficiency and monitor vendors, relying on data analytics to measure vendors and make informed decisions, and open and transparent communication.
Almost 3 billion data records were allegedly compromised in a cyberattack on a third-party background check service: Almost three billion data records were allegedly compromised in a cyberattack on a third-party background checking service. The allegation came from a class action lawsuit, but the service, National Public Data (NPD), hasn’t yet confirmed a breach. Data records were leaked on a hacking forum, although some of the data doesn't include current addresses and so may be outdated. Because NPD performs the background checking service and scrapes data from non-public sources, many people didn’t knowingly provide their data to the organization.
Best practices for secure third-party relationships: It can be challenging for organizations to keep their own environment secure, let alone ensure all their third-party vendors are secure as well. However, as third-party inventories grow, cybercriminals have more opportunities to gain access to organizations’ data. To manage these risks, it's recommended organizations consider mapping the supply chain, including fourth parties, to identify vulnerabilities. Third parties should also be assessed for criticality and cybersecurity. Organizations should perform due diligence to assess compliance and cybersecurity practices. Strict access controls for third parties can also ensure third parties don’t access more data than they need to. These proactive approaches can help organizations protect against third-party risks.
Security vulnerability from 2006 was actively exploited: An 18-year-old security vulnerability was exploited in attacks. It allows malicious websites to bypass security protections in browsers such as Chrome, Firefox, and Safari. The vulnerability only affects Linux and macOS devices. All three browsers are working to fix the vulnerability. Organizations should ensure they’re updated to the latest versions.
Recently Added Articles as of August 8
A third-party app leaked organizations’ data through a public web directory, healthcare organizations were urged to improve supply chain security, and an exercise showed how vendor concentration risk can negatively impact government agencies. Check out all of this week’s news below.
Organizations pay an average of $2.5 million in ransomware attacks: The average ransomware payment is $2.5 million, according to a new survey. Larger organizations are more likely to pay ransoms and more likely to pay a higher amount. Many discourage paying ransoms, as cybercriminals aren’t guaranteed to actually delete an organization’s data. However, organizations may pay to minimize financial and operational disruptions.
New Windows vulnerability targets older systems: A 2018 Windows vulnerability was added to the government’s Exploited Vulnerability catalog, impacting systems older than Windows 11. Users were given until August 26 to patch or cease using Windows systems. Windows 10 users may be preyed upon, particularly as end of support for it begins in October 2025. Millions of people still use Windows 10, as their machines may not be suitable for Windows 11.
Federal Reserve issues guidance for resolution plans: The Federal Reserve (The Fed) issued final guidance for large banks on resolution plans, also known as living wills. These describe a bank’s strategy for resolution under bankruptcy in the case of financial distress or failure. In the guidance, third-party contracts, service level agreements, and identifying critical third-party vendors were emphasized.
Third-party app leaks data through public web directory: A third-party app had a publicly available web directory that exposed 10,000 employee credentials from organizations. The directory stored backups of the app’s database and website, but researchers were able to access it. The information included email addresses, hashed passwords, and meeting details. As more organizations share data with third parties, experts recommended having strong third-party risk management practices in place.
Hardware supply chains targeted by nation-state actors: Nation-state cybercriminals are targeting hardware supply chains, with 19% of organizations in a survey saying they’ve been impacted by an attack. Hardware includes physical PCs, laptops, and printers. A majority of security leaders believe the next major nation-state attack will involve hardware supply chains and malware. Experts advise monitoring hardware compliance in the supply chain and ensuring hardware suppliers have appropriate security controls.
Healthcare organizations urged to improve supply chain security: Healthcare industry leaders issued a warning on supply chain attacks after a ransomware attack on a blood center in Florida. The American Hospital Association (AHA) and Health Information Sharing and Analysis Center (H-ISAC) urged healthcare organizations to improve medical supply chain security. The ransomware attack on the blood bank, coupled with the Florida hurricane, caused hospitals to activate critical shortage procedures for blood. AHA and H-ISAC asked healthcare organizations to consider alternative suppliers or use multiple suppliers to eliminate single points of failure.
Ransomware group impersonates popular IT website: A ransomware group is targeting IT workers with a remote access trojan that can breach corporate networks. The malware impersonates a legitimate IT networking site. The ransomware group is targeting IT workers in the hopes of gaining elevated account privileges. To avoid malvertising, be wary of sponsored search results and bookmark official sites.
Vendor concentration risk can negatively impact government agencies: Relying on one single vendor for government IT systems can cause significant risks, according to the Center for Cybersecurity Policy and Law (CCPL). The organization conducted a tabletop exercise that simulated two attacks with varying degrees of IT vendor concentration. The simulated attack on the agency with more vendor concentration was more damaging than the simulated attack on an agency with a more diverse vendor portfolio. CCPL recommended that government agencies examine IT vendor concentration risk more closely and diversify their systems.
Aviation industry facing increased third-party risks: Airlines had more data breaches than the industry benchmarks due to third-party risks and vulnerabilities, according to a new report. Vendors in the aviation industry are posing significant risks, particularly with IT and aviation-specific software. Ransomware is a top threat for the industry. The aviation industry will need to look into its third-party vendors’ risks.
Third-party data access a top concern: A new study highlighted that third-party data access is a top IT concern. Many organizations struggle to track who has access to their data and what they can do with it. The majority of survey respondents share internal data with more than 25 vendors, but 25% share data with more than 100. Dependence on third parties can have a large impact on organizations, particularly if third-party data breaches occur. Survey respondents said third-party data breaches became reputational issues and resulted in monetary losses.
Fraudulent money transfer trojan discovered: A new Android remote access trojan is able to perform fraudulent money transfers from compromised devices. A cybersecurity firm discovered the trojan. The trojan self-destructs, removing any evidence of the money transfer.
Agencies continue to scrutinize BaaS partnerships: The recent interagency statement from the Federal Reserve (the Fed), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) may lead to more regulatory rules on the relationships between banks and banking as a service (BaaS) providers. Regulators have noticed more complex arrangements with BaaS and banks, leading to greater risks. Agencies have scrutinized BaaS relationships more closely lately with several regulatory actions. Banks should ensure they have the right capital for BaaS activities and increase due diligence practices.
Recently Added Articles as of August 1
This week’s headlines highlighted the costs of third-party data breaches, best practices to help manage cybersecurity risks, the importance of risk intelligence, and more. Check it all out below.
Best practices to manage third-party cybersecurity risks: Managing a third party’s cybersecurity risk can be a daunting task. Experts recommend categorizing vendors based on their access to sensitive data and the potential impact on your organization’s operations. Organizations should also have a risk assessment system that consistently vets third parties and establishes continuous monitoring. Any sensitive data given to third parties should be protected. End-to-end encryption is a key best practice. Some experts said you could even simulate cyberattacks on key vendors to understand their response plan. These practices can help your organization identify and monitor third-party cybersecurity risks.
Cost of a data breach rose to $4.88 million: The cost of a data breach increased 10% from last year, to $4.88 million, according to IBM’s new study. The study cited lost business and data breach response as what drove up the cost of a breach. Healthcare, financial services, technology, and energy organizations had the highest data breach costs. Many organizations also cited staffing issues compared to the previous year, with higher breach costs as a result.
Importance of continuous third-party risk intelligence: Third-party cyber risks are constantly changing and emerging, meaning point-in-time assessments are often not enough to stay on top of the risk. Although these assessments can be useful in offering a snapshot of a third party’s cybersecurity posture, they don’t measure the continual changes in the threat landscape. Continuous monitoring is a crucial way for organizations to adopt a real-time approach to third-party risk management. It's recommended your organization determine which vendors need to be continuously monitored, set a standard cadence for monitoring, and acquire the right technology for risk intelligence.
Increase in lawsuits due to increase in ransomware attacks: An increase in ransomware attacks has led to an increase in lawsuits, according to a new report. Many of these lawsuits have been filed against third-party vendors, whether it’s the organization or customer suing the vendor. Courts have mostly sided with customers, ruling the organizations have a legal duty to protect personally identifiable information (PII).
Third-party data breach compromises 4.5 million: A third-party healthcare data breach compromised the data of 4.5 million people in the U.S. HealthEquity, a health savings account provider, said the breach stemmed from a third-party data repository. The cybercriminals weren’t detected for about two weeks.
Exploited weaknesses cause millions of phishing emails to be sent: A phishing campaign exploited weaknesses in Proofpoint’s email protection services. Millions of emails were sent impersonating large organizations, peaking at 14 million emails in June. Proofpoint has since fixed the issue. The organization also reached out to customers that needed to improve their security configuration.
Cryptocurrency experiences third-party data breach: Gemini, a cryptocurrency exchange, experienced a third-party data breach through its Automated Clearing House (ACH) vendor that impacted 15,000 customers. Banking information was impacted, including full name, bank account number, and routing number. Gemini didn’t offer impacted customers identity theft protection services, according to the company’s notification letter.
Protecting U.S. infrastructure from third-party risks: Critical U.S. infrastructure has faced a growing cybersecurity risk through its third-party vendors. A study showed that third-party access was a top security concern. Critical infrastructure needs to have a comprehensive policy to address third-party relationships and ensure third parties follow the same standards. These organizations should follow best practices like risk assessments to identify and evaluate third-party risks, security policies that establish clear third-party guidelines, and continuous monitoring to detect threats quickly.
Cybercriminal group selling AI-powered phishing kits: A cybercriminal group has started selling AI-powered phishing kits with malicious Android applications. The group has mostly targeted users of Spanish banks and other institutions. The kits even include AI voice calls, allowing cybercriminals to dupe organizations with phone calls.
Federal agencies highlight third-party bank deposit services risks: The Federal Reserve (Fed), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) issued a statement on the potential risks between banks and third parties that deliver bank deposit products and services. The statement simply emphasizes existing guidance and doesn’t establish new expectations. These third parties pose significant operational and compliance risks as they perform crucial services for banks. Banks should have policies in place to address third-party relationships and develop risk assessments specific to these relationships. Due diligence is also a critical activity for banks to perform.