Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

December 2020 Vendor Management News

30 min read
Featured Image

Can you believe it's already the end of the year? December is here, and with only a few weeks left of 2020, it's the perfect time to make sure you stay updated on recent industry news. Find out what you may have missed  by reading below!

Recently Added Articles as of December 31

It's been a wild ride to say the least, but in these final days of 2020, there's still some big headlines making waves - from the fallout  of the recent Russian hack now affecting Microsoft license users to new updates which hope to make the workplace a little bit easier (and safer) in the wake of the pandemic. So, enjoy these last few headlines of the year as we count down to fresh start! We'll see you in 2021 with more industry news!

Three tips for COVID-19 risk management: We’ve said it all year long, and there’s really not a lot left to say around how much the virus has impacted all of us. All there’s left to do is keep pushing forward and making changes and improvements where we can. When it comes to improving risk management, there are three things that can help! One, engage a third party to audit your COVID-19 safety policies and practices; two, develop a plan of action to respond to probable or confirmed cases of the virus in the workplace; and three, stay current with the state and local standards.

 

FDIC issues a final rule on deposit insurance apps: The Federal Deposit Insurance Corporation has issued a final rule which establishes the commitments it will require to approve a deposit insurance application from an industrial bank (or industrial loan company) whose parent company is not subject to supervision by the Federal Reserve Board. The adoption of the final rule is a pretty big deal for fintech companies and other organizations seeking to establish ILCs. Effective April 1, 2021, the final rule solidifies the scope, commitments and restrictions of ILCs… but a few people weren’t so happy about the decision. The Center for Responsible Lending, Bank Policy Institute  and the Independent Community Bankers of America challenged the FDIC’s position with the concern that the rule’s actual effect “will be to signal that this charter is a viable back-door option for entering the business of banking without the obligations of consolidated supervision by the Federal Reserve.” Good idea or bad idea? I guess time will tell!

 

OCR guide on HIPAA compliant PHI disclosures: The Office for Civil Rights recently released guidance for covered entities and business associates around HIPAA permitted disclosures of protected health information shared via health information exchanges. The guidance was meant to provide some clarity amid the complexity, confusion and added risks the pandemic has caused. According to the article by Jessica Davis, “these insights shed light on the HIPAA rule and are designed to help providers and relevant business associates better understand how to remain compliant when leveraging HIEs for data sharing.” OCR Director, Roger Severino, also added in a recent statement, “This guidance will highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency.”

 

Most read risk management stories of 2020: When it comes to risk management, 2020 has been a doozy (to say the least). From adjusting to indefinite work-from-home and cybersecurity issues up the wazoo, it’s been an experience. But the good news is you can review all the most read risk management stories from 2020 right here and catch up on topics like the impact of COVID-19 on the property/casualty sector, corporate settlement actions, merger and acquisition headlines and more.

 

Vendor risk management industry is to see huge growth: As cybersecurity becomes an increasing priority, risk management as a whole has become equally as important. More and more organizations are looking to automate solutions to simplify the complex process and to minimize  security gaps. A recent study found that in terms of revenue, the North America vendor risk management market is expected to reach $2,371.65 million by 2022, while, on the basis of enterprise size, the small and medium-enterprise segment is expected to witness the highest compound annual growth rate (CAGR) over the forecast period, owing to the increasing adoption of cloud-based solutions. So, buckle up, because vendor risk management isn’t going anywhere anytime soon!

 

Russian hackers used vendor, Microsoft, in the recent breach: As experts continue to untangle what could be the most devastating data breach in recent U.S. history, it seems more rabbit holes are beginning to emerge. This week, investigators uncovered that the Russian hackers leveraged access to Microsoft services in their crusade to penetrate targets. Initially, it seemed there had only been one point of entry via SolarWinds’ Orion software; however, security company CrowdStrike Holdings Inc said Thursday hackers had won access to the vendor that sold its Office licenses and used that to try to read CrowdStrike's email. Many Microsoft software licenses are sold through third parties, and those companies can have near constant access to clients' systems as the customers add products or employees, making it even more critical to monitor the risk and access associated with third parties.

 

SolarWinds supply chain attack underscores risk assessment importance: Because Russian hackers were able to breach the SolarWinds product, Orion, (which helps organizations manage their networks, servers and networked devices), this allowed hackers access to an elite list of government, consulting, tech, telecom and extractive entities in North America, Europe, Asia and the Middle East. The aftermath of the cybersecurity attack has left organizations upside down trying to determine if their data has been compromised, further underscoring the importance of internal documentation to help determine security posture. The SolarWinds attack has become yet another chapter in the cautionary tale of outsourcing agreements. No one can predict when cyberattack will occur, making it more important than ever to complete thorough risk assessments and overall due diligence.

 

Why climate change should be considered a risk management factor: From diminishing arctic and glacier ice, rising humidity and elevated ocean temperatures, climate change is making some big impacts. Executive Vice President for Policy at the Center for American Progress, Mara Rudman, said, “Climate change will undoubtedly be one of the greatest challenges we face in the coming years and decades.” She emphasized that climate change “Has the capability of wreaking havoc on nations and industries, on communities and families; it has the capability of destroying lives and livelihoods, and we don’t have to look far to see this already happening.” Everyone will need to adjust. In this article by Vallardes, she underscored that bank examiner supervisory manuals will need to be updated to incorporate clear guidance in order for examiners to evaluate whether banks are beginning to incorporate climate change risks as part of their operational risk management and as part of their Basel Pillar II portfolio, an enterprise wide stress testing.

 

FTC files a consent order against a mortgage analytics company due to vendor issue:  The FTC alleged that Texas based Ascension Data & Analytics, LLC violated the Gramm-Leach Bliley Act’s Safeguards Rule. This rule requires financial institutions to develop, implement and maintain a comprehensive information security program and oversee their third-party vendors security safeguards. In the original complaint, the FTC alleged that Ascension failed to do this properly. The details? Long story short, they hired a vendor, who specializes in a software which scanned and stored private information to the cloud… but the vendor didn’t use any encryption or protective measures which resulted in dozens of unauthorized people who were able to access the information (oops). After the FTC publishes the complaint details, the agreement will be subject to public comment for 30 days before the Commission finalizes.

Recently Added Articles as of December 24

It seems the theme of the year has been health and safety, whether it's ourselves or our organizations, and this week proves no different as a scary, new ransomware gang emerges, inciting the allyship of some pretty big tech names. Meanwhile, organizations are still untangling the fallout from the recent Russian infiltration of American cybersecurity firm, FireEye. And, before we tie a bow on this year, IBM releases its fifth annual cybersecurity report. You don't want to miss it. Read on for more of the details!

A new ransomware gang emerges: As if the underbelly of the cyber world wasn’t scary enough, now a new gang, self-named “Hades,” is adding to the reign of digital terror. One of its first victims is a large, American freight transportation firm called Forward Air Corporation. While the attack occurred on December 15th, the firm only filed a report with the U.S. Securities and Exchange Commission on Monday. In the interim, Microsoft, McAfee, Rapid7 and Citrix are banding together to fight the ransomware used by this new group of cybercriminals. “The Ransomware TaskForce” assesses the effectiveness of existing anti-ransomware solutions, creates a road map of concrete objectives and actionable milestones fighting ransomware and hopes to include legislators, law enforcement and cybersecurity professionals alike. Sometimes, all you can do is fight terror with terror!

 

Regulators propose a new timeline for reporting cyber events: In light of increasing cybersecurity concerns, new regulations continue to attempt in aiding the fallout of any future data attacks. This week, Office of the Comptroller of the Currency (OCC); the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC) issued a proposal, which, if passed, would require financial institutions to notify their primary federal financial regulator within 36 hours of becoming aware of either a “computer security incident” or a “notification incident.” In addition, the rule would also require bank service providers to contact at least two individuals at the affected banks. The hope is to make it harder for the bad guys to do their evil bidding… or to at least be more proactive around security events.

 

SolarWinds hack has a real world impact: FireEye CEO, Kevin Mandia, announced that the Russian hackers who infiltrated government and business networks via a stealthy software update appear to have "genuinely impacted" around 50 organizations. He went on to say, “It's true that over 300,000 companies use SolarWinds, but you come down from that total number down to about 18,000 or so companies that actually had the backdoor or malicious code in a network," Mandia said in an interview with CBS. "And then you come down to the next part. It's probably only about 50 organizations or companies, somewhere in that zone, that are genuinely impacted by the threat actor." Among the victims are tech giants Microsoft and VMware; although no one will be surprised if and when more affected organizations come forward.

 

CFPB settles a consent order with student loan servicers: This week, the Consumer Financial Protection Bureau issued a consent order against Discover Bank, The Student Loan Corporation and Discover Products, Inc. based on some findings that Discover violated a prior order, the Electronic Fund Transfer Act and the Consumer Financial Protection Act of 2010. When you boil it all down, Discover used shady and unfair tactics by withdrawing payments from more than 17,000 consumers’ accounts without valid authorization and by cancelling or not withdrawing payments for more than 14,000 consumers without notifying them…. AND they misrepresented minimum payments to about 100,000 consumers. The end result? Some consumers ended up paying more than they owed, others became late or delinquent because they could not pay the overstated amount, while others may have filed inaccurate tax returns. The consent order will prohibit Discover from making any misrepresentations about minimum payments consumers owe, the amount of interest consumers paid and other service terms. Additionally, it also prohibits Discover from withdrawing loan payments from consumers’ bank accounts. Justice served!

 

How FireEye uncovered the Russian attack: When FireEye’s CEO, Kevin Mandia, was asked about how they assessed the hack on their systems, he was frank, saying, “What we do is we track attackers and quite frankly, we out them. We try to figure out — here's their fingerprints, let's share those fingerprints with everybody so they can't get away with what they're doing.” Mandia went on to say that FireEye was able to determine that there was enough operational security by the attacker to know it was professional. “This wasn't the first rodeo for these attackers,” Mandia said, “In fact, they followed a tradecraft that the more I learned, the more this was a unit that's been operational for a decade or more. They knew what they were doing, they had novel techniques.”In fact, the attack was so specific, it was designed to uniquely target FireEye itself. “That's an operation — not just a hack,” Mandia told NPR. “Most threat groups, when they attack, will use shared infrastructure to attack many companies. This group does not do that. That in and of itself made me realize it was an operation.” Scary stuff in an increasingly scary age.

 

The four Vs of big data: Big data is the second biggest threat to the cybersecurity of any organization today. IBM broke these down into four major categories; volume, or scale of data; velocity, analysis of streaming data; variety, or different forms of data and finally veracity, or the uncertainty of data.

 

IBM releases its fifth annual cyber report: Given how wild 2020 has been, and the impact it’s had on the way we work, we think you’ll be pretty interested in the Cyber Resilient Organization Report from IBM Security. Based on research from Ponemon Institute and surveying more than 3,400 IT and security professionals around the world, this report helps determine organizations’ ability to detect, prevent, contain and respond to cybersecurity incidents.

Recently Added Articles as of December 17

Data and privacy are the name of the game, with some pretty massive tech giants being put on trial for how they use consumer data.  Not to mention that the US is contending with the aftermath of what could be a pretty insidious data attack from Russian cybercriminals known as Cozy Bear. An investigation is underway, but the fallout seems to continue to uncover more damage. And, as of this week, the California Privacy Rights Act is official. There's more where that came from. Read on for all the details!

The California Privacy Rights Act goes into effect: On December 11, Secretary of State Alex Padilla finalized the results of the November General Election, which means the California Privacy Rights Act (CPRA) became effective today. So, what does that mean exactly? Well, moving forward, December 16,  2020 will mark the official birth of the California Privacy Protection Agency (CPPA)—an agency that has the potential to become one of the most powerful data privacy agencies in the world. Especially considering that California is the world’s fifth largest economy. Additionally, the CPPA will have a $5 million appropriation for the fiscal year 2020-2021 and a $10 million appropriation every year thereafter… that’s a pretty hefty amount of dough to throw at consumer data protection. Let’s just hope it provides some tangible effects.

 

SolarWinds' customers install backdoor software: For those who are unfamiliar, SolarWinds, the enterprise monitoring software provider— who recently found itself at the center of an international hacking crusade affecting some of our country’s highest-level security providers — has now reported that as many as 18,000 of its high profile customers might have installed a poisoned version of its Orion products. To put things in greater perspective, the Texas-based company serves more than 300,000 customers worldwide, including every branch of the U.S. military and four-fifths of the Fortune 500 companies. DomainTools' Senior Security Researcher, Joe Slowik, said, “the ubiquity of SolarWinds in large networks, combined with the potentially long dwell time of intrusions facilitated by this compromise, mean victims of this campaign need not only recover their SolarWinds instance, but may need to perform widespread password resets, device recovery, and similar restoration activity to completely evict an intruder." Bottomline, this is pretty bad news, and only more fodder for building better cybersecurity practices.

 

Medical imaging leaks raise security questions: It seems that more than 45 million healthcare patient images, including X-rays and MRI scans, are accessible to anyone who may want to search for them on the internet. If you think that’s terrifying, you’re not alone. Over the course of a six-month investigation spearheaded by cybersecurity firm, CybelAngel, it was discovered that more than 3,000 servers allowed access to port 10 (which is a network port used by manufacturers of medical imaging machines). Senior cybersecurity analyst David Sygula said, “These exposed servers are totally widespread, and some countries that are more secure than others. [While] we saw some smaller servers that were eye doctors, some of the biggest ones belong to medical centers." Worse, the investigation found that many medical organizations aren't aware that they are leaking sensitive image files… despite a focus on securing data. If we’ve said it once, we’ve said it a thousand times, to maintain thorough cyberhygiene, organizations have to remain vigilant and regularly analyze their cybersecurity programs.

Twitter fined for non-compliance with GDPR: It seems the “honor” of being the first U.S. tech company to breach the cross-border privacy laws Europe laid down two and half years ago goes to…. drum roll… Twitter! Some critics say this is an overdue development. On Tuesday, Ireland’s Data Protection Commission said that it is fining Twitter, Inc.  $546,000, for failing to document or properly notify the regulator within 72 hours of learning of a data breach disclosed in January 2019 that exposed some users’ private tweets. Twitter’s chief privacy officer Damien Kieran, said, “We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers.”

 

FTC orders tech giants to explain personal data use: Just because you’ve got a big name shouldn’t mean you don’t have the follow the rules… at least that’s what the FTC seems to think anyways, as it puts the pressure on Amazon, Facebook, TikTok, SnapChat, Twitter, YouTube, Reddit and WhatsApp to detail exactly how they use all the personal data they’re privy to. All were sent orders to hand over information about their data practices and were given just 45 days to respond. The FTC is using its authority under Section 6(b) of the FTC Act, which allows it to pursue broad studies separate from law enforcement. In fact, the FTC filed charges last week against Facebook alleging the company has unlawfully maintained a monopoly in personal social networking services. So, it’ll be quite interesting to see what these tech mammoths come up with… and just maybe they’ll finally come clean about all those scary accurate, pop up ads we all seem to get these days.

 

FDIC And FRB update guidance for foreign banks: The FDIC and the Federal Reserve Board, together known as the “Agencies," have recently made several proposed changes to the submission of the resolution plans with respect to certain large foreign banking organizations or FBOs. These modifications include several changes to the proposed guidance in response to comments they received, including: updating the scope of the guidance to include FBOs that are Category II firms; eliminating certain capital, liquidity and governance mechanisms; removing from the scope guidance on group resolution plans, and the management information systems, qualified financial contracts and mapping of branch activities; eliminating home/host coordination and supervisory information sharing expectations and clarifying that all previous guidance not included in the consolidated guidance has been superseded.

U.S. is investigating a Russian data hack: As we mentioned last week, and briefly touched on this week with the SolarWinds hack, some very high level, critical government data has been put in jeopardy after a malicious data hack (most likely from Russia) infiltrated a few of our country’s top data repositories. "We can confirm there has been a breach in one of our bureaus," the Commerce Department said in a statement to CNN. "We have asked CISA and the FBI to investigate, and we cannot comment further at this time." It seems the FireEye and SolarWinds issues are all related. CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.

 

CCPA rulemaking sees fourth set of propositions: The California Attorney General is on a roll these days as it sees its fourth set of proposed regulatory modifications to California’s Consumer Privacy Act. The fourth set of modifications are in response to the comments to the third set of modifications and are intended to clarify and conform the proposed regulations to existing law. The changes made include revisions to section 999.306, subd. (b)(3), clarifying provisions around consumer notification and the sale of personal information as well as proposed section 999.315, subd. (f), which reinstates the requirement for a uniform opt-out button to be used “in addition to... but not in lieu of... a ‘Do Not Sell My Personal Information link.” I don’t know about you, but something tells us this isn’t the last we’ll see of changes like this.

 

How to get your vendors on board for third-party risk management: Okay, so you finally have a program, you’ve established a board and you may even have a platform to help you manage it all. Now, all you have to do is get your vendors to participate. No sweat, right? Well, as most of you already know, that is not the easy part. So, what is the trick to getting vendors to play nice? For one, you can’t give up, and you can’t go easy. If nagging doesn’t work, you may have to throw a wrench in renewals negotiations to gain their cooperation; and then if that still doesn’t work, you may have to bring out the bad cop. After all, it is the law! Read on for more tips.

 

The new normal is adapting to our consumers: You’ve had to adapt. We’ve had to adapt. Everyone’s had to adapt to this new reality we’ve all found ourselves in. It has changed everything, including consumer behavior, how they purchase things, when and where. So, it’s not a surprise that financial services have had to adapt, as well. Customers can no longer just stop by the bank, which means banks and credit unions have had to take a hard look at how they offer their services. Many took a three-pronged approach: One, tailoring personalization to meet current customer needs; two, providing great mobile experiences to serve consumer needs whenever and wherever they may be; and three; understanding the branch of the future must consider serving customers in new ways. But, the question is… will it be enough?

Recently Added Articles as of December 10

From Russian hackers with cuddly names infiltrating one of the world's leading cybersecurity organizations, to a new hacking campaign as well as critical vulnerabilities discovered in healthcare imaging tech, the news is ablaze with digital disaster this week. But, before we get all doom-and-gloom, the IoT Security Bill was signed into law which could offer some relief.  Read on for more of the good, the bad and the ugly!

Louisiana hospital alerted to vendor breach: Once again, a vendor at a Louisiana-based surgical hospital that processes payments discovered a cyberattack that breached patient information. This time, information was accessed via an employee’s email during the summer and included images of patient checks that contain protected health information. Technology Management Resources reported that the email account had been compromised between August 5, 2018, and May 31, 2020. The attack may have been part of a larger effort against its customers.

Critical vulnerabilities in GE healthcare products: Two pretty heavy-duty vulnerabilities were identified in GE healthcare medical imaging devices that allow remote code execution and access/alteration of sensitive patient data. These devices include Healthcare imaging devices including MRI, Ultrasound, Advanced Visualization, Interventional, X-Ray, Mammography, Computed Tomography, Nuclear Medicine and PET/CT equipment; and were identified by CyberMDX who reported their findings after dubbing the weakness MDHexRay and assigned both a CVSS v3 base score of 9.8 out of 10. For those who are not familiar with The Common Vulnerability Scoring System, that’s bad news bears. While there is no patch available to correct the vulnerabilities, it is possible to mitigate the issue by changing the default password; however, that can't be performed by end users, only by GE Healthcare. 

Critical TCP/IP flaws affect millions of IoT devices: Cybersecurity pros have discovered a whole array of new flaws embedded in TCP/IP stacks which impacts millions of devices, including networking equipment, medical devices and industrial control systems. Dubbed AMNESIA:33 by Forescout researchers, this set of 33 vulnerabilities impact four open-source TCP/IP protocol stacks — uIP, FNET, picoTCP and Nut/Net and are commonly used in Internet-of-Things (IoT) and embedded devices. Besides encouraging organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures, CISA has recommended several other things, including: minimizing network exposure, isolating control system networks and remote devices behind firewalls and using VPNs for secure remote access

FireEye reveals it was hacked: Not sure it gets any more ironic than this, but leading cybersecurity company, FireEye, disclosed today that it was hacked by a threat actor showing all the signs of a state-sponsored hacking group. "Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack," Chief Executive Officer and Board Director Kevin Mandia said in a filing with the Securities and Exchange Commission (SEC). Even more frightening is that Mandia believes they witnessed an attack by a nation with “top-tier offensive capabilities.” Aside from a severe ego bruising, FireEye stated the attack also resulted in the theft of FireEye tools, which range from scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. The attackers also attempted to collect information on government customers. Right now, best guesses are that the state-backed hacking group behind the FireEye security breach is the Russian cyberespionage group APT29 (aka Cozy Bear).

Six steps for evaluating merger opportunities: In the last ten years the overall number of credit unions in the country have dwindled by about 30%. And, in the first part of 2020, mergers declined as well as an increased focus was spent on internal operations and scrambling to protect themselves during the pandemic fallout. Now that most organizations have more or less adjusted, mergers are on the docket once again. So, how to prepare? One, analyze the data you have; two, look to understand the probable fair valuation price results; three, consider pricing, focus points and strategy; four, perform a qualitative assessment; five, ensure a combined strategic vision; and six, discuss the transaction structure. Read on for more details!

OCC announces new executive committee members: This week, the OCC rolled out the proverbial red carpet for two brand new executives to the agency’s Executive Committee. Sydney Menefee has been selected to fill the Senior Deputy Comptroller for Midsize and Community Bank Supervision on a permanent basis and Greg Coleman will become the next Senior Deputy Comptroller for Large Bank Supervision. “The agency and the federal banking system are lucky to have career executives of the caliber of Sydney and Greg, who demonstrate the utmost competence and professionalism in their duties and even more importantly a passion for this agency and our employees,” said Acting Comptroller of the Currency Brian P. Brooks.

Call center ransomware attacks on the rise: Unfortunately, digital thieves and data hackers are as creative as they are devious, and the ways in which they will try to swindle organizations and individuals out of their hard-earned dollar is downright shameful. So, brace yourself, we have just another way these bad actors are out to get you. This time, it's call center ransoms in which groups are reportedly cold calling their victims to tell them their systems have compromised by ransomware and will then “shakedown” the unsuspecting individual not only using crypto-locking malware but, lately, also leaking data to increase the psychological pressure on victims to pay. The scary thing is some of these groups have developed to be more-or-less like a mid-sized company, complete with staffing and budgets… who knows, maybe even 401k matching? But, jokes aside, this is very, very bad, and as the deviants innovate, so must our security endeavors.

Trump signs IoT Security Bill into law: The wait is over, and the decision is in: Trump approved the IoT bill which will require several interesting security changes. Among them, the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”) to take steps to improve cybersecurity on IoT (Internet of Things) devices and will specifically require NIST to develop minimum or baseline IoT cybersecurity standards. The OMB would then be tasked with issuing guidelines to agencies in consultation with NIST. Perhaps most fascinating is that the bill will effectively block the government from entering into any contracts with third parties that would result in the purchase or use of IoT devices which don't comply with NIST standards; and as a result, the bill would likely prompt manufacturers of these products to adopt the NIST standards.

OCC Fines JP Morgan Chase $250 million: It seems the banking regulators have been taking the opportunity to flex their enforcement muscles when it comes to control deficiencies. Several big names have been put on the OCC’s bad list, including JP Morgan. The OCC found that JP Morgan “maintained a weak management and control framework for its fiduciary activities and had an insufficient audit program for, and inadequate internal controls over, those activities.” As a result, JP Morgan was forced to pay $920 million to settle DOJ, SEC and CFTC charges of illegal market manipulation or “spoofing” in the precious metals and Treasury markets.

Technology and regulatory agenda for community banking: Federal Reserve board Governor, Michelle W. Bowan, spoke at the virtual Independent Community Bankers of America ThinkTECH Policy Summit, centering her speech around innovation. “There are certain points in history when an event can fundamentally change how society and entire industries function. In addition to the other ways that COVID-19 has affected us, this could be one of those moments,” Bowan said. “The pandemic has demonstrated the importance and unique role of technology in responding effectively to new challenges. In this case, the challenge has been an unprecedented disruption in our lives. One year ago, it would have been difficult to imagine the extent to which we are now working and conducting routine aspects of our lives from home and online.” Throughout the speech, Bowan touched on new trends, including telemedicine, digital deposits and fintech innovation.

Recently Added Articles as of December 3

Cybersecurity is under the microscope as more and more organizations fall prey to an onslaught of digital attacks. In fact, we have a list of some of the most damaging cyber events this year, and there are some BIG names on it. We don't want to spoil anything, but you may be surprised to see who took the bait. Luckily, it seems there are some equally big changes coming to our digital landscape, both here and abroad, which should hopefully provide some much needed relief. Read on to get the full scoop this week. 

Botnets exploit critical Oracle WebLogic Bug: This week, it was discovered that multiple botnets have targeted thousands of publicly exposed and unpatched Oracle WebLogic servers. Not only that, but the bots have deployed crypto miners and steal sensitive information from infected systems. The attacks are part of an insidious crusade against a recently patched WebLogic Server vulnerability, which was released by Oracle as part of its October 2020 Critical Patch Update. As of this week, about 3,000 Oracle WebLogic servers are accessible on the internet, based on stats from the Shodan search engine.

Cybersecurity regulation and litigation in the boardroom: It seems that the shifting regulatory landscape has begun to coincide with economic and technological changes that are helping a whole new cybersecurity dynamic take hold in boardrooms and C-suites around the world… in every industry imaginable. To really instill effective cybersecurity strategy, it’s becoming increasingly evident that corporate cybersecurity leadership must start at the senior most levels, alongside boards, enterprise risk executives and CEOs, if it’s really going to be effective. This reality creates new pressures but also significant opportunities to create greater competitive advantage. In today's environment, CEOs should expect their entire C-suite and boards to be the toughest customers — and should also make them their biggest cyber advocates.

European Commission ready to unveil Digital Services Act: This month, the European Commission is on the precipice of unleashing a newly proposed regulation which could drastically alter the digital landscape amongst the European Union. This Digital Services Act makes up a legislative package that hopes to overhaul the European Union’s 20-year-old e-Commerce Directive and “aims to shape the digital economy at EU level as well as setting the standards for the rest of the world, as it did with data protection.” Along with the newly proposed Data Governance Act, the measures hope to increase trust in data sharing, rules on neutrality and practices to give Europeans more control over how their data is used. Fieldfisher Director of Technology, Outsourcing and Privacy, Emily Parris said, “Apart from the GDPR, the DSA is probably the single largest piece of reform of online activity that we’ve seen for years.”

Biggest hacks and data breaches of 2020: It’s been a year. A lot of wild things have happened, and among them are a hefty list of cybersecurity thefts and deviances galore; and if cybersecurity is your bag (and quite frankly, even if it isn’t) this roundup should terrify you. The pandemic-prompted, work-from-home shift left a lot of vulnerabilities, and cybercriminals jumped at the chance to take advantage. The result is that organizations big and small paid the price… from giants like Amtrak and NASA (yes, even NASA) to universities, cruise lines and international football clubs (cough, cough…Manchester United). This is one list you definitely do not want to miss. Read on for a month by month run down of all the biggest cyberhygiene “whoopsies.”

Cybersecurity is the new normal: Alongside a viral pandemic, a new trend has begun to infect our digital landscape…cyberthreats. At this point, looking the other way is just not an option; and if anyone is going to get out of this on top, it’s going to require a good hard look at how each and every organization handles cybersecurity. Need more convincing? Since March of this year, Michael Sentonas, Chief Technology Officer at Crowdstrike said, “My company has observed a 330% increase from cyberthreat actors deploying malicious files using Covid-19 themes, and in the six months from January to June, our threat-hunting team observed more hands-on-keyboard intrusions than were seen throughout all 2019.” His opinion? In order to truly ensure your business is on the right track toward staying secure in the new normal, businesses need to adopt the cloud as the key to unlocking work-from-anywhere cybersecurity. In a nutshell: to elevate cybersecurity solutions from being just good enough, the cloud is the new gold standard.

Congress sends Bipartisan “IoT” Bill to President Trump: Just this month, the Senate unanimously passed The Internet of Things Cybersecurity Act of 2020. And, as of this week, it’s in the hands of President Trump to either veto… or approve. The bill requires several things. Among them, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) would have to take steps to improve cybersecurity on IoT (Internet of Things) devices and will specifically require NIST to develop minimum or baseline IoT cybersecurity standards. The OMB would then be tasked with issuing guidelines to agencies in consultation with NIST. Perhaps most fascinating is that the bill would effectively block the government from entering into any contracts with third parties that would result in the purchase or use of IoT devices which do not comply with NIST standards; and as a result, the bill would likely prompt manufacturers of these products to adopt the NIST standards.

CFPB refreshes their website: This week, the bureau has made another change, except this time it's not an update. Instead, the CFPB announced changes to its website. Thus far, it appears slightly different in its main pages, but many parts of the site still look very familiar. The Bureau says that the updated website will feature additional user functionality, an improved layout, more content and easier access to information; along with an interactive enforcement database, a page for petitions and archiving. Notably, the refresh will also include a new interactive enforcement database to help the public track the Bureau’s enforcement actions. Through these updates, the Bureau "aims to increase transparency and make it easier for consumers and stakeholders to locate and access essential resources."

Consumer complaint count aids in determining enforcement risk: Each year, PerformLine publishes a trend analysis titled the Consumer Complaints report, which takes a deep dive into the Consumer Financial Protection Bureau (CFPB)’s Consumer Complaint Database and enforcement action trends. The goal is to help financial institutions determine their risk of enforcement based on the total number of consumer complaints. The Enforcement Risk Scale also takes a look at how an organization’s annual revenue and total complaint counts could impact the risk of an enforcement action. When analyzing complaints, the CFPB suggests that “complaint volume” should be considered in the context of company size and/or market share. For example, companies with more customers may have more complaints than companies with fewer customers.

The NAFCU fight for action: The National Association of Federally-Insured Credit Unions (NAFCU) is leading a “fight for action” around a specific set of 12 credit union issues they feel should be addressed in the Congressional lame duck session, alongside regulators in the transition to a new Administration. Specifically, NAFCU feels that acting on these issues now will help credit unions better respond to the challenges created by the pandemic and the altered economy. The topics include: Bank Secrecy/Anti-Money Laundering Act, the Paycheck Protection Program, Prompt Corrective Action (PCA) Relief, Relief from Unexpected Share Growth, Extension of Troubled Debt Restructuring (TDR), Extension of Central Liquidity Facility Enhancements, Capitalization of Interest, Capital Reform, Revaluation of Qualified Mortgage Rulemaking, Protect Defense Credit Union Leases, Technical Fixes for Provisions in Tax Cuts and Access to Capital for Credit Union Small Business Members.

The end of the year is coming up quickly, take a few minutes to evaluate how your peers are managing third-party risk. Download the whitepaper.

New call-to-action

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo