Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of December 19
This week’s headlines highlighted two third-party data breaches that impacted consumer information, continued fallout from the Change Healthcare attack, and a new report on third-party data breaches. Check it out below.
Nebraska sues Change Healthcare over 2024 ransomware attack: Nebraska’s attorney general filed a lawsuit against Change Healthcare over its massive February cyberattack – the first state attorney general to do so. The ransomware attack on the third party compromised the data of about 100 million people and disrupted healthcare services. Nebraska’s attorney general said he filed the suit to keep Change Healthcare accountable. The lawsuit alleged the organization violated Nebraska’s consumer protection and data security laws.
Report shows 98% of Europe’s top companies had a third-party data breach: A recent report revealed 98% of Europe’s top 100 companies had a third-party data breach over the past year. Supply chain vulnerabilities are a critical threat for organizations to manage, particularly with regulations like the Digital Operational Resilience Act (DORA). Prioritize third-party risk management to identify and manage these threats before they can become larger issues.
Healthcare software-as-a-service provider experiences data breach: More than 910,000 people had health information compromised in the data breach of healthcare software-as-a-service (SaaS) company Phreesia. Phreesia’s subsidiary telehealth platform, ConnectOnCall, experienced the breach in May. Information breached included communications between patients and their healthcare providers, medical record numbers, and dates of birth.
Preparing for DORA compliance: The deadline for the Digital Operational Resilience Act (DORA) is quickly approaching for financial institutions. DORA prioritizes incident reporting, resilience testing, and third-party risk management. Financial institutions should ensure continuous testing of vulnerabilities and third parties is in place. Review incident response protocols to accommodate DORA’s 72-hour requirement. Third-party risk management practices should include continuous monitoring and assessment of vendor security practices.
FTC issues enforcement actions against data brokers, including supply chain requirements: The Federal Trade Commission (FTC) announced two enforcement actions against large data aggregators. The data brokers collect, sell, or obtain data from third-party suppliers. According to the FTC, one data broker continued selling data even after learning consumers didn’t give consent, and another sold data without ensuring consumer consent was given. The FTC imposed requirements on the brokers that limit future use, sale, or disclosure of sensitive information. The companies will also have to maintain a supplier assessment program, which should verify that consumers provided consent. Companies are responsible for the sensitive data practices in their supply chain.
Data of 58,000 compromised in third-party data breach: Byte Federal, a Bitcoin ATM operator, announced a data breach due to a GitLab vulnerability. About 58,000 customers had sensitive data compromised. Byte Federal relied on GitLab, a software platform, for internal operations. Attackers exploited a vulnerability to gain access to Social Security numbers, government-issued ID numbers, and cryptocurrency transaction histories. Byte Federal shut down the affected platform, reset all customer accounts, and updated internal passwords.
Recently Added Articles as of December 12
This week’s headlines covered how to manage third- and fourth-party risk effectively, building a resilient third-party risk management program, and the increasing frequency of supply chain attacks. Check out all the news below.
Snowflake to require multi-factor authentication by November 2025: Snowflake said multi-factor authentication (MFA) will be mandatory for all accounts by November 2025. This is part of the vendor’s commitment to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge. Earlier this year, a hacker stole user data from Snowflake with compromised customer credentials, breaching organizations like Ticketmaster. MFA adds another layer of protection from cyberattacks.
Managing third-party risk effectively: A third party’s risks can affect an organization’s revenue, reputation, compliance, and operations. To manage these risks, implement risk management strategies like due diligence and continuous monitoring. Build a third-party risk management program that assesses risk, sets clear contract provisions, assigns key employees to manage third parties, and continually monitors risk.
Agency predicts intensified focus on supply chain attacks in 2025: Moody’s Ratings predicted a stronger focus from ransomware groups on supply chain attacks. Organizations have improved cybersecurity defenses, which will likely lead hackers to look for supply chain weaknesses. Cybercriminals may also target open-source repositories, which rely on volunteers to fix vulnerabilities. Securing the supply chain with practices like third-party risk management will be critical.
Building a resilient third-party risk management program: Many third parties provide critical services yet also pose substantial risks. Traditional third-party risk management should become more data-driven for better operational resilience. Traditional methods can fall short of addressing emerging risks. A program that fosters resilience includes a shared risk appetite, risk prioritization that aligns with organizational goals, and collective risk management. A risk appetite is how much risk an organization is willing to take on. Based on the risk appetite, your organization will know how to proceed during third-party risk assessments. Visibility into where your data lives with each third party is also key to operational resilience.
Managing fourth-party risks: You may allow a third party to transmit, process, or store your data, but what about your fourth parties? Identify who handles your organization’s sensitive data, and require third parties to disclose critical fourth parties in the contract. You can also request third parties to explain how they manage and monitor fourth-party risks. Be aware of high-risk fourth parties and any data breaches they’ve experienced.
How to protect against software supply chain attacks: Software supply chain attacks have increased in frequency and will continue to do so, according to Gartner predictions. Organizations must maintain the balance between high-quality software and a high level of security in the supply chain. Vendors should be carefully vetted. Review documents like a software bill of materials (SBOM) to identify possible vulnerabilities. The vetting process should be ongoing throughout the relationship. Generative AI tools must receive the same level of scrutiny as vendors. Consider how the tool works, what data it was trained on, and whether the model is open or closed. Open-source repositories are an easy target in the supply chain, so they should be used cautiously. Open-source projects should follow compliance frameworks. These practices can protect organizations from software supply chain attacks.
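The SBOM review mentioned above is easy to describe and tedious to do by hand. The following Python script is an added illustration (not code from the original article or from any vendor it names) of the mechanical part of that review: it parses a constructed CycloneDX-style SBOM, compares each component’s version against a constructed advisory list with version ranges, and reports both the matches and any components that ship without a version (which cannot be checked at all). The advisory identifiers, package names, and versions are all placeholders made up for this example.

```python
import json
import re

# Constructed CycloneDX-style SBOM for illustration only (not a real project's SBOM).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "liblog", "version": "2.14.1",
     "purl": "pkg:maven/org.example/liblog@2.14.1"},
    {"type": "library", "name": "httpclient", "version": "4.5.13",
     "purl": "pkg:maven/org.example/httpclient@4.5.13"},
    {"type": "library", "name": "jsonparse", "version": "1.9.0",
     "purl": "pkg:npm/jsonparse@1.9.0"},
    {"type": "library", "name": "leftpad", "purl": "pkg:npm/leftpad"}
  ]
}
"""

# Constructed advisory feed; the identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "liblog", "ecosystem": "maven", "affected": ">=2.0.0,<2.17.1"},
    {"id": "ADV-EXAMPLE-0002", "name": "jsonparse", "ecosystem": "npm", "affected": "<1.9.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "httpclient", "ecosystem": "maven", "affected": "<4.5.0"},
]

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)) or (0,)


def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec` (e.g. '>=2.0.0,<2.17.1')."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|<|>)\s*(.+?)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        # Pad to equal length so (4, 5) compares like (4, 5, 0).
        width = max(len(v), len(bound))
        a = v + (0,) * (width - len(v))
        b = bound + (0,) * (width - len(bound))
        if not OPS[op](a, b):
            return False
    return True


def ecosystem_of(component):
    """Read the package ecosystem from a purl such as 'pkg:npm/leftpad' -> 'npm'."""
    purl = component.get("purl", "")
    m = re.match(r"pkg:([^/]+)/", purl)
    return m.group(1) if m else None


def review_sbom(sbom, advisories):
    """Return (matches, unversioned): advisory hits and components that cannot be checked."""
    matches, unversioned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)  # no version means no way to judge exposure
            continue
        eco = ecosystem_of(comp)
        for adv in advisories:
            if adv["name"] == name and adv["ecosystem"] == eco \
                    and version_in_range(version, adv["affected"]):
                matches.append({"name": name, "version": version, "advisory": adv["id"]})
    return matches, unversioned


if __name__ == "__main__":
    hits, missing = review_sbom(json.loads(SAMPLE_SBOM_JSON), SAMPLE_ADVISORIES)
    for h in hits:
        print(f"AFFECTED  {h['name']} {h['version']}  ({h['advisory']})")
    for name in missing:
        print(f"UNVERSIONED  {name}  (ask the vendor for a complete SBOM)")
```

The unversioned list is the part most reviews skip: a component with no version in the SBOM is a gap in the vendor’s deliverable, and the right response is to go back to the vendor rather than to assume it is clean.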
Phishing campaign uses fake recruiting emails: Attackers are posing as recruiters in a new phishing campaign. It tricks victims into downloading an application that can unlock PINs and control infected devices. Users should be wary of any unexpected emails or job offers and verify the sender before clicking any links.
AWS cloud credentials stolen: Cybercriminals stole Amazon Web Services’ (AWS) cloud credentials and other data from thousands of organizations. Data stolen included proprietary source code and application databases. The cybercriminals exploited vulnerabilities in public websites to access the AWS credentials. Hardcoded credentials should never be present in code or file systems that could be accessed by unauthorized people. Performing simple web scans can also identify holes in an organization’s environment.
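The advice above (no hardcoded credentials in code or reachable file systems) is easiest to enforce with a repeatable check rather than a code review. The Python script below is an added example, not code from the original article or from AWS, of a simple scanner for AWS access key IDs and secret access keys in a set of files. The sample files are constructed for the example, and the key values in them are the publicly documented AWS example credentials, not real secrets; the `scan_directory` helper is an assumed convenience for running it over a real checkout.

```python
import os
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
# The lookarounds stop the pattern from matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A 40-character secret is only flagged when it sits next to a secret-key variable name,
# which keeps ordinary base64 blobs out of the results.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample files. The keys are the AWS documentation example values.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"\n'
    ),
    "app/main.py": 'import os\nkey = os.environ["AWS_ACCESS_KEY_ID"]\n',
    "public/.env.backup": "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n",
    "docs/notes.md": "Token-like text that is too long to be a key: AKIAIOSFODNN7EXAMPLETOOLONG\n",
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never log the full value; keep just enough to locate it


def redact(value):
    return value[:4] + "****" + value[-4:]


def scan_text(path, text):
    """Return findings for one file's contents, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (as used for the constructed sample)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root, skip_dirs=(".git", "node_modules")):
    """Assumed helper: walk a real tree, skipping binaries and common vendored directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file; not a text secret
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.kind}  {f.redacted}")
```

Run as a pre-commit hook or a CI step, a scan like this catches the config file and the stray `.env.backup` while leaving the `os.environ` lookup in `app/main.py` alone, which is the pattern the article is pointing at: credentials belong in an environment or a secrets manager, not in files that a web server or a repository can expose.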
Ransomware group embracing social engineering tactics: The Black Basta ransomware group is switching up tactics to include email bombing, QR codes, and social engineering. Email bombing is when a user is signed up for multiple email lists simultaneously. The group is also sending malicious QR codes to users via chats to steal credentials. These attacks rely on social engineering tactics, emphasizing the importance of employee training for these situations.
Establishing a third-party oversight program: Third parties need consistent oversight to ensure risks are managed. However, implementing proper oversight can be a challenging task. Develop a framework that outlines how third-party risks are assessed. Include processes for due diligence and ongoing monitoring. The framework should also include third-party risk criteria, regular risk assessments, and integration of industry standards. Collaborate across departments for a unified third-party risk management strategy and develop procedures for onboarding and offboarding third parties. Technology, like a third-party risk management platform, helps third-party oversight be more proactive.
Insights for successful vendor management: A successful vendor management program begins with buy-in from internal teams. Clearly communicate the purpose and benefits of a vendor management program to gain support. Setting clear expectations is also important for vendor management. Align with leadership on vendor management policies and decisions. Vendor management often requires technology for better decision making. Organizations gain meaningful vendor insights through data and technology.
Phishing campaign targets users with corrupt documents: A phishing campaign is using corrupt Microsoft Office documents and ZIP archives to bypass email defenses. The corrupted files can’t be scanned by security tools and the messages trick users with fake employee benefits and bonuses.
Recently Added Articles as of December 5
This week’s headlines focused on the importance of managing third-party cybersecurity risks, preventing third-party data breaches, and identifying fourth-party risks. Catch up on this week’s news below.
How to manage third-party cybersecurity risk: Working with third-party suppliers is a necessary practice for many organizations; however, this can also increase the risks organizations face. Many third parties may have insufficient security practices, a lack of awareness of cybersecurity threats, shared data access points, and complex supply chains. To manage these risks, organizations should conduct thorough risk assessments to identify security gaps and implement strict security policies. Third parties also need to be continuously monitored to ensure they comply with security standards.
Managing third-party cybersecurity risks in the vacation rental and property management business: Vacation rental and property management businesses use third parties to operate websites, maintain online reservations, and manage properties. They often collect, process, and store large amounts of personal information, making it important to manage third-party risks. All third parties that access personal information should be identified. It’s also important to assess the third party’s security practices during the procurement process. There should also be plans in place in case a third party is breached.
Third-party software and hardware host critical vulnerabilities: A recent report showed that many critical vulnerabilities are linked to third-party software and hardware, increasing cybersecurity risk for organizations. Web servers, cryptographic protocols, and web interfaces that handle personally identifiable information (PII) are key areas of concern. It’s important to implement robust security measures and thoroughly vet third-party products before onboarding to combat these risks.
Phishing email targets Microsoft Word file recovery: A phishing attack abuses Microsoft Word’s file recovery feature by sending corrupt Word documents in an email attachment. These emails pretend to come from payroll and HR departments.
Phishing-as-a-service toolkit can steal Microsoft 365 credentials: A phishing-as-a-service toolkit is seeking to steal Microsoft 365 credentials. Even users with multi-factor authentication in place may still be vulnerable to the attack. The emails used for phishing include file-sharing notifications and requests for e-signatures. It’s always important for computer users to be wary of clicking any link in an email and always verify the sender.
Using third-party risk assessments to mitigate risks: Addressing third-party cybersecurity risks can be challenging, yet failing to do so can lead to costly and damaging consequences. That’s why it’s important to conduct third-party risk assessments during onboarding and then on an ongoing basis. These risk assessments should determine what controls the vendor has in place to mitigate operational, compliance, reputational, and financial risks. Using cybersecurity standards, like NIST, can help create questions that determine the vendor’s security practices. After the risk assessment is completed, you can then risk rate each vendor and determine the level of scrutiny they’ll need.
Managing fourth-party risks: Many third parties outsource work or rely on the services of other third parties, increasing the need for organizations to identify and manage fourth-party risks. These fourth parties first need to be identified, and then third-party risk assessments can help show how third parties are managing their own vendors. Contractual requirements on fourth-party risk management can also be helpful to include in third-party agreements.
Preventing third-party cybersecurity attacks in healthcare: Healthcare organizations are increasingly exposed to third-party cybersecurity attacks as they continue to rely on vendors for services like storing electronic health records. These attacks not only impact patients’ sensitive medical information, but can also impact patient care and well-being. A third-party risk management program is crucial to protect against these risks. There should be thorough due diligence before onboarding, clear contractual provisions, and continuous monitoring of cybersecurity practices and risks. Incident response plans, employee training, and compliance programs are also valuable tools to use.
Third-party data access risks can be challenging to manage: Third-party vendors can be a blind spot for many organizations, especially when it comes to data protection. They’re a frequent target of cybercriminals, as many third parties hold vast amounts of sensitive data. It can be challenging for organizations to determine which vendors have access to sensitive data and what those vendors’ security practices are. Using software can be a helpful way to gain more visibility and map out compliance requirements for data protection.