January 2025 Vendor Management News

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of January 9

Several third-party data breaches occurred over the holiday break, the United Kingdom's recent third-party guidance for financial institutions became effective, and a new study showed the rising risk of third-party data breaches in the European Union. Catch up on all the important news and headlines below. 

Third-party data breach compromises U.S. Treasury Department: A third-party data breach allowed Chinese state-sponsored hackers to compromise the U.S. Treasury Department. Cybercriminals targeted third-party provider BeyondTrust and accessed a stolen key. This allowed the hackers to override security and get remote access. The third party alerted the Treasury Department to the major incident. 

OCC urges banks to manage supply chain cybersecurity risks: The Office of the Comptroller of the Currency (OCC) highlighted third-party data breaches in its Semiannual Risk Perspective. Threat actors are increasingly targeting third-party vulnerabilities and poor security practices. The regulator said banks need to stay on top of supply chains, particularly the information technology supply chain. 

Third-party system compromised in Exotar breach: Exotar was the recent victim of a breach after information stored on a third-party system was compromised. It’s unclear what types of information was compromised, but victims were alerted to the breach. Exotar provides identity and access management systems and the third party wasn’t identified. 

White House introduces Cyber Trust Mark for consumer smart products: The White House launched the U.S. Cyber Trust Mark, a cybersecurity safety label for internet-connected consumer devices. The label will be on smart products to help consumers choose a safe product. A QR code will provide consumers with security information like how to change the default password. For vendors to receive the Trust Mark, they must meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. 

CISA warns of actively exploited vulnerabilities: The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to critical vulnerabilities that are actively exploited in Oracle WebLogic Service and Mitel MiCollab systems. The bug lets attackers perform unauthorized administrative actions and access user information. Organizations should patch these flaws as soon as possible. 

United Kingdom financial regulators push for resiliency from third-party attacks: Financial institutions in the United Kingdom need to strengthen operational resilience and oversight of critical third parties. The Bank of England, Prudential Regulatory Authority, and the Financial Conduct Authority released a policy effective on January 1. Criteria for critical third parties isn’t clear, but regulators expect them to have incident management procedures and transparent reporting. Financial institutions need clear accountability to manage third-party risks, identify dependencies on third parties, and develop protocols to manage third-party disruptions. These practices will help institutions remain compliant with new expectations. 

Third-party cybersecurity a major risk in the European Union: Third-party data breaches are a top risk in the European Union, a recent study showed. According to the study, 98% of European organizations had a third-party data breach in the last year. This leads to operational disruptions, reputational damage, and regulatory scrutiny. Among industries, the energy sector performed the worst. Prioritize third-party risk management to avoid these consequences and mitigate the damage in the case of an event. 

Third-party data breach exposes customer credit card information: A third-party data breach exposed credit card data of ZAGG Inc. customers. The cybercriminal breached an app provided by the third party and injected malicious code that stole the card details. The app was immediately uninstalled from the third party’s stores, which removed compromised code. It’s not clear how many customers were impacted in the breach.