July 2024 Vendor Management News

Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of July 25

This week’s news offered several important lessons from the CrowdStrike outage, a massive data breach in Australia, and a new state privacy law. Check out this week’s news below. 

Lessons learned from the massive CrowdStrike outage: The CrowdStrike and Microsoft outage has offered several important lessons for organizations, including the dangers of overly relying on a single vendor and vendor consolidation and concentration risks. As organizations try to trim down the number of tools and technology they use, they may run the risk of severe impact if a single vendor were to experience an incident. However, some of these risks may ultimately be unavoidable, so it’s important for organizations to identify and mitigate vendor consolidation risks. Business continuity and disaster recovery plans become essential when incidents like CrowdStrike occur. Learn more about the impacts of the CrowdStrike incident in the healthcare industry and the lessons learned in the banking industry. 

Third-party risks are identified as a top challenge in information security: Third-party risks have become a number one challenge for information security professionals in the U.S., according to a new study. This comes as supply chain attacks continue to rise and impact more organizations. Setting strong partnerships with third parties that prioritize cybersecurity can help protect organizations from increasing risks. 

Retail industry is a common target in third-party data breaches: The retail industry has been a prime target for data breaches, impacting organizations and their customers. Many of these cyberattacks originate from retailers’ third parties. It’s important for retailers to ensure the sensitive data they hold is kept secure, even when it’s in the hands of third parties. Cybersecurity best practices, such as multi-factor authentication, intrusion detection systems, and data encryption, are also important to implement. 

New malware targets critical infrastructure: A new malware targeted infrastructure in Ukraine. It looks to sabotage operational technology networks and was discovered in April 2024. The malware was able to take down heating services to more than 600 apartment buildings in Ukraine for almost 48 hours. 

Private OCC report finds weak operational risk management at large banks: The Office of the Comptroller of the Currency (OCC) found that 11 of the 22 large banks have “insufficient” or “weak” operational risk management, according to a private report. The assessment of this operational risk contributes to the broader CAMELS ratings, which then determines the amount of regulatory scrutiny a bank will receive. 

Vendor breach compromises almost 13 million Australians: Almost 13 million Australians – roughly half the country’s population – had personal information compromised in a data breach on e-prescription vendor, MediSecure. The hacked information encompasses prescriptions from March 2019 to November 2023. The vendor was denied assistance from the Australian government to cover breach notification costs and the vendor then announced its liquidation. 

Cybercriminals begin phishing attacks to take advantage of CrowdStrike outage: Cybercriminals took advantage of the global CrowdStrike outage to launch phishing attacks. CrowdStrike Intelligence warned of the attempts as cybercriminals posed as source of help for those impacted by the outage. The phishing attacks consisted of emails and phone calls impersonating CrowdStrike staff. Cybercriminals have even attempted to sell remediation solutions, like malicious scripts and files. 

U.S. sanctions two Russian cybercriminals: The U.S. has sanctioned two Russian cybercriminals after cyberattacks that targeted critical infrastructure. Both cybercriminals are members of a Russian hactivist group. The group targeted water treatment and energy facilities in the U.S. Financial institutions may face sanctions or fines if they engage with either of sanctioned individuals.

Speech from SEC director focuses on AI risks: The Securities and Exchange Commission (SEC) is focusing on commercial real estate exposure risks and artificial intelligence (AI) risks. In a speech, the SEC’s director noted that banks are facing heightened risks with commercial real estate, particularly with higher interest rates. As more organizations begin to use AI, the SEC director also noted that organizations may be required to disclose how they use AI and the risks of it under current SEC disclosure laws. Organizations subject to the SEC should begin to prepare for these two areas to come under increasing scrutiny.

Rhode Island passes state privacy law: Rhode Island became the 19th state to pass a state privacy law, which will be enacted in January 2026. Unlike many previous state privacy laws, Rhode Island has a broad application of privacy notice requirements, including commercial websites or internet service providers that conduct business in Rhode Island or with customers in Rhode Island. The privacy notice must disclose all third parties the organization has sold to or may sell to. Also, unlike many other privacy laws, the state attorney general doesn’t have to give organizations time to correct noncompliance. 

Recently Added Articles as of July 18

This week’s news highlighted increasing regulatory scrutiny of third parties, the impact of several third-party data breaches, and how third-party risk management is a top priority according a to a new survey. Check it all out below.

Preparing for more third-party risk management regulations: As regulatory scrutiny on third parties around the globe intensifies, organizations are facing a greater burden for compliance. To meet the varying regulatory requirements, it may be necessary for organizations to visit some long-time third-party risk management best practices. Due diligence is a crucial activity, particularly on regulatory focus areas like fraud and sustainability. It’s also wise to require third parties to comply with your own organization’s policies and procedures. Vendors should recognize what’s expected of them and have the practices in place to comply. 

New fraud campaign targets apps in Google Play Store: Cybercriminals are running a fraud campaign using app ads in the Google Play Store. The campaign uses “evil twin” apps to monitor web searches, install browser extensions, and load code onto devices. This is an attempt from the cybercriminals to appear legitimate.  

Healthcare organization victim of third-party data breach: Loretto Management Corporation was impacted in a third-party data breach, compromising sensitive customer information. Hackers were able to access Loretto’s information technology network through a third party. 

Squarespace domains compromised: Multiple domain names with Squarespace were compromised by threat actors. There’s an ongoing migration process between Google Domains and Squarespace and cyberattackers exploited vulnerabilities in the process. They may have gained access to information like leaked or reused passwords. Users should implement two-factor authentication, remove excess users, and monitor for unexpected changes.  

Improving third-party risk management a top priority in new survey: Forty percent (40%) of legal and compliance leaders have made strengthening third-party risk management programs a top priority, according to a new Gartner survey. New technologies, both internally and with third parties, have put a greater strain on legal and compliance as they have to wear many hats. According to the survey, more than 50% of third-party risk management leaders have seen an increase in senior leader oversight. This comes as regulatory expectations continue to evolve in the third-party risk management landscape. Forty-six percent (46%) of third-party risk management leaders have seen an increase in board oversight. 

Millions of AT&T phone and text records compromised in illegal download off third-party platform: Nearly all of AT&T’s more than 100 million customers were impacted by a data breach. Information stored on a third-party cloud platform was illegally downloaded and it’s not believed the data is publicly available at this time. Compromised data included records of phone calls and texts, but the data doesn’t include the content and no sensitive information was impacted. The data was stolen from third-party platform Snowflake, where customers without multi-factor authentication were targeted in an attack. Snowflake said there’s no evidence the attack was caused by vulnerability, misconfiguration, or breach of its third-party platform. 

Exim mail transfer agent has activity vulnerability: More than 1 million Exim mail transfer agent (MTA) instances are unpatched for a critical vulnerability. The attack does require users to download an attachment from an email, which would then allow cybercriminals to access the system. Administrators should immediately update Exim or restrict remove access to their servers if they can’t update yet.  

Third-party data breach compromises sensitive customer data: Kovack Financial was the victim of a third-party data breach, which compromised Social Security numbers. An unauthorized party was able to gain access to emails and was then able to get sensitive customer information through a third party’s cybersecurity issue. 

Using governance to mitigate third-party AI risks: It can be easy to assume third-party tools that use artificial intelligence (AI) have the right safeguards in place. However, your organization is ultimately responsible for ensuring the safety of that third-party tool when it’s used within your organization. Governance frameworks can offer a clear path of accountability and responsibility for third-party AI. These frameworks can also ensure proper monitoring of the third-party AI tool is done. Monitoring can also help make sure biases aren’t corrupting AI results. The right governance also sets the standard for regulatory compliance and defines ethical standards. With governance in place, your organization can be more secure in its third-party AI use.

Recently Added Articles as of July 11

A car dealership expects to see a financial impact from a third-party cyberattack, a global banking committee proposed principles for third-party risk management, and a federal regulator downgraded a bank’s compliance due to a third-party relationship, and so much more. Check out all of this week’s news below. 

FDIC downgrades bank’s compliance score due to a third-party relationship: Forbright Bank’s Community Reinvestment Act (CRA) compliance score was downgraded by the Federal Deposit Insurance Corporation (FDIC) due to a third-party relationship, which ended more than two years ago. An unnamed credit-building fintech allegedly charged users fees which violated the CRA. Forbright is repaying impacted users, although it didn’t charge the fee or receive revenue from them. 

Global committee proposes principles for third-party risk management: The Basel Committee of Banking Supervision has proposed 12 principles for financial institutions to manage third-party risks. Basel emphasized that a bank’s board of directors holds the ultimate responsibility for third-party oversight. The draft principles for third-party risk management are due to financial institutions’ increasing reliance on third parties. These principles would replace the existing standards on outsourcing and address newer risks, such as fintech and concentration risks. The proposal from the Basel Committee is open for comment until October 9. 

Roblox conference attendees impacted in third-party data breach: A third-party data breach impacted those who registered for the Roblox Developer Conference in 2022, 2023, and 2024. Roblox itself wasn’t affected by the breach. The vendor that manages the organization’s conference registration was breached. Information includes names, emails, and IP addresses. 

Car dealership expects material financial impact after a third-party cyberattack: A third-party cyberattack was attributed as the reason sales fell at Sonic Automotive. Software services provider CDK experienced an attack that led to outages at automotive dealerships across the U.S. Sonic said the attack is likely to have a “material impact” on its financial performance. There are still CDK systems and functions that are offline, but basic functionality was restored. 

Third-party risk management is needed for carrier companies, according to National Motor Freight Traffic Association: The National Motor Freight Traffic Association (NMFTA) emphasizes the need for third-party risk management for freight and logistics companies. The association said that if key vendors don’t have strong cybersecurity practices in place, carriers could be adversely impacted. Carriers could even be unable to operate trucks or other hardware if hackers are able to gain access to systems or sensors. It’s important for carriers to map out their third-party vulnerabilities and understand what parties are hosting and processing data. NMFTA said executive buy-in is crucial to a solid third-party risk management program and can be achieved by explaining the serious third-party risks carriers face. Carriers must address not just cybersecurity risks, but also financial and reputational risks. 

Stolen data from third-party app impacts Shopify customers: Shopify has denied any data breach at its organization, but instead said personal data was stolen from an unnamed third-party app. Shopify said the app developer would be responsible for notifying impacted customers. The data includes names, Shopify IDs, phone numbers, and SMS subscription. 

Malicious AI tools are on the rise: There’s been a rise in malware disguised as artificial intelligence (AI) tools in the first half of this year, according to a new report. Cybercriminals have used the technology to act as generative AI assistants and tried to trick people into downloading malware. 

Ghostscript vulnerability is being actively exploited: A vulnerability in the Ghostscript document conversion toolkit is being actively exploited. The tool is pre-installed on many Linux systems. Attackers would be able to bypass security on unpatched systems and perform high-risk operations. Organizations should ensure the application is updated to the latest version. 

Florida Department of Health is victim of ransomware attack: Florida’s Department of Health experienced a cyberattack that impacted the state’s ability to issue death and birth certificates. A ransomware group has claimed to have stolen data, but Florida law bans state and local governments from paying a ransomware. 

Third-party data breach compromises sensitive data: A third-party data breach impacted sensitive data at HealthEquity, according to the organization’s Securities and Exchange Commission (SEC) filing. A third party’s user account was compromised, allowing access to some HealthEquity data on a SharePoint server. The incident isn’t expected to have a material impact on the organization. 

Limitations of a third party’s SOC 2 report and other strategies to use: Many third parties use SOC 2 reports to show their security practices to organizations, but SOC reports do have limitations organizations should consider. It’s important to look at the scope of the report to ensure it covers the systems and services relevant to your organization. SOC 2 reports are also only a point in time and security practices can change quickly. Remember, vendors are also in control of the criteria for the audit, which may influence the focus of the report. While a SOC 2 report is still helpful to review and use, other strategies like security questionnaires, penetration testing assessments, and contractual agreements are useful to implement.

Cloudflare incident is due to Border Gateway Protocol hijack: Cloudflare said a recent incident impacted 300 networks, but said the overall impact was low. Cloudflare identified the issue and resolved it in about two hours. 

Recently Added Articles as of July 4

A third-party data breach led to data being posted on the dark web, vendor risk assessments are an essential tool for mitigating risk, and a former employee at a third party copied sensitive records in a security incident. Read all of this week’s news below. 

Fintech companies are impacted in a bank’s ransomware attack: Evolve Bank & Trust confirmed it was the victim of a ransomware attack, which impacted some of its former and current fintech partnerships. These fintech companies include Wise and Affirm, both of which confirmed some information was compromised. Customer data was released on the dark web and the ransomware gang has asked for a ransom. Evolve is working with law enforcement. The attack comes after a regulatory order for the bank in June to strengthen its fintech relationships. 

How fintechs can prioritize compliance: It’s become increasingly important for fintech companies to follow the same compliance and regulatory expectations as banks have. However, especially for fintechs with small teams, this can be challenging to do. A proactive approach to compliance anticipates potential regulatory challenges and implements solutions. Technology that includes automated transaction monitoring and data analytics can also be helpful. Fintech companies should perform regular risk assessments, conduct ongoing monitoring, and create a culture of compliance. 

Bank required to make third-party risk management improvements: Thread Bank was required to address its banking as a service (BaaS) third-party risk management in a consent order with the Federal Deposit Insurance Corporation (FDIC). The bank must implement documented risk assessments on fintech partners and ensure its third-party risk management program addresses the level of risk of fintech partners. This includes setting risk tolerance thresholds that are approved by the board. The bank has said it will make the required improvements.

Implement security controls to ensure secure SaaS relationships: Software as a service (SaaS) is an extremely useful tool for organizations to improve efficiency and operations. However, like with many other vendor relationships, threat actors can often target SaaS tools in supply chain attacks. This can occur through credential exploitation (particularly if organizations lack security measures like multi-factor authentication) and bypassing multi-factor authentication. Best practices like data encryption, account access control, and data backups are crucial for both organizations and their SaaS providers to have. 

The importance of secure generative AI: Generative AI is a new attack vector that organizations should be aware of, according to experts. As many rush to adopt the technology and provide new offerings to their customers, cybersecurity and safe practices can easily slip to the background. When building AI technology, organizations should be aware of the risks and prioritize protecting privacy and personally identifiable information (PII). 

Cybercriminals using fake IT sites to inject malware: Fake IT sites are pushing malicious “fixes” for Windows errors. Cybercriminals are using the sites to infect devices with malware. Cybercriminals have even started using videos to give false instructions to victims. The malware can steal credentials, credit cards, cookies, and browsing history. Remember to only download software and error code fixes from trusted websites.

How to ensure effective vendor risk assessments: Vendor risk assessments are an essential tool in the third-party risk management toolbox as they help organizations vet potential vendors before signing a contract. For these assessments to be effective, organizations should have internal standards for evaluating vendors. Organizations need to know how to measure and compare vendor risks to ensure consistency. Standards should also align with regulatory requirements and best practices. Because vendors pose different levels and types of risk, a one-size-fits-all approach is unwise for vendor risk assessments. Instead, assessments should be tailored to the vendor. Be sure to verify what the vendor reports by checking references and analyzing financial health, too. 

Thousands of websites were compromised in a third-party library attack: The domain Polyfill.io was compromised in a supply chain attack that infected more than 110,000 websites with malicious code. Websites that use JavaScript code from Polyfill should remove it immediately. It’s important to perform due diligence even on third-party libraries by evaluating a Software Bill of Materials (SBOM) and assessing the libraries’ security posture. 

EU and UK regulatory compliance for critical third parties: Critical third parties in financial services have moved under the microscope of regulatory agencies, particularly with the EU’s Digital Operational Resilience Act (DORA) and with proposed regulations in the UK. Although there is some overlap, there are also key differences. For example, while the EU mostly focuses on critical technology providers, the UK has focused on all critical third parties. Some of the key similarities for critical third parties in the two regulations include governance, risk management, supply chain risk management, and resilience testing. Critical third parties should begin preparing for compliance now and collaborate with their financial services clients.

Former third-party employee accesses sensitive records, causing a security incident: Millions of records were potentially compromised at a healthcare organization due to a third-party security incident. A former employee at the third party accessed records after they were fired and made copies. After discovering the incident, the third party permanently disconnected the former employee’s access. Although sensitive data was stolen, it didn’t include insurance information, credit card or bank account numbers, or Social Security numbers. This is at least the second similar incident the third party has experienced where a former employee accessed records.

Navigating third-party sanctions: It's essential to ensure a third party you plan on doing business with isn’t sanctioned. However, that process can be difficult. As a start, a risk-based approach is helpful to include. Although it can be useful to do a basic check on low-risk vendors, organizations should focus on higher-risk vendors. To verify if you have the correct entity or person, it’s helpful to have secondary identifiers, such as business address. If a third party has been sanctioned before, but is no longer on the list, your organization should be aware of those risks, such as operational and reputational. 

AMD is impacted by third-party data breach: A third-party data breach caused internal data at an organization, AMD, to be posted on a hacking forum. It’s unclear what the extent of the breach was, although AMD said it didn’t expect material business impact. In a statement, AMD pointed to an unnamed third-party vendor as the cause and said a limited amount of information was stolen, mostly focusing on production materials. 

Failed prepaid card vendor monitoring found in Georgia audit: An audit found that Georgia’s Department of Human Services and Department of Labor need to improve prepaid card vendor monitoring. According to the audit, neither department ensured the vendors’ performance met contractual expectations. Data that was used to monitor the vendors also sometimes failed to align with what was stated in the contract. 

Regulatory agency proposes revised recovery planning guidelines: The Office of the Comptroller of the Currency (OCC) has proposed changes for its recovery planning guidelines for large banks. This includes extending the definition of large banks to include those with at least $100 billion in assets, incorporating a recovery plan testing standard and clarifying the role of non-financial risks in recovery planning. In the proposal, the OCC also states that recovery plans should describe interdependencies on critical third parties.

Mitigating third-party AI risks: As artificial intelligence (AI) regulations have continued to evolve, it’s important not to overlook third parties. Organizations should expect to be held responsible for how their third parties use AI. To mitigate the risks, identify which third parties use AI and how they use it. Consider which third parties use sensitive data for AI and their level of transparency. Organizations should implement continuous monitoring strategies for AI usage.