Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of June 27
More organizations were impacted by the Snowflake data breach, an Italian court noted Dior’s lack of oversight on subcontractors, and financial institutions are looking for new strategies to manage third-party risks. Check out all of this week’s news below.
Almost half of organizations have experienced cloud breaches: Forty-four percent (44%) of organizations have experienced cloud breaches in the last 12 months, according to new research. Human error and misconfiguration were the number one cause of breaches, with vulnerability exploitation in second.
Neiman Marcus confirms data breach through Snowflake: Neiman Marcus is another victim of the third-party Snowflake data theft. The personal information compromised included contact information, birth dates, and gift card numbers. Neiman Marcus disabled access to the database. Cybercriminals began selling the data on a hacking forum, but the post was later taken down.
Federal Reserve analysis notes lack of third-party climate model transparency: A climate scenario analysis from the U.S. Federal Reserve (The Fed) revealed frustrations with climate risk models by third-party vendors. The analysis, in which 6 banks participated, noted a lack of transparency over third-party models. Experts said it’s important to hold third-party vendors to the same level of transparency for climate models. The analysis said some banks are considering moving to in-house models and away from vendors.
Healthcare industry leads in third-party data breaches: Thirty-five percent (35%) of third-party breaches impacted the healthcare industry in 2023, according to new research. Weaknesses in applications and endpoint security currently represent the biggest third-party risks. According to the research, the healthcare industry has still earned a B+ in cybersecurity progress in the first half of 2024.
Third-party software vulnerability compromises chemical security plans: A critical government tool holding private sector chemical security plans was breached in January due to a third party’s software vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the breach, which may have allowed cybercriminals access to sensitive data. Those impacted were notified of the breach and asked to change their passwords. The third-party software company had two vulnerabilities that were exploited, giving hackers access to gateways.
Italian court says Dior failed to oversee subcontractors’ working practices: Christian Dior is under judicial administration for a year after two Chinese-owned subcontractors outside Milan were found to be exploiting workers. The court found that Dior failed to take appropriate measures to check the working conditions of the subcontractors. Organizations that outsource production are required by Italian law to oversee suppliers. In April, Giorgio Armani also had a judgement for failing to oversee suppliers.
Restoration process beginning after third-party ransomware attack on car dealers: After the cyberattack targeting a software provider for thousands of car dealers, the third party has begun restoring systems. The process is expected to take several days to complete. Car dealers were forced to isolate systems from the software provider and work around the outage, including using paper to keep records.
Singapore company is victim of a third-party data breach: A Singapore company experienced a cyberattack after a breach with a third-party customer relationship management (CRM) platform. A cybercriminal hacked the vendor’s shared server and was able to access the organization’s database. The data included names, email addresses, and login passwords.
Contract compliance with DORA’s requirements: As the deadline to comply with Europe’s Digital Operational Resilience Act (DORA) in January 2025 approaches, financial entities must ensure third-party contracts are in compliance. Mandatory provisions with third-party information and communication technology (ICT) providers include audit rights, performance standards, data and confidentiality, and business continuity. The scope of ICT services is broader than current regulations, encompassing software as a service and digital data subscription services. All ICT contracts must include these mandatory provisions, not just critical providers, although there are special requirements for critical providers. Financial entities may need to prepare contract addendums to ensure compliance.
SolarWinds vulnerability being actively exploited: A high-severity vulnerability with the SolarWinds Serv-U file transfer software is currently being actively exploited. The vulnerability has been patched by SolarWinds, so it’s crucial for organizations to apply those updates.
Advance Auto Parts confirms data breach costing about $3 million: Advance Auto Parts confirmed its organization was breached through a third-party cloud database, according to its filing with the U.S. Securities and Exchange Commission (SEC). It’s speculated that the third party is Snowflake, which had several clients breached after attackers used stolen credentials to gain access. However, Advance Auto Parts didn’t name the third party. Although the organization uses insurance, the breach will still cost about $3 million.
Assessing third-party IT providers in local governments: Many local governments rely on third-party IT providers to offer better services to citizens. However, these relationships also come with risks that governments must mitigate, such as financial, reputation, and compliance. First, a third-party inventory is crucial to identify risk. This should include software and hardware vendors and cloud service providers. Governments should assess how critical each third party is to operations and then perform due diligence. This should include verifying the third party and checking financial documentation and security and compliance standards.
U.S. bans Russia-based cybersecurity vendor: The U.S. is banning Russia-based cybersecurity vendor Kaspersky due to risks to U.S. national security. Beginning at midnight on July 20, the vendor is banned from entering into any new agreement within the U.S., and at midnight on September 29, the vendor is banned from providing any updates in the U.S. Organizations that violate the ban could face civil penalties.
Third-party firewall issue disrupts Massachusetts’ 911 system: A technical issue with a third-party vendor caused a disruption to Massachusetts’ 911 system. Some calls may not have gone through, but the state 911 department hasn’t received reports of impacted emergency services during the two hours the system was disrupted. A firewall in the third party’s system prevented calls from reaching 911 dispatch centers. The third party applied a solution to prevent the firewall from blocking the calls.
Financial institutions are looking for new strategies to manage third-party risks: Financial institutions are beginning to develop frameworks similar to know your client (KYC) processes to manage third-party risks. This comes as regulators focus more on third-party risk management and third-party incidents become more common. At a recent panel discussion, experts said financial institutions may need to perform more frequent reviews of key suppliers and renegotiate contracts for better visibility and monitoring.
Recently Added Articles as of June 20
In this week’s news, a bank received a ban from new fintech relationships, Australia finalized a key third-party regulation, and a new privacy law passed. Check out all the news below.
Operations halted at car dealerships due to a third-party cyberattack: Thousands of car dealerships' services were halted across the U.S. after a third-party cyberattack. The dealerships' dealer management system experienced an outage, disrupting business operations and causing many dealerships to halt services. Details are still developing.
Challenges in managing fourth-party risks: As organizations become more dependent on third-party relationships, the supply chain network is growing more complex. Risks continue to expand and fourth- and nth-party risks are becoming more crucial to manage. It can be difficult to manage these subcontractors, or your vendor’s vendors. Visibility can be limited and it can be challenging to know where to draw the boundary line for risk management. Organizations should first map their third parties and understand their risk profile. Identifying critical third parties will help organizations understand where to manage fourth-party risks. Risk intelligence tools can be extremely helpful to monitor these fourth parties and identify risks before they become a problem.
OCC publishes its Semiannual Risk Perspective for Spring 2024: The Office of the Comptroller of the Currency (OCC) reported key risks facing the industry in its Semiannual Risk Perspective for Spring 2024. The report is full of third-party risk management warnings, extensively covering operational risk, compliance risk, and BSA/AML concerns.
Managing third-party data access: To help safeguard the confidentiality, integrity, and availability of data, organizations can perform third-party access auditing. This ensures that only authorized third parties access sensitive systems and that data privacy regulations are complied with. To start, organizations can create an inventory of third-party accounts and detail their data access levels. Then, organizations can review how much access third parties have to data and whether it’s necessary. It’s important to communicate with third parties to understand how access rights are handled, including whether former employees are deactivated from accounts. These practices can help keep data secure at your organization.
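The review described above (inventory the third-party accounts, compare their effective access with what was approved, and check for departed owners and dormant accounts) can be turned into a repeatable check. The script below is an added example, not code from the original post or from Venminder; the inventory rows, the approval register, the field names and the 90-day dormancy threshold are all constructed assumptions rather than any product's export format.

```python
"""Third-party access review over a constructed account inventory.

Added example (not from the original post). The inventory rows, the
approval register and the field names are constructed sample data and
assumptions, not any vendor's export format.
"""
from dataclasses import dataclass
from datetime import date

# Ranking of access levels, used to decide whether an account holds more
# than its approved level.
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Date the review is run against (constructed).
REVIEW_DATE = date(2024, 6, 20)


@dataclass(frozen=True)
class ThirdPartyAccount:
    vendor: str          # third party the account belongs to
    account: str         # account name in our systems
    system: str          # system or data store the account reaches
    level: str           # effective access level in that system
    last_login: date     # last authenticated use we observed
    owner_active: bool   # does the vendor still employ the account holder?


@dataclass(frozen=True)
class Finding:
    vendor: str
    account: str
    system: str
    issue: str


# Constructed approval register: (vendor, system) -> highest approved level.
# Any pair absent from it is treated as having no approved access at all.
APPROVED_ACCESS = {
    ("AcmeBilling", "erp"): "read",
    ("AcmeBilling", "crm"): "read",
    ("PayrollCo", "hr_db"): "write",
}


def review_account(acct, approved, today, max_idle_days):
    """Return the list of issues for one account (empty when it is clean)."""
    issues = []
    approved_level = approved.get((acct.vendor, acct.system), "none")
    if LEVEL_RANK[acct.level] > LEVEL_RANK[approved_level]:
        issues.append(f"excess_access:{acct.level}>{approved_level}")
    if not acct.owner_active:
        issues.append("owner_departed")       # vendor should have deactivated it
    idle = (today - acct.last_login).days
    if idle > max_idle_days:
        issues.append(f"dormant:{idle}d")     # unused access is unneeded access
    return issues


def audit_third_party_access(inventory, approved, today, max_idle_days=90):
    """Run review_account over the whole inventory and collect findings."""
    findings = []
    for acct in inventory:
        for issue in review_account(acct, approved, today, max_idle_days):
            findings.append(Finding(acct.vendor, acct.account, acct.system, issue))
    return findings


def findings_by_vendor(findings):
    """Group findings per vendor, ready for the access-rights conversation."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.vendor, []).append(f"{f.account}@{f.system}: {f.issue}")
    return grouped


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ThirdPartyAccount("AcmeBilling", "svc-acme-1", "erp", "read", date(2024, 6, 1), True),
    ThirdPartyAccount("AcmeBilling", "svc-acme-2", "crm", "admin", date(2024, 5, 20), True),
    ThirdPartyAccount("AcmeBilling", "j.doe-acme", "erp", "read", date(2024, 1, 10), False),
    ThirdPartyAccount("PayrollCo", "svc-payroll", "hr_db", "write", date(2024, 6, 10), True),
    ThirdPartyAccount("OldVendor", "svc-legacy", "file_share", "write", date(2023, 9, 1), True),
]

if __name__ == "__main__":
    results = audit_third_party_access(SAMPLE_INVENTORY, APPROVED_ACCESS, REVIEW_DATE)
    for vendor, items in findings_by_vendor(results).items():
        print(vendor)
        for item in items:
            print("  ", item)
```

Three of the five sample accounts produce findings: an admin account where only read was approved, a departed employee's account that is also dormant, and a legacy vendor account with no approval record at all. The approval register is the piece most organizations lack; without it, "is this access necessary?" cannot be answered from the inventory alone.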
U.S. Department of the Treasury sends RFI on AI in the financial industry: The U.S. Department of the Treasury is seeking to understand how artificial intelligence (AI) is being used within the financial sector. The Treasury sent out a Request for Information (RFI) on the subject. The Treasury is concerned about concentration risks with vendors developing AI models and providing data and cloud services. The RFI contains 19 questions, addressing third-party risk, potential opportunities and risks of AI, explainability and bias, and consumer protection and data privacy. Responses to the RFI are due in August.
Complying with the Health Breach Notification Rule: One of the important healthcare regulations to follow is the Health Breach Notification Rule (HBNR) from the Federal Trade Commission (FTC). This covers any gaps left from the HIPAA Breach Notification Rule by ensuring non-HIPAA covered entities are still responsible for reporting data breaches. HBNR applies to vendors of personal health records (PHRs), PHR-related entities, and third parties for vendors of PHRs or PHR-related entities. PHR includes identifiable health information created or received by a healthcare provider. It’s important to ensure any PHR given to third parties is kept safe. HBNR requires these entities to send a data breach notification when PHR identifiable health information is compromised.
Bank banned from new fintech relationships without regulatory approval: The Federal Reserve Board (the Fed) has banned Evolve Bancorp from entering into any new fintech relationships without prior approval. The ban came in a cease and desist order after the Fed noted deficiencies in Evolve’s risk management and compliance. When seeking approval for fintech relationships, Evolve must submit a proposed contract and list any management or board approving the relationship. Before exiting existing fintech relationships, Evolve must conduct an impact analysis and provide it to the Fed.
Third-party risk professionals talk AI at a recent summit: Third-party risk professionals recently addressed current issues at a third-party risk management summit. AI was a big topic as programs look to take advantage of the technology without increasing risks. Adding AI to third-party questionnaires can help identify where third parties are using the new technology.
Preparing for Retail Payment Activities Act compliance: The compliance deadline for the Retail Payment Activities Act (RPAA) in Canada is fast approaching for payment service providers (PSPs). In November, PSPs must register with the Bank of Canada, including information on third parties, the PSP’s business structure, and methods to safeguard end-user funds. In 2025, PSPs are expected to be able to comply with the RPAA. This includes assessing performance and managing third-party risks, establishing a framework to safeguard end-user funds, and notifying the Bank of Canada of any incidents. PSPs should begin to prepare for compliance now with risk management programs, including third-party risks.
APRA finalizes operational risk management guidance: The Australian Prudential Regulation Authority (APRA) released its final guide, CPS 230 Operational Risk Management, which will take effect in July 2025. The guidance emphasizes the importance of operational risk management and managing third-party risks. The final guidance allows discretion in the approach to third-party risk management, but still sets baseline expectations. Entities will still have to evaluate whether third parties are “material” and ensure CPS 230 compliance for material third parties. APRA did step back on its expectations for fourth-party risks and instead required entities to include fourth-party risk management in their service provider management policy.
Best practices to protect against cloud service attacks: The exploitation of legitimate cloud services set record numbers in March, according to a new study. Cybercriminals are looking for new cloud services to target in order to disrupt supply chains. It’s important for organizations to evaluate their security posture to protect against cloud service attacks. Employees should be educated on the proper use of corporate cloud services, HTTP and HTTPS downloads should be inspected to prevent malware, and organizations should block connections to cloud apps that aren’t used.
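Two of the controls listed above, inspecting HTTP/HTTPS downloads and blocking cloud apps the organization doesn't use, both depend on being able to tell, per proxy event, which cloud app a destination belongs to and whether that app is sanctioned. The script below is an added example, not code from the original post or from the study it cites; the log line format, the domain catalogue, the approved-app list and the content-type list are constructed assumptions, not any proxy product's format or any real vendor's domains.

```python
"""Egress review over constructed web-proxy log lines.

Added example (not from the original post). The log format, domain
catalogue, approved-app list and content-type list are constructed for
illustration only.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed catalogue: domain suffix -> cloud app it belongs to.
CLOUD_APP_DOMAINS = {
    "corp-drive.example": "CorpDrive",
    "share.example": "ShareBox",
    "paste.example": "PasteSite",
}

# Apps the organization has sanctioned. Catalogued apps outside this set are
# cloud apps that "aren't used" and should be blocked per the guidance.
APPROVED_APPS = {"CorpDrive"}

# Content types that should be routed through download inspection rather
# than delivered straight to the endpoint.
INSPECT_CONTENT_TYPES = {
    "application/x-msdownload", "application/zip",
    "application/x-dosexec", "application/octet-stream",
}


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    user: str
    method: str
    url: str
    status: int
    content_type: str
    size: int


def parse_line(line):
    """Parse one constructed log line: ts user method url status ctype bytes."""
    parts = line.split()
    if len(parts) != 7:
        raise ValueError(f"malformed line: {line!r}")
    ts, user, method, url, status, ctype, size = parts
    return ProxyEvent(ts, user, method, url, int(status), ctype, int(size))


def app_for_host(host):
    """Map a host to a catalogued cloud app by longest matching suffix, else None."""
    host = host.lower()
    best = None
    for suffix, app in CLOUD_APP_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, app)
    return best[1] if best else None


def review_event(ev, approved=APPROVED_APPS):
    """Return policy findings for one event: unapproved app and/or download to inspect."""
    findings = []
    host = urlsplit(ev.url).hostname or ""
    app = app_for_host(host)
    if app is not None and app not in approved:
        findings.append(("unapproved_cloud_app", app))
    # Only completed downloads carry a payload worth inspecting.
    if ev.method == "GET" and ev.status == 200 and ev.content_type in INSPECT_CONTENT_TYPES:
        findings.append(("inspect_download", host))
    return findings


def review_log(lines, approved=APPROVED_APPS):
    """Run review_event over raw lines; returns (user, ts, finding) tuples."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for finding in review_event(ev, approved):
            out.append((ev.user, ev.ts, finding))
    return out


# Constructed sample log.
SAMPLE_LOG = [
    "2024-06-18T10:02:11Z alice GET https://files.corp-drive.example/q2/report.pdf 200 application/pdf 204800",
    "2024-06-18T10:05:40Z bob GET https://dl.share.example/tools/setup.exe 200 application/x-msdownload 3145728",
    "2024-06-18T10:07:02Z carol POST https://paste.example/api/new 201 application/json 512",
    "2024-06-18T10:09:15Z alice GET https://files.corp-drive.example/agent/update.zip 200 application/zip 8388608",
    "2024-06-18T10:11:30Z dave GET https://www.example.org/index.html 200 text/html 4096",
]

if __name__ == "__main__":
    for user, ts, (kind, detail) in review_log(SAMPLE_LOG):
        print(f"{ts} {user}: {kind} ({detail})")
```

On the sample log, the executable pulled from the unsanctioned file-sharing app raises both findings at once, the paste site is flagged purely as an unapproved app, and the archive from the sanctioned app is still queued for inspection: approval of an app does not exempt its downloads from being checked.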
Solving the challenge of continuous third-party monitoring: As regulatory agencies take a closer look at third-party relationships, it’s increasingly important for financial institutions to manage the relationships. A study found that while financial institutions prioritize onboarding activities, ongoing monitoring can often be neglected. A real-time, data-driven approach is important to manage the continuous risks of third-party relationships. Technology can help provide the solution, offering real-time data and automated processes. These solutions can keep your financial institution ahead of the curve and in compliance.
Assessing supplier risk in the financial industry: Regulatory requirements for banks have increased in recent years, requiring banks to understand the vendors and suppliers they interact with. While it may be good for banks to diversify their network of suppliers, each one needs proper due diligence conducted and should involve a risk assessment. These assessments should include regulatory and compliance risk, ensuring suppliers follow relevant laws and regulations. Fraud risk is another important aspect to assess, diving deeper into a supplier’s fraud history or known risky behaviors. Adverse media screening can also assess reputation risk during the risk assessment process. By evaluating risks like these, banks can be better positioned in their business and in compliance.
Common supply chain attacks and tips to mitigate: The supply chain has become a greater risk for cyberattacks, one that organizations must understand and mitigate. Social engineering is a common tactic, where cybercriminals convince users to provide sensitive information or login credentials. Stolen login credentials, which can be obtained through social engineering or malware, are another common way cybercriminals target supply chains. Cybercriminals can also compromise a third party’s software, allowing unauthorized access into the organization’s data or system. Ransomware is a large threat to the supply chain, as it can shut down systems and bring business to a halt. Determining a third party’s risk and criticality can help identify potential risks, but organizations should also build strong resilience plans in the case of a security incident. It’s also important to assess third-party risks and use cybersecurity metrics to measure performance and risks.
Minnesota enacts privacy law; Vermont’s moves to governor’s desk: Two new data privacy laws have passed in the U.S. in Minnesota and Vermont. Vermont is the first comprehensive state privacy law to allow private citizens to take action for privacy-related violations. The bill still waits for the governor’s signature and business groups have urged the governor to veto it. The Minnesota privacy law will take effect on July 31, 2025. It grants citizens the right to get a list of specific third parties the citizen’s data has been shared with. It also requires data controllers to maintain a data inventory.
Managing third parties in the healthcare industry: To ensure data resilience in the healthcare industry, it’s important to manage third-party suppliers. This includes monitoring Internet of Things (IoT) devices, managing third-party data access, and evaluating network security. These practices can help healthcare organizations secure their environment.
Recently Added Articles as of June 13
Multiple third-party data breaches impacted organizations this week, compromising customer information and leading to phishing attempts, while federal agencies investigate a 2023 third-party data breach. Catch up on all of this week’s news below.
Healthcare organization impacted by business associate’s data breach: More than 70,000 patients had their healthcare information compromised in a third-party data breach. Adventist Health announced the data breach, which occurred with its business associate, Signature Performance. Letters were sent to affected individuals.
Vendor email compromises and phishing attacks rose: Vendor email compromise (VEC) attacks rose across the U.S. and Europe between April 2023 and April 2024, according to a new study. In VEC attacks, cybercriminals impersonate vendors to deceive organizations to make payments for fake invoices, start wire transfers, or update banking details. Phishing attacks overall in the U.S. and Europe had large increases. The volume of phishing attacks increased in Europe by 112.4% and increased in the U.S. by 91.5%. Phishing attacks are often used as a way to gain initial entry into an organization, which cybercriminals then use to compromise even more accounts.
Another organization is the victim of the third-party Snowflake breach: Pure Storage, a cloud storage system provider, confirmed it was impacted through the third-party Snowflake breach. Snowflake is a cloud storage provider. Its data breach has impacted multiple organizations, such as Ticketmaster and Santander. Cybercriminals were able to gain access to Pure Storage's Snowflake workspace. Exposed information included customer names and email addresses; however, no credentials were compromised.
Third-party data breach impacts customer information: GapBuster recently gave notice of a third-party data breach that impacted customers’ sensitive information, including names, email addresses, and phone numbers. The third party provides cloud-based call center solutions to GapBuster. The third party quickly contained the data breach and informed GapBuster.
Data stolen in third-party data breach is sold on dark web: Information stolen in a third-party data breach was recently spotted on the dark web being sold for $750,000. Cylance, a cybersecurity company, confirmed the data and said it was old data taken from a third-party platform. Allegedly, 34 million records of personally identifiable information were stolen and it appears to be old marketing data.
Federal agencies investigating a massive 2023 third-party data breach: Federal agencies are investigating a third-party data breach from last year that impacted at least 14 million records. The breach originated with a medical transcription company, Perry Johnson & Associates, and impacted several healthcare systems. According to a subpoena, the U.S. Department of Justice is requesting records relating to the due diligence a healthcare organization conducted on the third party.
Microsoft changes its AI feature to opt-in: Microsoft will disable its artificial intelligence (AI) feature, Recall, and make it an opt-in for customers. The feature was controversial, particularly in the security and privacy community. The feature could have screenshots of documents, emails, or messages, which could potentially compromise sensitive information.
Crypto company impacted by third-party data breach: A crypto data aggregator, CoinGecko, confirmed a third-party data breach through its email platform. Almost 2 million records were impacted, and phishing emails were sent to thousands of accounts from the email platform. Impacted users of CoinGecko were notified and the breach is under investigation.
Cyberattack on a third party may be one of the largest so far: A cyberattack against a third-party cloud storage company, Snowflake, may be shaping up to be one of the biggest so far. Ticketmaster and Santander have already been confirmed as victims of the attack. Cybercriminals have also claimed to be selling millions of data records from the Snowflake breach. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on the breach.
Protecting against third-party data breaches: While organizations outsource more to third parties to strengthen their offerings, cybercriminals are also viewing many third parties as weak links to exploit. This has been displayed in several recent third-party data breaches. To help prevent and lessen the impact of third-party data breaches, due diligence on cybersecurity practices is important. Organizations should ensure cybersecurity controls are tested at least annually.
Critical vulnerabilities in a third-party healthcare tool are disclosed: The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) is warning healthcare organizations of two critical vulnerabilities in a medical device. The vulnerabilities are in Baxter products and were disclosed to the Cybersecurity and Infrastructure Security Agency (CISA). There’s no evidence of active exploitation, but there could be delays in patient care if eventually exploited. A software update was released for the issue and Baxter encouraged healthcare organizations to apply the updates.
Evaluating the risks of third-party apps: Many organizations use third-party apps to become more efficient in their operations. With that, it’s important to ensure sensitive data remains protected. Before using third-party apps, organizations should first assess the third-party vendor, including evaluating their history of data breaches. The principle of least privilege is also important, ensuring third-party apps only have access to necessary data. Organizations can utilize third-party monitoring to quickly identify data breaches and should have an incident response plan to prepare.
Third-party ransomware attack disrupts patient services at UK hospitals: A third-party ransomware attack disrupted patient services at hospitals across London. The third party provides diagnostic and pathology services, and the attack was linked to a Russian cybercriminal group. The third party had its systems offline and a critical incident emergency status was designated through the region. Patient care continued to be delivered, but hospitals lost pathology services and couldn’t perform quick blood tests.
European authority reminds banks of importance of keeping AI safe: The European Securities and Markets Authority (ESMA) reminded banks and investment firms that customers must be protected from AI. Boards of directors are responsible for all decisions, including those made by AI tools. When third-party AI is involved, ESMA said it’s important to understand how that technology is used and ensure it’s overseen.
Recently Added Articles as of June 6
Several third-party data breaches impacted organizations and customers, a bank was ordered to create a third-party risk management program, and experts recommend several third-party risk management practices to protect your organization. Check out all of this week’s news below.
How the healthcare industry can prepare for third-party cyberattacks: The healthcare industry is often targeted in cyberattacks, particularly third-party healthcare providers. Protected health information (PHI) is valuable to cybercriminals, and many healthcare organizations use the same third parties, which can disrupt the entire system. Healthcare organizations should seek to minimize overreliance on third parties and address cybersecurity issues. It's recommended healthcare organizations evaluate their business continuity and disaster recovery (BC/DR) plans to evaluate critical vendors. They should also look at their vendor contracts and business associate agreements to ensure everything is up to date and there are provisions for cyberattacks.
European Central Bank is taking feedback on cloud outsourcing guide: The European Central Bank (ECB) began public consultation on its new guide for outsourcing cloud services. The guide requires banks to consider the risks of overly relying on one cloud services provider, as the market is highly concentrated, and consider the potential business disruptions. Third-party risk management has been a top priority for ECB, and it will continue to be over the next couple of years. ECB will take feedback on the guide until July 15 and then publish a finalized guide.
Cox patches API vulnerability: Cox Communications fixed a vulnerability that allowed attackers to abuse APIs and reset Cox modem settings. The organization took down the exposed APIs and patched the vulnerability. Cox also investigated whether the vulnerability was exploited, but found no evidence of it.
Third-party data breach impacts Ticketmaster user data: Ticketmaster attributed a recent data breach to a third-party cloud database that contained mostly data from the organization. Live Nation, the parent company, said it doesn’t expect the breach to have a large impact on operations. However, user data was compromised and offered for sale on the dark web. Data includes names, addresses, phone numbers, email addresses, and order history.
Pharmaceutical organizations are impacted in third-party data breach: At least 15 pharmaceutical organizations have been impacted in a third-party data breach and about 540,000 people have been notified of the breach. That number will likely continue to grow. Cencora, the breached company, is a pharmaceutical distributor.
Third-party risk management practices to protect the hotel industry: It’s extremely important for the hotel industry to protect guest data, but often APIs and third-party property management systems are neglected. This leaves the hospitality industry open to cyberattacks. Hotels should regularly perform security audits on third parties and continuously monitor for new vulnerabilities. Before beginning third-party relationships, hotels should vet third parties and examine security policies, reputation, and compliance documentation. Assessing third-party incident response plans is also a good practice to ensure everyone is prepared if an incident occurs.
Colorado finalizes the first U.S. AI law: Colorado has enacted the first artificial intelligence (AI) legislation in the U.S. It's set to take effect in February 2026. The law applies to anyone conducting business in Colorado that either deploys or develops high-risk AI systems. High risk is defined as any AI system that makes or is a substantial factor in consequential decisions. AI deployers or third parties will have to complete impact assessments on high-risk AI systems, and risk management policies are required.
Organizations should patch an actively exploited Linux vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a vulnerability impacting the Linux kernel. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, as there’s evidence of active exploitation. The vulnerability was addressed in January, so it’s crucial for organizations to apply the patches.
SEC is investigating foreign third-party relationships: The Securities and Exchange Commission (SEC) has started poking into third-party relationships technology organizations have, especially third parties in countries with high corruption risk. It’s important for technology organizations to have the answers prepared if the SEC begins to ask questions. Organizations should be able to show evidence of due diligence and contract management. Contracts should include a right to audit so your organization can continuously monitor risks and ensure compliance with the Foreign Corrupt Practices Act (FCPA). Keeping records and documentation is crucial to providing evidence to the SEC and there should be evidence of training for third parties on anti-corruption.
Credit union is impacted in third-party data breach: Truliant Federal Credit Union reported a third-party data breach from one of its previous vendors. A cyberattack on the former vendor compromised Truliant files from 2012. It’s unclear how many people were impacted, but the data included names, account numbers, and Social Security numbers.
Securing the supply chain against cyberattacks: Supply chain cyberattacks have increased and it’s important for organizations to be able to defend against third-party threats. Ultimately, organizations take the responsibility for the data breach, even if it originated with a third party. Often, cyberattacks are social engineering, so it’s important to ensure third parties have training practices in place and track the performance of the third party’s training. Cybersecurity threats need to be consistently monitored, so organizations should ensure third parties have vulnerability management practices in place.
Healthcare industry is falling behind in cybersecurity protection: Although many industries are facing the increased threat in cybersecurity, experts say the healthcare industry has fallen behind in protecting its systems. This includes unpatched software vulnerabilities and system failures to defend against attacks. The healthcare industry is also becoming more connected, relying on more third parties and vendors, which has increased the attack surface. Experts pointed to the need for a third-party risk management program that is continuously evolving and adapting to new risks.
Bank ordered to create third-party risk management program: Comerica Bank must create a third-party risk management program, per an enforcement agreement with the Office of the Comptroller of the Currency (OCC). The program must have an internal audit program and internal controls. The board of directors will be responsible for ensuring the agreement is followed.