Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of March 13
Two third-party data breaches impacted customer and organizational data, UK regulators asked for feedback on third-party regulations, and the Institute of Internal Auditors is looking to address third-party risks. Check out this week’s news below.
Client data compromised in third-party breach: Japanese telecommunications third-party provider NTT notified about 18,000 corporate clients of a data breach. Hackers breached its system that contained information on customers, including contact numbers, emails, and service usage information. NTT will not send personalized alerts to clients, so organizations should watch for spam and other unwanted communication.
Third-party data breach perpetrated by ransomware gang, impacts over 100,000: A ransomware gang took credit for a third-party breach that impacted at least 110,000 K-12 school employees. Carruth Compliance Consulting, which administers retirement savings for public schools, said the breach impacted information like Social Security numbers, financial accounts, and W-2s. Breaches on even just one third-party provider can impact multiple educational institutions.
UK regulators ask for feedback on third-party regulations: Two United Kingdom regulators – Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) – are consulting on new requirements for material third-party arrangements. Organizations have until March 14 to submit feedback. The proposals require more timely, consistent, and accurate reporting of disruptive incidents and of third-party relationships. Reporting includes a register of information on material third-party arrangements. Although both regulators aligned their proposals, there are slight differences. For example, the PRA only requires third-party reporting on a risk-based approach.
Institute of Internal Auditors releases draft on Third-Party Topical Requirement: The Institute of Internal Auditors (IIA) released a draft of the Third-Party Topical Requirement that addresses rising third-party risks. The draft is part of IIA’s broader framework to help internal auditors assess governance, risk management, and control processes in third-party relationships. The draft requirement provides a consistent approach to managing growing third-party risks like geopolitical shifts, supply chain disruptions, and operational challenges. The public comment period on the draft runs until April 20.
Mishandling of data at third party causes small breach at financial institution: A large financial institution said a third-party document destruction service inappropriately handled confidential documents, exposing the information of a small group of customers. It’s not clear how many accounts were impacted. The financial institution said the bank didn’t secure materials properly in transport, so some documents were found outside of the secure containers.
Managing and monitoring third-party software tools: Third-party software tools are now considered a necessity for most organizations to communicate. However, if these tools aren’t secured, data leaks may occur through misconfigured sharing settings, unrestricted third-party integrations, lack of monitoring, and human error. To prevent this, organizations should enforce strict access controls and role-based access. Regularly review user permissions and channels and monitor activity through audit logs and real-time alerts of suspicious activity.
Recently Added Articles as of March 6
The costs of poor third-party risk management practices are high. Third-party risk contributed to 23% of insurance claims with incurred losses, third-party remote access was responsible for almost half of 2024’s data breaches, and noncompliance with the Digital Operational Resilience Act (DORA) may lead to steep penalties and even suspended business operations. Catch up on all the headlines below.
A third of 2024 cyber claims tied to third-party incidents: Vendor-related ransomware and outages contributed to 31% of all cyber insurance claims in 2024, according to a new study. For the first time, third-party risk contributed to 23% of claims with incurred losses. Eighteen percent of third-party incidents were ransomware attacks. Significant financial losses are tied to these third-party incidents, impacting industries like finance, healthcare, transportation, and manufacturing. Cybercriminals increasingly target vulnerabilities along the supply chain, making third-party risk management more important than ever.
Third-party remote access responsible for 48% of 2024 data breaches: Nearly half of 2024 data breaches involved third-party remote access, according to a new survey. Almost 66% of the respondents said third-party data breaches will increase or remain the same over the next one to two years. A significant number of organizations (34%) said they grant excessive privileged access to third parties. However, 41% struggle to mitigate third-party access risk. The consequences of the third-party access breaches included compromised sensitive data, regulatory fines, and damaged third-party relationships. Keep an inventory of what data third parties have access to and continuously monitor who has access.
The cost of noncompliance with DORA: The Digital Operational Resilience Act (DORA) in the European Union (EU) reshapes how organizations approach cybersecurity and operational resilience, focusing on areas like third-party risk management and critical providers. Noncompliance can result in significant financial penalties, while supply chain vulnerabilities continue to rise as a top risk. A report showed that 43% of organizations were expected to miss the DORA compliance deadline, which may be costly now that DORA has taken effect. Individual fines can reach up to €1 million. Regulatory authorities may even limit or suspend the business activities of noncompliant financial institutions. Prioritize compliance and review current third-party risk activities to ensure there are no gaps that can be exploited.
Third-party administrator data breach exposes information of more than 48,000: A third-party administrator of retirement savings for school districts experienced a data breach, exposing the data of more than 48,000. At least 12 community colleges and public schools were impacted. Information impacted includes names, Social Security numbers, and financial account information.
Identifying red flags in your vendor’s business continuity plan: Your vendor’s operational resilience is just as important as your own. Weak or ineffective continuity plans can lead to operational disruptions, financial losses, and reputational damage. Look for key red flags when reviewing the vendor’s business continuity plan. This includes insufficient disaster recovery planning, outdated or untested plans, lack of staff training, and poor compliance management. Regularly review and assess the vendor’s plans to identify issues early and ensure the vendor can recover quickly.
Securing third-party software provider risks: Third-party suppliers, particularly software providers, pose first-party risks for organizations that are often overlooked. Third-party software vendors should follow strict security standards to prevent potential data breaches and cyberattacks. Review the vendor’s security practices and continuously monitor for new vulnerabilities and weaknesses.