Stay on top of vendor management news and resources. Find out what you missed and catch up on important information in this blog post.
Recently Added Articles as of May 27
This week brings a lot of focus on cloud vulnerabilities and ransomware attacks. Regulators are facing a rise in complaints, too. A possible repeal of the OCC True Lender Rule will cause some confusion for fintechs and non-bank lenders. We’ve also included a few comprehensive risk reports that are worth reading. Read on to learn more about what else is trending in third-party risk management.
OCC releases virtual compliance risk workshops' schedule for bank directors: The regulator will provide free, virtual compliance risk workshops to community banks' board of directors bringing insight into guidelines and best practices to ensure your compliance risk management program is effective. You can now register for the July and August workshops. And, there are more to come in the fall.
Google joins AAIH to support AI in healthcare: The Alliance for Artificial Intelligence in Healthcare (AAIH) now has the support of perhaps the biggest tech giant after Google enrolled as a new member. Google joins Johnson & Johnson, Roche and Hub Security, among other big names in the healthcare and pharmaceutical industries. AI products are on the horizon for wide implementation in healthcare and other industries. AAIH focuses on discussions around data and technology standards, while also establishing effective regulatory frameworks. Third-party risk management professionals should prepare for the inevitable complexities of vetting AI products and vendors.
Five common threats to the cloud: A recent study reported that there’s been a 630% rise in cloud cyberattacks since January 2020. These breaches come at a huge cost of over $5 trillion within the past two years. This article details five common cloud threats that organizations should understand. One of the most common causes of data breaches is misconfigured AWS S3 buckets. This occurs when administrators allow public access to these “buckets” that contain shared files and other content. Unprotected idle assets are another common threat, which arises when attackers take over unused and unsecured assets that nobody is monitoring. DevOps pipelines with too many permissions can also create cloud exposure. Many engineers are reluctant to deny access, especially when applications and fixes are under tight deadlines. Developers usually need access to privileged credentials, which makes their workstations especially attractive targets. Misuse of authorization completes the list of common cloud threats: there is often a false assumption that individual user accounts are protected simply because group access has been denied.
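The misconfigured-bucket item above is the one a vendor management team can actually check for. The script below is an added example, not code from the article or from the study it summarizes: it parses an S3 bucket policy and a bucket ACL in the JSON shapes the AWS API returns and flags any grant to everyone on the internet. The sample policies, the bucket name and the IAM account id are constructed placeholders. In practice you would feed it the output of `aws s3api get-bucket-policy` and `get-bucket-acl`, and you would still enable S3 Block Public Access at the account level, which overrides both mechanisms.

```python
"""Flag S3 bucket policies and ACLs that grant access to everyone.

Added example (not from the article). The documents are parsed offline in
the JSON shape AWS returns; samples at the bottom are constructed.
"""
import json

# ACL grantee groups that mean "anyone" (AuthenticatedUsers = any AWS account,
# not just yours, so it is effectively public as well).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when a statement's Principal matches every caller on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return the Allow statements (by Sid or index) whose Principal is '*'.

    Statements that carry a Condition are still reported, because a condition
    such as aws:SourceVpc may or may not close the hole; a reviewer must decide.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", f"statement[{i}]"),
                "actions": _as_list(stmt.get("Action")),
                "conditional": "Condition" in stmt,
            })
    return findings


def public_acl_grants(acl):
    """Return (group name, permission) for ACL grants to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def assess_bucket(name, policy_json=None, acl=None):
    """Combine both checks into a single verdict for one bucket."""
    policy_hits = public_policy_statements(policy_json) if policy_json else []
    acl_hits = public_acl_grants(acl) if acl else []
    return {
        "bucket": name,
        "public": bool(policy_hits or acl_hits),
        "policy_findings": policy_hits,
        "acl_findings": acl_hits,
    }


# --- Constructed samples (placeholder bucket and account id, not real) --------
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # the weak setting: anyone may read
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-shared-files/*",
    }],
})

# Hardened form: the same grant scoped to one IAM role in a placeholder account.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-shared-files/*",
    }],
})

OPEN_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}

if __name__ == "__main__":
    for name, pol, acl in [("shared-open", OPEN_POLICY, OPEN_ACL),
                           ("shared-scoped", SCOPED_POLICY, {"Grants": []})]:
        print(json.dumps(assess_bucket(name, pol, acl), indent=2))
```

Running it reports `shared-open` as public on both the policy (`PublicRead`) and the ACL (`AllUsers` READ), while `shared-scoped` is clean. A finding with `"conditional": true` is not automatically a false positive; it means someone has to read the condition before closing the ticket.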
Cloud vulnerabilities are costing millions for organizations: Cloud-based compromises are costing organizations an average of $6.2 million in financial losses every year. A Ponemon Institute survey discovered that most victims of these attacks didn't have processes to evaluate the security of cloud-based resources, nor did they have an established team that was vetting them. The average yearly downtime was 138 hours, and the financial losses could consist of fines, legal fees or managed security service provider costs. Data theft, business disruption and reputational damage are just some of the other risks that can come from a compromised cloud service. Sixty-eight percent of survey respondents also noted that their organizations have a multi-cloud strategy, with an increased focus on data security.
Audio maker Bose suffers ransomware data breach: Bose has disclosed a data breach that occurred in March, while noting that they didn’t make any ransom payment. They obtained the help of third-party cybersecurity experts to restore their impacted systems and determine if any of their data was accessed by attackers. Their investigation revealed that a small number of employees were impacted after their information was accessed on an internal HR spreadsheet. Breach notification letters were sent out to affected individuals and Bose implemented a list of new security measures to help protect against future attacks such as changing passwords for all end-users and enhancing their monitoring and logging to identify any future incidents. Data breaches can affect anyone, but it’s reassuring to see a company take appropriate action after an event.
Insurance carriers grow wary of ransomware policies: Global insurance carrier AXA made headlines earlier this month when it announced its decision to discontinue reimbursements to French companies that made ransomware payments. Insurers are becoming increasingly reluctant to pay out these claims, arguing that they’re just encouraging future attacks. Experts see advantages and disadvantages to these decisions. Their refusal to pay will likely reduce ransomware attacks, but will also unfairly penalize organizations that are unlucky enough to fall victim to these sophisticated cyberattacks, perhaps through their suppliers. Cyber insurance continues to be a popular strategy to mitigate risk, with premiums increasing 22% in 2020, but it’s not intended to take the place of good cybersecurity practices.
Legislators question prudential regulators on challenges: Prudential regulators were questioned on issues of diversity in banking, their response to the pandemic and changing regulations with regard to climate change, cybersecurity and digitization. The Fed is recommending closer examination of a few key points including short-term funding markets, treasury markets and the shifting patterns of customer practices and their use of financial services. It also suggests a closer look at the relationships between banks and their non-bank partners. The OCC highlighted the challenge of digitalization, which needs more attention, and expressed concern over the complacency of banks. The FDIC provided updates on its efforts to react to pandemic-related risks, and the NCUA is hoping for agency examination and enforcement authority over third-party vendors. The hearing also summarized a list of pending bills, most notably the NCUA Oversight of Third-Party Vendors Act.
Cloud vulnerabilities exposed by Russia’s successful hacking: The cloud is here to stay, along with those who will continue to exploit its weaknesses. Last year’s Russian cyberattack on SolarWinds affected more than 100 large companies and U.S. federal agencies and was largely accomplished by attackers compromising cloud and local network identity systems. The cloud is increasingly becoming the default mode for organizations, which means more and more critical data is living on it. Another concern is that the four largest providers of cloud computing services are concentrating technology and security design choices into a small number of organizations, which in turn affects hundreds of millions of users. The Federal Risk and Authorization Management Program (FedRAMP) is responsible for assessing the risk of cloud services used by federal agencies and will likely be strengthened with the application of the recent executive order.
Architecture, engineering and construction not immune to cyber risk: Cybersecurity should be an important consideration for every industry, even the not-so-obvious ones of architecture, engineering and construction (AEC). Third-party document sharing platforms, like Dropbox and Google Drive, are widely used by the AEC industry, and organizations should verify that their shared data is secure. The AEC industry is most at risk from a simple scheme involving fake third-party invoices. In this type of attack, cybercriminals gain access to a vendor’s email accounts and redirect payment instructions to an alternate account. Controls should be put in place to verify the legitimacy of any change in invoicing or wiring instructions, ideally by confirming it through a channel other than the email that requested it. Another type of attack involves the impersonation of a high-level executive to obtain funds from the finance department. Specific cybersecurity controls can include encryption, remote access controls, good data backups and thorough training for end users.
FDCPA lawsuits continue to fall as CFPB complaints rise: Consumers are continuing to voice their complaints to the Consumer Financial Protection Bureau, but are perhaps weary of filing lawsuits over violations of the various consumer protection acts. WebRecon published an interesting set of data which shows that lawsuits alleging violations of the Fair Credit Reporting Act, Fair Debt Collection Practices Act and Telephone Consumer Protection Act were all lower in April 2021 than in the same month last year. The CFPB, however, saw a 26% increase in complaints when comparing those same two months. The most common complaint was directed at debt collectors attempting to collect money not owed.
Verizon provides abundance of data breach information in investigations report: Verizon’s 2021 Data Breach Investigations Report (DBIR) is a hefty one at 119 pages, but provides clear definitions for often vague terms like “incident” and “breach” and compiles all of its findings in an organized way that’s easy to read. Cyber risk management professionals can review a lot of interesting discoveries surrounding the causes and purposes of data breaches. The report found that 85% of data breaches involved a human element, with employees continuing to make these incident-causing mistakes. Credentials and personal information are the data types most desired by criminals, and social engineering is the most successful type of attack. The DBIR highlights the importance of cybersecurity vigilance and some of the challenges that teams may face, including the difficulties of patching and the increasing complexity of attacks. The full report and executive summary can be downloaded here.
Contact tracing vendor gets axed after data breach: Insight Global has officially been terminated by the Pennsylvania Department of Health after the recent data breach impacted over 70,000 individuals and resulted in a class action lawsuit. The vendor’s contract was set to expire in July, but will now end on June 19, further fueling controversy that the termination is too late. Perhaps more consideration should’ve been given to the relationship prior to the disclosure of the PII and PHI, as recommended in the third-party risk management lifecycle.
OCC’s “True Lender” Rule may come to an end: The Senate voted to repeal the OCC’s True Lender Rule, which was designed to clarify some uncertainty regarding whether a national bank or a third party is considered the true lender. Fintechs and other non-bank lenders will now face possible regulatory uncertainty, with legal and compliance requirements decided case by case. While the OCC was confident in its supervisory efforts, critics of the rule believe that it would potentially allow lenders to avoid consumer protection requirements like usury caps by partnering with national banks that have more lax federal rules. The repeal is headed to the House and President Biden, where it’s expected to pass.
Top 5 risks for the finance industry: The new Allianz Financial Services Risk Trends report covers the top 5 risks that the financial services industry is facing. Unsurprisingly, number one is cyber incidents. This encompasses cybercrime, data breaches and even IT failures and outages. Number two is the pandemic outbreak, which includes workforce issues related to health and restrictions on movement. Number three is business interruption, which includes disruptions to supply chains, and number four is regulatory and legislative changes. Tariffs, economic sanctions and even Brexit all factor into this risk. Rounding out the list is macroeconomic developments, which include monetary policies, austerity programs, and deflation and inflation.
Bank of America sets minimum wage for vendor employees: Bank of America vendors are now required to pay their employees at least $15 per hour, 99% of which are already doing so. The bank points to their core tenet of responsible growth and investing in the people who serve their clients as a reason for this change. Bank of America will raise its own US minimum wage to $25 per hour by 2025.
Facebook ruling leads to TCPA guidelines: The recent Supreme Court ruling for Facebook was important in narrowing the scope of the Telephone Consumer Protection Act. The TCPA exists to regulate certain business-to-consumer calls and text messages. Express written consent must be given for marketing calls to cell phones using an autodialer. The Facebook ruling helped to create a clearer definition of autodialer, by stating that it’s a device with the capacity to use a random or sequential number generator, but there is still some debate on what is meant by “capacity.” There are a few simple tips companies can use to help protect against a TCPA lawsuit, the top one being to confirm you’re receiving express written consent. Keeping good documentation as proof that you’ve obtained written consent and confirming that vendors are compliant are also helpful practices to implement. Violations of the TCPA can cost anywhere between $500-$1,500 and can add up quickly, so it’s important to ensure you and your vendors are compliant.
Understanding the cybersecurity Executive Order: The Biden administration’s Executive Order on security continues to be scrutinized by security experts. It’s important to realize that these orders serve as policy roadmaps, but don't hold the power of law. The order prioritized several areas of cybersecurity including private and public partnerships and private cyber breach notification requirements. It also emphasizes the overall modernization of cybersecurity standards through the federal system, which include detection and response criteria of cyberattacks. Another subtle point to notice is that the Biden administration intends to treat information security (both in and out of the federal government) as a national security issue, which many believe is a much needed update to U.S. policy.
Debt collectors face new limitations with recently passed bill: The House of Representatives has passed the new Comprehensive Debt Collection Improvement Act which will amend several existing debt collection statutes and pose new requirements to the industry. The bill would include limitations on electronic communications by collectors and restrictions on credit reporting of a medical related debt. There would also be regulations on debt owed to federal agencies that was sold or transferred to collectors. Some of the existing statutes that would be affected are the Fair Debt Collection Practices Act, Fair Credit Reporting Act, Truth in Lending Act and Consumer Financial Protection Act.
OCC’s Acting Comptroller issues complacency warning against banks and regulators: The OCC’s Semiannual Risk Perspective has projected economic growth for the remainder of 2021 and 2022. Acting Comptroller Michael Hsu is careful to warn banks and regulators against “overconfidence… as we enter a growth phase.” He does however give credit to banks for maintaining their operations during the pandemic. The OCC report highlights that both commercial credit risk and operational risk remain elevated, with an increased supervisory focus on third-party risk management. This was also the first mention of climate change in the Semiannual Risk Perspective, as Hsu has asked OCC staff to consider joining the fed in the Network for Greening the Financial System.
Recently Added Articles as of May 20
We have a lot to cover, with new reports from the OCC and FDIC, as well as their increased pressure to join the Fed in addressing climate change. The Colonial Pipeline cyberattack has taught us all some valuable lessons about cybersecurity and we continue to see articles about environmental, social and governance on both a national and global scale. Read on to discover what made headlines in the world of risk management.
Bizarro malware attacks European and South American banks: Some bank customers in Europe and South America have been the victims of a banking trojan which has stolen their credentials through phony requests for two-factor authentication codes. Visitors to the banks’ websites are also being tricked into downloading a malicious smartphone app. A main component of the malware forces the user off an existing online session and requires a re-entry of banking credentials, which are then captured by the criminals. What’s especially concerning is that the threat actors are using various methods to deter malware analysis and detection.
OCC report highlights pandemic’s effect on federal banking: The OCC’s Semiannual Risk Perspective for Spring 2021 covers how the federal banking industry was impacted by the pandemic. Low interest rates were reported as an emerging risk, which contributed to the strain on profitability. Credit, strategic, operational and compliance risks were also highlighted. Cybersecurity threats have elevated banks’ operational risk, while assistance programs continue to affect compliance risk because of challenges to established practices. The economic effect of the pandemic has impacted credit risk, and banks are taking on strategic risk as they look for ways to improve earnings.
SAP settles with DOJ over Iran sanctions violations: German software company, SAP, is safe from DOJ prosecution, but will have to pay $5.14 million after voluntarily disclosing its thousands of violations relating to the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations. Companies of all sizes should consider a few important lessons regarding complying with U.S. sanctions laws and regulations. First, internet-based companies are required to adhere to certain IP address identification and blocking capabilities. Supply chain due diligence is also a vital component for companies that rely on third-party vendors to distribute their products. In the case of SAP, their partners were responsible for the release of their software to Iranian end-users. Perhaps the biggest lesson is that companies may benefit from voluntary disclosures of violations. The DOJ entered into a Non-Prosecution Agreement with SAP, a first-ever resolution to its Voluntary Self-Disclosure Policy. It seems as though righting a wrong really does pay off in the end.
The Fed is leading others towards climate change policies: The Federal Reserve made news last December when it announced its inclusion in the Network for Greening the Financial System (NGFS). Other bank regulators are now facing increasing pressure to join and are still determining the possible threats they face from climate change. Some observers are hopefully anticipating that the OCC and FDIC will follow the Fed and take a more active approach in combating climate change. The two agencies could benefit from learning how other countries are handling climate risk. However, some believe that the Fed’s involvement with the NGFS is sufficient because they already have access to supervisory best practices and risk modeling. It should also be made clear that joining this network is more about learning and finding data gaps, and doesn’t include regulatory requirements.
European legislation addresses human rights and the environment: International organizations are facing increased criticism for not voluntarily adhering to basic human rights and environmental standards along their supply chains. As a result, mandatory human rights due diligence is gaining wider acceptance throughout Europe. This article covers the highlights of regulatory guidelines in France, the Netherlands, Germany and at the broader EU level. France’s Duty of Vigilance Act requires that companies develop a vigilance plan to review possible human rights violations in their business activities. The Netherlands seeks to prevent child labor with their Child Labor Due Diligence Act. Under this legislation, companies must investigate whether their goods or services have been produced using child labor, as well as develop a plan to prevent this type of activity in their supply chains. Germany’s pending Supply Chain Act is more broad and would require companies to conduct human rights and environmental due diligence in their supply chains. Reporting requirements are also a common theme within these various legislation acts. While there’s still not universal legislation at the EU level, it’s in the works with the EU’s proposed Draft Directive on Corporate Due Diligence and Corporate Accountability.
The impact of cyberattacks on critical infrastructure: The recent attacks and threats on critical infrastructure have highlighted the need for improved healthcare cybersecurity practices. A single exploit or vulnerability can lead to massive disruptions across many organizations. The increase in these types of attacks has prompted a rise in cybersecurity insurance premiums and an emerging trend of providers asking their customers for due diligence to ensure they’re making a safe investment. The healthcare industry should focus on tighter software release controls and inventorying supply chain relationships. It’s also advised to perform a business impact analysis to understand the risks and how to prioritize them. Healthcare providers should use the NIST Cybersecurity Framework as the basis for their cybersecurity program, with an emphasis on continuous improvement and ongoing monitoring.
Colonial Pipeline cyberattack teaches valuable lessons: The recent cyberattack on Colonial Pipeline gave most of us a crash course on ransomware and the massive ripple effects it can cause. In simple terms, a ransomware attack occurs when malicious software is installed on a computer or database system and locks the information behind a ransom paywall. Some criminals even add a layer of blackmail, threatening to release sensitive information unless the ransom is paid. Although this attack hit a large company, businesses of every size are susceptible to these types of incidents. Companies would be wise to create an established cybersecurity framework, which includes an incident response plan and regular testing.
Debt settlement company may face penalties for unlawful fees: The CFPB is hoping for a $5.4 million penalty against DMB Financial for unlawful fees and failing to provide its customers required disclosures. CFPB Acting Director, Dave Uejio, accused the company of targeting consumers who were facing financial struggles by charging illegal upfront fees and being untruthful about the true cost of their services. In addition to the $5.4 million penalty paid to consumers, the other enforcement actions would include a less severe civil penalty of $1 and the prohibition of engaging in deceptive practices. The proposed order can be read here.
Apple’s AirTag device causes privacy concerns: Some believe that the new Apple AirTag has the potential to turn its users into a network of untrained spies. Maybe that’s a little dramatic, but it’s worth noting that this small tracking device (intended for personal items like keys or wallets) can easily be misused in the wrong hands. Some are concerned that they could be used for stalking purposes and of course there’s always the possibility of hacking with an interconnected gadget. The device doesn’t contain GPS technology, but requires the user’s connection to an Apple-operated surveillance network, which already contains a huge number of devices. In other words, each Bluetooth enabled iPhone would be “listening” for AirTags so it could then upload details about the tag’s ID and phone’s location to an Apple server. Users will have to weigh the cost of being able to locate missing items with being a participant in a global surveillance network.
Biden’s Executive Order is a step forward for cybersecurity: The recently signed Executive Order aims to strengthen the federal government’s cybersecurity practices, particularly within the information sharing between federal agencies and their contractors. Some of the highlights include stronger guidelines around critical supply chain software (in large, due to the SolarWinds breach) and a baseline level of security practices for IoT devices which will likely mirror standards set by third-party certification company Underwriters Laboratories. This order marks a huge shift towards more modern practices and opportunities for public and private partnerships.
Boston University compromised by cap and gown vendor: BU is the latest university to be affected by the Herff Jones data breach. As with Towson University, some students and parents noticed unusual credit card activity after purchasing commencement merchandise online. Herff Jones still hasn't confirmed the exact source of the breach.
Research shows disconnect between cybersecurity and risk remediation: A recent research project by Vulcan Cyber reveals that most enterprise cybersecurity and vulnerability management organizations are lacking in their ability to remediate risk and have unacceptable levels of cyber hygiene. One of the key findings was that cybersecurity teams were not proactive in their efforts to address vulnerabilities, instead reacting on a case-by-case basis. Eighty percent of the respondents to the survey lacked the proper tooling to automate vulnerability remediation and 56% lacked the speed and scale necessary to protect their business from hackers. Another surprising statistic found that 46% of respondents didn’t measure vulnerability risk at all or relied on their “gut feelings.” Yikes! The takeaway here is that mature vulnerability remediation programs require the teamwork of all stakeholders to achieve common objectives.
Global risks from counterfeiting and piracy: Counterfeit and pirated goods continue to be on the rise, with widespread impacts on the global economy. These counterfeit components and parts create health and safety risks across many different industries. The pharmaceutical industry is especially at risk of devastating effects from counterfeit goods. Organizations across all industries should be aware of some best practices to address the growing problem of counterfeit goods within a supply chain. Ongoing monitoring and in-depth background checks are helpful in “knowing your supplier or customer”. This includes regular audits of documents, data and facilities, as well as testing and evaluation of sample raw materials. Organizations should also develop standards and guidelines for third-party accreditation. Consideration should also be given to transport operators by establishing contractual terms with effective due diligence to identify the risk of counterfeiting and ensuring that a plan is put in place in the event of a claim.
FDIC Risk Review summarizes emerging risks in U.S. banks: A press release from the FDIC announces the publication of its 2021 Risk Review which details key findings in banking sector risks. The report analyzes how insured institutions fared through the 2020 banking environment and highlights the risks that require continued monitoring. There’s special attention given to community banks, of which the FDIC is their primary regulator.
Statement from Acting Comptroller of the Currency Michael J. Hsu: Newly appointed Acting Comptroller issued a statement as he completed his first day in the role with the OCC. He stated that his focus will be on solving urgent problems as the agency awaits confirmation of the 32nd Comptroller. He also addressed the pandemic, climate change and the increasing concern surrounding complacency about risk taking. A review of regulatory standards will be announced at a later time.
Recently Added Articles as of May 13
There’s a lot to cover this week, starting with the recent ransomware attack on Colonial Pipeline. Regulators continue to focus on ESG issues and you can discover some vendor management best practices. Read on to discover what’s making headlines.
FragAttacks may affect nearly all Wi-Fi devices: Fragmentation and aggregation attacks (FragAttacks) could potentially impact all Wi-Fi security protocols, with three design flaws and several implementation flaws discovered in IEEE 802.11. This technical standard allows laptops, tablets, printers, smartphones and other wireless devices to communicate with each other over wireless networks. These vulnerabilities can be exploited to set up more advanced attacks, although the flaws require user interaction or are limited to uncommon network settings. The Wi-Fi Alliance has reassured users that there isn’t evidence of these vulnerabilities being used maliciously and that they're mitigated through routine device updates.
Remote working leads to increase in application attacks: Cybercriminals have adapted their strategies during the pandemic by focusing their efforts on web applications. These threats made up 67% of attacks in 2020, which has more than doubled over the past two years. The healthcare, manufacturing and finance industries also saw an increase in attacks, which jumped from 11% of all attacks in 2019 to 62% in 2020. Spyware is no longer the most popular malware, with cryptominers taking the top spot. Finance and manufacturing were hit by malware worms, healthcare dealt mostly with remote access Trojans, and the technology sector was the target of ransomware.
Debt collection industry facing a shake up after court decision on third parties: Florida-based debt collector Preferred Collection and Management Services Inc. was ruled to have violated the FDCPA by sending information about a consumer’s debt to collection letter vendor CompuMail Inc. The FDCPA prohibits communication about a debt to a third party, although this has been a regular occurrence in the financial services industry for decades. Back office duties like sending debt collection letters and other notices are often outsourced to vendors. The CFPB issued a rule last year that limits the electronic communication between debt collectors and consumers, although they haven’t yet commented on this particular decision. Joann Needleman, at Clark Hill law firm, states that the entire financial services industry involves vendor management so this decision affects every service provider that provides information to third parties.
Ransomware cyberattack hits Colonial Pipeline: The recent Colonial Pipeline hack is shaping up to be one of the biggest disruptions of national infrastructure in history. The pipeline transports nearly half of the east coast’s fuel supplies, and gas prices are expected to increase if the outage lasts much longer. It might be confusing to some to understand how a pipeline can be hacked. There is quite a bit of digital technology that goes into monitoring and controlling the flow of fuel across hundreds of miles of pipes, with Colonial even utilizing a “smart pig” robot to travel through its pipes to check for irregularities. With all of the technology tied to a central system, there lies an opportunity for attack. Details are still emerging, but it’s likely that hackers gained access to Colonial’s system through the administrative side, via employee email or third-party software. An interesting twist from this event comes from the hackers (identified as DarkSide) issuing an apology, insisting that they only wanted to make money and not disrupt society. This is the same “Robin Hood” group that claims to donate a portion of its extorted money to charity, so perhaps this is another strange attempt at giving back to the less fortunate.
What to ask after your vendor has an outage: If and when your vendor experiences an outage, it helps to know the right questions to ask. You can learn from the situation and communicate the criticality of the technology to your organization’s leaders. First, ask your vendor exactly what happened. Understanding the details of how it unfolded can help you prepare for future incidents. Second, ask why it happened, to help determine whether you have any redundancy built into your process and a backup provider in place. Third, ask about downtime so you can inform your users and partners. Fourth, ask your vendor whether the outage has happened before, which may be grounds for replacement. Finally, ask about the performance of the vendor’s backup plan. It’s important to understand how well your vendor manages its operational risk.
Graduation cap and gown vendor is victim of cyberattack: As if graduating during a pandemic wasn’t stressful enough, upcoming graduates of Towson University are now dealing with the possibility of a data breach. Cap and gown vendor Herff Jones released a notice to students who purchased commencement items online, stating that there have been reports of possible fraudulent activity on some customers’ credit cards. Though it’s not confirmed or mentioned in this article, according to our experts here at Venminder, it’s likely that Herff Jones had outsourced its credit card processing, meaning that a fourth party of Towson University was ultimately responsible for the breach.
Insight Global now facing lawsuit after COVID-19 related data breach: It didn’t take long for the first lawsuit to be filed against the Pennsylvania Department of Health and its contact tracing vendor. After a data breach affected over 72,000 residents, Lisa Chapman of Pennsylvania filed the class action lawsuit alleging that Insight Global and the Department of Health failed to secure residents’ PHI. They supposedly learned about the breach as early as February but waited until April to take action to secure the information. Another claim states that the DOH lacked a competitive bidding process for the $23 million contract given to Insight Global. A more robust vendor management process might have saved the DOH all of this trouble!
NY HERO Act imposes strict employer health and safety requirements: The pandemic-inspired New York Health and Essential Rights Act is expected to go into effect on June 4. The Act requires the New York Commissioners of Labor and Health to create a “Model Plan” intended to safeguard against airborne infectious disease exposure. Employers can implement their own policies, but they must meet minimum standards in areas such as employee health screenings, personal protective equipment and a designated employee to enforce compliance. Penalties for non-compliance are clearly spelled out, with a civil fine of at least $50 per day, or at least $200 per day if the employer has a previous violation. Read the full act here.
Consumer compliance issues highlighted by FDIC: Compliance issues with state non-member banks and thrifts are reviewed in the 2021 Consumer Compliance Supervisory Highlights. All FDIC examinations and industry meetings have been conducted virtually since March 2020. The FDIC also conducted targeted CARES Act assessments for institutions with significant mortgage servicing portfolios and confirmed that they had compliance management systems in place. Seventy-four percent (74%) of 2020 violations were related to TILA, RESPA, EFTA, the Truth in Savings Act and the Flood Disaster Protection Act.
SEC likely to crack down on conflict minerals: As we start to see an increased focus on ESG issues, certain organizations should be especially mindful of the SEC’s conflict minerals rule and plans for the responsible sourcing of these minerals (tin, tantalum, tungsten and gold), which are often extracted from conflict zones and can be used to fuel corruption and forced labor. International organizations can sometimes unknowingly have these minerals in their supply chains, which the regulations aim to reduce. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 includes a section that requires companies to perform relevant due diligence if they source these minerals from the Democratic Republic of Congo; however, it doesn't include specific details about the process. The Dodd-Frank Act instead refers to the OECD Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas as an appropriate framework.
Investigations of big banks predict change at the CFPB: After Wells Fargo and U.S. Bancorp disclosed that they were under investigation, many legal experts are wondering if this suggests a change in the CFPB, leading to more enforcement against big banks. Former Director of the CFPB, Kathy Kraninger, was known for going after smaller firms, which some argued didn't make a big impact. The agency brought 48 enforcement actions last year, which was the second highest total in history, but the penalties were less than 20% of those collected in its peak year. Chi Chi Wu, staff attorney at the National Consumer Law Center, stated the hope and expectation that the CFPB under the Biden administration will expand their reach towards bigger firms.
Vendor management’s responsibility to protect data: The SolarWinds hack and recent Pennsylvania DOH data breach are prime examples of why third-party vendor management is critical to an organization’s security program. Vendor management policies usually involve three components: conducting due diligence on the third party, contractual requirements for the vendor to implement safeguards and monitoring the vendor to ensure compliance. Not only is vendor management a best practice, it’s also a requirement of certain federal laws like the Gramm-Leach-Bliley Act, HIPAA and various other state laws. And, of course, emerging state laws are an additional layer of protection for consumers’ personal data.
Another update on state privacy laws: In the absence of federal privacy legislation, we’ll continue to see a hodgepodge of state privacy laws in various stages of approval. Virginia and Utah have the two most recent laws, both signed in March. VA’s Consumer Data Protection Act closely mirrors California's privacy act (CCPA), while UT’s Cybersecurity Affirmative Defense Act is narrower in scope. Florida’s proposed House Bill 969 is still in the works and also looks similar to the CCPA, with a private right of action for certain data breaches, which seems to be the biggest point of contention in the Florida Senate. Connecticut also has its Senate Bill 893 making its way through the legislature. The Washington Privacy Act of 2021 is still “dead for now” after failing to pass for three years in a row, with disagreement over a private right of action. Also dead is the Oklahoma Computer Data Privacy Act, which saw opposition to an opt-in requirement for consumers to allow their information to be collected.
Financial services industry under pressure to improve third-party risk management: NYDFS is warning that the “next great financial crisis could come from a cyber-attack,” so the financial services industry had better get to work on their third-party risk management programs. A recent report by NYDFS details a widespread cyber campaign in December 2020 by Russian Foreign Intelligence Service actors that was intended to steal sensitive information by installing malware. This supply chain attack opened back doors into thousands of organizations, although it should be noted that none of the NYDFS’s regulated entities’ networks were actively exploited. The report offers several suggestions including adopting a “zero trust” approach and quickly addressing any vulnerabilities to prevent future incidents.
ESG highlights by the SEC: SEC chairman Gary Gensler highlighted two important updates during his Senate confirmation hearing. First is his adherence to the Supreme Court’s definition of materiality. Currently, information is material and should be disclosed when there is a high possibility of a reasonable investor using the information to make an investment or voting decision. Second was his statement about ESG disclosures, which are being requested by shareholders. This suggests that climate risk, human capital and political spending are also material. It’s predicted that there will be SEC guidance and enforcement activity in three areas: voluntary ESG disclosures, assessment of material omissions from SEC filings and accurate disclosures for ESG funds.
Consequences of paying ransom demands: Ransomware attackers are learning that their methods may be working. Giving in to these cybercriminals may lead to more sophisticated ransomware attacks, according to a new report by security vendor Coveware. The report noted that the stolen data isn’t necessarily confidential or sensitive, and those who end up paying are sometimes subject to additional demands. Paying these demands creates a false sense of security and puts organizations at risk for future liabilities. The stolen data acts as proof that they have vulnerabilities, which can create legal obligations for the victims. It’s important to realize that this type of criminal-led economy will only expand as it generates more money from ransom payments.
Recently Added Articles as of May 6
To start off a new month, we bring you plenty of noteworthy headlines. Regulators have been keeping busy as we see an increased focus on environmental, social and corporate governance (ESG) in addition to an update on the OCC Comptroller’s Handbook. Not to mention the resignation of the newly appointed SEC Director of Enforcement. Read on to learn about the latest data breaches in healthcare and an acquisition which will help to standardize third-party risk.
BIOS driver flaws put hundreds of millions of Dell computers at risk: SentinelLabs discovered five high-severity flaws in Dell’s firmware update driver which may be exploited to locally escalate to kernel-mode privileges. These flaws are tracked collectively as CVE-2021-21551, with a CVSS score of 8.8. The vulnerability and remedies are listed in Dell Security Advisory DSA-2021-008. It’s recommended that both enterprise and consumer Dell customers apply the patch as soon as possible. Although a patch was released, the signing certificate wasn't yet revoked, which isn’t considered a best practice because the signed, vulnerable driver can still be loaded and abused in a BYOVD (bring your own vulnerable driver) attack.
Nearly half of all organizations have been affected by third-party breaches: Have you suffered a third-party data breach over the past year? You’re not alone! An alarming new report by SecureLink and the Ponemon Institute finds that 44% of organizations have experienced a third-party data breach over the past 12 months (with 74% admitting that it was caused by providing too much privileged access). Sixty-three percent (63%) of respondents stated that they didn’t even evaluate their third party’s security practices because they had a good reputation. Shockingly, 65% of respondents didn’t know which of their vendors had access to their most sensitive data! SecureLink CEO, Joe Devine, puts it plainly, “Organizations need to stop taking a fingers-crossed approach to third-party security.” Let this be a reminder of why you should prioritize your third-party vendor’s security and privacy practices and ensure that you’re conducting thorough and adequate vetting. A vendor’s reputation is only a small piece of the puzzle.
Teamwork is key for vendor customer service: People often forget that vendor-customer relationships are a two-way street that requires mutual respect and communication. Organizations need to clearly express their customer service needs, and their providers should meet or exceed them. These expectations should be evident throughout all phases of the relationship - from the negotiations and implementation to day-to-day operations and troubleshooting. SC Magazine offers some tips to help you make the most of your vendor relationship. The first practice is to thoroughly vet the vendor’s product and/or service to determine if it’s the best solution for your security objectives. An effective way to identify a company’s needs is to involve the support team during the sales and testing process. On the vendor side, it’s a good idea to provide important details about who to contact with problems or questions. The customer should be aware of the escalation path of a help desk inquiry. It’s also important for both sides to know the customer service do’s and don’ts, such as avoiding hard sales tactics. The next tip relates to the implementation stage, which occurs after the contract is signed. Product training, instruction guides and other multimedia will be beneficial in this process. The original sales/product team should remain in the loop to ensure that the initial implementation went smoothly. The long-term operation phase requires the vendor and customer to remain in communication to resolve any issues and implement future updates. The escalation process should be clearly defined, and vendors should supplement their customers’ knowledge with ways to improve, upgrade and optimize their solutions. Vendors should also encourage user feedback to help improve their products and services.
GOP calls for termination of Atlanta COVID-19 contractor: Pennsylvania GOP leaders didn’t hold back in their criticism of the Atlanta-based contact tracing company that exposed the medical data of tens of thousands of residents. Seventy-two thousand (72,000) residents were affected when employees of Insight Global used unauthorized Google accounts to store names, phone numbers and COVID-19 exposure status of people who were contacted. Pennsylvania plans to drop the company in July when the contract expires but GOP lawmakers are insisting that a new vendor be found immediately. Insight Global has acknowledged that they mishandled sensitive data and offered an apology. Representative Jason Ortitay claims that he contacted the Health Department immediately after being alerted of the situation by a reporter for WPXI-TV. After he didn’t receive a reply, he contacted the governor’s office who then replied several days later, saying that the claims were false.
Proposed regulation by the EU will greatly impact the AI industry: The European Commission is taking bold steps in regulating artificial intelligence. Its new rules and prohibitions for high-risk AI systems, along with suggested fines of up to 6% of annual global turnover, are gaining a lot of interest. Many are speculating how these proposals will affect AI developers and the industries that use them. Data plays a significant role in the development of machine learning, so this regulation is especially relevant to privacy professionals. There are a few initial assumptions that can be made about these proposals. These regulations will provide a new framework for ethical issues like bias mitigation, algorithmic transparency and human oversight of automated machines. Its impact on AI will be similar to the GDPR’s impact on personal data. Data will be at the center of this regulation, which would require providers to apply a wide range of techniques to the datasets used in training, validation and testing of machine learning. AI system providers will also be expected to implement comprehensive governance and risk management controls. This would include the need for regulatory compliance strategies, design procedures and techniques, AI system development and an effective process to evaluate and mitigate the risks that may appear throughout the lifecycle. Conformity assessments would also be required to prove compliance with the regulation’s requirements. There’s also the possibility of uncertainty with user obligations, as the provider’s instructions are not clearly defined in the regulations. Another important takeaway is that the Commission doesn't include a one-stop-shop mechanism, which would have allowed a single lead authority to oversee the compliance of multi-state organizations. This may cause a fragmented supervision of AI systems that are used and marketed across borders. Regulators are increasingly interested in AI throughout the EU, U.S. and other major economies, so it’s worth considering whether your organization has taken the appropriate steps to manage the risks in your AI systems.
WA, OK and FL privacy bills still in limbo: With all of the news surrounding privacy bills, it’s easy to forget that there are still only three states that have successfully passed legislation: California, Virginia and Nevada. Many other states are jumping on board with similar legislation, but have yet to actually pass their bills. This comes as a result of a lengthy negotiation period. The Oklahoma privacy bill failed in the Senate in early April 2021. The main point of contention is a provision that would require businesses to obtain consumer consent to collect, use or sell personal data. Washington state’s privacy act is still on hold because of differing opinions on the limited private right of action. And, Florida pressed the pause button on its privacy bill when the House and Senate passed contrasting versions with and without private rights of action. It’s back to the drawing board for most of these states!
Increased SEC focus on ESG and 10-K disclosures: The SEC has posted five public statements and two press releases on environmental, social and governance (ESG) disclosures over just a few months, so it’s safe to say that this is an area that will continue to receive a lot of attention. The recent creation of a Climate and ESG Task Force in the Division of Enforcement will initially focus on material gaps or false statements surrounding climate risks and will closely analyze disclosure and compliance issues related to the ESG strategies of investment advisors. So, what exactly will be the focus of SEC reviews, enforcement and guidelines? This article offers the perspective of a Chief Legal Officer who states that the SEC will likely begin by focusing on the 2010 interpretive release that provided guidance about how disclosure requirements apply to climate change issues. These disclosures from the 2010 Climate Change Guidance would be included in existing Form 10-K disclosures. A March 15, 2021 SEC Public Statement presented 15 topics for public feedback, 14 of which were directly related to climate change disclosures. Director John Coates of the SEC’s Division of Corporation Finance points out that ESG is both very broad and very specific, because it affects every organization, but in very different ways depending on industry, location and other factors. Therefore, there isn’t a standard set of metrics that covers all ESG issues for every organization. There are three suggested practices for organizations as they prepare and distribute ESG disclosures. First, look at the disclosures from a Rule 10b-5 perspective. This will help avoid misleading statements, and you should be careful not to use materiality as a justification. The second suggestion is to evaluate the precedents that are set by the disclosure. It may be tempting to report all positive trends regardless of materiality and omit any negative trends, but you should consider the Rule 10b-5 effects if these are excluded. Finally, it’s recommended that your Form 10-K or other SEC report align with the disclosure. As an example, consider whether a risk assessment that’s completed during an enterprise risk management process is aligned with the risk factors that are presented in your Form 10-K.
Controversial background of SEC’s Director of Enforcement prompts resignation: The newly appointed Director of the Division of Enforcement, Alex Oh, has resigned less than a week after her hiring. This unexpected departure is the result of her involvement in a previous class action lawsuit between Indonesian villagers and Exxon which allegedly involved human rights abuses. Ms. Oh worked as part of ExxonMobil’s defense team, which labeled the opposing lawyers as “agitated, disrespectful and unhinged” in a deposition. The hiring of Ms. Oh faced backlash from three leading progressive advocacy groups who urged SEC Chair Gary Gensler to reconsider her nomination because of her history of defending corporate clients from securities regulations. Melissa Hodgman will return to the role of Acting Director, but it’s still unclear if this move will be permanent.
Cyberattack forces Scripps Health to suspend patient portals and go offline: Scripps Health is one of the latest health care systems to be attacked by cybercriminals, with widespread consequences. They suspended access to their patient portals and other online applications after their technology servers were attacked. The Scripps main website is also down, with some appointments being cancelled and the San Diego County Office of Emergency Services rerouting ambulances away from Scripps’ facilities as a precaution. Data breaches are often associated with the digital world, but a case like this shows just how far those effects can spread.
The Fed praises the operational resiliency of banks during the pandemic: Resilient banking systems and “strong capital and liquidity positions” have helped to enable recovery from the pandemic, according to the Federal Reserve. These observations were recorded in the Federal Reserve’s supervision and regulation report, which also describes the ways in which banks were able to build additional capital, with most remaining above regulatory minimums.
American credit scores at risk following Experian leak: Despite a halfhearted response from Experian, some researchers fear that nearly every American’s credit score was exposed through an API tool that was apparently left open on a lender site without basic security precautions. The Experian Connect API allows lenders to automate FICO-score queries with just a name, address and date of birth. A student at Rochester Institute of Technology discovered this vulnerability and was able to build a command-line tool that allowed him to automate lookups. Experian claimed to have fixed the unprotected endpoint and insisted the event was isolated to a single client, but researchers are still concerned about other exposed APIs that may be vulnerable to hackers. Security experts are criticizing Experian, accusing it of sloppy app development and pointing out that APIs are already highly susceptible to attack and should have been secured.
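The Experian story turns on an endpoint that answered any caller who could supply a name, address and date of birth. The following is an added illustration for this roundup, not Experian’s code or the actual Experian Connect API, of the difference between that weak pattern and the “basic security precautions” the article says were missing: the lookup is only served after a per-client API key is verified and a per-client rate limit is applied, and every decision is written to an audit trail so that mass enumeration would show up as a spike of throttled or denied calls. The score table, the API keys and the client names are constructed sample values.

```python
"""Added example (not Experian's code or API): a score-lookup handler with and
without basic access controls.  All data below is constructed for the demo."""
import hmac
import time
from collections import defaultdict, deque

# Constructed stand-in for the lender-facing score store (hypothetical records).
SCORES = {
    ("alice example", "1990-01-01", "1 main st"): 720,
    ("bob example", "1985-06-15", "2 oak ave"): 650,
}

# Constructed API keys issued to onboarded clients (hypothetical values).
API_KEYS = {
    "key-lenderA-0001": "lender-a",
    "key-lenderB-0002": "lender-b",
}

RATE_LIMIT = 5          # lookups allowed per client per window
WINDOW_SECONDS = 60.0


def _record_key(body):
    """Normalise the three identifying fields into the dictionary key used by SCORES."""
    return (body["name"].strip().lower(), body["dob"], body["address"].strip().lower())


def lookup_unprotected(request):
    """The weak pattern: anyone who knows the URL and three personal details gets a score."""
    score = SCORES.get(_record_key(request["body"]))
    if score is None:
        return (404, {"error": "no match"})
    return (200, {"score": score})


class LookupService:
    """Hardened form: authenticate the client, rate-limit it, then answer, auditing each step."""

    def __init__(self, api_keys, limit=RATE_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self._api_keys = api_keys
        self._limit = limit
        self._window = window
        self._clock = clock                 # injectable so tests can freeze time
        self._hits = defaultdict(deque)     # client id -> timestamps of recent lookups
        self.audit = []                     # (decision, client) tuples, oldest first

    def _authenticate(self, request):
        """Return the client id for a valid X-API-Key header, else None.
        compare_digest avoids leaking key contents through timing differences."""
        presented = request.get("headers", {}).get("X-API-Key", "")
        for key, client in self._api_keys.items():
            if hmac.compare_digest(presented, key):
                return client
        return None

    def _rate_limited(self, client):
        """Sliding-window limiter: drop timestamps older than the window, then count."""
        now = self._clock()
        recent = self._hits[client]
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._limit:
            return True
        recent.append(now)
        return False

    def lookup(self, request):
        client = self._authenticate(request)
        if client is None:
            self.audit.append(("denied", None))
            return (401, {"error": "missing or invalid API key"})
        if self._rate_limited(client):
            self.audit.append(("throttled", client))
            return (429, {"error": "rate limit exceeded"})
        self.audit.append(("lookup", client))
        score = SCORES.get(_record_key(request["body"]))
        if score is None:
            return (404, {"error": "no match"})
        return (200, {"score": score})


if __name__ == "__main__":
    body = {"name": "Alice Example", "dob": "1990-01-01", "address": "1 Main St"}
    print("unprotected:", lookup_unprotected({"body": body}))
    svc = LookupService(API_KEYS, limit=2)
    print("no key:     ", svc.lookup({"headers": {}, "body": body}))
    good = {"headers": {"X-API-Key": "key-lenderA-0001"}, "body": body}
    for _ in range(3):
        print("with key:   ", svc.lookup(good))
    print("audit trail:", svc.audit)
```

The limiter is deliberately keyed on the authenticated client rather than on the caller’s IP address, so a single leaked key cannot be used to enumerate the whole population at full speed without tripping the limit, and the audit list is the hook a monitoring team would feed into its logging pipeline to spot that enumeration.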
OCC revises “Credit Card Lending” booklet: The OCC recently updated its Comptroller’s Handbook to revise the “Credit Card Lending” booklet. This handbook is used by OCC examiners to review and supervise the banking industry, which includes national banks, federal savings associations and federal branches and agencies of foreign banking organizations. There are four main highlights to the revised booklet. It now reflects the current expected credit loss methods used by some banks and the increasing use of models in credit card originations and risk management. It also lists changes to OCC issuances since the last booklet release. It clarifies edits regarding supervisory guidance, sound risk management practices or legal language, and it revises some general content for clarity.
DOL guidance expected to address lifetime income, environmental, social and other issues: The Department of Labor’s Employee Benefits Security Administration is expected to release more guidance and initiatives this year on a variety of issues. The Department has already announced it wouldn't enforce two rules. The first rule called “Financial Factors in Selecting Plan Investments” states that ERISA plan fiduciaries can’t invest in “non-pecuniary” methods that sacrifice investment returns or undertake extra risk. The second rule, “Fiduciary Duties Regarding Proxy Voting and Shareholder Rights,” outlines the required fiduciary process of making decisions on casting a proxy vote which was enacted under the previous administration. The Department also recently issued two pieces of guidance surrounding investment. The first guidance provided details for questions that a retirement investor might ask providers of investment advice and the second was aimed towards the investment-advice providers who might rely on the exemption which permits fiduciaries to receive compensation for additional types of guidance and advice. Providers using this exemption must be in compliance by mid-December so EBSA will be providing additional guidance in the upcoming months. Defining a fiduciary will also be an area of focus for the Labor Department.
Bank directors angered by potential increase in OCC fines: Remember the Wells Fargo fake account scandal? According to the OCC, a $3 billion settlement apparently isn’t enough. The proposed increases would at least double, and in one case more than triple, the amount initially sought in the settlement. The American Association of Bank Directors isn't happy, to say the least, calling the notice “extraordinarily unfair.” However, the OCC noted when it originally filed its charges that it could increase the penalties at a later date. These cases against bank executives were one of the largest attempts by U.S. regulators to punish individual bankers. Lack of good faith seems to play a role in these higher penalties, as the OCC pointed to the unwillingness of the Wells Fargo execs to accept responsibility for the scandal. Some law experts, like professor emeritus Art Wilmarth, side with the OCC’s decision to seek more money. He’s long been critical of the Justice Department for its failure to prosecute big bank executives after the financial crisis and believes the fines could be increased even more.
Vendor delays disrupt UScellular 5G tests: Operational delays from an unnamed UScellular vendor have prevented the wireless network operator from conducting its planned 5G tests in C-band spectrum. These delays have caused a domino effect, with UScellular requesting the FCC’s permission to extend the testing through January 2022. Other network operators have also requested to conduct similar tests, and they may have a slight advantage over UScellular, provided that they have more reliable vendors and speedier recovery objectives.
Cancer patients affected by cyberattack: We see another example of a cyberattack that wreaks havoc on the healthcare industry. Swedish company Elekta suffered a cyberattack which resulted in the disruption of critical radiation treatments in some health care facilities. Yale New Haven Health System uses the Elekta software in its cancer care machines, which went down for several days. About 42 different U.S. healthcare sites saw similar disruptions because of the breach. Hackers are increasingly targeting hospitals and health care systems, often to obtain patient health information. Other attacks could potentially put patient care at risk if they target medical devices. Elekta accelerated a migration that was already in process as a response to the attack.