November 2024 Vendor Management News

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of November 28

Happy Thanksgiving! A third-party ransomware attack impacted employee processes at Starbucks, fourth-party risk management is becoming a greater priority, and cyber insurance has a bigger focus on third-party security practices. Check out this week’s news below.

Third-party ransomware attack impacts Starbucks in UK grocery stores: Starbucks’ employee processes were disrupted after a ransomware attack on third-party vendor, Blue Yonder. The third party, a software supply chain company, was attacked last week and disrupted several grocery chains in the UK as well. Processes like employee scheduling and hours management were disrupted. 

Managing fourth-party risks: As organizations increasingly rely on third parties, the supply chain network continues to expand to fourth and nth parties. This introduces greater complexities in effectively managing risks, as fourth and nth parties can be more challenging to manage. To help manage these relationships, the third-party contract should include subcontractor relationships and organizations should have processes to identify critical fourth-party relationships. Third parties should be able to demonstrate how they perform due diligence and ongoing monitoring on fourth-party relationships. An up-to-date inventory of fourth parties can also help organizations better identify and monitor the risks. 

Cyber insurance coverage puts a greater focus on third-party security: Third-party security is becoming a great priority for cyber insurance as breaches become more common. Cyber claims exceeding $1 million rose 14% in early 2024, according to a new study, showcasing the rising expenses and frequency of data breaches. Privacy-related class action lawsuits have also tripled in value over the last two years. Many organizations will face cyber insurance premium increases and more coverage limitations. For example, if unencrypted data is breached, insurance may not cover the costs. Third-party liabilities may also be a coverage exception unless there are documented contractual terms with the third party like data security requirements. There should also be a proactive strategy in place to manage third-party risks to limit exposure. 

NIS 2 requirements for digital service providers: The EU’s Network and Information Systems Directive (NIS 2) came into effect in October and requires digital providers, like cloud services and online marketplaces, to have cybersecurity practices in place. This includes incident reporting obligations, requiring prompt notification of any significant cybersecurity incidents to the authorities, with different thresholds depending on the nature of the service the digital provider offers. Digital providers also need to have comprehensive cybersecurity policies and incident response plans which must extend to their supply chain. Vendor risk management practices like identifying vendor criticality, performing due diligence and assessing their vendor’s compliance with NIS 2, and establishing vendor policies is also required to align with NIS 2. 

Delta data impacted in the MOVEit breach from 2023: Delta was impacted in last year’s third-party MOVEit data breach. The data included names, contract information, and office locations. Delta systems weren’t compromised in the breach, but rather the exposed data came from a third-party vendor. 
Google’s AI technology helps spot 26 vulnerabilities: Google said its AI fuzzing tool has helped identify 26 vulnerabilities in open-source code repositories, including one medium-severity flaw. Google said bugs can remain undiscovered for long periods of time and AI technology can help spot what humans may not be able to find. 

Recently Added Articles as of November 21

This week’s news gave best practices to effectively manage third-party risks, to protect against third-party data breaches, and to mitigate supply chain attacks. Check it all out below. 

Ford confirms a third-party breach of non-sensitive data: Ford Motor Company confirmed a third-party data breach that impacted a small batch of data that’s already publicly available. Hackers said in a post on a cybercrime forum that they’d obtained 44,000 customer records from Ford, but the company said there was no breach of its systems or customer data. Ford said the issue with the third-party supplier has been resolved.

UK publishes guidance on failure to prevent fraud: The UK published guidance on its new failure to prevent fraud rules. This guidance holds organizations liable for fraud committed by anyone who provides services for or on behalf of the organization. This can also impact organizations oversees if fraud is committed in the UK or targets people in the UK. It’s important to note that people providing services to an organization (instead of for or on behalf of) aren’t included in this guidance. External lawyers and accountants are examples of this. Also exempt from the guidance are people providing goods to an organization, as those aren’t considered services. The guidance expects organizations to perform risk assessments, due diligence, and monitoring for fraud risks. 

How a zero-trust model protects against third-party data breaches: More and more third-party vendors have access to an organization’s sensitive data, which can put it at a greater risk of being breached. These breaches can result in multiple consequences for organizations, including reputational damage, financial loss, and operational disruption. The risk of a cybersecurity incident isn’t just your organization and the third party, but also their entire network of third parties. Using the zero-trust model in third-party relationships can help manage these risks. This requires all users to be authenticated, authorized, and continuously validated for security. Data should also be protected before it goes to a third party by using best practices like data encryption. 

Strategies to mitigate supply chain risk in the healthcare industry: Supply chain attacks in the healthcare system can disrupt critical operations and care for patients. By targeting one small supplier, cybercriminals can wreak havoc on multiple healthcare systems. To mitigate the risk of these attacks, it’s important to work with third parties on security practices and include them in tabletop exercises and business risk analyses. To minimize the risk of relying on one vendor too much, healthcare organizations should identify alternative suppliers they can use.  

New privacy feature in Brave allows data deletion: Brave Browser in iOS introduced a new privacy feature that allows users to delete site-specific browsing data. It works on a single site, so data can be shredded in one place without impacting other sites. There are restrictions with Apple, so some data may still remain on people’s devices. 

New security updates released for Palo Alto Networks: Palo Alto Networks released security updates for two actively exploited vulnerabilities. CISA added the vulnerabilities to the Known Exploited Vulnerabilities catalog and federal agencies are required to patch systems by December 9. Organizations should also seek to apply the security updates as soon as possible to protect their systems.

Why real-time data is critical for third-party risk management: Effective third-party risk management requires more real-time risk monitoring and knowing when to walk away from a supplier that’s too risky, according to experts at a recent panel discussion. Many organizations rely on manual efforts to manage third-party risks, but it’s important to use a data-driven approach with automation and external reports for real-time information. Organizations also need to know when they’ll walk away when the risk of a third-party relationship is too great to overcome.

New ransomware targets corporate networks: A new ransomware exploits memory management functions for more sophisticated and stealthy attacks on victims. The ransomware is believed to have been used at least once to target an organization. 

Recently Added Articles as of November 14

This week’s headlines highlighted several third-party data breaches, including more fallout from last year’s MOVEit breach and two healthcare data breaches. Check out this week’s news below.

Medical records compromised in a third-party data breach: Over 300,000 patients' records of protected health information were compromised after a third-party data breach at Presbyterian Healthcare Services. The healthcare organization’s third party was a law firm that stored information including Social Security numbers, medical record and patient account numbers, and health insurance information.

Stolen data from third-party MOVEit breach posted on the dark web: The 2023 MOVEit breach is still causing ripple effects for several organizations. A threat actor posted at least 25 datasets on a hacking site, which includes millions of records. The stolen data encompasses organizations like Amazon, MetLife, and US Bank. The stolen data is employee information, which includes names, email addresses, and phone numbers. About 2.8 million Amazon records were allegedly exposed in the dataset, making it the most of any other company so far.

Adopting a proactive strategy for third-party risk management: Third-party risk management is a critical activity for organizations to perform as the reliance on third parties grows. It’s becoming more of a necessity to combat third-party risks proactively, with continuous monitoring of their activities and risks. Risk intelligence can be a useful tool to monitor third-party risks and prevent problems before they become a larger issue.

The threat of third-party data breaches at financial institutions: Cybercriminals are turning to third parties that have weaker defense practices in place in order to gain access to financial institutions. Experts at a recent summit said financial institutions are now requiring risk management frameworks for their third parties. As the use of third parties increases, the attack surface expands, which forces financial institutions to consider their third parties’ security practices. 

CISA alerts to patched vulnerability: A now-patched critical security flaw with Palo Alto Networks was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. The vulnerability allows attackers to take over administrative Expedition accounts. CISA said the vulnerability has been actively exploited, which Palo Alto said it’s looking into. Organizations should look to apply the patch as soon as possible.

Third-party data breach impacts a healthcare organization: A third-party data breach impacted healthcare organization TriHealth. The records are from an OB/GYN group that joined the healthcare organization in 2020. The information includes names, addresses, Social Security numbers, and claims and clinical information. 

Recently Added Articles as of November 7

In this week’s news, Nokia investigates claims of a third-party data breach, a UK regulator urges financial institutions to be prepared for third-party operational resilience, and a majority of critical security flaws are due to third parties. Check out all of this week’s news below.

Third-party risk is becoming a top concern for financial institutions: Third-party risk and resilience are crucial elements for financial institutions to consider and review, according to a recent report. The report said third-party risk became one of the top risks in the financial industry, which is likely due to several high-profile third-party incidents and breaches. Regulators also require the financial industry to manage third-party risks. Financial institutions should perform risk assessments, particularly with high-risk third parties, and ensure third parties have strong security practices in place. Reviewing third-party contracts and including provisions around security, business continuity, and performance can also help mitigate the risks. 

Nokia investigates a possible third-party breach: Nokia is investigating a potential third-party data breach after a hacker claimed to have stolen source code. The hacker said it gained access to the data from a third-party contractor that helped Nokia develop internal tools. There’s no evidence at this time that the hacker has the data, but Nokia is still investigating the claims.

UK financial regulator urges operational resilience after CrowdStrike incident: New guidance from the UK Financial Conduct Authority (FCA) is warning financial institutions to be prepared for third-party tech outages. The guidance comes after the CrowdStrike incident over the summer, which caused massive outages after a faulty update. The FCA said financial firms that already need to comply with operational resilience were better positioned to recover after the CrowdStrike incident. The regulator emphasized that financial firms need to focus on operational resilience and have well-defined and tested strategies. 

New malware imitates phone calls from financial institutions: A new version of an Android malware uses voice phishing to trick people into handing out sensitive information. The attack can take complete control of a mobile device and victims are tricked into calling fraudulent phone numbers. The malware can imitate financial institutions with a new, lower interest loan offer. The malware is extremely sophisticated, so people should use extreme caution when giving out any personal information over the phone.

DocuSign exploited to send fake invoices: Cybercriminals are creating and distributing mass fake invoices that appear genuine by bypassing email security protections from DocuSign. When victims sign the fake documents, threat actors are able to authorize payments. This type of abuse has happened frequently at DocuSign, which should always be reported when spotted. Use caution when signing any documents you didn’t expect, and always verify the email and its sender before clicking links.

Third-party privacy risk can lead to an increased risk of data breaches: Privacy is becoming a greater expectation for organizations to follow, including ensuring third parties adhere to privacy regulations and expectations. Organizations often share sensitive data with third parties or outsource tasks, like database management, to third parties. Experts said this can often lead to third-party data breaches, which is why it’s important to review data practices and how much data they share with third parties. 

Third-party cybersecurity risk poses a threat to organizations: Cybersecurity is an increasingly important focus for organizations as more data breaches occur and impact sensitive information. Third-party cybersecurity risks in particular can pose danger to organizations that don’t assess and monitor their third parties. Organizations should seek to hire employees that can help mitigate these risks and use technology to aide their processes. 

More than 78% of critical security debt is due to third-party vulnerabilities: A new study said 50% of financial institutions have high-severity security flaws in their apps. These vulnerabilities can be exploited and lead to costly data breaches for financial institutions. This includes third-party code vulnerabilities, which accounts for 78.6% of critical security debt. If a third-party breach occurs due to a vulnerability, financial institutions may be held accountable for noncompliance with regulatory requirements.