
October 2024 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of October 10

In this week's headlines, two financial regulators highlighted third-party risks as a top priority, a third-party ransomware attack impacted more than 200,000 customers, and experts recommended several best practices to prevent third-party cybersecurity incidents. Check out all the news below.

FINRA calls out third-party cybersecurity risks in advisory: The Financial Industry Regulatory Authority (FINRA) highlighted third-party cybersecurity risks in a recent advisory. FINRA pointed to several recent third-party incidents, including the 2023 MOVEit breach, that have impacted member firms. The advisory urged member firms to take steps to protect their organizations from third-party cyberattacks. This includes ongoing risk assessments and monitoring of third parties, updating incident response plans to include third-party incidents, and creating a data inventory to understand what data your third parties can access. 

Three Ivanti vulnerabilities are being actively exploited: Three vulnerabilities in Ivanti's Cloud Service Application are being actively exploited, the company warned. A cybercriminal who successfully exploited them could gain unauthorized access with administrative privileges. Ivanti recommends that organizations update to the latest version and review for any modified or recently added administrative users.

Preparing for third-party cybersecurity incidents: Third-party cyberattacks can cause a lot of damage, particularly if organizations aren’t prepared for the incident. These third-party breaches will likely only continue to grow as cybercriminals become more sophisticated. To be prepared, organizations can follow best practices with business continuity planning, like understanding how third parties are involved in your critical functions, creating backups and contingency plans for those critical functions, and ensuring the business continuity plan addresses third parties. Third parties should also be consistently managed, from risk assessments and due diligence at the beginning of the relationship, through continuous monitoring during the relationship, to safe and secure offboarding.

Best practices to prevent third-party data breaches: Third-party risk management is a key component of preventing data breaches from impacting your organization. Before working with a third party, you should carefully assess the risks of the relationship. It’s also important to set expectations with the third party on your organization’s security standards. This should include ongoing assessments and continuous security training. Following the principle of least privilege can help ensure you don’t share more data than necessary with a third party. A third party’s processes can change over time, which is why it’s important to monitor the third party and set regular check-ins. 

Third-party ransomware attack impacts Comcast customers: A third-party ransomware attack impacted the data of more than 230,000 customers at Comcast. The attack occurred in February on Financial Business and Consumer Solutions (FBCS), which Comcast uses for debt collection. FBCS discovered later in the year that Comcast data had been compromised. The data includes names, Social Security numbers, and Comcast account numbers. 

OCC identifies third-party risks as a key focus area of 2025 examinations: In its 2025 examination priorities, the Office of the Comptroller of the Currency (OCC) listed third-party risks as a key focus area, particularly fintech relationships. Banks should review processes and activities for the third-party lifecycle and pay close attention to critical third-party relationships. Examiners will also focus on third-party payment systems and products and how banks are assessing and mitigating those risks. 

Third-party risks pose challenges to the insurance industry: The insurance industry will face continuous risks in 2025, particularly with artificial intelligence (AI), third-party risks, and cybersecurity. Cyberattacks can devastate organizations, and smaller organizations can be an easy target, as they depend on third parties but may not have cybersecurity or privacy plans in place.

Recently Added Articles as of October 3

It’s been another active week in third-party risk management news! From an exploited third-party vulnerability that disrupted services, to third-party risk lessons from the CrowdStrike outage, to new password guidelines from NIST, there’s much to learn from this week. Check it all out below.

Vulnerability in a third-party application impacts Rackspace dashboards: A zero-day vulnerability was actively exploited in a third-party application, which forced Rackspace, a cloud-hosting provider, to take its monitoring dashboards offline. Cybercriminals were able to access three internal monitoring web servers and limited customer information. The third party has since patched the vulnerability. Rackspace is working to restore full functionality. 

How plan sponsors should mitigate third- and fourth-party risks: Retirement plan recordkeepers rely on third-party vendors for administrative services and tools, so it's important that plan sponsors perform due diligence on these vendors to mitigate risks. This helps plan sponsors remain aware of these subcontractors and which ones have access to data. The Department of Labor recommended that plan sponsors review third parties’ information security practices and policies and audit results. If providers aren’t able to answer questions or complete an assessment, that may be a red flag for plan sponsors. Contracts with recordkeepers should also set requirements for how recordkeepers manage their third parties. 

Mitigating vendor risk in the healthcare industry: The healthcare industry depends on third-party vendors to provide vital healthcare services. However, these vendors also come with data security risks that could leave healthcare organizations vulnerable. Although business associate agreements are useful tools, they can’t prevent a data breach and aren’t enough on their own to manage vendor risks. Use the vendor contract to negotiate liability in the case of a data breach and to set your insurance requirements. After the vendor contract, it’s critical to continuously monitor vendor risks and flag new vulnerabilities as they arise.

Strengthening business continuity after the CrowdStrike outage: The CrowdStrike outage this summer brought valuable lessons in how to mitigate the risks of these types of events occurring with vendors in the future. Business continuity and disaster recovery plans that encompass your organization’s supply chain are crucial to have in place. Organizations should also review their existing vendors’ service level agreements (SLAs) to ensure outages are addressed, including communication and compensation. Organizations may also need to diversify the vendors they use to avoid concentration risk. 

Steps to manage third-party risks: In recent years, organizations have had to take a closer look at cybersecurity risk and evaluate how to manage it. Third-party vendors continue to be an area of weakness for organizations, highlighted by recent third-party data breaches. These incidents can have a significant impact on organizations, including financial losses and reputational damage. As your organization tries to manage this risk, consider who is in your third-party ecosystem, from software to manufacturers and suppliers. You should also understand what each third party does and provides for your organization, including what data they have access to. It’s also important to classify which vendors are critical to your organization’s operations. These steps are an effective beginning to managing vendor risks. 

NIST updates password guidelines: The National Institute of Standards and Technology (NIST) issued new password guidelines, removing the requirements to use a mixture of character types and to regularly change passwords. NIST suggested that credential service providers (CSPs) stop requiring passwords to contain several character types and stop mandating password changes unless there’s been a compromise. In the new guidance, CSPs are also required to stop using knowledge-based authentication or security questions.
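The policy shift described above, as an added example that is not code from this article or from NIST: a legacy checker that enforces character classes and 90-day rotation, beside an updated checker that drops both and forces a change only when the password is known to be compromised. The minimum length of 8 and the two-entry compromised-password list are assumptions made for the example.

```python
import hashlib

# Constructed sample blocklist: SHA-1 digests of passwords assumed to appear in
# a breach corpus. A real deployment would query a breached-credential service.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1!", "Winter2024!")
}

MIN_LENGTH = 8  # assumed floor; the article does not state a minimum length


def legacy_policy(password: str, age_days: int) -> list[str]:
    """Rules the updated guidance drops: character-class mix and periodic rotation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # spaces and symbols
    )
    if sum(classes) < 3:
        problems.append("needs 3 of 4 character classes")
    if age_days > 90:
        problems.append("rotation due")
    return problems


def updated_policy(password: str, age_days: int,
                   compromised: set[str] = COMPROMISED_SHA1) -> list[str]:
    """Rules in line with the guidance summarized above: a length floor, no
    composition rule, and a forced change only on known compromise.
    age_days is accepted only to keep the signature parallel; password age
    is deliberately not a criterion here."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    if digest in compromised:
        problems.append("known compromised: change required")
    return problems
```

Note the inversion: a breached password like "Password1!" satisfies the legacy rules, while a long lowercase passphrase fails them but passes the updated check.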

Third-party vendors and automatic software updates: At the root of the CrowdStrike outage was an automatic software update. Organizations should evaluate their critical vendors and their processes. Many vendors provide real-time updates to protect their customers; however, organizations should collaborate with those vendors to ensure they’re prepared to respond in the event of an outage. Organizations should also consider where they need real-time updates and where updates can be delayed slightly. High-risk systems may require real-time updates, but lower-risk systems are likely okay to be delayed. Remember to review the vendor’s security practices and certifications, like SOC 2 and ISO 27001. 

T-Mobile and FCC reach $31.5 million settlement for data breaches: T-Mobile agreed to a $31.5 million settlement with the Federal Communications Commission (FCC) over four data breaches that compromised consumer information. T-Mobile must invest half of the money ($15.75 million) in cybersecurity improvements and the other half will go to the U.S. Treasury.
