Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of October 31
Happy Halloween! In this week’s headlines, regulators emphasized the importance of managing third-party risks, experts offered tips for compliance, and two third-party data breaches impacted thousands of people. Check it all out below.
Developing a compliant third-party risk management framework: Third-party risk is a key focus for regulators in the financial industry, especially when it comes to operational resilience and the ability to withstand third-party disruptions. Banks should develop practical plans to manage third-party risks through a third-party risk management framework. This focuses on the process of managing risks instead of eliminating them altogether. Banks should also develop contingency plans to ensure they’re equipped to handle any third-party incidents.
NCUA chairman notes increased third-party cybersecurity risks: After an annual cybersecurity briefing, National Credit Union Administration Chairman Todd Harper gave a statement that noted the risks of third-party providers. Seven out of ten cyber incident reports made by credit unions were related to the use of a third party. Third-party data breaches and ransomware attacks have impacted credit unions and emphasize the importance of managing third-party risks. The NCUA has advocated for the ability to oversee third-party service providers because of the growing risks.
Telecommunication service providers are hacked: The U.S. has said that Chinese hackers breached commercial telecommunication service providers. The affected companies were notified and the U.S. provided technical assistance. Other details weren’t immediately available.
How to manage third-party risks: Managing third-party risks is an essential activity for South African organizations, according to experts at a recent webinar. Organizations are facing increasing cybersecurity risks, particularly from their third-party suppliers. Third-party risk management helps ensure third parties aren’t your organization’s biggest risk. This includes activities like risk assessments and monitoring. However, manual third-party risk management activities are time-consuming and don’t always catch ongoing changes in a third party’s environment. The experts advised looking at tools and technologies to automate these processes.
Insurance company experienced a third-party data breach: Brighthouse Life Insurance Company was impacted by a third-party data breach. An administrator used by Brighthouse disclosed information to an unauthorized party, which was later breached. Data breach letters were sent to impacted customers.
Third-party data breach impacts more than 800,000: A third-party administrator for several large insurance firms said its cyberattack in May exposed the data of more than 800,000. This information included Social Security numbers and tax identification numbers. The third party is still investigating the incident.
How financial institutions can mitigate third-party cybersecurity risk: The financial industry increasingly relies on third-party vendors to provide products and services. However, financial institutions need to secure not only their own systems, but ensure third parties maintain robust security standards. It’s important to have a vetting process in place for vendors and ask questions about the vendor’s security posture and practices. Financial institutions should take an “assumption of breach” mentality and always be prepared to respond. Incident response plans should account for third-party vendors and the plan should be tested periodically.
Banking malware can bypass anti-fraud measures: A new variant of banking malware can bypass anti-fraud measures and continues to be active despite law enforcement attempts to crack down. The malware is typically distributed through phishing emails.
SEC releases 2025 examination priorities: The Securities and Exchange Commission (SEC) released its 2025 examination priorities, with several mentions of third-party risks. Broker-dealers, investment companies, and clearing agencies should expect SEC examiners to look at third-party relationships and how firms are managing those risks. Third-party cybersecurity risk is also a focus for 2025 and how firms are safeguarding their operations from the risk.
Recently Added Articles as of October 24
As we approach the end of October, remember to brush up on cybersecurity practices for National Cybersecurity Awareness Month. This week’s headlines offered tips for preventing third-party data breaches, complying with the EU’s regulatory requirements, and using cybersecurity frameworks to combat third-party AI risks. Check out all the news below.
Energy sector is at high risk of supply chain attacks: The energy sector in the U.S. is at a high risk of supply chain attacks, according to a new study. Forty-five percent (45%) of the industry’s breaches this past year were third-party breaches. The global average this past year was 29%. The majority of the energy sector’s attacks included third parties that were breached more than once.
Preparing for third-party cybersecurity risks in healthcare: October is National Cybersecurity Awareness Month and it’s a great time to bring awareness to third-party cybersecurity risks in the healthcare industry. Threat actors often target third parties to gain access to multiple healthcare systems at once. Healthcare organizations should follow third-party risk management practices to mitigate risks. This includes reviewing your third-party risk management governance, conducting periodic technical, legal, policy and procedural reviews of the third-party risk management program, and preparing for third-party incidents through planning and testing.
Mitigating third-party privacy risks: U.S. and global privacy laws are presenting interesting compliance challenges in third-party risk management. It’s important for organizations to consider privacy risks with their third parties, and consider how often they monitor third parties, what information they gather, and whether they have the right resources in place to address third-party risks. Digital advertising technology (adtech) is one area that presents third-party privacy risks to organizations. Adtech provides organizations with data on web traffic, website visitors, marketing effectiveness, etc. Including adtech in third-party risk management can be challenging because there’s often not a direct service agreement in place. Organizations should apply third-party risk management principles to adtech use, including risk identification and assessment, data protection standards, and access control and monitoring.
Using real-time intelligence to identify third-party vulnerabilities: Supply chain attacks are growing in frequency and the risks need to be mitigated. However, static risk assessments and due diligence processes can miss ongoing changes in a third-party vendor. Organizations need proactive, real-time monitoring of their vendors to assist. Using software can help organizations get real-time intelligence. Integrating this into vendor risk management processes helps identify whether vendors are being targeted or where their vulnerabilities lie.
Apple vulnerability could allow attackers to access personal user data: A patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework is likely being exploited to bypass user security preferences. Apple addressed the vulnerability in the macOS Sequoia 15 update. TCC prevents apps from accessing user personal data without consent, but the bug could allow attackers to bypass the requirement and access the data. Users should be sure to apply the latest updates as soon as possible.
Complying with the EU’s third-party requirements and preventing cyberattacks: The European Union Agency for Cybersecurity pointed to supply chain risks as a top threat. Various EU laws, such as the General Data Protection Regulation, Digital Operational Resilience Act, and NIS 2, emphasize the importance of managing third-party risks to prevent incidents like cybersecurity attacks. It's recommended that organizations implement measures like data protection clauses in third-party contracts, clear policies and procedures to manage third-party risk through the entire lifecycle, and a process to identify critical third parties.
Report warns healthcare organizations of concentration risk: Healthcare organizations should be cautious of depending on a single system or process for critical activities, according to Forrester researchers in a recent report. This can lead to high levels of concentration risk, which can disrupt an entire healthcare organization’s operations. Researchers noted that relying on one or two technology vendors can create a single point of failure. The report said organizations should inventory third parties and contracts and be aware of any mergers or acquisitions of technology vendors.
New York Department of Financial Services issues guidance on AI and third-party AI risks: The New York Department of Financial Services (NYDFS) issued industry guidance on artificial intelligence (AI) and its cybersecurity risks. The guidance doesn’t impose any new requirements on organizations, but rather is intended to be a guide. Threat actors can use AI to launch more sophisticated attacks; organizations can expose nonpublic information by using AI; and organizations can be exposed to third-party vulnerabilities with AI tools and applications. The NYDFS reminded organizations in the guidance of their regulatory duty to mitigate cybersecurity risks, including AI risks. The regulator recommended using risk assessments to identify AI risks, maintaining and testing plans to respond to cybersecurity incidents, and ensuring senior management understands the AI risks. To combat third-party artificial intelligence risks, organizations should review their policies and procedures to ensure they address due diligence and contractual provisions.
Government contractor pays a fine after a third-party data breach: A U.S. government contractor will pay more than $300,000 to the Justice Department for claims it violated cybersecurity rules after a third-party data breach. The Justice Department alleged the third party wasn’t compliant with the Department of Health and Human Services’ cybersecurity requirements, leading to the breach that compromised medical information.
Recently Added Articles as of October 17
In this week’s news, a healthcare organization was impacted by a third-party data breach, some EU Member States will miss the NIS2 implementation deadline, and experts offered recommendations to mitigate supply chain attacks. Check it all out below.
CISA notes active exploitation of a SolarWinds vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability to its Known Exploited Vulnerabilities catalog. The flaw is in the SolarWinds Web Help Desk software and there’s evidence of active exploitation. A threat actor could exploit the vulnerability and gain unauthorized access to data. Organizations should ensure they have the latest fixes applied for network security.
Third-party incidents are impacting cyber insurance: Third-party cybersecurity incidents in 2024 have impacted cyber insurance, according to a new study. One common threat has been the increasing reliance on technology vendors, so cyber insurance providers will likely pay close attention to third-party cyber risk aggregation moving forward. Ransomware in 2024 caused a 14% increase in the severity of cyber insurance claims and business email compromise remained the leading cause of cyber incidents.
Safe and secure vendor relationships need verification: Many organizations place a lot of trust in their vendors, but sometimes without verification. This can lead to significant vendor incidents that catch organizations off guard and unprepared. Organizations should more closely scrutinize their vendor relationships and assess the risks. While trust is important in vendor relationships, organizations should also verify that vendors follow contractual obligations, set performance expectations, and continually monitor risks.
EU Member States are delayed in adopting NIS2 requirements: Most European countries will miss the deadline to implement the European Union’s Network and Information Security Directive (NIS 2). The directive includes key requirements, such as supply chain cybersecurity and incident reporting obligations. The deadline for EU countries to transpose the directive into their own laws is October 17, yet only six Member States have incorporated it. Organizations under NIS 2 should still expect to be held accountable to its requirements, even if some Member States haven’t transposed it yet.
Entry points in programming systems are vulnerable to supply chain attacks: New research has found that entry points in programming systems may be vulnerable to software supply chain attacks. Programming systems include PyPI, npm, and RubyGems. When threat actors target entry points in an attack, they can often sneak in and bypass traditional security defenses. Organizations and their third parties should develop security measures that address these entry-point attacks to protect against supply chain disruptions.
Healthcare organization is impacted in a third-party data breach: A third-party data breach impacted information at Gryphon Healthcare. The breach allowed access to sensitive information, including names, Social Security numbers, health insurance information, and prescription information. The third party provided medical billing services to Gryphon.
Monitoring vulnerabilities within cloud environments: Organizations are relying on more and more cloud environments, which can create the challenge of identifying and resolving security incidents quickly. To improve real-time detection, security teams should use multi-layered detection strategies like full-stack detection, anomaly detection, and incident correlation. Vulnerabilities should also be viewed with incident data to allow for better risk prioritization. These steps can help organizations catch incidents more quickly and respond more effectively.
Cisco is investigating data breach claims: Cisco is investigating breach claims after a threat actor allegedly started selling stolen data on a hacking forum. The stolen data includes customer information, a database, and various documentation.
Taking a proactive approach to third-party cybersecurity risks: As more organizations become impacted by third-party data breaches, it may be time to re-evaluate the strategy and approach to mitigating third-party cybersecurity risk. Third-party cybersecurity incidents can damage an organization’s reputation, cause financial losses, and erode trust in third-party relationships. Following a zero-trust strategy can help organizations better respond to third-party risks. This requires all users to be authenticated, authorized, and continuously validated. Proactive measures like this approach can help organizations be more resilient and prepared for third-party incidents.
Recommendations to mitigate supply chain attacks: Open-source repositories are being increasingly targeted in supply chain attacks, particularly because of a lack of oversight. Experts said one of the biggest challenges in defending against supply chain attacks is shadow IT and the lack of visibility. Organizations need a comprehensive view to understand where third-party risks exist. Security frameworks within an organization should also be extended to third-party partners. Contracts and legal agreements can help ensure third parties follow your organization’s expectations. Experts also recommended robust third-party risk management programs and having a framework in place that identifies and mitigates third-party risks.
Recently Added Articles as of October 10
In this week's headlines, two financial regulators highlighted third-party risks as a top priority, a third-party ransomware attack impacted more than 200,000 customers, and experts recommended several best practices to prevent third-party cybersecurity incidents. Check out all the news below.
FINRA calls out third-party cybersecurity risks in advisory: The Financial Industry Regulatory Authority (FINRA) highlighted third-party cybersecurity risks in a recent advisory. FINRA pointed to several recent third-party incidents, including the 2023 MOVEit breach, that have impacted member firms. The advisory urged member firms to take steps to protect their organizations from third-party cyberattacks. This includes ongoing risk assessments and monitoring of third parties, updating incident response plans to include third-party incidents, and creating a data inventory to understand what data your third parties can access.
Three Ivanti vulnerabilities are being actively exploited: Three Ivanti vulnerabilities in its Cloud Service Application are being actively exploited, the company warned. If a cybercriminal were able to successfully exploit the vulnerabilities, they could gain unauthorized access with administrative privileges. Ivanti recommends organizations update to the latest version and review for any modified or recently added administrative users.
Preparing for third-party cybersecurity incidents: Third-party cyberattacks can cause a lot of damage, particularly if organizations aren’t prepared for the incident. These third-party breaches will likely only continue to grow as cybercriminals become more sophisticated. To be prepared, organizations can follow best practices with business continuity planning, like understanding how third parties are involved in your critical functions, creating backups and contingency plans for those critical functions, and ensuring the business continuity plan addresses third parties. Third parties should also be consistently managed, from risk assessments and due diligence at the beginning of the relationship, continuous monitoring during the relationship, and safe and secure offboarding.
Best practices to prevent third-party data breaches: Third-party risk management is a key component of preventing data breaches from impacting your organization. Before working with a third party, you should carefully assess the risks of the relationship. It’s also important to set expectations with the third party on your organization’s security standards. This should include ongoing assessments and continuous security training. Following the principle of least privilege can help ensure you don’t share more data than necessary with a third party. A third party’s processes can change over time, which is why it’s important to monitor the third party and set regular check-ins.
Third-party ransomware attack impacts Comcast customers: A third-party ransomware attack impacted the data of more than 230,000 customers at Comcast. The attack occurred in February on Financial Business and Consumer Solutions (FBCS), which Comcast uses for debt collection. FBCS discovered later in the year that Comcast data had been compromised. The data includes names, Social Security numbers, and Comcast account numbers.
OCC identifies third-party risks as a key focus area of 2025 examinations: In its 2025 examination priorities, the Office of the Comptroller of the Currency (OCC) listed third-party risks as a key focus area, particularly fintech relationships. Banks should review processes and activities for the third-party lifecycle and pay close attention to critical third-party relationships. Examiners will also focus on third-party payment systems and products and how banks are assessing and mitigating those risks.
Third-party risks pose challenges to the insurance industry: The insurance industry will face continuous risks in 2025, particularly with artificial intelligence (AI), third-party risks, and cybersecurity. Cyberattacks can devastate organizations, and smaller organizations can be an easy target, as they depend on third parties but may not have cybersecurity or privacy plans in place.
Recently Added Articles as of October 3
It’s been another active week in third-party risk management news! From an exploited third-party vulnerability impacting services, third-party risk lessons from the CrowdStrike outage, and new password guidelines from NIST, there’s much to learn from this week. Check it all out below.
Vulnerability in a third-party application impacts Rackspace dashboards: A zero-day vulnerability was actively exploited in a third-party application, which forced Rackspace, a cloud-hosting provider, to take its monitoring dashboards offline. Cybercriminals were able to access three internal monitoring web servers and limited customer information. The third party has since patched the vulnerability. Rackspace is working to restore full functionality.
How plan sponsors should mitigate third- and fourth-party risks: Retirement plan recordkeepers rely on third-party vendors for administrative services and tools, so it's important that plan sponsors perform due diligence on these vendors to mitigate risks. This helps plan sponsors remain aware of these subcontractors and which ones have access to data. The Department of Labor recommended that plan sponsors review third parties’ information security practices and policies and audit results. If providers aren’t able to answer questions or complete an assessment, that may be a red flag for plan sponsors. Contracts with recordkeepers should also set requirements for how recordkeepers manage their third parties.
Mitigating vendor risk in the healthcare industry: The healthcare industry depends on third-party vendors to provide vital healthcare services. However, these vendors also come with data security risks that could leave healthcare organizations vulnerable. Although business associate agreements are useful tools, they can’t prevent a data breach and aren’t enough on their own to manage vendor risks. Use the vendor contract to negotiate liability in the case of a data breach and to set your insurance requirements. After the vendor contract, it’s critical to continuously monitor vendor risks and flag new vulnerabilities as they arise.
Strengthening business continuity after the CrowdStrike outage: The CrowdStrike outage this summer brought valuable lessons in how to mitigate the risks of these types of events occurring with vendors in the future. Business continuity and disaster recovery plans that encompass your organization’s supply chain are crucial to have in place. Organizations should also review their existing vendors’ service level agreements (SLAs) to ensure outages are addressed, including communication and compensation. Organizations may also need to diversify the vendors they use to avoid concentration risk.
Steps to manage third-party risks: In recent years, organizations have had to take a closer look at cybersecurity risk and evaluate how to manage it. Third-party vendors continue to be an area of weakness for organizations, highlighted by recent third-party data breaches. These incidents can have a significant impact on organizations, including financial losses and reputational damage. As your organization tries to manage this risk, consider who is in your third-party ecosystem, from software to manufacturers and suppliers. You should also understand what each third party does and provides for your organization, including what data they have access to. It’s also important to classify which vendors are critical to your organization’s operations. These steps are an effective beginning to managing vendor risks.
NIST updates password guidelines: The National Institute of Standards and Technology (NIST) issued new password guidelines, removing the requirements to use a mixture of character types and to change passwords regularly. NIST suggested that credential service providers (CSPs) stop requiring passwords with several character types and stop mandating password changes unless there’s been a compromise. In the new guidance, CSPs are also required to stop using knowledge-based authentication or security questions.
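To make the shift described above concrete, here is an added example (not from the original article or from NIST) that contrasts a legacy policy built on character-class rules and forced rotation with a policy aligned to the updated guidance: length bounds, a breached-password blocklist, and a forced change only when a compromise is known. The minimum and maximum lengths and the sample blocklist are the example's own assumptions.

```python
"""Added example: legacy password policy beside one aligned with the updated
NIST guidance (no composition rules, no scheduled rotation).  The length
bounds and the blocklist below are assumptions, not values from the article."""
import re
from datetime import date, timedelta

# Constructed sample blocklist standing in for a real breached-password corpus.
BLOCKLIST = {"password", "p@ssw0rd!", "letmein", "qwerty123"}


def legacy_policy(password: str, last_changed: date, today: date) -> list[str]:
    """Rules the new guidance drops: a character-class mix and 90-day expiry.
    Returns a list of policy violations (empty means the password passes)."""
    problems = []
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    if today - last_changed > timedelta(days=90):
        problems.append("password expired, rotation required")
    return problems


def nist_policy(password: str, compromised: bool = False,
                min_len: int = 8, max_len: int = 64) -> list[str]:
    """Rules aligned with the updated guidance: length bounds (assumed values),
    a blocklist check, and a change required only after a known compromise.
    No character-class requirement and no calendar-based expiry."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears in breached-password blocklist")
    if compromised:
        problems.append("credential reported compromised, change required")
    return problems


def compare(password: str, last_changed: date, today: date) -> dict[str, list[str]]:
    """Evaluate one password under both policies side by side."""
    return {
        "legacy": legacy_policy(password, last_changed, today),
        "nist": nist_policy(password),
    }


if __name__ == "__main__":
    today = date(2024, 10, 1)
    # A long passphrase fails the legacy policy but passes the updated one.
    print(compare("correct horse battery staple", date(2024, 1, 1), today))
    # A short, leaked password passes the legacy rules yet fails the blocklist.
    print(compare("P@ssw0rd!", today, today))
```

The second case is the point of the guidance: a password that satisfies every composition rule can still be one attackers already hold, which is why the blocklist check replaces the character-class rule rather than supplementing it.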
Third-party vendors and automatic software updates: At the root of the CrowdStrike outage was an automatic software update. Organizations should evaluate their critical vendors and their processes. Many vendors provide real-time updates to protect their customers; however, organizations should collaborate with those vendors to ensure they’re prepared to respond in the event of an outage. Organizations should also consider where they need real-time updates and where updates can be delayed slightly. High-risk systems may require real-time updates, but lower-risk systems are likely okay to be delayed. Remember to review the vendor’s security practices and certifications, like SOC 2 and ISO 27001.
T-Mobile and FCC reach $31.5 million settlement for data breaches: T-Mobile agreed to a $31.5 million settlement with the Federal Communications Commission (FCC) over four data breaches that compromised consumer information. T-Mobile must invest half of the money ($15.75 million) in cybersecurity improvements and the other half will go to the U.S. Treasury.