
October 2024 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of October 17

In this week’s news, a healthcare organization was impacted by a third-party data breach, some EU Member States will miss the NIS2 implementation deadline, and experts offered recommendations to mitigate supply chain attacks. Check it all out below.

CISA notes active exploitation of a SolarWinds vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability to its Known Exploited Vulnerabilities catalog. The flaw is in the SolarWinds Web Help Desk software, and there is evidence of active exploitation. A threat actor could exploit the vulnerability to gain unauthorized access to data. Organizations should ensure the latest fixes are applied to protect their networks.

Third-party incidents are impacting cyber insurance: Third-party cybersecurity incidents in 2024 have impacted cyber insurance, according to a new study. One common threat has been the increasing reliance on technology vendors, so cyber insurance providers will likely pay close attention to third-party cyber risk aggregation moving forward. Ransomware in 2024 caused a 14% increase in the severity of cyber insurance claims and business email compromise remained the leading cause of cyber incidents.  

Safe and secure vendor relationships need verification: Many organizations place a lot of trust in their vendors, but sometimes without verification. This can lead to significant vendor incidents that catch organizations off guard and unprepared. Organizations should more closely scrutinize their vendor relationships and assess the risks. While trust is important in vendor relationships, organizations should also verify that vendors follow contractual obligations, set performance expectations, and continually monitor risks. 

EU Member States are delayed in adopting NIS2 requirements: Most European countries will miss the deadline to implement the European Union’s Network and Information Security Directive (NIS 2). The directive includes key requirements, such as supply chain cybersecurity and incident reporting obligations. The deadline for EU countries to transpose the directive in their own laws is October 17, yet only six Member States have incorporated it. Organizations under NIS 2 should still expect to be held accountable to its requirements, even if some Member States don’t have it transposed yet. 

Entry points in programming systems are vulnerable to supply chain attacks: New research has found that entry points in programming systems may be vulnerable to software supply chain attacks. Programming systems include PyPI, npm, and RubyGems. When threat actors target entry points in an attack, they can often sneak in and bypass traditional security defenses. Organizations and their third parties should develop security measures that address these entry-point attacks to protect against supply chain disruptions.

Healthcare organization is impacted in a third-party data breach: A third-party data breach impacted information at Gryphon Healthcare. The breach allowed access to sensitive information, including names, Social Security numbers, health insurance information, and prescription information. The third party provided medical billing services to Gryphon. 

Monitoring vulnerabilities within cloud environments: Organizations are relying on more and more cloud environments, which can create the challenge of identifying and resolving security incidents quickly. To improve real-time detection, security teams should use multi-layered detection strategies like full-stack detection, anomaly detection, and incident correlation. Vulnerabilities should also be viewed with incident data to allow for better risk prioritization. These steps can help organizations catch incidents more quickly and respond more effectively.

Cisco is investigating data breach claims: Cisco is investigating breach claims after a threat actor allegedly started selling stolen data on a hacking forum. The stolen data includes customer information, a database, and various documentation. 

Taking a proactive approach to third-party cybersecurity risks: As more organizations become impacted by third-party data breaches, it may be time to re-evaluate the strategy and approach to mitigating third-party cybersecurity risk. Third-party cybersecurity incidents can damage an organization’s reputation, cause financial losses, and erode trust in third-party relationships. Following a zero-trust strategy can help organizations better respond to third-party risks. This requires all users to be authenticated, authorized, and continuously validated. Proactive measures like this approach can help organizations be more resilient and prepared for third-party incidents. 

Recommendations to mitigate supply chain attacks: Open-source repositories are being increasingly targeted in supply chain attacks, particularly because of a lack of oversight. Experts said one of the biggest challenges to supply chain attacks is shadow IT and the lack of visibility. Organizations need a comprehensive view to understand where third-party risks exist. Security frameworks within an organization should also be extended to third-party partners. Contracts and legal agreements can help ensure third parties follow your organization’s expectations. Experts also recommended robust third-party risk management programs and having a framework in place that identifies and mitigates third-party risks. 

Recently Added Articles as of October 10

In this week's headlines, two financial regulators highlighted third-party risks as a top priority, a third-party ransomware attack impacted more than 200,000 customers, and experts recommended several best practices to prevent third-party cybersecurity incidents. Check out all the news below.

FINRA calls out third-party cybersecurity risks in advisory: The Financial Industry Regulatory Authority (FINRA) highlighted third-party cybersecurity risks in a recent advisory. FINRA pointed to several recent third-party incidents, including the 2023 MOVEit breach, that have impacted member firms. The advisory urged member firms to take steps to protect their organizations from third-party cyberattacks. This includes ongoing risk assessments and monitoring of third parties, updating incident response plans to include third-party incidents, and creating a data inventory to understand what data your third parties can access. 

Three Ivanti vulnerabilities are being actively exploited: Three Ivanti vulnerabilities in its Cloud Service Application are being actively exploited, the company warned. If a cybercriminal was able to successfully exploit the vulnerabilities, it could gain unauthorized access with administrative privileges. Ivanti recommends organizations update to the latest version and review for any modified or recently added administrative users. 

Preparing for third-party cybersecurity incidents: Third-party cyberattacks can cause a lot of damage, particularly if organizations aren’t prepared for the incident. These third-party breaches will likely only continue to grow as cybercriminals become more sophisticated. To be prepared, organizations can follow best practices with business continuity planning, like understanding how third parties are involved in your critical functions, creating backups and contingency plans for those critical functions, and ensuring the business continuity plan addresses third parties. Third parties should also be consistently managed across the entire relationship, from risk assessments and due diligence at the beginning, through continuous monitoring during the relationship, to safe and secure offboarding at the end.

Best practices to prevent third-party data breaches: Third-party risk management is a key component of preventing data breaches from impacting your organization. Before working with a third party, you should carefully assess the risks of the relationship. It’s also important to set expectations with the third party on your organization’s security standards. This should include ongoing assessments and continuous security training. Following the principle of least privilege can help ensure you don’t share more data than necessary with a third party. A third party’s processes can change over time, which is why it’s important to monitor the third party and set regular check-ins. 

Third-party ransomware attack impacts Comcast customers: A third-party ransomware attack impacted the data of more than 230,000 customers at Comcast. The attack occurred in February on Financial Business and Consumer Solutions (FBCS), which Comcast uses for debt collection. FBCS discovered later in the year that Comcast data had been compromised. The data includes names, Social Security numbers, and Comcast account numbers. 

OCC identifies third-party risks as a key focus area of 2025 examinations: In its 2025 examination priorities, the Office of the Comptroller of the Currency (OCC) listed third-party risks as a key focus area, particularly fintech relationships. Banks should review processes and activities for the third-party lifecycle and pay close attention to critical third-party relationships. Examiners will also focus on third-party payment systems and products and how banks are assessing and mitigating those risks. 

Third-party risks pose challenges to the insurance industry: Insurance will face continuous risks in 2025, particularly with artificial intelligence (AI), third-party risks, and cybersecurity. Cyberattacks can devastate organizations, and smaller organizations can be an easy target, as they depend on third parties but may not have cybersecurity or privacy plans in place. 

Recently Added Articles as of October 3

It’s been another active week in third-party risk management news! From an exploited third-party vulnerability impacting services, third-party risk lessons from the CrowdStrike outage, and new password guidelines from NIST, there’s much to learn from this week. Check it all out below. 

Vulnerability in a third-party application impacts Rackspace dashboards: A zero-day vulnerability was actively exploited in a third-party application, which forced Rackspace, a cloud-hosting provider, to take its monitoring dashboards offline. Cybercriminals were able to access three internal monitoring web servers and limited customer information. The third party has since patched the vulnerability. Rackspace is working to restore full functionality. 

How plan sponsors should mitigate third- and fourth-party risks: Retirement plan recordkeepers rely on third-party vendors for administrative services and tools, so it's important that plan sponsors perform due diligence on these vendors to mitigate risks. This helps plan sponsors remain aware of these subcontractors and which ones have access to data. The Department of Labor recommended that plan sponsors review third parties’ information security practices and policies and audit results. If providers aren’t able to answer questions or complete an assessment, that may be a red flag for plan sponsors. Contracts with recordkeepers should also set requirements for how recordkeepers manage their third parties. 

Mitigating vendor risk in the healthcare industry: The healthcare industry depends on third-party vendors to provide vital healthcare services. However, these vendors also come with data security risks that could leave healthcare organizations vulnerable. Although business associate agreements are useful tools, they can’t prevent a data breach and aren’t enough on their own to manage vendor risks. Use the vendor contract to negotiate liability in the case of a data breach and to set your insurance requirements. After the vendor contract is signed, it’s critical to continuously monitor vendor risks and flag new vulnerabilities as they arise.

Strengthening business continuity after the CrowdStrike outage: The CrowdStrike outage this summer brought valuable lessons in how to mitigate the risks of these types of events occurring with vendors in the future. Business continuity and disaster recovery plans that encompass your organization’s supply chain are crucial to have in place. Organizations should also review their existing vendors’ service level agreements (SLAs) to ensure outages are addressed, including communication and compensation. Organizations may also need to diversify the vendors they use to avoid concentration risk. 

Steps to manage third-party risks: In recent years, organizations have had to take a closer look at cybersecurity risk and evaluate how to manage it. Third-party vendors continue to be an area of weakness for organizations, highlighted by recent third-party data breaches. These incidents can have a significant impact on organizations, including financial losses and reputational damage. As your organization tries to manage this risk, consider who is in your third-party ecosystem, from software to manufacturers and suppliers. You should also understand what each third party does and provides for your organization, including what data they have access to. It’s also important to classify which vendors are critical to your organization’s operations. These steps are an effective beginning to managing vendor risks. 

NIST updates password guidelines: The National Institute of Standards and Technology (NIST) issued new password guidelines, removing the requirements to use a mixture of character types and to change passwords regularly. NIST suggested that credential service providers (CSPs) stop requiring passwords with several character types and stop mandating password changes unless there’s been a compromise. In the new guidance, CSPs are also required to stop using knowledge-based authentication or security questions.

Third-party vendors and automatic software updates: At the root of the CrowdStrike outage was an automatic software update. Organizations should evaluate their critical vendors and their processes. Many vendors provide real-time updates to protect their customers; however, organizations should collaborate with those vendors to ensure they’re prepared to respond in the event of an outage. Organizations should also consider where they need real-time updates and where updates can be delayed slightly. High-risk systems may require real-time updates, but lower-risk systems are likely okay to be delayed. Remember to review the vendor’s security practices and certifications, like SOC 2 and ISO 27001. 

T-Mobile and FCC reach $31.5 million settlement for data breaches: T-Mobile agreed to a $31.5 million settlement with the Federal Communications Commission (FCC) over four data breaches that compromised consumer information. T-Mobile must invest half of the money ($15.75 million) in cybersecurity improvements and the other half will go to the U.S. Treasury.
