
September 2023 Vendor Management News


Stay up-to-date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of September 28

In this week’s headlines, it’s clear that strong third-party risk management programs are crucial! Several organizations experienced third-party data breaches, artificial intelligence is becoming a bigger third-party risk, and strengthening your supply chain means looking at the weakest link. There’s so much more to read about, so check out all the news below.  

Attackers try to give developers malicious code from GitHub: Cyberattackers have been using faked commit messages to get into GitHub repositories and inject malicious code. The messages are designed to look like they were generated by GitHub’s automated dependency management tool, which identifies and addresses code vulnerabilities. When attackers can plant fake messages that look legitimate, developers end up pulling in malicious code. These attacks were likely automated. Use extreme caution when pulling and using code from any site, even trusted sites like GitHub.

CFPB issues artificial intelligence guidance for issuing credit: The Consumer Financial Protection Bureau (CFPB) issued new guidance on using artificial intelligence to determine whether or not to extend credit. Any creditors that rely on AI or other credit models to make a determination are still required to follow the Equal Credit Opportunity Act and the Fair Credit Reporting Act. Creditors can't rely solely on these types of models, and they must provide applicants with accurate and specific reasons. They also can’t use CFPB sample adverse action forms and checklists to generate an AI opinion.

Denver Airport’s third-party risk management found to be lacking: A recent audit found that the Denver International Airport isn’t monitoring its third-party IT vendors enough. There are no documented policies or procedures, centralized tracking system, or service level agreement requirements for contracts. Unfortunately, that makes the large airport an easy target for cyberattacks. The airport has agreed with the audit results and said it would implement changes. Managing third-party risk should be a priority for every industry, including airlines.  

Australia regulatory agency asks financial institutions to step up third-party risk management: The Australian Prudential Regulation Authority (APRA) warned financial institutions to step up third-party risk management, especially in cybersecurity. Due diligence should be completed before the contract is signed, and third parties should be able to follow leading cybersecurity standards. Access to third parties should be controlled and only given when necessary. Ongoing monitoring is especially important as new vulnerabilities pop up every day. With financial services being such a prime cyberattack target, it’s important to ensure third parties are prepared and secure. 

National Student Clearinghouse breach impacts hundreds of schools’ data: One victim of the MOVEit breach ended up impacting 890 schools across the country. National Student Clearinghouse (NSC) filed its breach notification letter with the state of California. Stolen information includes Social Security numbers, student ID numbers, and some school-related records. NSC provides third-party services like reporting, research, and data exchange to thousands of high schools and universities.  

NFT marketplace victim of a third-party data breach: NFT marketplace OpenSea disclosed that a third-party data breach exposed information related to users’ OpenSea API keys. Details of the cyberattack weren’t given, including who the breached third party is. Users were asked to replace their current key with a new one. All current keys will expire on October 2. OpenSea is the second largest NFT marketplace.

Cybersecurity agency and NFL ramp up cybersecurity to prepare for Super Bowl: What’s one of the biggest events of the year and also one of the biggest cyberattack targets? The Super Bowl! The U.S. Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the NFL to conduct a cybersecurity tabletop exercise for the event. Because fans are trying to buy tickets online and log in to stadium Wi-Fi, big events like this can be easy targets. The exercise involved scenarios like a phishing attack, ransomware, and a data breach.  

Crypto analytics company experiences third-party data breach: Nansen, a crypto and blockchain analytics company, was the victim of a third-party data breach that impacted 6.8% of its customers. Hackers were able to obtain admin rights and gain access to email addresses, some password hashes, and in some cases blockchain addresses. Wallet funds were unaffected. The vendor wasn’t named, only that it’s used by many Fortune 500 companies to manage data. Nansen asked all impacted users to change their passwords.

Third-party AI risks continue to increase: As artificial intelligence services become more widespread, the risks are increasing. A new report from MIT Sloan Management Review revealed that 78% of organizations use third-party AI services and 55% of AI failures come from third-party tools. It’s important for your organization to define and expand responsible AI programs. As the use of third-party AI services increases, your organization should evaluate third parties’ AI practices and the security behind their tools. Regulations are beginning to be released, so organizations should be prepared to follow regulatory frameworks and best practices. A structured risk management approach can help mitigate third-party risks.  

Lessons in the social engineering attack on Caesars’ third-party IT vendor: Since its ransomware attack a couple of weeks ago, Caesars Entertainment confirmed that it was a third-party social engineering attack on an outsourced IT vendor. Attackers gained access to Social Security and driver’s license numbers from Caesars’ loyalty program. The organization then allegedly paid a multi-million-dollar ransom. This costly incident is a reminder of the vulnerabilities third parties introduce. It’s important to ensure that your third parties have conducted security awareness training for their employees, require multi-factor authentication, and have incident response plans. Your organization should have strict access controls with third parties and regularly audit your third parties to check their security and penetration testing. These simple social engineering attacks can cause serious damage!

Third-party artificial intelligence services present new risks for organizations: Artificial intelligence as a third-party service will only continue to grow as the technology continues to revolutionize industries. It’s important to be mindful of the different risks that come with using third-party AI services. Contracts should include risk assessment frameworks, monitoring and auditing requirements for the AI services, and technical safeguards. If a third party isn’t transparent about how its AI model is trained, organizations should use caution with proceeding. 

International Criminal Court is the victim of a cyberattack: The International Criminal Court (ICC), which holds highly sensitive information on war crimes, was the victim of a data breach. The ICC didn’t give much information on what was taken in the attack. They only shared that they are taking steps to resolve it.

Executives expect greater supply chain cyberattacks next year: Organization executives are expecting an increase in the number and size of cyberattacks on the supply chain next year. A new Deloitte poll showed that 44% of C-suite and other executives are expecting the increase. Organizations should aim to get better visibility through third-party risk assessments. Nearly half of respondents perform these assessments, but that number drops dramatically to about 21% when it comes to repeating those assessments annually.

How to strengthen your supply chain’s weakest link: An increasingly complex supply chain is putting an increased focus on fourth parties. Your vendors likely have their own critical vendors. You can’t just manage the vendor’s risk; you must manage their vendors’ risks as well. Otherwise, your organization’s supply chain is vulnerable to cyberattacks. The wide introduction of artificial intelligence adds another layer of complication to the supply chain, particularly around data sharing and model training. It’s more important than ever to have a strong vendor risk management program that identifies vendor risk and criticality. This is a huge task, so automated platforms and tools can be extremely helpful in creating a streamlined program.

Recently Added Articles as of September 21

Third-party data breaches dominated the headlines this week, impacting casinos, United Kingdom police, and cryptocurrency. The White House is looking to address cybersecurity regulations, attackers are trying to exploit new vulnerabilities, and one bank is facing a hefty fine for its lack of due diligence. There’s a lot more to catch up on this week, so check it all out below!  

White House looks to tackle cybersecurity regulations: You may have noticed that the White House is taking a bigger role in cybersecurity recently. The administration is trying to establish standard cybersecurity regulations and technical standards. It’s a big task. First is to create a framework for a single set of standards for organizations to follow. Cybersecurity regulations can span from state to state, and can even differ at a federal level, but a full overhaul of cybersecurity regulations may require Congress to get involved. This task is likely to take years, so organizations will just have to wait and watch for regulatory changes.  

Third-party data breaches in different industries can impact financial institutions: Third-party data breaches are jeopardizing organizational security, and they’re becoming more common. Financial institutions are no exception to this, and the information hackers steal can be used to open fraudulent bank accounts. Even breaches in the retail industry can lead to banking headaches, as bank account and Social Security numbers are leaked. Financial institutions should monitor compromised credentials and maintain a list. Payment cards can also be compromised and those should also be monitored. Banks should use these tools to protect customer data that’s compromised in a breach.  

Critical Juniper vulnerability leaves organizations at risk: About 12,000 Juniper firewalls and switches are vulnerable to a code execution flaw that attackers can exploit. This critical vulnerability allows attackers to execute code without authentication. Updates were recently released that address the vulnerability. Those who use Juniper should apply these updates as soon as possible.

Ransomware group is encrypting Azure cloud storage: The BlackCat ransomware gang is using stolen Microsoft accounts to encrypt Azure cloud storage. Using a stolen one-time password from LastPass, attackers can change security policies and encrypt Azure Storage accounts. This sophisticated hacking group is behind many successful breaches, so organizations should monitor their security and watch for any new updates.  

United Kingdom police officer information is stolen in a third-party breach: Greater Manchester Police badge details were compromised in a third-party data breach. The supplier of the badges was the victim of a ransomware attack. Officers’ names, photos, and serial numbers were compromised. This mirrors another attack on London’s Metropolitan Police when hackers accessed a vendor’s IT systems. There was a third attack on officers in Northern Ireland as well. Breaches impact every industry, so it’s crucial to know your third-party vendors and do your cybersecurity due diligence.  

Review your HR vendor’s contract for privacy compliance: Have you reviewed your HR vendor contracts recently? You could be at risk of violating California’s privacy law if employee data rights aren’t covered. With extended protections passed earlier this year, employees now have the same rights that consumers have had. Data provided to HR vendors, like payroll information, could be interpreted as selling data. HR vendors must agree to meet California’s requirements on what they can use the data for and that they’re compliant in processing it.  

Puerto Rico bank fined for lack of due diligence on foreign financial institutions: A Puerto Rico bank has to cough up a hefty $15 million fine for violations of the Bank Secrecy Act. The action comes from the Treasury Department’s Financial Crimes Enforcement Network (FinCEN). It’s the first time FinCEN has enforced a 2021 rule that requires minimum anti-money laundering program standards for banks that don’t have a federal regulator. The bank failed to complete due diligence on foreign financial institutions and high-risk customers.

Will generative AI be protected by copyright? It isn’t likely: One of the biggest issues posed by generative artificial intelligence (AI) is potential copyright infringement. The U.S. Copyright Office has held that AI-generated works aren’t eligible for copyright protection. If there’s only a small amount of AI involved in the creation of a piece, it must be disclosed to the Copyright Office. A D.C. District Court upheld this viewpoint in a recent opinion. Since AI-generated work isn’t likely to be protected, organizations should exercise caution when using it.  

Casino and hotel company Caesars suffers a third-party cyberattack: Caesars Entertainment was recently the victim of a third-party cyberattack. Attackers gained access to the hotel and casino organization’s loyalty program database, which included Social Security numbers. Bloomberg reported that Caesars made a ransom payment to the attackers. The third party was an IT support vendor. These types of attacks are becoming increasingly common. It’s crucial to perform due diligence on vendors and then continuously monitor their risk. This is the second recent attack on a casino, as MGM Resorts deals with the fallout of its own attack.

New sanctions announced on Russian technology companies: The Russia supply chain is getting even more complicated as the U.S. announced 100 new sanctions against financial institutions, industrial base entities, and technology suppliers. The sanctions focused on those benefiting from supporting and sustaining the war in Ukraine. Organizations should use extreme caution with foreign third parties that are tied to Russia. It’s crucial to perform due diligence on third-party vendors located in foreign countries, including checking industry news and alerts. Otherwise, organizations could face regulatory penalties in the U.S. and other countries that have sanctions.

Attackers target Teams messages to lure employees into phishing: A new phishing campaign is targeting corporations using Teams messages. Attackers send phishing messages over Teams with malicious links that lead to a file on SharePoint. An open-source tool allows the attackers to send messages to external organizations. Several security updates were made to address the threat, but people should still use caution with clicking unfamiliar links.   

Third-party data breach at crypto company puts wallets at risk: After a third-party data breach at crypto payments company Fortress Trust endangered clients’ wallets, another crypto company stepped in to repair the damage. Ripple, which has acquired Fortress Trust, restored clients’ wallets; there were no breaches of Fortress technology or systems. The breach was traced back to a third-party vendor’s cloud tool.

Cannabis sales in New York could cause headaches for banks: Banks receiving payment from cannabis sales in New York could face regulatory penalties. A new law in New York allows the city to fine landlords if they knowingly lease space to people who illegally sell cannabis. This could extend to the banks that finance these properties or properties like illegal smoke shops. Banks should use caution and do their due diligence on properties and retail clients.  

Recently Added Articles as of September 14

This week’s headlines brought helpful news on what to do when issues arise in third-party risk management. There are red flags to look for with technology service providers, steps to take to prepare for a vendor business unexpectedly closing, and crucial lessons to learn from the MOVEit breach. There’s also been new cyberattacks, discovered vulnerabilities, and compliance updates, so check out all of the news below! 

GitHub vulnerability exposes repositories to attacks: A new GitHub vulnerability may have exposed repositories to cyberattacks. An attacker could gain control of a repository and create new accounts with the same username to upload malicious repositories and attack software supply chains. GitHub addressed the issue on September 1 by preventing users from creating a repository with the same name as many other repositories.  

MGM Resorts impacted by apparent cyberattack: A reported cybersecurity issue at casino operator MGM Resorts has shut down multiple computer systems, impacting almost every part of MGM’s operations. This includes reservation and booking systems, electronic key cards, and casino floors. The casino floors are back online, but booking systems still appeared to be down. MGM said it notified law enforcement and shut down its systems to protect data, but no further information on the incident was given.

Red flags to look for with technology service providers: More and more organizations are using technology service providers for crucial business operations, but when those relationships fail, it can lead to severe disruptions. If the provider has unreliable communication, like vague answers or slow responses, it can indicate a lack of commitment. And if the provider isn't proactive, issues may go unaddressed. To help, your provider should offer a detailed project plan before a project begins, and you should be sure to offer a clear vision so the delays don’t come from you! Frequent bugs in the technology, and no support after the project, are other things to watch out for. Before you contract the vendor, be sure to do your due diligence to catch red flags before they’re an issue.  

Proactive third-party risk management is an important team effort: What’s one of the best defenses to operational risk at organizations? What is third-party risk management! As organizations evaluate their third-party risk management programs, they should share data and intelligence across departments for better decision-making on third parties. Find your critical third parties and proactively manage the risk – sometimes software is a great solution for this as it automates the risk analysis process. Move beyond point-in-time data and use real-time risk monitoring. Real-time vendor alerts can move your organization from being reactive to proactive. Third-party risk management isn’t a silo. It involves everyone in the organization working together.  

Microsoft to stop allowing third-party printer drivers: In its Windows update, Microsoft will block third-party printer drivers. This is an effort to strengthen security of Windows as printer driver vulnerabilities can bring significant security risks. In 2025, Microsoft will no longer accept driver submissions from printer vendors, and then in 2026, Microsoft will prioritize Windows Internet Printing Protocol Class drivers.  

Study finds critical vulnerabilities in university websites: A study of 20 university websites found that they were extremely vulnerable to a cyberattack. These sites have more than a million monthly visitors, and six of the universities are in the top 100 list. The study found that universities were late in deploying security updates and some had significant vulnerabilities. It’s important to invest in a secure online presence and update services that patch vulnerabilities.  

Managing third-party risks should be a top priority: It’s increasingly challenging to manage third-party risks as the supply chain becomes larger and more complex. And one weak vendor in the chain can lead to data breaches, fines, and reputational damage. Following the third-party risk management lifecycle and using tools to automate tasks can be a huge help. Do your due diligence on new vendors and outline compliance in the contract. Continuously monitor compliance and have an exit strategy in place in case it’s needed. Cybersecurity has become an obligation for all organizations, and it extends to even small vendors and fourth parties. Using software tools to help manage this growing challenge will help your organization stay safe.   

Healthcare organizations must be prepared for a cyberattack: What should a healthcare organization do in the event of a cyberattack to prioritize patient safety? The Joint Commission released suggested actions that healthcare organizations need to take in the event of a cyberattack. Organizations should implement business continuity and disaster recovery plans and annually evaluate them. The Commission also suggested a downtime planning committee and downtime plans and procedures. All staff should be trained and prepared for an attack. Healthcare organizations should review existing incident response plans to ensure they’ve accounted for items like downtime.  

Financial institutions should evaluate OFAC compliance: Compliance continues to be a high priority for organizations, and compliance with the Office of Foreign Assets Control (OFAC) should be no exception. Financial institutions and other organizations subject to the regulator should conduct a risk assessment to determine compliance needs, as well as reevaluate compliance on an ongoing basis. Things like improper due diligence on customers and clients and exporting to U.S. sanctioned countries are red flags for OFAC and can lead to enforcement actions. 

FDIC releases a new examination tool: The Federal Deposit Insurance Corporation (FDIC) announced a new tool that will exchange examination planning and compliance information. The Banker Engagement Site will allow banks to communicate with FDIC staff and exchange documents and information. The site is only designed for the consumer compliance examination process.  

Apple releases updates to patch vulnerabilities: Apple released emergency security updates to address two zero-day vulnerabilities that could lead to a malicious attack. Specific details weren’t given because of active exploitation. These types of bugs and vulnerabilities are becoming more and more common. It’s important to keep software updated and be aware of new updates that address vulnerabilities.  

Cisco identifies a software vulnerability: Cisco is warning of a vulnerability being exploited in its Adaptive Security Appliance and Firepower Threat Defense software. It can be exploited remotely and gives attackers access to username and password pairs. The vulnerability can be used in brute force attacks. Cisco is working on updates that address the vulnerability, which was identified last month.

MOVEit breach teaches importance of vendor incident management: At this point, we’ve all heard about MOVEit and the massive breach that impacted thousands of organizations. This major incident makes it clear how important vendor management is. For many organizations, MOVEit was the vendor of a vendor – a fourth party. Those parties are easy to miss, even though they may handle your critical data. During your due diligence, it’s crucial to know what vendors will use to process your data. Data breaches are almost inevitable and so it’s good to have a solid contract that addresses incident response and obligations. And incident response plans should address vendor incidents and vulnerabilities. Cybersecurity breaches may be inevitable, but you can have a good plan in place!  

Your design vendor suddenly closed. What’s next? A vendor unexpectedly announced it’s closing its doors and your organization is left scrambling. It’s not an uncommon scenario, especially in the design industry. Financial stress builds up before a shutdown, but if the vendor is private, you won’t see the financials. Still, there are warning signs you can look for to be prepared. As the supply chain slowly returns to normal, look for empty shelves. Track your documents and communication with the vendor to set a baseline. If things suddenly change – slower delivery, not meeting orders – there could be problems. Recent layoffs can also be a sign, so it’s good to have news alerts and watch for any issues. Reviews and Google Alerts can provide early indications. It’s always good to diversify your supplier base and have a backup plan in place in case a vendor suddenly shuts down. An exit strategy in the contract is a great best practice.  

New interagency rule proposed on long-term debt amounts: The federal banking agencies are looking to prevent more bank failures with a new proposed interagency rule. The rule would require large banking organizations to issue and maintain minimum amounts of long-term debt. The rule was adopted unanimously, but if it’s finalized it will require a three-year transition period. Comments on the rule are due by November 30, 2023.  

New tool will allow cybersecurity professionals to emulate attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) partnered with MITRE to offer an open-source tool that mimics cyberattacks on operational technology. Cybersecurity professionals will be able to test and strengthen their defenses with the tool.  

Recently Added Articles as of September 7

In this week’s news, we’re reminded why it’s so important to have a vendor exit strategy in place in advance of contract termination. There are lessons learned from the bank failures earlier this year, and agency-issued research has discovered common themes. ESG issues continue to heat up, third-party verification and monitoring remains important, and so much more. Read on!  

Phishing kit bypasses multi-factor authentication, attacking Microsoft 365 accounts: Threat actor W3LL created a phishing kit that compromised over 8,000 Microsoft 365 corporate accounts, causing millions in financial loss. Keep an eye on your corporate 365 account… and be sure your vendors are doing the same! 

California Privacy Protection Agency shares draft rules: Recently, the California Privacy Protection Agency (CPPA) shared cybersecurity audits and risk assessment draft rules in preparation for this month’s board meeting. The rules will likely become a part of California Consumer Privacy Act’s second rulemaking package. Some of the proposed requirements would include documented and detailed risk assessments, updating risk assessments due to material changes in processing activities, annually submitting the risk assessment for a compliance certification, and more.  

Third-party verification is crucial: In today’s interconnected landscape, organizations rely on complex networks of third-party vendors for products and services. Due to this vendor reliance, organizations are exposed to a variety of risks, including fraud, corruption, environmental and social, and regulatory. To successfully mitigate these risks, it’s crucial for organizations to verify and monitor their vendors, ensuring compliance with relevant laws and standards, especially as sanctions become more prevalent.

Reacting to third-party problems: On average, organizations partner with ten third-party vendors to manage their necessary business operations. And an attack on any of your vendors can affect all vendors, creating a domino effect, which is why organizations must successfully manage risk associated with these vendors. To help, it’s important to implement security awareness training. Security awareness training organization-wide ensures your organization and its employees can stay in compliance, which assists with reducing risk.  

Update on the Nevada Consumer Health Data Privacy Act: The governor of Nevada signed the Consumer Health Data Privacy Act, which will go into effect on March 31, 2024. The Act establishes restrictions and responsibilities for regulated entities regarding the collection, processing, sharing, and sale of consumer information and specifically applies to regulated entities dealing with public health information (PHI). 

California’s data broker law to be amended: California is working on amending its current data broker law, with the Delete Act. The Act will affect data broker compliance obligations, likely increasing those under the state’s data broker law and California Privacy Rights Act. It will also affect enforcement authority over data broker provisions, giving authority to the California Privacy Protection Agency.  

Themes discovered that contributed to the recent bank failures: Since the Silicon Valley Bank, Signature Bank, and Republic Bank failures earlier this year, many agencies have issued reports covering factors that contributed to the bank failures and areas to keep in mind moving forward. Some of the findings covered include concentrations/diversification, stress testing, compensation, and risk management/chief risk officer. Regarding risk management/chief risk officer, you can expect more regulatory focus on the CRO position in large and mid-size banks. The bank collapses continue to be analyzed, but it’s clear… banks can expect an increase in enforcement actions and more stringent examinations.  

Minimize onboarding struggles with offshore third-party vendors: Organizations often face challenges when onboarding offshore vendors, including investing significant time in educating vendors on expectations, lack of context about the vendor’s market and goals, communication barriers, and more. To ensure a seamless integration with offshore vendors, several best practices are recommended which include treating vendor onboarding like employee onboarding, planning for a smooth onboarding, fostering long-term relationships, securing your investment, and communicating effectively.  

A New York school district scrambles to find a new bus vendor: North Alleghany school district’s third-party bus contractor abruptly cancelled their contract, leaving officials scrambling to find a solution before school started. District officials reached out to eleven contractors and have been able to restore bus service to two schools. The district transports over 8,500 students, so the loss of transportation was a hardship for many families who relied on bussing to get their children safely to school. This reiterates the importance of establishing a vendor exit strategy well before you sign the contract. It should include a replacement plan with next steps should you suddenly lose a vendor product or service.  

ESG reporting criteria expanded to include human rights: Many of the voluntary ESG standards overlap with mandatory reporting criteria in various jurisdictions such as Canada, the EU, U.S., and Australia. When organizations are required to disclose information in one jurisdiction, they can enhance their ESG profile by also adhering to internationally recognized ESG metrics. Organizations already reporting under these standards can often repurpose their reports to meet regulatory standards. Current best practices involve aligning reports on human rights and supply chain management, and staying informed on the latest ESG developments will ensure that your organization and its third-party vendors stay compliant.

Resolve human rights violations through arbitration: Human rights obligations primarily fall on sovereign states, and corporations are responsible for adhering to international human rights standards. However, corporations may struggle to define the scope of obligations that involve both private and public elements and may not be well-equipped to handle certain human rights issues. Despite these challenges, business and human rights arbitration can be valuable in enforcing human rights requirements within third-party contracts, especially in supply chains.  

ESG issues continue to heat up: After the 2022 mid-term elections, the Congressional Republicans announced that their oversight agenda would include ESG issues. Fast forward to 2023, and their focus on ESG issues has increased. In February, they established an ESG Working Group that is primarily focused on protecting capital markets from ESG considerations. Throughout this year, there have been many oversight hearings and document requests too, and there is more to expect this fall. Ensure your organization stays up to date on the latest ESG regulations that may come into play.

Notorious malware platform is taken down: U.S. authorities have announced that an international law enforcement operation has taken down the “Qakbot” malware platform, which was discovered over a decade ago and is believed to have originated from Russia. This platform was widely used by cybercriminals in an array of financial crimes. The U.S. Department of Justice operation, nicknamed Duck Hunt, involved the FBI and over 6 other countries to investigate. Evidence shows that Qakbot malware had infected over 700,000 victim computers and caused hundreds of millions of dollars in damages to various businesses. 

Consumer privacy race continues with new FCC task force: The FCC is working on creating a Privacy and Data Protection Task Force. This task force aims to coordinate efforts across the FCC to address privacy and data protection challenges in the ever-changing digital world. The creation of this task force highlights the need for consistent and adaptive privacy oversight in an era of constant connectivity.  

Overview of the malware loaders used in the first half of 2023: In the first half of 2023, cybercriminals used 7 malware loaders to attack. These include QakBot, SocGholish, Raspberry Robin, Gootloader, Chromeloader, Guloader, and Ursnif, with 30% of intrusions coming from QakBot. Interesting data!

Artificial intelligence best practices: It's believed that by 2026 over 75% of large organizations will infuse AI into various processes to heighten efficiency, streamline processes, and more, but there are still significant risks and dangers of AI such as accuracy, transparency, and privacy. Organizations must establish AI governance to ensure AI risks are identified and assessed. NIST recommends these 5 best practices: create transparent documentation, policies, and procedures; empower employees through training; commit to a culture that considers and communicates AI risk; integrate a feedback mechanism into system design and implementation; and keep tabs on third parties. If your organization plans on utilizing AI, be sure to review the AI Risk Management Framework and ensure you have a plan in place to mitigate any risks that may arise.
