
September 2024 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of September 12

Two third-party data breaches have impacted more than 2 million people, federal regulators are paying close attention to data privacy, and organizations can prepare for third-party incidents by following several best practices. Read this week’s news and headlines below. 

Third-party data breach impacts almost 1 million: A third-party data breach impacted the information of more than 946,000 people at CMS. The third party, Wisconsin Physicians Service Insurance Corporation (WPS), gave notice of the breach in July 2024; however, it stemmed from the MOVEit breaches of 2023. At the time, WPS investigated its systems but didn’t find evidence of exploitation. WPS didn’t discover until 2024 that a threat actor had gained access to files. Some of the information compromised included names, Social Security numbers, and Medicare beneficiary numbers.

Preparing for third-party vendor outages and incidents: The CrowdStrike outage in July reminded organizations that even large vendors can be vulnerable to issues arising. Before the next incident can occur, organizations should reevaluate who their critical third-party vendors are and their business continuity and disaster recovery plans. Testing various scenarios should include situations where a vendor’s service is no longer available. Incident response plans should also be tested alongside key vendors. Vendor risk assessments can help your organization understand the levels of vendor risks and what must be done to protect your organization. 

Using collaboration to mitigate third-party cybersecurity risks: Third-party incidents can cause your organization’s operations to come to a halt. Cybercriminals have heavily targeted third-party vendors as they're often the weaker links in the supply chain. Many organizations may treat due diligence simply as a check-the-box exercise, or they may not have a clear view of critical fourth-party vendors. One strategy to better mitigate third-party risks is for organizations to work together and share critical information about impending and ongoing attacks. How can organizations band together to share information on third-party vulnerabilities and work to protect that third party? This strategy may not apply in every instance, but a willingness for organizations to work together could help mitigate third-party cyberattacks.

How financial institutions can protect against cyberattacks: Financial institutions have long been the target of cyberattacks and the industry is second only to healthcare for the average cost of a data breach. Financial institutions have to protect their systems while also complying with a growing regulatory landscape. It’s recommended to follow cybersecurity best practices, like regular security audits, hardware-based authentication, and advanced email filters to detect issues.

Almost 1.7 million impacted in a third-party data breach: A third-party vendor that handles payments for U.S. and Canadian organizations reported a data breach impacting almost 1.7 million people. Hackers were able to access Slim CD’s network for almost a year. Compromised data includes credit card information and physical addresses. However, the information didn’t include card verification numbers, which lessens the risk of credit card fraud. Because Slim CD is a third party, many people likely didn’t directly use the organization. 

Federal regulator focuses on privacy and third-party data usage: The Federal Trade Commission (FTC) has focused more on data privacy in recent months, particularly how organizations use customer data. A recent order against Avast banned the sale or licensing of any web browsing data for advertising purposes. The order also includes two Avast subsidiaries. The FTC is considering identifiable browsing information to be sensitive data, which can include third-party cookies, webpage URLs, and image domains. In the order, the FTC said browsing data such as health concerns, location, and financial status should not be sold to third parties without first gaining consent from users. Organizations should take note of the order and review any privacy and security claims they make to users, use contractual provisions to limit third-party usage of data, and treat browsing information as sensitive data.

Malware campaign targets banking users: A new malware campaign is targeting mobile users in Brazil. It’s a banking trojan that would allow cybercriminals to use keylogging to gain access to bank information. The malware campaign is primarily through phishing attempts that trick users into installing fake dropper apps. Currently, no apps that hold the malware have been discovered in the Google Play Store, but users should still use caution when downloading applications. 

Recently Added Articles as of September 5

Major Ohio city is victim of a ransomware attack: In July, the city of Columbus, Ohio experienced a ransomware attack, leading to both residents’ and non-residents’ personal information being leaked. Columbus investigated and responded to the breach quickly. Then, a local researcher reported to the media that the incident’s impact was much bigger than the city claimed. The city is suing the researcher for allegedly working with a ransomware gang to download the leaked data and spread it to cause a bigger concern. 

An overview of the core use cases for artificial intelligence (AI) in third-party risk management: AI is making waves in the industry, and it can provide many benefits to organizations, especially when it comes to third-party risk management. There are three core use cases to provide value, which include assessing risks in minutes, increasing resiliency, and streamlining processes. As organizations strategically embrace AI opportunities, it can transform their business operations.  

Over 400,000 breached in a radiology IT vendor hack: Specialty Networks, a Tennessee-based company providing information systems and transcription services to radiology practices, notified 411,037 people of a data breach from last December. Class-action lawsuits have been proposed and Specialty Networks will provide 12 months of identity and credit monitoring to those affected. 

Are you complying with Canadian privacy laws?: Per Canada’s privacy laws, if your organization transfers personal information (PI), it’s responsible for the protection of the information. If PI is mishandled, the organization can be exposed to big risks, like noncompliance with regulatory guidelines. To comply, it’s recommended that organizations thoroughly understand their vendors’ privacy and cybersecurity policies and practices, include regulatory statutes in contract terms as needed, audit vendors to verify compliance with privacy and data protection laws and contractual obligations, and ensure vendors return or destroy PI when they should no longer have access.

Ransomware-as-a-Service (RaaS) continues to be a threat: The U.S. government shared that threat actors associated with the RansomHub ransomware group have encrypted and exfiltrated data from at least 210 victims since the group was created in February 2024. Industries attacked include information technology, healthcare, food and agriculture, transportation, and many more. This is a good reminder to remain alert as the trend of RaaS continues.

FFIEC Cybersecurity Assessment Tool (CAT) to be sunset: The FFIEC announced the CAT will be sunset on August 31, 2025. The assessment tool was created in 2015 to assist financial institutions with identifying risks and determining cybersecurity preparedness. The FFIEC won't continue to update the CAT to reflect current government regulations and recommends institutions refer to those resources, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. 

Preventing cyberattacks with third-party risk management and artificial intelligence: AI can work for both good and evil. It continues to provide value to organizations across many industries, but it has also become another way scammers are successfully attacking organizations. With the introduction of generative AI tools like ChatGPT, scammers’ emails are appearing more credible. To remain vigilant, it’s recommended that organizations continue to have strong third-party risk management practices, including performing vendor due diligence, continuously monitoring vendors, and creating vendor management policies. Ironically, AI can also assist with protection from attacks, as it can help with identifying attacks faster.

FFIEC issues a new booklet: An FFIEC IT Examination Handbook has been updated after 20 years! The Development, Acquisition, and Maintenance booklet gives examiners examination expectations “regarding entities’ development and acquisition planning and execution, governance and risk management, and maintenance and change management practices.” It replaces the Development and Acquisition booklet issued in April 2004.

AI vendor contract considerations: Prior to signing an AI vendor contract, it’s important to conduct due diligence on the vendor and the AI system. This includes reviewing the vendor’s reputation, prior performance, legal issues, the AI model’s architecture, and more. Also consider including contractual provisions, such as a notification requirement should there be any issues with the AI system. Other considerations to keep in mind include clear performance metrics and how intellectual property will be handled. 
