Posts

what is third party risk management

What is Third-Party Risk Management?

As business operations become increasingly complex and interconnected, third-party risk management (TPRM) is no longer optional.

what is third party risk management

You Are Only as Safe as Your Vendors

Companies rely heavily on third-party vendors, suppliers, and partners to perform critical functions in today’s business landscape. A recent study reports that 71% of organizations have seen their third-party networks increase in the last three years. While these relationships can drive growth and efficiency, they also introduce potential risks that need to be carefully managed.

What is Third-Party Risk Management?

Third-Party Risk Management refers to the strategies and processes used to identify, assess, and mitigate risks from doing business with third-party entities. These external entities can include suppliers, vendors, contractors, affiliates, or any other organization your business interacts with.

The risks associated with third-party relationships can be varied, ranging from operational and financial risks to reputational and legal risks. For instance, if a vendor suffers a data breach, your company could be exposed to operational risks, financial losses, regulatory penalties, reputational damage, lawsuits, and even dissolution.

The Importance of TPRM in Today’s Business Environment

In recent years, high-profile incidents have highlighted the significant risks that third-party relationships can pose. 59% of organizations reported experiencing a data breach caused by a third party, with 54% reporting breaches within the last 12 months.

The consequences of not effectively managing third-party risks can be severe, from data breaches involving third-party vendors to operational disruptions caused by supplier failures.

Furthermore, regulatory bodies are increasingly focusing on third-party risk management. Data regulations like HIPAA, SEC, CCPA, and the New York Shield Act, among others, include requirements for data protection that require robust third-party risk management practices in place.

Implementing Effective TPRM: Key Steps for Business Executives

Effective third-party risk management requires a strategic and proactive approach. Here are some key steps that business executives should consider:

  1. Conduct Thorough Due Diligence: Before engaging with a third party, conduct a comprehensive due diligence process to understand their capabilities, reliability, and track record. This process includes assessing their financial stability, compliance status, and cybersecurity measures.
  2. Establish Clear Contracts: Ensure your contracts with third parties clearly outline roles, responsibilities, and expectations, including defining performance metrics, data protection requirements, and penalties for non-compliance.
  3. Regularly Monitor Third Parties: Continuous monitoring of your third parties is crucial for detecting and responding to potential risks promptly. Implement regular audits, performance reviews, and compliance checks.
  4. Develop a Response Plan: Have a contingency plan in place to respond to incidents involving third parties. This plan should include steps for mitigating damage, notifying stakeholders, and resolving the issue.
  5. Leverage Technology: Utilize technology solutions to streamline your TPRM processes. This can include a solution that will automate due diligence, monitor third-party performance, alert you to potential risks, as well as strategic guidance.
  6. Conduct a Risk Assessment: Regularly review your third-party relationships to identify any potential risks and address them promptly.

The reality of today’s digital ecosystem means that third-party risk management is a critical aspect of modern business strategy. By understanding the potential risks and implementing effective solutions, business executives can protect their organizations, enhance operational resilience, and drive sustainable growth.

DOWNLOAD THE FREE GUIDE → Comprehensive Guide to Third-Party Risk Management

 

by
Data Breach Detection

Breach Detection: Could You Detect a Data Breach?

With the increasing reliance on technology in today’s business world, the risk of data breaches is at an all-time high, making breach detection a crucial factor in protecting sensitive data.

Data Breach Detection

Detecting a data breach early on can help organizations limit the damages, preserve their reputation, and prevent further unauthorized access to their systems. Despite this importance, many businesses struggle to identify data breaches as they happen, only realizing something is wrong when it’s too late. We outline some helpful insights about the importance of breach detection and the strategies they can adopt to improve their breach detection capabilities to protect their business before, during, and after a data breach.

Causes of a Data Breach

A variety of factors can cause a data breach, including human error, malicious attacks, and software errors. Human error includes misconfiguring security settings or sending sensitive data to the wrong recipient. Malicious activities, such as ransomware attacks or phishing scams, are escalating and increasing in frequency and can lead to unauthorized access to sensitive information or data loss. Additionally, software system errors or vulnerabilities can provide entry points for attackers to exploit.

The growing reliance on third-party vendors and the complexity of supply chains have also increased the potential for supply chain attacks, where attackers target a third-party vendor’s systems to get access to valuable information. Therefore, understanding the causes of data breaches is vital for businesses to identify vulnerabilities and implement appropriate security measures to prevent them.

Data Breach Detection

The majority of data breaches are discovered by external sources, meaning that an external entity, rather than the affected business, was the first to recognize the breach. This makes it clear companies need to improve their data breach detection systems to monitor and detect potential breaches in real time.

With so many data breaches occurring every day, it’s critical for organizations to stay vigilant and invest in the latest technologies, and to detect potential breaches as soon as possible. By prioritizing breach detection and response, businesses can mitigate the damage caused by a breach, protect their customers’ data, and maintain their reputation.

Identifying High-Value Data

Identifying and securing high-value data is critical in protecting sensitive information from unauthorized access, loss, or theft. High-value data can include business trade secrets, intellectual property, financial information, personally identifiable information, and other sensitive information that could harm your business or customers if leaked or breached. To identify high-value data, a company must conduct a thorough inventory of data assets, categorize data based on sensitivity, and apply appropriate security controls to protect it from unauthorized access.

Effective security controls should include access controls, encryption, multi-factor authentication, and data loss prevention tools. Protecting high-value data may require additional resources and investment, but the potential cost of a data breach can be devastating. By prioritizing data protection for high-value data, businesses can minimize the risks associated with a data breach and build a trusted reputation with their customers.

Active Monitoring Processes

Active monitoring processes are essential for preventing data breaches and protecting sensitive information from unauthorized access. Active monitoring involves continuous monitoring of a system’s security posture to identify potential threats, suspicious activities, or vulnerabilities. By proactively monitoring networks, applications, and data usage, businesses can quickly detect and respond to security incidents before they become full-blown breaches.

Active monitoring processes can include but are not limited to, security information and event management (SIEM) solutions, intrusion detection and prevention systems, network and endpoint protection tools, and data analytics platforms. These tools provide a holistic view of the organization’s security posture and enable businesses to take timely action against probable security threats. Through active monitoring and timely response, organizations can prevent data breaches, protect sensitive information, ensure compliance, and maintain their reputation.

Rapid Remediation After a Data Breach

Rapid remediation is a crucial step in limiting the damage caused by a data breach. Once a breach has been detected, acting quickly and decisively to contain it and minimize the harm is essential. Rapid remediation strategies may include, among others, isolating affected systems, disabling breached accounts or systems, restoring from backups, identifying and removing malware or other malicious software, and conducting forensic analysis to determine the extent and root cause of the breach. The ultimate goal of rapid remediation is to lessen the severity of the breach and protect sensitive data from further exposure.

By responding to a breach quickly, businesses can reduce their financial and legal liabilities, safeguard their reputation, and mitigate operational disruptions. Effective remediation requires a well-defined incident response plan, including clear roles and responsibilities, thorough documentation, and continuous improvements in response to changing threat landscapes.

In conclusion, data breaches are becoming more sophisticated and prevalent, making breach detection an essential component of data protection strategies. Therefore, organizations must stay up to date with the latest technologies and adopt a multilayered approach to cybersecurity, including monitoring, training, and incident response planning.

Related Content

Looking to evaluate your organization’s current security coverage? Use our Cybersecurity Evaluation Checklist to help you appraise your firm’s cybersecurity readiness. This checklist is a jumping-off point to help your enterprise determine its ability to mitigate the risk of cyberattacks before it is too late.

Cybersecurity Checklist

 

Only by adopting a proactive, comprehensive approach can organizations hope to prevent significant breaches, mitigate their impact, and protect sensitive data. However, when it comes to data breaches, it’s not a matter of if but when. Therefore, businesses must continuously assess their IT security posture and adopt proactive measures to detect and respond to potential breaches. Only then can they safeguard sensitive data, ensure compliance, maintain operations, avoid liability, and avoid the headlines.

by
NY SHIELD Act Data Privacy Laws

The NY SHIELD Act: What You Need to Know

As data breaches increase in frequency and severity, regulators are implementing new data privacy laws to reduce consumer risk.

Currently, there are no comprehensive data security or privacy laws at the federal level. As a result, individual states are implementing laws to protect their residents. Unfortunately, this creates a complex maze of overlapping data privacy laws businesses must follow. The NY Shield Act is an example of one of these laws.

NY SHIELD Act Data Privacy Laws

What is the NY Shield Act?

The NY Shield Act, or Stop Hacks and Improve Electronic Data Security Act, is a set of laws that require businesses to take specific steps to ensure the security and privacy of sensitive customer data. Implemented in 2020, it amended the New York state’s existing data breach notification law to impose stricter data security requirements on companies to protect consumers’ personally identifiable information from misuse, breach, or unauthorized access.

Who Needs to Comply with the NY Shield Act?

The NY Shield Act applies to all companies operating in New York State or gathering information from residents of New York, even if they are not based in New York or the United States.

What’s Required of Businesses?

Businesses must implement a Data Security Program and reasonable safeguards to ensure private information is stored and erased safely. This prescription includes physical, technical, and administrative controls to protect sensitive information. Additionally, businesses must notify customers whose data has been compromised if a breach occurs.

What Are the Consequences of Non-Compliance?

Businesses must take “reasonable” steps to comply with the NY Shield Act. Companies that fail to take these steps or lack proper security measures could face fines and penalties. Fines for non-compliance start at $5,000 up to a maximum of $250,000, and the state Attorney General can also initiate a civil action case and levy penalties against violators.

Recent civil actions lawsuits for violations of the Shield Act include:

  • Wegman’s agreed to pay $400,000 in penalties in June 2022 after it was discovered that cloud storage containers hosted on Microsoft Azure were left unsecured and open to public access, potentially exposing consumers’ data.
  •  A 2020 agreement with EyeMed that resolved a 2020 data breach that compromised the personal information of approximately 2.1 million consumers nationwide required that the company pay $600,000 in penalties.
  • In 2022, the NY AG and 45 other Attorneys General received $1.25 million from Carnival Cruiseline as part of a multistate settlement after a 2019 data breach exposed the personal information of 180,000 Carnival employees and customers nationwide.

 

“In the 21st century, there’s no excuse for companies to have poor cybersecurity systems and practices that hurt consumers,” wrote NY Attorney General Letitia James regarding the Wegman’s settlement.

Is this like CCPA?

Yes and no. CCPA is a data privacy law, while the SHIELD Act is a security regulation. The California Consumer Privacy Act focuses on data privacy, and the NY SHIELD Act is a security law. The CPRA, a later update to the CCPA, includes data security provisions.

The main takeaway is that, just as with the CCPA, businesses must comply with the Shield Act if it conducts business in the state or collect information from residents, even if the company is located outside the state.

What Are the Key Requirements of the SHIELD Act?

The NY Shield Act requires companies to:

  • Implement security measures appropriate for the size, scope, and type of business.
  • Ensure their service providers maintain the same level of data security as you do.
  • Create a written Information Security Program to protect sensitive customer information from unauthorized access or use.
  • Regularly assess and test the security of your systems.
  • Provide training to your staff on security and privacy best practices.
  • Notify customers in a timely manner in the event of a data breach.

How Can I Comply with the NY Shield Act?

The best way to comply with the NY SHIELD Act is to create an Information Security Program that addresses the requirements of the law. The program should include policies and procedures for protecting sensitive information, such as multifactor authentication and access control measures, regularly testing your systems, training staff on data security best practices, and providing timely notification to customers in the event of a breach. You should also ensure that any third-party vendors you use are compliant.

Data Security vs. Data Privacy: What’s the Difference?

It’s essential to understand that data security and data privacy are not interchangeable terms. While both aim to protect data, they focus on different aspects. Data privacy focuses on individuals and their rights to protect their personal information from being used by companies and governments without consent. Data security protects against unauthorized access to sensitive information by employees, bad actors, or malicious software. Ultimately, the goal is to ensure that data remains safe so that organizations and consumers can trust that their data is being used as intended.

Next Steps for Compliance

The NY SHIELD Act is a vital law for protecting sensitive information and maintaining consumer trust in an organization. Business executives must ensure full compliance with the law, including implementing a data security program, performing routine assessments, and appropriately responding to security incidents. Working with an IT partner experienced with the Shield Act and other data privacy laws and regulations is ideal. Protecting customer data is essential in today’s digital world and can only be achieved through implementing effective security measures.

by
SOX Compliance Requirements

What is SOX Compliance & What are the Requirements? (2023 Update)

As cyberattacks increase and intensify, the hardening of security measures becomes even more of a necessity, as does compliance with a network of laws and regulations, including SOX compliance.

SOX Compliance Requirements

What Is SOX Compliance?

First passed in 2002, the Sarbanes Oxley Act (SOX) requires publicly-traded companies to maintain transparency in financial reporting, preventing fraudulent accounting activities, protecting investors, and improving investor confidence.

The Act includes compliance requirements about external auditors, corporate governance, internal control assessments, and financial disclosures.

SOX IT Compliance Requirements and Reporting

When it comes to IT, SOX compliance requires firms to have policies and procedures in place to prevent, detect, and disclose material cybersecurity risks and incidents. Companies also need to prove that they have data safeguards and procedures in place and that they are operational. This includes quality access management, preventative security measures, and redundant and secure backups.

Additionally, another requirement is that security systems must be able to detect data breaches, and the organization needs a communication plan for notifying leadership and investors of identified breaches. In reporting and during an annual SOX compliance audit, businesses must attest to and provide evidence that these internal controls exist.

One extremely challenging SOX cybersecurity requirement is that businesses are responsible for reporting material cybersecurity risks within four business days after the registrant determines that it has experienced a material cybersecurity incident. This can mean that an organization must disclose a risk or incident before regular reporting or a yearly SOX audit.

Related Content → IT Security and Compliance. What’s the Difference?

SOX in 2023

In both 2011 and 2018, the SEC published guidance for interpreting existing rules in connection with cybersecurity threats and incidents.

However, in 2022, the SEC recommended a proposed rule that would require registrants to provide enhanced disclosures about “cybersecurity incidents and cybersecurity risk management, strategy, and governance.” This rule is part of the Fall 2022 Unified Agenda of Regulatory and Deregulatory Actions released by the Office of Information and Regulatory Affairs. SEC Chair Gary Gensler released a statement in early 2023 acknowledging the Commission’s support of the proposed agenda.

It is significant to note that SOX requires signing officer(s), typically an Executive Officer, to attest that the information in their internal control and financial reports is accurate. They cannot contain any false statements, nor can they omit material information. They also need documentation demonstrating that the organization is SOX compliant. Intentionally or inadvertently generating misleading compliance reports or falsifying information not only leads to noncompliance but can also result in upwards of $5 million in fines and 20 years in prison.

In 2022, the news that Uber’s CISO was convicted of federal charges for failing to disclose a 2016 data breach broke, demonstrating just how severe the consequences of non-compliance can be for individuals as well as companies.

Understanding Risks and Their Impact

How do you know what your material cybersecurity risks and incidents are? How do you know if your firm has experienced a breach?

If your IT team does not have the expertise to continuously analyze risks and understand SOX compliance requirements, they may not see correlations that signify a material risk. Without expert guidance, your firm may miss the context or severity of threats. Businesses may not report minor security incidents deeming them to be immaterial. But what if all these smaller threats and incidents turn out to be a much larger problem? Unable to see the connection between events, an organization could unintentionally omit a material cybersecurity risk in its reporting.

Even worse, failure to evaluate the risk appropriately can lead to security breaches, data loss, lawsuits, and other costly damages.

With such high penalties for failure to appropriately disclose material cybersecurity risks and incidents, it is critical for businesses to implement compliance processes and risk management practices to identify and assess threats across their network. Identified risks need to be assessed and treated appropriately and promptly. This process of assessing and implementing measures to modify risk is known as risk treatment.

To understand the risks in your firm’s environment, it needs continuous network monitoring and the expertise and systems for evaluating and conducting a risk assessment. Partnering with an IT firm with specialized knowledge of the compliance requirements outlined in SOX is ideal to ensure compliance and improve your security posture.

Actively Monitoring for Cybersecurity Threats

There is a difference between performance monitoring and cybersecurity monitoring.

Performance monitoring lets you know if systems are operating efficiently, but it doesn’t tell you what security threats exist or the severity of those risks.

In 2023, the risks from malicious cyberattacks and technology are substantial and are a constant threat. It is no longer acceptable to run occasional cybersecurity scans and assume you are seeing an accurate picture of your overall security posture. Instead, to have a complete understanding of the risks and incidents that occur on your network, you need 24x7x365 activity monitoring.

With a managed detection and response (MDR) platform, a team of security analysts with skills in forensic analysis can identify, evaluate, and provide a response plan to threats and breaches within your network.

SIEM Technology

Without the help of security analysts and security information and event management (SIEM) technology, you may not see the significant link between small risks or incidents.

Security experts use SIEM platforms to correlate and analyze threats. This helps to provide context and severity of risks, which is instrumental in determining materiality.

Keep in mind that you need a security expert to utilize the full benefits of these types of internal security controls.

Meeting SOX Compliance Requirements with Comprehensive Cybersecurity

As mentioned, to maintain SOX compliance, your organization needs to be able to measure the materiality of cybersecurity risks and incidents.

Without the right tools, expertise, and testing, your business could experience a breach causing tremendous financial costs, permanent data loss, or even closure.

Even if your organization is not required to be SOX compliant, implementing internal controls and data protection procedures increases your overall security posture. For a private company or a non-profit, which are not mandated to have SOX compliance programs, creating and monitoring security controls is considered to be a cybersecurity best practice.

Related Content →  Evaluate your security readiness with our  Cybersecurity Checklist.

To learn more about SOX cybersecurity and compliance solutions, reach out to Coretelligent’s team of experts.

by
Lessons Learned from Data Breaches

Lessons from the Biggest Data Breaches in 2022

Data Breaches 2022 Humans tend to move on to the next big thing quickly, and with rapidly changing security and regulatory environments, CISOs are no different. We all face new challenges daily, but as we focus on the latest priority in front of us, we must also remember to look back and revisit previous events to ensure we’re practicing hard lessons learned.

Thousands of hacks and data breaches have been reported this year, with victims ranging from public and private companies to local governments and school districts. However, several breaches stand out to me, and now that the dust has settled on them, I think they warrant a deeper dive to uncover what lessons can be gleaned from them.

In this post, I’ll share the story of three data breaches and highlight the salient details you need to know to protect your organization in this age of cybercrime.

Three Significant Data Breaches in 2022

  1. The Okta Breach

Okta works with several partners to help manage its enterprise. Hackers targeted an employee of one of these partners, the Sitel Group, who had privileged access to provide customer service to Okta clients and data. That account was empowered to reset passwords and reset multifactor authentication.

The Sitel Group serves many more customers than Okta. To perform their jobs, support staff often need administrative privileges in their customer’s environment. The attack highlights the increased risk of outsourcing access to your organization’s internal environment.

  1. The Microsoft Breach

In March, Microsoft revealed that an employee account was compromised, which granted hackers “limited access” to Microsoft’s systems and allowed the theft of the company’s source code. Microsoft referenced the hackers’ use of “social engineering and identity-centric tactics” in a blog post detailing the breach. This attack illustrates why training employees about phishing and other social engineering tactics is so important.

  1. The Nvidia Breach

Nvidia, one of the world’s largest graphics processing unit (GPU) manufacturers, was breached in a cyberattack that resulted in the theft and release of over a terabyte of proprietary data and over 71,000 employee credentials. In a statement after the breach, an Nvidia spokesperson did not disclose how hackers were able to gain access, only referring to the attack as a “cybersecurity incident,” but a well-known hacking group quickly took credit for the attack.

What Do These Attacks Have in Common?

It is no coincidence that I am looking back at these three cyber events. The hacks were all claimed by a hacking group known as the Lapsus$ group. Lapsus$ claimed responsibility for the Okta breach, the Microsoft breach, and the breach of Nvidia, among other high-profile targets. The most surprising piece of information about that group is it’s allegedly run by a group of teenagers.

Lessons to be Learned from Teenagers?

The tactics used by the Lapsus$ group are wholly unsophisticated but have still proven time and time again to be effective. The good news is that because their tactics are easily thwarted, organizations have plenty of opportunities to avoid getting hacked by following best practices.

  • Lesson #1: Lapsus$ primarily relied on social engineering schemes to gain access to a target directly or seek access via an organization’s supply chain or service providers. The group claimed that its goal was financial and that it had no political agenda; however, its chaotic approach caused just as destruction in its pursuit of exploiting data.
  • Lesson #2: The Lapsus$ group’s attacks should be a reminder that even the most robust cyber defenses can be circumvented if attackers exploit weak links in the chain. These weak links can be found in both the technical and human domains, but the likeliest way for hackers to gain access is via end-users. As a result, organizations need to be vigilant in educating employees about cyber threats and how to identify and avoid them.
  • Lesson #3: Third-party risk management is also critical in protecting against the type of supply chain attack used against Okta. Companies need to vet their service providers and have security protocols in place to prevent attackers from exploiting these relationships to gain access to sensitive data.

Related Content →  What’s a Supply Chain Attack? Watch the video to learn more.

  • Lesson #4: Additionally, the Lapsus$ group’s attacks show that even small groups of relatively primitive attackers can cause much damage. This fact should be a reminder that organizations must be prepared for all threats, not just those from well-funded and well-developed cybercriminals.

It is important to remember that breaches can and will happen, whether perpetrated by Lapsus$ or other sources, and your company’s response can make all the difference in whether it will survive unscathed. The risk of lost revenue, fines and penalties, and reputational damage require that your company set and follow disaster response and recovery plans.

Reduce Your Risk from Data Breaches?

There are a variety of actions your firm can take to reduce your risk of being hacked, but here are a few key points to keep in mind:

  • Employ multifactor authentication.
  • Review all critical users’ access levels.
  • Perform due diligence for service providers and third-party vendors.
  • Conduct tabletop exercises to identify possible gaps in controls and training. For example, if an internal employee shared their credentials with an attacker, how could you tell?
  • Take care of your employees. Disgruntled employees are more susceptible to bribes.

Data Breaches 2022

Related Content →  Evaluate your security readiness with our  Cybersecurity Checklist.

Next Steps

Lapsus$’s attacks are a reminder that cyber defenses can be circumvented if attackers can exploit the weakest links in the chain. The best defense is to employ a multilayered cybersecurity solution that includes end-user training, comprehensive security policies and protocols, incident response planning, regular security audits, and more.

In today’s digital world, data is the new currency. And like any other type of currency, it needs to be protected from those who would exploit it. Unfortunately, the Lapsus$ group is just one example of the many cyber criminals out there looking to profit from the data of others.

Whether you work with an internal team or outsource your IT functions, employing robust cybersecurity solutions and regularly reviewing them against your risk profile is critical. Reach out to our security professionals for help evaluating your cybersecurity program to find gaps and areas that need improvement. Implementing security controls is not “set it and forget it” but must routinely be assessed to match the needs of your business and the external challenges of today’s cyber landscape.

JasonAbout Jason

Jason Martino is passionate about the intersection of security and compliance. He is responsible for Coretelligent’s internal cybersecurity programs, governance, risk, compliance activities, and educating staff and customers on an ever-evolving threat landscape.

by