Tag Archives: Vendor Disclosure

April 2024 Data Breach Round Up

april 2024 data breaches

In April 2024, numerous cybersecurity incidents occurred, mirroring previous occurrences. These incidents, yet again, serve as a reminder of the ongoing threat landscape that organizations across various sectors face. From retail giants to healthcare conglomerates, no entity appears to be immune to the ever-changing tactics employed by malicious actors in the digital sphere.

Let’s explore these breaches in detail, uncovering the stories that underscore the critical need for continuous monitoring and proactive risk management strategies in today’s interconnected world.


  1. Giant Tiger

    Giant Tiger, a prominent Canadian discount retailer, suffered a data breach that affected approximately 2.8 million of its customers. This breach came to light when an anonymous hacker posted the stolen data, including email addresses, names, phone numbers, and physical addresses, on a cybercrime forum. The breach data has since been added to the HaveIBeenPwned website, enabling users to check if their information has been compromised. The source of the breach was traced to a third-party vendor responsible for handling Giant Tiger’s customer interactions and communications. Although the leak did not include payment details or passwords, it poses a significant risk of phishing and identity theft. Giant Tiger has informed all affected customers and is actively managing the fallout from the disclosure.

  2. Home Depot

    On April 8, Home Depot confirmed a data breach involving a third-party SaaS vendor, which accidentally exposed names, work email addresses, and user IDs of some employees during system tests. This breach was disclosed after threat actor IntelBroker leaked data about 10,000 employees on a hacking forum. Security experts stress the importance of robust third-party risk management and the need for uniform security protocols across business ecosystems to mitigate such breaches, which could lead to targeted phishing attacks and further security compromises.

  3. Roku

    In a recent statement, Roku disclosed that its security systems detected unauthorized access to approximately 15,000 user accounts earlier this year through credential stuffing—using stolen login details from other sources. Despite these intrusions, Roku confirmed there was no compromise within their systems. A second incident involved around 576,000 accounts, but again, no sensitive information or full payment details were accessed. In response, Roku has reset passwords for affected accounts, implemented refunds for unauthorized transactions, and introduced two-factor authentication for all accounts to enhance security. Roku urges customers to create strong, unique passwords and remain vigilant against suspicious communications to further protect their accounts.

  4. Nextperia

    On April 12, 2024, Nexperia announced that an unauthorized party had accessed certain IT servers in March. The company quickly isolated the compromised systems and cut off internet access to contain the breach. With the help of cybersecurity firm FoxIT, Nexperia is actively investigating the breach’s scope and has taken significant steps to terminate the unauthorized access. The incident has been reported to the relevant authorities, including the ‘Autoriteit Persoonsgegevens’ and the police, who are being updated on the investigation’s progress. Due to the ongoing investigation, Nexperia has stated that further details cannot be disclosed at this time. Nexperia, headquartered in the Netherlands, is a leading global semiconductor company, noted for its significant contributions to electronic components across various industries.

  5. MITRE

    On April 19, 2024, MITRE acknowledged a cybersecurity breach within its Networked Experimentation, Research, and Virtualization Environment (NERVE), a platform used for collaborative research and development. Despite robust security measures, a foreign nation-state was identified as the perpetrator of this breach. Immediate steps were taken to contain the breach by disconnecting the NERVE environment and launching a comprehensive investigation with both in-house and external cybersecurity experts. MITRE has informed the relevant authorities and those affected, and is working on secure alternatives for collaboration. Jason Providakes, president and CEO of MITRE, emphasized the organization’s commitment to transparency and the advancement of cybersecurity practices across the industry. MITRE, known for its contributions to cybersecurity standards and tools, continues to share insights gained from this incident to aid the broader security community.

  6. Kaiser

    Kaiser, a prominent U.S. health conglomerate, is informing millions of current and former members about a data breach that occurred when the company inadvertently shared patients’ data with third-party advertisers, including tech giants like Google and Microsoft. The breach was identified after an investigation revealed that certain online technologies used by Kaiser transmitted personal information to external vendors. The compromised data includes member names, IP addresses, and details indicating usage of Kaiser’s services and websites. Kaiser promptly removed the tracking code from its platforms. This incident underscores a concerning trend in the healthcare sector, where online tracking codes have been used to share sensitive patient information with advertisers. Kaiser plans to notify approximately 13.4 million affected individuals and has fulfilled legal requirements by reporting the breach to relevant authorities. This breach marks one of the largest health-related data breaches of 2024, as listed by the U.S. Department of Health and Human Services.

  7. FBI Warning

On April 12, the FBI issued a warning regarding a significant surge in SMS phishing attacks aimed at Americans concerning unpaid road toll fees. Beginning last month, thousands of individuals reported being targeted by scammers. The FBI’s Internet Crime Complaint Center received over 2,000 complaints since early March, indicating a widespread campaign across at least three states. The malicious texts claim recipients owe money for outstanding tolls, with identical language across reports. The phishing messages contain hyperlinks impersonating state toll services, with phone numbers varying between states. Although the FBI did not mention E-ZPass in their warning, it’s noted that the scam also targets E-ZPass customers. The FBI advises recipients to report the scam, avoid clicking links, verify their accounts through legitimate websites, contact customer service, delete any phishing texts, and take measures to secure personal and financial information if they’ve interacted with the messages.


As April comes to a close, these data breaches serve as powerful reminders of the urgent need to strengthen our systems. Each breach brings new insights, pushing everyone involved to take a hard look at their security measures, beef up their defenses, and stay sharp against emerging threats.


In our quest for cyber resilience, teamwork and sharing what we know are key. By working together and staying committed to protecting our digital world, we can tackle the challenges of cyberspace head-on, with confidence and resolve.


March 2024 Data Breach Round Up

March 2024 Data Breaches

A few months into 2024, and data breaches are on the rise. This surge highlights the need for improved security measures and greater awareness. These instances of unauthorized access to confidential data expose vulnerabilities in our interconnected systems. A deeper look into these breaches uncovers broader cybersecurity issues that necessitate immediate, coordinated efforts for digital information protection. In a time when data breaches are becoming more advanced, traditional security measures are no longer adequate.

This is where comprehensive security assessments and compliance become invaluable. Evaluating your company’s security posture and aligning it with industry standards can help identify vulnerabilities before exploitation. Compliance isn’t just about ticking boxes—it’s about creating a robust framework that bolsters security measures and instills trust in clients.

However, the real game-changer in the fight against cyber threats is the integration of AI  into your security strategies. AI can analyze vast amounts of data at an unprecedented speed, identifying potential threats and anomalies that might go unnoticed by human eyes. It can also predict potential vulnerabilities, allowing companies to fortify their defenses proactively.

Let’s jump into the data breaches that shook the industry in March 2024, a stark reminder of the ever-evolving challenge of maintaining digital security. 

AT&T

AT&T has initiated a mass reset of customer account passcodes following a leak that exposed millions of records online, including sensitive information such as names, addresses, and Social Security numbers. The leaked data, dating back to 2019 or earlier, affects about 7.6 million current and 65.4 million former AT&T account holders. Despite the leak, AT&T has stated there’s no evidence of unauthorized system access. The leak, including encrypted passwords easily decryptable, was first identified when a security researcher shared their findings with TechCrunch. AT&T is contacting affected current and former customers to inform them about the breach and the steps being taken to secure their accounts.

Fujitsu

Fujitsu, a leading global IT services provider, recently announced a significant security breach where malware infected its systems, leading to the theft of customer data. The company, ranking as the sixth largest in its sector with a workforce of 124,000 and revenues of $23.9 billion, plays a pivotal role in technology, offering a wide array of products and services, including cloud solutions and IT consulting. The breach, affecting systems holding sensitive customer information, prompted immediate action from Fujitsu to isolate infected computers and enhance monitoring. Despite no reports of the data’s misuse, Fujitsu has notified relevant authorities and is in the process of alerting affected customers. This incident follows a 2021 security breach involving Fujitsu’s ProjectWEB tool, which compromised government agencies and led to significant data theft, underscoring ongoing cybersecurity challenges.

MarineMax

MarineMax, a leading yacht retailer, reported a cyberattack in March, revealing that hackers, identified by the Rhysida ransomware gang, compromised its systems and stole data including employee and customer personal information. Despite initial claims of not storing sensitive data on the breached systems, a subsequent investigation uncovered that the cybercrime group accessed and extracted data, which is now being offered for sale on the dark web for 15 Bitcoin (over $1 million). MarineMax, with operations spanning 130 locations globally and reporting $2.39 billion in revenue last year, has engaged external cybersecurity experts to mitigate the breach’s impact, notified law enforcement, and is in the process of notifying affected individuals and regulatory bodies. The Rhysida gang, known for its ransomware-as-a-service operations since May 2023, has targeted various organizations, including the British Library and healthcare entities, marking this incident as part of a broader pattern of cyberattacks by the group.

PandaBuy

PandaBuy, an online shopping platform facilitating purchases from Chinese e-commerce sites, experienced a data breach affecting over 1.3 million users. The breach, executed by threat actors ‘Sanggiero’ and ‘IntelBoker’ through exploiting critical API vulnerabilities, exposed comprehensive user data including names, contact details, order information, and addresses. The compromised data was offered on a forum for a nominal cryptocurrency fee, with a sample provided to validate its authenticity. Despite attempts to downplay the incident, evidenced by moderated discussions on Discord and Reddit, the breach’s reality was confirmed by data breach aggregator Have I Been Pwned (HIBP), advising impacted users to change their passwords and be cautious of potential scams. PandaBuy has yet to officially address the breach publicly, as concerns over user privacy and platform security escalate.

France Travail

France Travail, the national unemployment agency in France, has reported a significant data breach affecting approximately 43 million individuals, stemming from a cyberattack between February 6 and March 5. The agency, which aids in job placement and financial support, acknowledged that personal details of job seekers over the past two decades, including sensitive information like social security numbers and contact details, were compromised. While bank details and passwords remain unaffected, the exposed data raises serious concerns for identity theft and phishing risks. France Travail has notified the National Commission of Informatique and Liberties (CNIL) and is advising those potentially impacted to exercise caution with their communications. This incident, surpassing the scale of previous breaches including a 10 million person breach last August and the recent Viamedis and Almerys breach, marks a record for cybersecurity incidents in France.

Prioritizing Compliance & Cybersecurity in the Wake of Rising Data Breaches:

Digital security is a complex tapestry, with challenges increasing in both frequency and severity. This complexity calls for action. We must strengthen our defenses, both as organizations and individuals. At Findings we understand the pivotal role of security assessments, compliance, and AI in safeguarding your digital assets. Our suite of services is designed to provide a comprehensive security solution that not only helps prevent data breaches but also ensures that your company is equipped to handle any cyber threats that come its way. From detailed security assessments that highlight your strengths and weaknesses to AI-driven insights that keep you one step ahead of cybercriminals, we are your partner in establishing a resilient and compliant security posture.

As we reflect on the lessons from the top breaches in March 2024, let us use them as a stepping stone towards a more secure and trustworthy digital future. 

Vendor Breach Reporting in the Modern Market

Vendor Breach Reporting guidelines findings 2024

We’ve hit a point in time where data breaches are becoming more common and the repercussions more severe. This highlights that the importance of effective vendor breach reporting cannot be overlooked. As companies are relying more and more on third-party vendors for a variety of services — from cloud storage solutions to customer relationship management systems, the potential for data breaches originating from these vendors escalates. This blog will explore the current landscape of vendor breach reporting, highlighting the challenges, best practices, and the evolving regulatory environment that shapes how businesses respond to and report breaches.

Understanding the Landscape

The modern market is interconnected, with businesses routinely sharing sensitive information with vendors. This symbiotic relationship, however, introduces vulnerabilities. A breach at a vendor can have cascading effects, compromising the data integrity of all connected businesses. The 2023 Verizon Data Breach Investigations Report underscores this point, noting an uptick in incidents originating from third-party vendors.

Challenges in Vendor Breach Reporting

One of the primary challenges in vendor breach reporting is the detection and attribution of breaches. Identifying that a breach has occurred, and tracing it back to a specific vendor, requires sophisticated monitoring tools and a high degree of coordination between parties. Moreover, the variability in reporting requirements across jurisdictions adds a layer of complexity, making compliance a moving target for global businesses.

Best Practices for Effective Reporting

To navigate these challenges, businesses must adopt a proactive and comprehensive approach to vendor management and breach reporting. Key strategies include:

  • Due Diligence: Before entering into agreements with vendors, assess their security policies and incident response capabilities. Regular audits can ensure ongoing compliance with agreed-upon standards.

  • Transparent Communication: Establish clear lines of communication for reporting potential security incidents. This includes setting up contractual obligations for vendors to notify you immediately in the event of a breach.

  • Incident Response Planning: Develop a coordinated incident response plan that includes vendors. This plan should outline steps for breach investigation, notification, and mitigation, ensuring a swift and unified response.

  • Regulatory Compliance: Stay informed about the evolving regulatory landscape. Many regulations have set stringent requirements for data breach notification, including specific timelines and conditions under which breaches must be reported. Failure to comply can result in significant fines, legal fees, and damage to a company’s reputation.

The Evolving Regulatory Environment

Governments around the world are tightening regulations around data protection and breach notification. The trend is towards more stringent reporting requirements, with an emphasis on consumer protection. For instance, amendments to the GDPR and CCPA are pushing for shorter notification windows and greater transparency in the event of a breach. More recently, in 2024, The Federal Communications Commission (FCC) has finalized new breach reporting rules that significantly tighten the requirements for telecommunications carriers in the US. Now, these carriers have only seven days to disclose data breaches. The rules have expanded the definition of breaches to include inadvertent access or disclosure of customer information, which now encompasses not only Customer Proprietary Network Information (CPNI) but also personally identifiable information (PII) such as names, government ID numbers, biometric data, and email addresses/passwords. This change aims to cover a broader range of data and ensure customers are notified of breaches unless the carrier determines no harm is reasonably likely to occur. The updated rules now require that, in addition to the FBI and U.S. Secret Service, the FCC must also be notified of breaches.

Lastly, The Federal Trade Commission (FTC) has introduced an amendment to its Safeguards Rule, imposing a 30-day deadline for non-banking financial organizations to report incidents involving 500 consumers or more. This amendment aims to bolster consumer data security by demanding comprehensive incident reports, driving stronger security practices in the financial sector.

Closing Thoughts:

In the modern market, effective vendor breach reporting is not just a regulatory requirement; it’s a critical component of a company’s overall cybersecurity strategy. By implementing best practices for vendor management and staying abreast of regulatory changes, businesses can better protect themselves and their customers from the fallout of data breaches. As the digital landscape continues to evolve, so too must the strategies for safeguarding against and responding to security incidents. The key to resilience in the face of these challenges lies in preparation, partnership, and proactive engagement with the issue of vendor breach reporting.

 

Findings Can Help

5 Critical Steps In Maintaining A Vulnerability Disclosure Policy

5 critical steps vulnerability disclosure policy

Once upon a time, the vendors that your company chose to work with were your own business. There was little pressure to disclose supply chain vendors to the world at large.
 
Those days are gone. Today, businesses face pressure from a variety of sources to establish a vendor and vulnerability disclosure policy in order to maintain a transparent supply chain.
 
Government regulators are demanding vulnerability disclosure policies in the wake of initiatives like the White House’s call for more stringent supply chain cybersecurity protections. Partners expect transparency, too – which is why companies like Palo Alto Networks and Nestlé detail their suppliers on their websites.
 
 
From the perspective of consumers as well, vulnerability disclosure policies have become a priority. Alexis Bateman and Leonardo Bonanni note in the Harvard Business Review, “researchers at the MIT Sloan School of Management found that consumers may be willing to pay 2% to 10% more for products from companies that provide greater supply chain transparency.”
 
 
For all of these reasons, now is the time for company shareholders and security teams to establish strong vulnerability disclosure policies and supply chain transparency, if they have not already. While it’s important to avoid giving away too much information – because doing so could harm your competitive advantage – CISOs also don’t want to be left playing catchup when a vulnerability arises within their supply chain. They don’t want regulators, partners, customers and shareholders asking questions about why there wasn’t more transparency and disclosure before an incident, especially in situations where proactive disclosure could have helped to mitigate the impact of a rapidly spreading attack or threat.
 
 
Of course, establishing and managing a vulnerability disclosure policy is easier said than done. To help with this mission, we are unpacking the five critical steps they should be taking to establish supply chain transparency and ensure effective disclosure of vulnerabilities (Also known as VDP).

 

Step 1: Set vendor disclosure goals

Supply chain transparency doesn’t mean disclosing every detail of your supply chain to the world. Instead, CISOs should set goals about how much information to disclose. Their policies should reflect the level of risk that each supply chain component or vendor poses to stakeholders.
 
For example, a vendor that supplies software that your business uses internally poses less of a risk than one who helps to provide customer-facing systems., A security issue in the latter is likely to be harder to contain and to have a bigger impact on your users and business. For that reason, a vulnerability disclosure policy might treat suppliers for line-of-business apps and customer-facing apps differently.
 
Keep in mind, too, that risks constantly change, so you should revisit your vendor disclosure goals at least yearly.

 

Step 2: Map suppliers and flow

Supply chain transparency is about more than just listing who your vendors are. It’s equally critical to understand how information flows between vendors, and how a vulnerability in one part of the supply chain impacts the rest of the chain.
CISOs can unpack this information by mapping suppliers to the ‘flow of information’. From there, look for gaps where failure to contain a vulnerability or disclose it quickly could impact other vendors or customers.
 
Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Step 3: Optimize reporting systems

A strong vulnerability disclosure policy requires effective reporting about where vulnerabilities like to hide and which vendors they involve. Since it’s not practical to generate this information manually at any kind of scale, CISOs should leverage automatic vendor disclosure reporting systems that can generate disclosure information automatically.
 
Baking vendor disclosure into existing business processes, can also help to make reporting more systematic and automated. Supply chain transparency is an important component of corporate responsibility. Many businesses are also considering ESG as an integrated part of their cybersecurity risk management, so including it in your vendor disclosure policy just makes sense.

 

Step 4: Gather information continuously

Again, risks change constantly. So do the vendors within your supply chain and the role they play in it. That’s why security teams must continuously gather and update information about vendors and vulnerabilities, then adjust vulnerability disclosure policies accordingly.
They should also make sure that information is available to all stakeholders. Every person in the organization should be able to see whether there is a supply chain risk and report it to the security team.
 
 

Step 5: Report findings and engage vendors

Vulnerability disclosure shouldn’t be a passive affair. You can’t just list vendors or report vulnerabilities periodically on your website.
Instead, you should engage actively with your vendors to report findings, make collaborative decisions about vulnerabilities and address specific risks as quickly as possible.
 
The point of vulnerability disclosure policies, after all, is to lower risk for everyone. You can do that only by acting on the information you discover.
 

Continuous monitoring for vendor disclosure is essential
You may have noticed a theme running throughout the vulnerability disclosure steps described above: The importance of continuous monitoring and disclosure.
 
Continuous monitoring and disclosure means the ability to detect, report on and react to supply chain risks in real time. They’re critical because, once again, risks and vendors constantly change, so continuous monitoring is the only way to ensure you never miss a threat. Periodic audits or one-off reports are not enough to stay on top of risks or demonstrate a genuine commitment to your supply chain security.
 
Keep in mind, too, that continuous monitoring and reporting will support the image of your business as one that takes supply chain security seriously. In turn, it helps you to gain a competitive advantage, since partners and customers will see continuous transparency and reporting as a positive quality.
 
 
While continuously monitoring risk across your supply chain may seem daunting, Findings makes it easy with automated supply chain security, and our innovative continuous and cloud monitoring apps to support and scale your entire supply chain. 
 
See for yourself by signing up for a free trial.

5 Critical Steps In Maintaining A Vulnerability Disclosure Policy

5 critical steps vulnerability disclosure policy

Once upon a time, the vendors that your company chose to work with were your own business. There was little pressure to disclose supply chain vendors to the world at large.

 

Those days are gone. Today, businesses face pressure from a variety of sources to establish a vendor and vulnerability disclosure policy in order to maintain a transparent supply chain.

 

Government regulators are demanding vulnerability disclosure policies in the wake of initiatives like the White House’s call for more stringent supply chain cybersecurity protections. Partners expect transparency, too – which is why companies like Palo Alto Networks and Nestlé detail their suppliers on their websites.

 

 

From the perspective of consumers as well, vulnerability disclosure policies have become a priority. Alexis Bateman and Leonardo Bonanni note in the Harvard Business Review, “researchers at the MIT Sloan School of Management found that consumers may be willing to pay 2% to 10% more for products from companies that provide greater supply chain transparency.”

 

 

For all of these reasons, now is the time for company shareholders and security teams to establish strong vulnerability disclosure policies and supply chain transparency, if they have not already. While it’s important to avoid giving away too much information – because doing so could harm your competitive advantage – CISOs also don’t want to be left playing catchup when a vulnerability arises within their supply chain. They don’t want regulators, partners, customers and shareholders asking questions about why there wasn’t more transparency and disclosure before an incident, especially in situations where proactive disclosure could have helped to mitigate the impact of a rapidly spreading attack or threat.

 

 

Of course, establishing and managing a vulnerability disclosure policy is easier said than done. To help with this mission, we are unpacking the five critical steps they should be taking to establish supply chain transparency and ensure effective disclosure of vulnerabilities (Also known as VDP).

 

 

Step 1: Set vendor disclosure goals

Supply chain transparency doesn’t mean disclosing every detail of your supply chain to the world. Instead, CISOs should set goals about how much information to disclose. Their policies should reflect the level of risk that each supply chain component or vendor poses to stakeholders.

 

For example, a vendor that supplies software that your business uses internally poses less of a risk than one who helps to provide customer-facing systems., A security issue in the latter is likely to be harder to contain and to have a bigger impact on your users and business. For that reason, a vulnerability disclosure policy might treat suppliers for line-of-business apps and customer-facing apps differently.

 

Keep in mind, too, that risks constantly change, so you should revisit your vendor disclosure goals at least yearly.

 

 

Step 2: Map suppliers and flow

Supply chain transparency is about more than just listing who your vendors are. It’s equally critical to understand how information flows between vendors, and how a vulnerability in one part of the supply chain impacts the rest of the chain.

CISOs can unpack this information by mapping suppliers to the ‘flow of information’. From there, look for gaps where failure to contain a vulnerability or disclose it quickly could impact other vendors or customers.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

 

Step 3: Optimize reporting systems

A strong vulnerability disclosure policy requires effective reporting about where vulnerabilities like to hide and which vendors they involve. Since it’s not practical to generate this information manually at any kind of scale, CISOs should leverage automatic vendor disclosure reporting systems that can generate disclosure information automatically.

 

Baking vendor disclosure into existing business processes, can also help to make reporting more systematic and automated. Supply chain transparency is an important component of corporate responsibility. Many businesses are also considering ESG as an integrated part of their cybersecurity risk management, so including it in your vendor disclosure policy just makes sense.

 

 

Step 4: Gather information continuously

Again, risks change constantly. So do the vendors within your supply chain and the role they play in it. That’s why security teams must continuously gather and update information about vendors and vulnerabilities, then adjust vulnerability disclosure policies accordingly.

They should also make sure that information is available to all stakeholders. Every person in the organization should be able to see whether there is a supply chain risk and report it to the security team.

 

Step 5: Report findings and engage vendors

Vulnerability disclosure shouldn’t be a passive affair. You can’t just list vendors or report vulnerabilities periodically on your website.

Instead, you should engage actively with your vendors to report findings, make collaborative decisions about vulnerabilities and address specific risks as quickly as possible.

 

The point of vulnerability disclosure policies, after all, is to lower risk for everyone. You can do that only by acting on the information you discover.

 

 

Continuous monitoring for vendor disclosure is essential

You may have noticed a theme running throughout the vulnerability disclosure steps described above: The importance of continuous monitoring and disclosure.

 

Continuous monitoring and disclosure means the ability to detect, report on and react to supply chain risks in real time. They’re critical because, once again, risks and vendors constantly change, so continuous monitoring is the only way to ensure you never miss a threat. Periodic audits or one-off reports are not enough to stay on top of risks or demonstrate a genuine commitment to your supply chain security.

 

Keep in mind, too, that continuous monitoring and reporting will support the image of your business as one that takes supply chain security seriously. In turn, it helps you to gain a competitive advantage, since partners and customers will see continuous transparency and reporting as a positive quality.

 

 

While continuously monitoring risk across your supply chain may seem daunting, Findings makes it easy with automated supply chain security, and our innovative continuous and cloud monitoring apps to support and scale your entire supply chain. 

 

See for yourself by signing up for a free trial.

Your Vulnerability Disclosure Policy Can Be Easier Than You Think

Your-Vulnerability-Disclosure-Policy-Can-Be-Easier-Than-You-Think

It’s easy to recognize the importance of creating a vulnerability disclosure policy. Vulnerability disclosure policies, or VDPs, are important because they help you track vulnerabilities within your supply chain and determine how to disclose security risks that arise within the supply chain. That’s a best practice for any business, not to mention a formal requirement for companies wishing to do business with the DOD and U.S. government agencies.

It can be pretty hard, however, to figure out how to define and enforce such a policy. If you’re like many businesses, you may struggle to determine which types of vulnerabilities to disclose, how to report them, and how to integrate these rules into a policy document that your business uses as a systematic guide whenever supply chain vulnerabilities arise.

Fortunately, it’s easy enough to work past these challenges. By taking a step-by-step approach to creating a vulnerability disclosure policy, you can define and enforce disclosure rules tailored to your business’s needs with much less effort than you may imagine.

More information below on managing and building relationships with your vendors:

The insider’s guide to coordinated vulnerability disclosure

&

Watch below: How you can interact with vendors and suppliers  – headache free

The main purpose of vulnerability disclosure

Establishing an effective vulnerability disclosure policy starts with understanding what such a policy is supposed to do.

Vendor disclosure programs  have two main benefits:

Streamlined vulnerability reporting: A VDP defines who in your organization handles vulnerability reporting. This is important because many companies don’t know who the right person is to generate and distribute reports. Without a predefined reporting policy, you’re likely to end up with delays, or reports that never happen at all because no one knew who was supposed to create them.

Real-time reporting: Just as important, VDPs make it possible to react in real-time to vulnerabilities and breaches. As soon as you detect a security issue, you can report it to stakeholders or CISA, as required based on factors like which systems the incident impacts and how severe it is. The ability to disclose issues immediately and be fully transparent demonstrates a strong commitment to security on the part of your organization, which in turn helps your brand weather security events. Rapid disclosure may also be a compliance requirement for some businesses, as we’ve noted. But rapid disclosure means you need a complete view over your whole supply chain, not an easy task unless you have an automation tool to help with checking and reporting vulnerabilities.

Every VDP should be designed with these benefits in mind.

The six components of a vulnerability disclosure policy

To enable efficient, real-time vulnerability reporting, you should create a VDP in the form of a document that details six key facets of vulnerability disclosure.

1. Compliance policies

Your VDP should specify which compliance rules your business needs to meet, and which vulnerability disclosures those rules require.

The details in this section of the VDP will vary depending on your business and its compliance context. Not only do compliance requirements vary between geographies and industries, but businesses may also be exposed to different mandatory disclosure rules based on factors like the size of the business and the nature of a given breach. These are a few of the important policies you may come across ISO27001, NIST, ENISA, CMMC ISO, GDPR, HIPPA, CPPA (to name a few), and these need to be kept up-to-date with compliance rules changing every so often.

Whatever your specific requirements are, the goal of this section of your VDP should be to spell out the business’s disclosure responsibilities relative to its compliance mandates. 

2. Contractual obligations

In addition to compliance mandates, your business may be required by the contracts it signs with vendors, customers or partners to disclose vulnerabilities. Thus, one section of your VDP should address contractual vulnerability disclosure obligations.

Be sure to detail in this section not just when and to whom you have to disclose security issues, but also how the disclosures should be communicated. Typically, your agreements with other businesses will specify how communication is to be maintained in this context. By including this detail in your VDP, you ensure that you can find it easily, without having to piece through contracts.

3. Supply chain obligations

If vulnerabilities arise somewhere in your supply chain as opposed to your own systems, you may need to disclose those, too. Your VDP should include a section that spells out your obligations in this regard. It should also include information about how you maintain visibility into your supply chain and determine that a vulnerability has affected it.

4. Risk management and assessment

Every vulnerability is unique, and the ability to contextualize it based on its seriousness is critical for effective disclosure. Toward this end, define within your VDP how to calculate the overall security severity of each vulnerability, as well as how this security score impacts your disclosure procedures.

If you use risk assessment tools to automate the scoring process (as you should if you want it to take place in real-time and with minimal effort on the part of your team), include that information in the VDP, too.

5. Insurance coverage

In many cases, insurance can cover at least some losses incurred due to a security issue within your supply chain. For this reason, be sure that your VDP details which security insurance you have and how it applies to disclosures. 

6. Incident response plans

Disclosing vulnerabilities is one thing, mitigating is another.. Your VDP should include an overview of how your business responds to security incidents in order to ensure that they are remediated. In addition, if you’re required to keep stakeholders aware of progress toward remediation while an incident response is underway, spell out how you’ll do that within your VDP. 

Take a look at how Log4j, Kaseya and other recent supply chain attacks have caused damage

How vulnerability disclosure statements optimize security

With a comprehensive VDP statement, you ensure that you are prepared to react in a way that minimizes the incident’s impact on your business, your vendors, your partners, your customers, and your supply chain in general.

In turn, you can make informed decisions about the following:

  • When to keep doing business with vendors who introduced a vulnerability into your supply chain
  • How to work with vendors to keep their risk levels low – and, by extension, keep your supply chain secure
  • When to switch to different vendors to lower your risk
  • Communicate effectively both “upstream” (meaning with your vendors and suppliers) and “downstream” (with customers and partners) when a vulnerability arises, as the image below from FIRST.org, a global organization focused on security improvements, illustrates

You can’t prevent every vulnerability or security incident. But you can prepare ahead of time to react quickly and effectively in meeting your obligations to disclose security issues when they happen – whether they stem from a vulnerability within your own IT estate or a problem that originated with another business in your supply chain.

You can make the vulnerability disclosure process even more efficient, which automates supply chain security detection and reporting.

Learn More Findings – Optimizing Supply Chain Compliance

Why Cyber Insurance Won’t Save You When You’re In Need

Why cyber-insurance won't save you when you're in need | Findings | Supply chain automation

Cyber Insurance Is Great – Except When It’s Not

It would be great if cybersecurity insurance provided an affordable, reliable means of protecting your business from the innumerable cyber threats it faces today.

Unfortunately, it doesn’t. While cyber insurance has its purposes and can be a good investment, it’s hardly a panacea when defending against cybersecurity risks. It’s a type of product that has hit a “plateau,” as Harvard Business Review puts it because cyber insurance has not evolved quickly enough to meet modern security threats.

That’s why, for example, cyber insurance won’t reliably protect you against supply chain security attacks. Even if you find a policy that does address supply chain threats, actually claiming your insurance benefit may take so long that the insurance doesn’t end up doing your business much good following a significant breach.

Please keep reading for an overview of the advantages and drawbacks of cyber insurance and tips on when it does and doesn’t make sense to rely on cyber insurance alone.

 

Here’s the top reasons why CMMC will be good for your business

 

What Does Cyber Insurance Cover?

Cyber insurance was introduced in the 1990s and was hailed to protect against IT-related risks that are typically not covered by other types of business insurance. The original intent was to give companies a means of protecting against the financial fallout resulting from data breaches and disruptions to critical IT systems.

Several insurance companies offer cyber insurance today, including Hiscox, The Hartford, CNA, and Nationwide.

 

5 Potential Disadvantages of Cyber Insurance

On the surface, cyber insurance probably sounds like a simple way to make sure a cyber attack doesn’t render your business bankrupt. In reality, though, cyber insurance isn’t necessarily so rosy. There are a number of potential pitfalls or drawbacks to purchasing cyber insurance.

 

1. High Costs

The first is the simple cost of cyber insurance. Although cyber insurance premiums were relatively affordable in the past, they have surged in cost in recent years, as this graph of policy costs shows:

Cyber premiums

Source: https://blog.alta.org/2021/09/cyber-coverage-premiums-increase-25-survey-shows.html

Thus, the cost of cyber insurance may be too high for many businesses today.

 

2. Management Challenges

Cyber insurance is not a set-it-and-forget-it affair. You have to manage your coverage actively by ensuring that your policy is kept up-to-date as your risks change – which they typically will, because you’ll roll out new systems or collect new types of data, for example, your original policy may not have covered that.

Most cyber insurance policies also place strict requirements on the insured to keep detailed records, secure their systems, and manage risks. If you fail to demonstrate that you took the steps required to protect your business against a breach, an insurer may deny your claim.

This isn’t to say that managing cyber insurance is infeasible. But it is to say that businesses shouldn’t underestimate how much effort goes into it.

 

3. Coverage Limitations

It’s easy to fall into the trap of assuming that as long as you’ve purchased cyber insurance, you’re covered against any and all cyber-related risks.

The truth, unfortunately, is that cyber insurance policies will always have exclusions or limitations regarding what they cover. “Insurers are demanding great security and are cutting back the amounts of cover they are willing to offer,” ZDNet reports. If you don’t read your policy disclosures very carefully, you may find that a breach you thought was covered is not.

Also, remember that merely interpreting coverage rules can be complicated – so complex that you may need to go to court to prove you are entitled to coverage. That’s what Merck had to do in a recent claim involving $1.4 billion in losses following a cyberattack. Merck, whose insurer said the claim was excluded from its cyber insurance policy because it was an act of war instead of a standard cyberattack, prevailed in that case.

But for smaller companies, in particular, this should be a warning: Going to court to defend your cyber insurance entitlements can be costly and time-consuming. Even if you have a legitimate claim, you may never get a payout if your insurer contests it and you lack the resources to defend it.

 

4. Claiming Insurance Takes Time

Even if you don’t have to go to court to get your insurer to payout, there’s no guarantee that cyber insurance will result in immediate financial assistance following a breach. The claims process could take months or even years, especially if it requires collecting detailed information about the source of a breach to determine whether the breach is covered.

If a cyber event causes significant financial disruption, then your business may not be able to survive it if the insurance claim process takes too long.

 

5. The Supply Chain is Not Insured.

In general, cyber insurance covers risks that affect your IT resources directly. Software supply chain threats originate in third-party systems and are not usually covered.

This is especially bad news given that advanced supply chain attacks are projected to increase by about 650 percent in the coming years. It means that investing in cyber insurance is not reliable for protecting against supply chain risks. For that, you need different tools – like a software supply chain risk assessment and disclosure platform.

 

Here is your supply chain security crisis management plan

 

The Future of Cyber Insurance

Cyber insurance may well evolve to close the gaps described above in the future. We may see a reduction in costs, for example, or the creation of new policies that specifically address supply chain risks. Indeed, the U.S. Government Accountability Office has found that more insurers are creating dedicated cyber insurance policies, which could lead to more comprehensive coverage down the line.

Even if that happens, though, it’s impossible to guarantee that any cyber insurance product will fully protect your business against all threats. That’s why it’s critical to invest in other tools that help you detect and respond to risks. The security blanket of a cyber insurance policy doesn’t suffice to keep your business safe.

We agree, by all means, to invest in cyber insurance if it makes sense for your business. But don’t blindly entrust your company’s financial health to insurance alone.

Instead, invest as well in solutions like Findings, which automates cyber risk assessment and management – including not just within your business’s environment but across your supply chain. 

 

Request a demo

3 Predictions about CMMC 2.0’s Impact on Compliance Operations in 2022

3 Predictions about CMMC 2.0’s Impact on Compliance Operations in 2022

Most compliance frameworks change from time to time. But it’s sporadic to see the exceptional level of change that the Cybersecurity Model Maturity Certification, or CMMC, is currently undergoing. In a bid to make CMMC compliance more straightforward and affordable – and, by extension, help smaller businesses sign contracts with the U.S. Department of Defense, which requires CMMC compliance from its vendors – the U.S. federal government has revamped or rewritten critical components of the CMMC. The updated version is known as CMMC 2.0.

But, if you follow compliance news, you probably already know that the CMMC is evolving. You may not yet know what the CMMC changes mean for the typical business.

To provide some insight into that topic, here’s a look at the top three changes likely to result from the CMMC overhaul. Changes have already started to take effect over 2021 and will continue throughout 2022 for many businesses as they adapt to the brave new world of CMMC 2.0.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Prediction 1: Increased CMMC compliance self-assessments

One of the most meaningful updates the government has made to CMMC is allowing self-attestation of compliance. Previously, businesses hired outside auditors to attest to their CMMC compliance.

Couple that change with the fact that the CMMC 2.0 has only three compliance steps instead of five, and it would seem very likely that we’ll see more and more businesses performing CMMC self-assessments in 2022 and beyond. Instead of hiring outside auditors and consultants, companies will take the more cost-effective self-assessment approach.

This change will also likely translate into a more significant number of SMBs becoming CMMC-compliant. In the days of CMMC 1.0, when compliance assessments cost a lot more, it was harder for smaller businesses to gain compliance attestation.

It’s essential to keep in mind that not every business can self-attest, of course. According to the DoD, only about 140,000 of the 220,000 total companies in the defense industrial base hold “federal contract-related data,” which entitles them to self-assessments. The rest will have to use the traditional, more costly assessment approach to get a higher level of assessment.

There are specific procedures to follow, including having a senior company official attest to your compliance and submitting the attestation to the Supplier Performance Risk System (SPRS). Keep in mind, too, that even if you self-assess, you can’t simply file a report and call your business CMMC-compliant. Still, the process is cheaper and easier than relying on outside consultants.

Prediction 2: More CMMC compliance transparency

More self-assessments will likely also contribute to a tendency among companies to embrace the principle of transparency when it comes to CMMC compliance. That’s because disclosing security vulnerabilities is an essential step toward making self-attestations credible.

As a result, expect transparency to become the rule, not the exception, for companies pursuing CMMC compliance. In particular, more businesses are likely to establish vulnerability disclosure programs to communicate clearly about security issues.

This will mark a significant shift from the present. Traditionally, companies have tended to be tight-lipped about vulnerabilities. They had only disclosed them when they were legally required to do so. But in the future, adopting a transparency approach to security and openness will help businesses establish their credibility and good-faith commitment to the CMMC – and, by extension, it will help position them to win government contracts.

Prediction 3: CMMC compliance will demand-supply chain security automation

While VDPs are one step toward transparency and self-assessing your CMMC compliance, another critical practice is automating software supply chain security. Given the sharp uptick in software supply chain security risks, that’s especially true.

Supply chain security automation tools make it fast and accessible to identify security risks within the supply chain and document and disclose them based on compliance requirements. Instead of manually tracking and disclosing risks, as they do today, businesses seeking CMMC compliance are likely to embrace supply chain security automation.

SMBs, in particular, are poised to take more significant advantage of supply chain security automation tooling, which will help them decrease compliance costs and complexity. (This is another reason, by the way, why the updated CMMC framework is likely to result in more involvement by SMBs in the CMMC space.)

Crystal balls

These are our predictions about how CMMC 2.0 will change the way businesses approach CMMC compliance. But since we here at Findings have built a world-class supply chain security and compliance automation platform, we’d like to think we have a pretty well-informed perspective on this topic.

We’d also like to think that, as more and more businesses seek solutions for automating CMMC compliance, they’ll turn to Findings. Findings offer the automated assessments, best practice recommendations, and reporting features businesses to need to self-assess and simplify compliance operations. In turn, it reduces the number of questions you need to answer during compliance processes from hundreds to just a few.

Ultimately, Findings places compliance with frameworks like CMMC within reach of every business, not just those with teams of compliance experts and expensive compliance consultants.

Learn more by signing up for a free trial

The Top 20 Cybersecurity and Supply Chain Conferences of 2022

The-Top-20-Cybersecurity-and-Supply-Chain-Conferences-of-2022

As the supply chain security and cybersecurity landscape evolve, the industry becomes increasingly savvy about protecting digital assets. This year brings a slew of events dedicated to managing and enhancing cybersecurity knowledge and awareness. Some events will take place in person, while others will be virtual, making it possible for anyone to participate. We love this new reality!  

These conferences will not be missed, so open your calendar app and plan accordingly!

Cybertech Global TLV

March 1 – 3, 2022

Tel Aviv, Israel 

Cybertech features a diverse array of speakers from dozens of countries worldwide who are leaders in the cyber industry. Top executives, government officials, and leading decision-makers in the field will give the talks and lectures at the event. Cybertech includes conference sessions, special events by invitation, and a grand exhibition allowing attendees to meet and mingle with one another.  

Speakers include known industry personalities from Israel, the US, and Europe, including Amir Sage, Cyber Coordinator of the Cyber Security Department in Israel’s Ministry of Foreign Affairs; Merav Kenan, CEO of the Israeli High-Tech Association; Umino Atsushi, Director of the Office of the Director-General for Cybersecurity, MIC, Japan; and Janne Kankanen, CEO of the National Emergency Supply Agency of Finland. 

Pharma Supply Chain & Security World 2022

Corvus Global Events

March 15 – 16, 2022

Online

Counterfeit drugs are an ongoing problem for pharmaceutical companies that enter the supply chain at several points. This virtual event focuses on optimizing supply chain challenges in the pharmaceutical supply industry. In this online conference, participants will learn to create value across the supply chain by streamlining and designing an optimal supply chain network. 

Innovations like IoT, AI, ML, and blockchain will be explored for their applications in transforming the pharmaceutical supply chain. 

Among the speakers at the Pharma conference is Emre Gollu, Supply Chain Associate Director at UCB, and Himanshu Agrawal, Director – Global Process Owner & Innovation Lead, Supply Chain Logistics at GSK. 

Women in Cybersecurity

March 17 – 19

Cleveland, Ohio

The three-day WiCyS conference is the flagship event of Women in Cybersecurity. This organization has been around for a decade and is dedicated to advancing the role of women in the field of cybersecurity. The conference brings together veterans and newcomers to the industry from all walks of life and offers resume review and career mentoring opportunities. 

This event is focused on opportunities for women but is open to all genders. 

A slew of workshops, presentations, panel discussions, and more will feature speakers such as Sarba Roy, Product Security Engineer at Intel, and Natalie Pittore, Chief of Enduring Security Frameworks at the NSA. 

CISO Sydney

March 22 – 23, 2022

Sydney, Australia

Managing digital assets and services risks for supply chain security will major this year’s CISO Sydney event. At this event, Australia’s leading experts in information security will share their insights into improving cybersecurity culture and awareness. CISO Sydney encourages participants to “Be inspired, collaborate, disrupt.” 

The featured keynote speaker is the Honorable Karen Andrews, MP Minister for Home Affairs of the Australian government. 

She will discuss the government’s plans to protect the country, communities, and industries against cyberattacks. CISO Sydney promises to be a lively, social gathering exploring how Australian organizations approach cybersecurity from a holistic perspective. 

Cybertech Miami

(This conference was postponed)

Miami, Florida

This year’s Cybertech family of conferences will include an inaugural event in Miami. The summit will gather cyber leaders from the United States and Latin America to discuss challenges and solutions in cybersecurity today.

Some of the themes will include the role of media organizations in cybersecurity, cyber influence on intelligence-gathering, and the impact of 5G technology on cybersecurity. The full lineup of speakers at Cybertech Miami is yet to be announced, but seeing as this event is part of the Cybertech Global family, it promises to be an exciting, dynamic conference. 

The Official Cyber Security Summit

March 25, 2022

Atlanta, GA and online

This 7th annual daylong conference is jam-packed and focuses on educating attendees about protecting vulnerable business applications and critical infrastructure. It offers attendees the opportunity to meet some of the leading solution providers in the United States and discover products and services bringing innovation to enterprise cyber security. 

The sessions, presentations, and panel discussions feature some top cybersecurity experts today. Admission includes meals and networking opportunities, and a virtual live-stream option is available. 

Chad Hunt, Supervisor of the FBI’s Computer Intrusion Squad, will be a keynote speaker at the summit. Those looking to get a head start can already access the summit’s online Security Content Sharing portal to learn about protecting businesses from cyber attacks. 

GFMI’s 14th Edition Third-Party Vendor Risk Management for Financial Institutions

April 11 – 13, 2022

New York, NY

The Global Financial Markets Institute’s 14th edition event will offer third-party risk professionals innovative perspectives on supply chain resilience and provide new insights into managing third-party risk. 

Taking place in the heart of the world’s financial center, speakers at this event include some of the foremost experts in cybersecurity and risk management from the big banks. 

Key sessions include Scotiabank’s talk on boosting supply chain resilience and MUFG Union Bank’s session on identifying concentration risk. Among the notable speakers are Donald Saxinger, Chief of IT Supervision at FDIC, and Dolly Singh, Managing Director, Global Head of Corporate Third Party Oversight at JP Morgan. 

Supply Chain Meetup

April 26 – 28, 2022

Online

Focused on the retail supply chain’s current state and evolution, Supply Chain Meetup is a virtual gathering that provides collaboration, networking, learning, and career development opportunities. The online event will bring together hundreds of experts from across the retail supply chain. The full lineup will be announced in the coming weeks.  

Cybersecurity and Privacy Professionals Conference 

May 3 – 5, 2022

Baltimore, MD

This event allows attendees to discuss trends and issues in information security and privacy with their peers and hear from some of the leading solution providers in the field. 

The theme of this year’s conference is The Future is Ours to Shape: Developing Staff and Operations for Tomorrow’s Cybersecurity and Privacy. Cybersecurity and privacy professionals were invited to submit their proposals for this grassroots educational event, including information-sharing, networking, and collaboration.

Cybertech Asia

(Postponed: Cybertech Asia has been postponed till May 2023 )

Sands Expo, Singapore

Cybertech Asia will take place in Singapore next summer. The event will be being held in partnership with Milipol, Asia-Pacific’s leading international homeland security international event. The conference will feature a range of sessions and special events on cybersecurity. The entire speaker schedule is yet to be announced, but interested parties can already get involved through an online portal that can be used for networking with other conference-goers. 

Cybertech Asia serves as a dialogue on threats and solutions that impact the global community. Topics covered at the conference include finance, mobile, health, mobility, insurance, and more. 

RSA San Francisco 

June 6 – 9, 2022

San Francisco

At the four-day RSA Conference, cybersecurity professionals come together to discuss perspectives and challenges and network with one another. The event features an Expo in which attendees will find products and solutions and a digital-only option for those unable to attend the conference in person. 

Some of the notable speakers include Dr. Christopher Pierson, Founder and CEO of BlackCloak. Tim Weston, Cybersecurity Coordinator at the DHS/TSA, and Alyssa Miller, Business Information Security Officer at S&P Global Ratings. 

Gartner Security and Risk Management Summit 

June 7 – 10, 2022

National Harbor, MD

The Gartner Management Summit is aimed at chief information security officers and leaders in cybersecurity and risk management. It will feature keynote speakers from leading IT security personalities alongside experts from Gartner’s team of unbiased analysts. The conference will focus on establishing an agile security program, fostering a human-centric security culture, and devolving risk ownership. 

Participants will choose to attend sessions from among eleven unique tracks, such as Cyberthreat: Mitigation, Preparedness, Exposure Management; Infrastructure Security; Midsize Enterprise; Identity and Access Management, and several others. 

Cybertech Global UAE – Dubai

June 13 – 14, 2022

Dubai, United Arab Emirates

Cybertech Dubai will focus on timely topics in cybersecurity with industry experts and government officials worldwide. Cybertech Dubai features a diverse range of speakers in the global hub that connects Europe, Africa, and the Far East. 

The sessions and special events will focus on AI, Advanced IoT, big data, cloud, blockchain, and more. Leaders will deliver talks in government and enterprise from throughout the US, Europe, the Middle East, and Asia. 

Total Security Conference Hong Kong

July 7, 2022 

Hong Kong

CISOs, heads of IT, heads of security, and regulators face a rapidly-changing climate filled with new vulnerabilities. As cyberattacks become more sophisticated and remote work becomes the norm, security and risk mitigation priorities evolve. The 8th annual Total Security Conference focuses on ensuring a seamless transition to virtualization through efficiently securing data, endpoints, and operational touchpoints. This conference features information sessions, meetings, and networking to allow corporate, public, and government agencies to enhance their approach to cybersecurity. 

The lineup of speakers is not yet finalized; stay tuned…

CSO50 Conference and Awards

September 2022 

Location to be announced

The CSO50 Conference and Awards feature risk strategies for rising threats. It will showcase innovation to protect and defend risk leadership and innovation to preserve and defend risk leadership and innovation. 

Top leaders in risk management and cybersecurity will be awarded at the conference and present talks on recent developments in the industry. 

Some of the speakers slated to present at this conference include Keith Slotter, VP Corporate Security at JetBlue Airways; Nicole Ford, VP & CISO at Carrier; and Jessica Bair, Director of the Cisco Secure Technical Alliance at Cisco. 

National Cyber Summit

September 21 – 22

Huntsville, Alabama

NCS2022 is billed as the nation’s most innovative cybersecurity-technology event. It offers educational, collaborative, and workforce development opportunities for industry visionaries and rising leaders in the field. 

The summit will bring together leaders of both enterprise and government organizations to discuss digital forensics, supply chain cybersecurity research, data mining, and the societal impacts and ethics of cybersecurity. Several tracks of the conference will run concurrently, and the list of speakers includes Chris Cleary, Principal Cyber Advisor of the US Navy; Brian Turner, Executive Assistant Director of the Criminal, Cyber, Response, and Services Branch of the FBI; and Merritt Baer, Principal Security Architect at Amazon Web Services.  

InfoSec World

September 26 – 29, 2022

Coronado Springs, Lake Buena Vista, Florida

One of the longest-running events of its kind, InfoSec World is in its 28th year and offers some of the industry’s premier education and networking opportunities. This year’s conference includes summits and workshops on supply chain security, ransomware, threat testing, cryptocurrency, cloud security, and more. Each of these topics will be expanded upon at the conference, such as the cloud security summit and supply chain workshop, taking place on the event’s final day. 

Speakers are yet to be finalized, and the world’s leading companies have been presenters at previous InfoSec conferences. InfoSec World provides attendees with the tools and information they need to stay at the forefront of today’s cybersecurity challenges.

International Cyber Expo

September 27 – 28, 2022

London, England

The International Cyber Expo unites government, industry, and academia at a series of roundtable discussions, pavilions, exhibitions, demonstrations, and a summit. All focused on the primary issues facing cybersecurity professionals today. The expo will also showcase the latest products, technologies, and services from over 350 leading industry suppliers. Attendees will include leaders in cyber policy, government, CISOs, export leaders, and other C-suite professionals coming together to discuss protecting and securing high-level networks.

Cyber Security World Asia 

October 12 – 13, 2022

Marina Bay Sands, Singapore

This event brings together industry leaders from some of the top cybersecurity companies throughout Asia and the world. Cyber Security World is suitable for security professionals in dozens of roles who share a common desire to invest in cybersecurity and defend their businesses from cyber threats. 

This year’s lineup is still being finalized, but past exhibitors include the world’s leading cyber security suppliers and the latest technologies and solutions. An exciting rapid-fire pitch showcase will feature at the conference, allowing companies to pitch their products and solutions to potential investors, partners, and customers. 

Insider Threat Summit

3 November 2022

Monterey, California

The Insider Threat Summit unites government agencies with private enterprises to discuss the problem of insider threats. This year’s conference will focus on vulnerabilities about cybersecurity challenges. Topics will include risk analysis and continuous evaluation or monitoring, AI and machine learning, economic espionage, counterintelligence, threat monitoring, and more. 

There you have it – our picks for the top 20 cybersecurity and supply chain security events of 2022. Whether you plan to attend in person or join some of these events virtually from the comfort of your own home, you’re sure to gain valuable insights into the latest cybersecurity developments. 

Waiting for that next conference and eager to learn more about automating your supply chain security? Request a demo

Prioritizing Third-Party Assessments by leveraging Inherent Risk

Prioritizing-Third-Party-Assessments-by-leveraging-Inherent-Risk

In third-party risk management, inherent risk is defined as the level of risk on your organization.

Therefore, the inherent risk represents the natural level of risk that your organization will incur by working with a particular vendor (without managing that risk and/or mitigating security gaps).

Why is Inherent Risk so Important?

As a work tool, inherent risk enables the security team to map the organization’s critical vendors. Subsequently, the organization can prioritize the third-party assessment process.

Here is a quick example:

Let’s assess two vendors: Vendor A and Vendor B.

Vendor A offers on-premises software development services with an inherent risk score of 80. The score is calculated by:
The risk from potential data leakage from unsecured development methods;
Exposure to the company’s business information and procedures; and
Exposure to employee personal identifiable information (PII).

Conversely, Vendor B offers a cloud-based Security as a Software (SAAS) product with an inherent risk score of 86. The score is calculated by:
An additional, potential uncontrolled attacking vector;
The cloud service provider and the vendor’s implemented security controls; and
The service availability risk.

By mapping all of the potential ‘known’ risk factors, the security team can prioritize an assessment audit for Vendor B because Vendor B’s inherent risk score is higher than Vendor A’s. 

Inherent Risk vs. Residual Risk

The difference between inherent risk and residual risk is that inherent risk represents the risk score before the organization takes any action to mitigate the risk. (The residual risk, therefore, represents the risk remaining after the vendor replied to a security/regulatory assessment request, and all the gaps have been mitigated.)

More significantly, residual risk is the risk an organization is willing to take after all considerations have been accounted for.

How to Create an Inherent Risk Score Methodology?

To calculate the inherent risk for a vendor, the organization’s security team needs to consider all the aspects of the organization that the vendor’s proposed service can compromise.

A handful of examples are as follows:

  1. Technology – In case of downtime, how the technology will affect your service.
  2. Compliance – Appreciating the vendor’s compliance with the relevant regulations and how it processes their data.
  3. Legal – Exposure to lawsuits and fines.
  4. Privacy – The risk from handling, managing, and/or processing PII by third-party vendors.
  5. Business Continuity Plan (BCP) – Continuity, availability, and integrity are the three key factors of risk that an organization will be exposed to whenever they work with a vendor.

To create an effective inherent risk methodology, you must consider:
a. The impact of the vendor’s service on your business; and
b. The probability (or, rather, the likelihood) that their service will become an issue to your organization.

Ultimately, during the procurement or ongoing process, you need to ask (either yourself or the relevant personnel in the organization) a set of questions. The answers to those answers will enable you to produce a risk score that provides you/your organization with a clear understanding of the threat your organization faces due to working with a particular vendor.

How to Implement a Successful Onboarding Process for a Vendor?

A security assessment process is a lengthy one, mainly if the assessment is done manually over an excel spreadsheet.

Generally speaking, the process for many organizations contains:

  1. A new vendor starts the procurement process;
  2. The procurement officer approaches the security team;
  3. The security team return to the procurement officer with the inherent risk (vendor profiling) questions;
  4. The procurement officer sends the assessment to the vendor by email in an excel spreadsheet.
  5. The vendor answers the questions in the excel spreadsheet (or ignores them).
  6. A final decision is made.

The described process may take between three to four months to complete, and this does not even take into consideration:

a. The gaps that may have been found during this process (the residual risk);
b. The reduction plan that the vendor needs to respond to; and 
c. The high risk the organization may face is because of the time that passes from starting to work with the vendor to the mitigation of the gaps.

Furthermore, the security team faces significant problems managing the risks from all the other third parties working with the organization by conducting a manual process. 

Neglecting the “Longtail” Vendors

Due to the effort, time, human resources, and cost of maintaining the onboarding mentioned above process for all the organization’s third-party vendors, organizations tend to focus on 15%-20% of their most critical vendors. Consequently, organizations tend to neglect their “longtail” vendors, i.e., small, low- to medium-risk vendors.

At Findings, we conducted an internal study that found organizations at an astonishing 30% exposure to significant market vulnerabilities (SolarWinds, Kasya, etc…) due to their neglect of their “longtail” vendors.

Since the COVID-19 pandemic started, it has become routine for nefarious players online to exploit the vulnerabilities of third-party vendors to attack an organization. An organization can’t “hope for the best” anymore. The security team must scale the process to the entire supply chain.

How to Streamline the Procurement/Security Process? 

To set, manage, and scale an efficient third-party assessment process that will enable all parties to have a continuous, hands-on capability, the organization must streamline the process using automation tools.

By implementing an automation tool, you need to look for a service that supports the process end-to-end, one that gives you the flexibility to make changes and adjustments when necessary.

Findings’ Approach to Inherent Risk

  1. Streamline the internal process between departments to evaluate the inherent risk for every vendor rapidly;
  2. Provide a pre-defined inherent risk model; and
  3. Customize your own inherent risk.

How Can You streamline the Internal Process between Departments to Evaluate a Vendor’s Inherent Risk?

Findings have replaced internal back and forth communication by emails during the onboarding process of a potential new vendor or as an ongoing requirement by regulations. Instead, we used the questions found in the excel spreadsheet (the “questionnaire”) and wrapped them into a process that we call “BO” (Business Owner). In other words, our platform enables an internal resource to open a new vendor audit request to the security team.

Additionally, the process is designed to automatically produce an inherent risk score, so the security team only needs to open the new request, see the score, and prioritize accordingly.

Lastly, every member of the process is always notified whenever there is a change in the vendor’s status during the process.

 

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today

Let's Tackle Compliance Together

Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!