Gregory C. Rasner - Cybersecurity and Third-Party Risk


Cybersecurity and Third-Party Risk: summary and description


STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN. Across the world, the networks of hundreds of world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. Advanced threats now exploit the intersection of weaknesses in cybersecurity and third-party risk management.
In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities that third parties introduce into an organization's network. You'll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation.
The author discusses how to conduct due diligence on the third parties connected to your company's networks and how to keep your information about them current and reliable. You'll learn about the language you need to look for in a third-party data contract, whether you're offshoring or outsourcing data security arrangements.
Perfect for professionals and executives responsible for securing their organizations' systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:
Understand the fundamentals of third-party risk management
Conduct robust intake and ongoing due diligence
Perform on-site due diligence and close vendor risks
Secure your software supply chain
Utilize cloud and on-premises software securely
Continuously monitor your third-party vendors and prevent breaches

Cybersecurity and Third-Party Risk: excerpt


Insurance companies in Texas and Colorado (2020): Insurance carriers were impacted by a breach at Vertafore, which provides software to insurance companies.

First Federal Community Bank, Bank of Swainsboro, First Bank & Trust, Rio Bank (2020): ABS, a bank software provider, exposed the PII of the banks' customers.

Hotels.com and Expedia (2020): Channel manager vendor Prestige Software was breached, exposing names, credit card information, and reservation details.

Australian Securities Exchange (2020): An undisclosed amount of protected data was exfiltrated from the media-monitoring vendor Isentia.

Google (2020): The law firm Fragomen, Del Rey, Bernsen & Loewy exposed information that Google used for the I-9 process (i.e., proof of eligibility to work in the United States).

City of Odessa (2020): Click2Gov, a frequently breached vendor, leaked details on how Odessa residents paid their utility bills.

Tribune Media and Times Media Group (2020): Marketing company View Media was breached, exposing information on 38 million U.S. residents.

Buffalo, NY, area hospitals; FeedMore; and Phipps Conservatory (2020): A breach at Blackbaud, a data management vendor, exposed names, medical service numbers, dates of patient services, and donor lists.

Rochester YMCA (2020): An undisclosed software vendor was breached, exposing the names, addresses, and gift history of donors.

SEI Investments (2020): MJ Brunner, a third‐party software provider to SEI Investments, was breached, affecting customers at dozens of investment banks.

Bank of America (2020): Through an unnamed third-party merchant, Paycheck Protection Program (PPP) application business details, including Social Security numbers (SSNs), emails, addresses, and more, were exposed.

Citrix (2020): A breach at an undisclosed vendor exposed Citrix's customer data, which was posted on the Dark Web.

Marriott (2020): A Russian franchise operator was the cause of the second breach at this hotel chain in just two years. This time over 5 million records were compromised.

T-Mobile (2020): A breach at an email vendor exposed thousands of customer names, addresses, phone numbers, emails, rate plans, and more. This was not T-Mobile's first public breach; an earlier one occurred in 2015.

Radio.com (2020): Its cloud-hosting provider misconfigured the instance, which resulted in customers' PII being made public.

Chubb (2020): A third-party service provider exposed sensitive internal data about Chubb.

General Electric (2020): Canon, which GE used for business processes, was breached, exposing information on past and current GE employees along with other sensitive data.

Amazon, eBay, Shopify, Stripe, PayPal (2020): A breach of a third-party application exposed over 8 million records containing sales information, customer names, emails, mailing addresses, and credit card information including the last four digits of account numbers.

SpaceX, Tesla, Boeing, Lockheed Martin (2020): Visser Precision, a parts manufacturer, exposed partial schematics for a missile antenna and other restricted internal data.

Carson City (2020): Click2Gov caused the exposure of residents' names, addresses, emails, debit/credit cards, card security codes (CVV), and bank account and routing numbers.

Idaho Central Credit Union (2020): A mortgage portal provider was hacked, exposing customer banking information.

Nedbank (2020): Nearly 2 million customer PII records were exposed through Computer Facilities (Pty) Ltd., a marketing and promotional firm.

Mitsubishi (2020): A large amount of internal restricted data was exfiltrated via an undisclosed vendor in China.

P&N Bank (2020): A third‐party customer relationship manager (CRM) hosting company caused the loss of nearly 100,000 customer records.

Ubiquiti Inc (2021): This maker of Internet of Things devices lost an undisclosed number of customer names, email addresses, passwords, addresses, and phone numbers due to a breach involving a third-party cloud provider.

Bonobos (2021): This men's clothing retailer had the data of over 7 million customers (addresses, phone numbers, account information, partial credit card information) stolen from its cloud data provider.

US Cellular (2021): The fourth largest wireless carrier in the U.S. exposed the private data of almost 5 million customers from its CRM software.

According to a Ponemon Institute survey in 2019, 60 percent of the companies surveyed admitted to not performing adequate cybersecurity vetting of their third parties. Thirty-three percent replied that they had no cybersecurity vetting process or only an ad hoc one. Fifty-nine percent admitted to having been affected by a third-party breach in the previous year. In that same survey, the companies reported sharing their data with, and requiring protection from, an average of 588 third parties. Taken together, these numbers mean that over half the companies admitted to not performing cybersecurity due diligence on nearly 600 third parties each. Note that these statistics are from before the COVID-19 pandemic. After the pandemic began, reported cyberattacks increased by over 800 percent, according to the FBI as of May 2020. Prior to the pandemic, the problem was already pronounced, with the breaches listed above including Capital One, Home Depot, and others. The lack of due diligence and of programs to review the cybersecurity of third parties at so many firms then led to an explosion of breaches. And because everyone is someone else's third party (i.e., every company is selling to someone and using vendors to assist in that effort), the problem was magnified to a boiling point.

Third‐Party Risk Management

Third-Party Risk Management (TPRM) as a discipline is not very old. In the financial sector, it was not mandated by the Office of the Comptroller of the Currency (OCC) until 2013, when the OCC required all banks to manage the risk of all their third parties. OCC Bulletin 2013-29 defined "third party" as any entity a company does business with, including vendors, suppliers, partners, affiliates, brokers, manufacturers, and agents. Third parties can include upstream (i.e., vendors), downstream (i.e., resellers), and non-contractual parties. Other regulated sectors have seen similar requirements, often indirectly via privacy regulations. For example, the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) require many companies subject to them to perform due diligence on vendors who have access to their customer data. This may not lead to a full-blown risk management division or group, but someone will be required to perform oversight in an organized process, lest the company be subjected to the substantial financial penalties both regulations provide for.

Other risk domains exist in TPRM: strategic, reputation, operational, transaction, and compliance. Why does this book focus exclusively on the cybersecurity domain? That is where the money is. While there are financial and reputational risks in the other domains, none of them presents a level of risk to a firm comparable to information security risk. As described previously, there are a number of breaches that can be directly attributed to a cybersecurity breach at a vendor. It is not that the other domains aren't important, but none of them has the impact, financially or reputationally, that a cybersecurity risk poses to a firm. Perform an internet search on the other domains, and you will struggle to find results. A similar search on cybersecurity breaches produces more results than one can list on a single page. As in any organization with more than one domain, if one of those domains presents a higher risk for practitioners, and the evidence shows that information security does, then that domain needs more research, resources, and results.

