Cybersecurity and Third-Party Risk. Gregory C. Rasner

software provider to SEI Investments, was breached, affecting customers at dozens of investment banks.

       Bank of America (2020): Caused by an unnamed third‐party merchant, Paycheck Protection Plan (PPP) application business details, including Social Security numbers (SSNs), emails, addresses, and more, were released.

       Citrix (2020): An undisclosed vendor exposed Citrix's customer data, which then appeared on the Dark Web.

       Marriott (2020): A Russian franchise operator was the reason for the second breach at this hotel chain in just two years. This time over 5 million records were compromised.

       T‐Mobile (2020): An email vendor's breach was the reason that thousands of customer names, addresses, phone numbers, emails, rate plans, and more were exposed. This is the second public breach for T‐Mobile, with the last one occurring in 2015.

       Radio.com (2020): Its cloud‐hosting provider misconfigured their instance, which resulted in its customers' PII being made public.

       Chubb (2020): A third‐party service provider released internal sensitive data about Chubb.

       General Electric (2020): Canon, which was used by GE for business processes, was breached, resulting in information on past and current GE employees and sensitive data being released.

       Amazon, eBay, Shopify, Stripe, PayPal (2020): A third‐party application breach was the reason for the release of over 8 million records on sales information, customer names, emails, mailing addresses, and credit card information including the last four digits of account numbers.

       SpaceX, Tesla, Boeing, Lockheed Martin (2020): Viser, a parts manufacturer, released partial schematics for a missile antenna and other restricted internal data.

       Carson City (2020): Click2Gov caused the release of residents' names, addresses, email, debit/credit cards, card security codes (CVV), and bank account and routing numbers.

       Idaho Central Credit Union (2020): A mortgage portal provider was hacked, releasing customer banking information.

       Nedbank (2020): Nearly 2 million customer PII records were released by Computer Facilities (Pty) Ltd., a marketing and promotional firm.

       Mitsubishi (2020): A large amount of internal restricted data was exfiltrated via an undisclosed vendor in China.

       P&N Bank (2020): A third‐party customer relationship manager (CRM) hosting company caused the loss of nearly 100,000 customer records.

       Ubiquiti Inc (2021): This maker of Internet of Things devices lost an undisclosed amount of customer names, email addresses, passwords, addresses, and phone numbers due to a third‐party cloud provider.

       Bonobos (2021): This men's clothing retailer had the data of over 7 million customers (addresses, phone numbers, account info, partial credit card information) stolen from its cloud data provider.

       US Cellular (2021): The fourth largest wireless carrier in the U.S. exposed the private data of almost 5 million customers from its CRM software.

      Third‐Party Risk Management

      Other risk domains exist in TPRM: strategic, reputation, operational, transaction, and compliance domains. Why is the focus in this book on the cybersecurity domain exclusively? That is where the money is. While there are financial and reputational risks in the other domains, none of them presents the level of risk to a firm that information security does. As described previously, there are a number of breaches that can be directly attributed to a cybersecurity breach at a vendor. It is not that these other domains aren't important, but none of them has the impact, financially or reputationally, that a cybersecurity risk poses to a firm. Perform an internet search on the other domains, and you will struggle to find results. A similar search on cybersecurity breaches produces more results than one can list on a single page. As in any organization with more than one domain, if one of those domains presents a higher risk for practitioners, and the evidence shows that Information Security does, then that domain needs more research, resources, and results.

      While the fines and publicity for failure to follow TPRM guidelines are not as large, there are instances of regulators acting:

       In 2020, the OCC assessed an $85 million civil money penalty against USAA for failure to implement and maintain effective risk management compliance.

       In 2020, the OCC assessed a $60 million civil money penalty against Morgan Stanley for not properly decommissioning some Wealth Management business data centers.

       In