Are ransomware events considered in your Operational Resilience Plans for third party service providers?
The Federal Bureau of Investigation (FBI), Cybersecurity & Infrastructure Security Agency (CISA), and the U.S. Department of the Treasury have released a joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware. They believe North Korean state-sponsored cyber actors have used Maui ransomware since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
Maui ransomware utilizes a hybrid encryption approach to render its victim's files useless. Maui is designed for manual execution by the threat actor, allowing its operators to specify which files to encrypt and target the most important assets on a network.
The updated CSA highly discourages paying ransoms as it does not guarantee files will be recovered and may pose sanctions risks. The CSA encourages entities to adopt and improve cybersecurity practices and report ransomware attacks to law enforcement.
To ensure appropriate oversight activities, we've identified five key steps to incorporate into your risk management plans:
- Exit & Replacement Strategy
It is important to maintain an exit strategy in the event one of your vendors is unable to provide the agreed-upon products/services. Your strategies should consider an abrupt and ongoing loss of service associated with a ransomware attack. Contingency plans should be actionable and include communications to key stakeholders. - Contract Review
Legal contract documentation between your firm and vendor should accurately reflect the relationship and products/services being provided. A periodic review of contractual language is needed to ensure agreements reflect changing cyber definitions and that data protection clauses are added to legacy agreements. - Profile Management
Consistently reviewing your risk profile ensures that the information maintained on the vendor relationship is correct and up to date. Updated profiles will ensure the relationship reflects the correct inherent risk and that the appropriate level of due diligence is conducted. - Due Diligence Assessments
You should confirm if the vendor has appropriate internal controls, identify any gaps, and determine the residual risk for the relationship. You can partner with your vendors to develop remediation plans to close any identified control gaps. - Continuous Monitoring
Without insights data for assessing your third parties between point-in-time due diligence assessments, you run higher risks of missing crucial changes in their risk posture and that could put various actions in jeopardy. Monitoring the risk domain ratings and daily changes is only helpful if you have defined actions when thresholds are reached. Actions may include additional oversight activities, due diligence questions, excluding a vendor from a RFP, or terminating a relationship.
How S&P Global KY3P® can help:
KY3P® helps you manage your end-to-end vendor portfolio lifecycle on a single platform with on-demand, multi-dimensional vendor risk assessments. Our tools let you continuously monitor risk through partnerships with industry-leading data providers specializing in financial health, cybersecurity ratings, data-breach analysis, location risk, and more. Our managed services scale your third-party risk management program while minimizing constraints caused by the difficulties of attracting and retaining risk management teams.
Find out more: https://ihsmarkit.com/products/ky3p.html
S&P Global provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.