The Federal Bureau of Investigation (FBI), the Cybersecurity and
Infrastructure Security Agency (CISA), and the U.S. Department of
the Treasury have released a joint Cybersecurity Advisory (CSA) on
Maui ransomware. The agencies assess that North Korean
state-sponsored cyber actors have used Maui ransomware since at
least May 2021 to target Healthcare and Public Health (HPH) Sector
organizations.
Maui ransomware uses a hybrid encryption scheme (the CSA describes a
combination of AES, RSA, and XOR encryption) to render its victims'
files unusable without the operator's key. Maui is designed for
manual execution by the threat actor: its operators interact with it
from the command line and choose which files to encrypt, so they can
target the most important assets on a network rather than encrypting
indiscriminately.
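To make the "hybrid encryption" point concrete, here is an added example, written for this page and not taken from the CSA, the Maui sample, or any vendor's code: a minimal hybrid file-encryption scheme in Go using only the standard library. Each file gets a fresh 256-bit AES key, the content is encrypted with AES-GCM, and the file key is then wrapped with RSA-OAEP under the operator's public key. Maui's actual construction is not reproduced here (the CSA also mentions XOR, which this example omits); the scheme shown is the generic pattern, and the names `EncryptedFile`, `EncryptFile`, `DecryptFile` and `Demo` are this example's own. The `Demo` function runs the round trip on a constructed sample and then shows why recovery without the matching private key is not realistic: a second key pair, standing in for a defender who lacks the operator's private key, cannot unwrap the file key at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what a hybrid scheme leaves on disk: the per-file
// symmetric key sealed to the operator's RSA public key, plus the
// AES-GCM nonce and ciphertext. Nothing here lets the victim recover
// the file key without the matching RSA private key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey) under the operator's public key
	Nonce      []byte // AES-GCM nonce, unique per file
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// EncryptFile draws a fresh 256-bit AES key for this file, encrypts the
// content with AES-GCM, then wraps the key with RSA-OAEP (SHA-256).
// The plaintext key is discarded once it has been wrapped.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the recovery path. The only input not on disk is priv:
// unwrapping fails outright under any other RSA key, and the 256-bit
// file key cannot be brute-forced, so without the operator's private key
// (or clean backups) the data stays unrecoverable.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Demo round-trips a constructed sample under the operator's key pair,
// then checks that an unrelated key pair (a defender without the
// operator's private key) cannot unwrap the file key. Returns nil when
// both checks hold.
func Demo() error {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	sample := []byte("constructed sample: patient record 0001, not real data")
	ef, err := EncryptFile(&operatorKey.PublicKey, sample)
	if err != nil {
		return err
	}
	got, err := DecryptFile(operatorKey, ef)
	if err != nil || !bytes.Equal(got, sample) {
		return errors.New("round trip with the operator's key failed")
	}
	defenderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	if _, err := DecryptFile(defenderKey, ef); err == nil {
		return errors.New("unwrap succeeded with the wrong private key")
	}
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("hybrid round trip OK; wrong private key correctly rejected")
}
```

The design choice worth noticing is that the operator's private key never has to touch the victim's network: encryption needs only the public key, which is why a sample recovered from a victim host yields nothing that decrypts the files. Defensive conclusions follow directly: recovery planning has to rest on offline, tested backups rather than on any hope of key recovery, and the per-file key wrapping is also why a decryptor obtained for one victim does not help another.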
The updated CSA highly discourages paying ransoms, as payment does not
guarantee that files will be recovered and may expose the payer to
sanctions risk. The CSA encourages entities to adopt and improve
cybersecurity practices and to report ransomware attacks to law
enforcement.
To ensure appropriate oversight of your third parties, we've
identified five key steps to incorporate into your risk management plans:
- Exit & Replacement Strategy
It is important to maintain an exit strategy in the event one of
your vendors is unable to provide the agreed-upon
products/services. Your strategies should consider both an abrupt
and a prolonged loss of service of the kind a ransomware attack
causes. Contingency plans should be actionable and include
communications to key stakeholders.
- Contract Review
Legal contract documentation between your firm and vendor
should accurately reflect the relationship and products/services
being provided. A periodic review of contractual language is needed
to ensure agreements reflect changing cyber definitions and that
data protection clauses are added to legacy agreements.
- Profile Management
Consistently reviewing your risk profile ensures that the
information maintained on the vendor relationship is correct and up
to date. Updated profiles will ensure the relationship reflects the
correct inherent risk and that the appropriate level of due
diligence is conducted.
- Due Diligence Assessments
You should confirm if the vendor has appropriate internal
controls, identify any gaps, and determine the residual risk for
the relationship. You can partner with your vendors to develop
remediation plans to close any identified control gaps.
- Continuous Monitoring
Without data for assessing your third parties between
point-in-time due diligence assessments, you run a higher risk of
missing crucial changes in their risk posture, and those changes can
put the services you depend on in jeopardy. Monitoring risk domain
ratings and their daily changes is only helpful if you have defined
in advance what happens when a threshold is crossed. Actions may
include additional oversight activities, further due diligence
questions, excluding a vendor from an RFP, or terminating the
relationship.
How S&P Global KY3P® can help:
KY3P® helps you manage your end-to-end vendor portfolio
lifecycle on a single platform with on-demand, multi-dimensional
vendor risk assessments. Our tools let you continuously monitor
risk through partnerships with industry-leading data providers
specializing in financial health, cybersecurity ratings,
data-breach analysis, location risk, and more. Our managed services
scale your third-party risk management program while minimizing
constraints caused by the difficulties of attracting and retaining
risk management teams.
Find out more: https://ihsmarkit.com/products/ky3p.html
Posted 02 August 2022 by Charles Basner, Director, Product Management, KY3P, S&P Global Market Intelligence
IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.
This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.