Blog: Are ransomware events considered in your Operational Resilience Plans for third party service providers? – IHS Markit

The Federal Bureau of Investigation (FBI), Cybersecurity and
Infrastructure Security Agency (CISA), and the U.S. Department of
the Treasury have released a joint Cybersecurity Advisory (CSA) on
Maui ransomware. The agencies assess that North Korean
state-sponsored cyber actors have used Maui ransomware since at
least May 2021 to target Healthcare and Public Health (HPH) Sector
organizations.

Maui ransomware uses a hybrid encryption scheme to render its
victim’s files useless: file contents are encrypted with a symmetric
cipher, and the symmetric key is in turn protected with the
operator’s public key, so recovery without the operator’s private
key is not feasible. Maui is designed for manual execution by the
threat actor, which lets its operators choose which files to encrypt
and go after the most important assets on a network.
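The hybrid pattern described above is what makes the exit strategy in step 1 necessary: once a vendor's files are encrypted this way, no amount of analysis on the victim's side yields the data back, because the only copy of the per-file key is wrapped under a key the victim does not hold. The following is an added, constructed illustration of that pattern in standard-library Python; it is not Maui's code and does not use Maui's primitives (a toy textbook RSA wraps a random per-file key, and an HMAC-SHA256 counter-mode keystream stands in for a block cipher). All function names and the sample document are assumptions made for this example.

```python
"""Constructed illustration of the hybrid-encryption pattern used by
file-encrypting ransomware. Not Maui's implementation. Stdlib only:
toy textbook RSA (no OAEP padding) wraps a random per-file key, and an
HMAC-SHA256 counter-mode keystream stands in for a block cipher such
as AES. The structure, not the primitives, is the point."""
import hashlib
import hmac
import random
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)  # witnesses need not be secret
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 1024):
    """Return ((e, n), (d, n)). Toy textbook RSA: demo only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, operator_pub) -> dict:
    """Fresh per-file key encrypts the data; only the wrapped key is kept."""
    file_key = secrets.token_bytes(32)      # 256-bit key, always < n
    nonce = secrets.token_bytes(16)
    e, n = operator_pub
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return {
        "nonce": nonce,
        "ciphertext": stream_xor(file_key, nonce, plaintext),
        "wrapped_key": wrapped,
    }


def recover_file(blob: dict, operator_priv) -> bytes:
    """What the key holder can do and the victim cannot: unwrap, then decrypt."""
    d, n = operator_priv
    file_key = pow(blob["wrapped_key"], d, n).to_bytes(32, "big")
    return stream_xor(file_key, blob["nonce"], blob["ciphertext"])


def demo():
    """Round trip on a constructed sample document."""
    pub, priv = rsa_keygen(1024)
    document = b"Q3 vendor SOC 2 bridge letter (constructed sample)\n" * 4
    blob = encrypt_file(document, pub)
    # The victim holds blob and pub: enough to wrap new keys, not to
    # unwrap this one, and a 256-bit file key is not brute-forceable.
    return document, blob, recover_file(blob, priv)
```

The practical reading for a third-party risk owner: the vendor's recovery options are limited to restoring from backups that the actor could not reach, and your contingency plan should assume that is the only path.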

The updated CSA strongly discourages paying ransoms: payment does
not guarantee that files will be recovered, and paying a sanctioned
actor may expose the payer to sanctions risk. The CSA encourages
entities to adopt and improve cybersecurity practices and to report
ransomware incidents to law enforcement.

To ensure appropriate oversight of third-party service providers,
we’ve identified five key steps to incorporate into your risk
management plans:

  1. Exit & Replacement Strategy
    It is important to maintain an exit strategy in case one of your
    vendors becomes unable to provide the agreed-upon products or
    services. Your strategy should cover both an abrupt loss of
    service and a prolonged outage, which is what a ransomware attack
    on the vendor typically produces. Contingency plans should be
    actionable, name the alternate supplier or fallback process, and
    include communications to key stakeholders.

  2. Contract Review
    Legal contract documentation between your firm and the vendor
    should accurately reflect the relationship and the products or
    services being provided. Contractual language needs periodic
    review so that agreements keep pace with evolving definitions of
    cyber incidents (what counts as a reportable event, and how
    quickly it must be reported) and so that data protection clauses
    are added to legacy agreements.

  3. Profile Management
    Consistently reviewing your risk profile ensures that the
    information held on the vendor relationship is correct and up to
    date. An up-to-date profile ensures that the relationship carries
    the correct inherent risk rating and that the appropriate level
    of due diligence is conducted.

  4. Due Diligence Assessments
    You should confirm whether the vendor has appropriate internal
    controls, identify any gaps, and determine the residual risk for
    the relationship. You can partner with your vendors to develop
    remediation plans that close the identified control gaps.

  5. Continuous Monitoring
    Without data on your third parties between point-in-time due
    diligence assessments, you run a higher risk of missing crucial
    changes in their risk posture, including an active ransomware
    incident. Monitoring risk-domain ratings and their daily changes
    is only useful if you have defined the actions to take when a
    threshold is reached. Those actions may include additional
    oversight activities, follow-up due diligence questions, excluding
    a vendor from an RFP, or terminating the relationship.

How S&P Global KY3P® can help:

KY3P® helps you manage your end-to-end vendor portfolio
lifecycle on a single platform with on-demand, multi-dimensional
vendor risk assessments. Our tools let you continuously monitor
risk through partnerships with industry-leading data providers
specializing in financial health, cybersecurity ratings,
data-breach analysis, location risk, and more. Our managed services
scale your third-party risk management program while minimizing
constraints caused by the difficulties of attracting and retaining
risk management teams.

Posted 02 August 2022 by Charles Basner, Director, Product Management, KY3P, S&P Global Market Intelligence

IHS Markit provides industry-leading data, software and technology platforms and managed services to tackle some of the most difficult challenges in financial markets. We help our customers better understand complicated markets, reduce risk, operate more efficiently and comply with financial regulation.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.
