Is supply chain cyber risk a big deal? The U.S. government certainly believes so: in February 2023, it was announced that a new supply chain risk management office is being launched to help agencies, industry and other partners enact cybersecurity regulations, guidance and policies, as well as to help protect the country against malware.
The three ways your supplier can expose you to cyber risks are:
- Data breach (the most common problem): a cyberattack against a supplier could expose sensitive data, including product, design and contractual information;
- System breach (uncommon, but very problematic): a cyberattack on a service provider that has access to your systems can allow cybercriminals to gain access to your most confidential and sensitive information;
- Supplier breach: cyberattacks on a specific supplier often cause them to go offline, but usually not for long enough to disrupt their deliveries to customers.
How should companies and governments protect themselves?
The first step is to tighten processes around access to internal systems. Typically, only a small number of service providers need to have access to your information storage. These vendors should be considered “high risk” and subject to significant vetting.
In many companies, Human Resources (HR) or Information Technology (IT) are responsible for managing these vendors. Be mindful that, when these vendor relationships are not managed by Supply Chain teams, these service providers may escape supplier due diligence and monitoring. Whoever manages these suppliers should monitor them closely, preferably using the Supply Chain team’s standard vetting and monitoring processes.
Restricting information sharing
The second step to improving cybersecurity is restricting information sharing with suppliers. This, however, is much easier said than done, particularly when it comes to sustaining the restriction consistently over time.
One effective approach is to only share documents with suppliers in a secure environment – whether that’s in a secure cloud or via laptops that your company has provided to a supplier.
Six steps to mitigating supply chain cyber risks:
- Identify suppliers who currently have access to sensitive information;
- Review each supplier’s access and restrict it to only those suppliers where access is essential;
- For the suppliers deemed essential for information sharing, set a restrictive policy governing what information can be shared;
- Review these suppliers’ cyber risk profiles;
- Given their vulnerability level, identify adequate options for information sharing; and
- Select a cost-effective approach.
Actions one through three are internal. Action four is usually best sourced from an external provider of cyber assessments. For example, Moody’s Analytics’ Supply Chain Catalyst has integrated cyber risk ratings from BitSight. The ratings measure suppliers’ likelihood of experiencing a cyber incident. Based on these supplier profiles, actions five and six can be managed internally in consultation with IT security experts.
While a cyber-attack in isolation is unlikely to disrupt supplier performance, when compounded with other, non-cyber risk factors or without proper mitigants in place, it can lead to significant disruption.
That’s why the final step that organizations can take to reinforce their cybersecurity defenses in supply chains is not strictly a cyber-related action at all. We recommend that organizations prepare for deliveries from suppliers to be disrupted and delayed with basic risk mitigation – such as stockpiling inventory.