
Aspen Opinion

Recognition & Limitation: Supply Chain Cyber Risks

June 9, 2016

As supply chains become more complex, what defenses are available to protect against new cyber risks?

The Aspen White Paper, “Cyber Risk and the Evolution of Supply Chains”, discusses protection strategies against a constantly changing threat.

Global supply chains are a way of life for modern businesses, but in the constant search for affordable labor and services, new challenges and risks continue to emerge. The 2011 Tohoku, Japan earthquake and tsunami drove home the realization that a single point of failure at a single link can halt the flow of goods across an entire supply chain. To meet these challenges, businesses are finding new ways to increase communication and coordination across their supply chains, using technology to integrate systems and create contingency plans should a supplier be taken offline for any reason.

Supply chain risk

The evolution of supply chain development has brought with it an evolution of risks. Potential risks come from many directions and are not limited to physical production; they include dependency on vendors for payroll, social services and benefits, and their causes include, for example, natural catastrophes, political risk and machine failure. Beyond the flow of goods, the quality of products can be compromised at any point along a supply chain, from the raw materials to the semi-finished product.

Cyber is a business risk

Some supply chain trends play into the hands of those who perpetrate cyber attacks. For example, efforts to integrate supply chains by connecting systems and getting them to talk to one another create opportunities for cyber criminals to infiltrate systems throughout the chain by penetrating the weakest link.

The good news is that awareness among businesses is increasing and companies are taking the threat more seriously than ever. Whereas cyber may have been seen as an IT risk historically, it is now generally recognized as an enterprise risk management (ERM) challenge, with the conversation about how to address it elevated to include a company’s board and executive team. In other words, it is becoming clear that cyber risk is a significant business risk.

Cyber liability

For a business, recognizing cyber risk within its four walls is one thing, but organizations must also understand this risk in the context of their supply chains. An attack may not be limited to a supplier's systems. A more recent trend shows cyber attacks can cause physical damage at facilities. Supply chains are becoming more integrated and connected, which carries both benefits and risks: a more integrated supply chain can enable real time communication and efficiencies but can also entail greater vulnerability.

The liability landscape is being reshaped by supply chains; increasingly, a company could be liable for a defect that originated at one of its suppliers. This is just as relevant for data as it is for products and services. The company initially entrusted with customers’ data is generally seen as the data owner for purposes of liability and legal duty. This means that while the data may have been passed on to and compromised at a supplier, the initial holder, with some exceptions, will have to respond to the breach.

Preparedness and Protection

Protecting and preparing an organization is challenging enough and so thinking about the potential vulnerabilities along an entire supply chain can seem daunting. There are steps organizations can take, at the very least, to begin to understand what they do not know, particularly with respect to sensitive data within the organization and across its supply chain:

  • Know the business: Know where the data is, where it is duplicated, who has access internally and externally (i.e. where the data sits, moves, and resides).
  • Protect the company: While insurance will not prevent a cyber attack, it will help a company recover more quickly in the event of a data breach or network security failure. The key is for companies to consider their insurance needs, i.e. they must know what they have before they know what to protect. Insurance can cover costs associated with responding to a breach, including investigation, notification, and legal costs. When considering supply chain risk in general, companies should also ask about coverages, such as contingent business interruption, which covers costs associated with a property loss at a supplier's location.
  • Identify the supply chain: Businesses should understand that their vendors and suppliers may use subcontractors. A good proactive first step towards managing cyber risk in a supply chain is properly identifying the vendors and suppliers within it and knowing who exactly is handling data and how.
  • Set standards and manage network access: Businesses should consider creating cyber security standards for partners within the supply chain that will be handling data. Are suppliers at least the company’s equal when it comes to security? Sometimes a company may discover a supplier has more stringent standards than its own. Some cloud providers, for example, are as successful as they are because they are more secure and robust than the companies that use their services.
  • Negotiate contracts: To the extent possible, a company should negotiate favourable terms in its contracts with vendors and suppliers, including the ability to undertake audits. Beyond the actual coverage protections, the underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company's own due diligence when vetting that vendor.

In summary, companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. The goal is for a company to understand what rights it has, and to establish clear expectations about obligations in the event of a breach at a vendor.

Threat intelligence and information sharing

When it comes to data security and breach response, there is a wealth of available information on specific threats that companies can leverage. Obtaining the data, however, is only an effective strategy if a company is able to properly interpret and leverage it. Information and actionable intelligence are different and companies must be able to identify the few pieces of information that will actually improve outcomes. Companies should make smart decisions about what security operations they can in-source and what they should out-source, keeping in mind how they can bake security into their outsourcing decisions.

Once a company understands and can leverage threat intelligence, it may consider sharing relevant information among its suppliers and vendors. The challenge is sharing meaningful and actionable intelligence rather than all information that passes through systems. The company should consider when and how to appropriately share information, bearing in mind that it is not a managed security provider for its vendors. Hiring vendors that have effective security capabilities is ideal, but for a subset of vendors with useful services but limited security resources, periodically sending an email advising them about a threat to look out for may be an information sharing strategy companies could employ.

Realistic approach

It is not possible to eliminate cyber risk entirely throughout a global supply chain. Taking steps to limit risk should not be misinterpreted as an airtight defense against threats. But understanding the organization's operations, its supply chain, and its vulnerabilities can lead to the next best thing: resilience, or avoiding the potential for a single point of failure to disrupt the entire supply chain.

The first step, if not already taken, is to understand the operation and supply chain. Key personnel within the organization should be assembled to identify how much and what kind of data is held and where it sits. The supply chain should be audited, in so far as it is feasible, and protection implemented as thoroughly as possible through contracts with suppliers and vendors. An insurance professional can then advise about the proper coverages to help protect against cyber threats and other supply chain risks. The goal is to recognize the threats, limit exposure, and ensure supply chain redundancy.


The above article/opinion reflects the opinion of the author and does not necessarily represent Aspen's views. The article reflects the opinion of the author at the time it was written taking into account market, regulatory and other conditions at the time of writing which may change over time. Aspen does not undertake a duty to update these articles.