Aspen Insurance global head of cyber risk Oliver Brew writes about how, with supply chains becoming more global, complex and integrated, the liability landscape is also changing.

The evolution of supply chain development has brought with it an evolution of risks. Potential risks come from many directions. They are not limited to physical production but include dependency on vendors for payroll, social services and benefits, and their causes include, for example, natural catastrophes, political risk and machine failure. Beyond the flow of goods, the quality of products can be compromised at any point along a supply chain, from the raw materials to the semi-finished product.

Some supply chain trends play into the hands of those who perpetrate cyber attacks. For example, efforts to integrate supply chains by connecting systems and getting them to talk to one another create opportunities for cyber criminals to infiltrate systems throughout the chain by penetrating the weakest link.

The good news is that awareness among businesses is increasing and companies are taking the threat more seriously than ever. Whereas cyber may have been seen as an IT risk historically, it is now generally recognized as an enterprise risk management (ERM) challenge, with the conversation about how to address it elevated to include a company’s board and executive team. In other words, it is becoming clear that cyber risk is a significant business risk.

For a business, recognizing cyber risk within its four walls is one thing, but organizations must also understand this risk in the context of their supply chains. An attack may not be limited to a supplier’s systems. A more recent trend shows cyber attacks can cause physical damage at facilities. Supply chains are becoming more integrated and connected, which carries both benefits and risks: a more integrated supply chain can enable real-time communication and efficiencies but can also entail greater vulnerability.

The liability landscape is being reshaped by supply chains; increasingly, a company could be liable for a defect that originated at one of its suppliers. This is just as relevant for data as it is for products and services. The company initially entrusted with customers’ data is generally seen as the data owner for purposes of liability and legal duty. This means that while the data may have been passed on to and compromised at a supplier, the initial holder, with some exceptions, will have to respond to the breach.

Protecting and preparing an organization is challenging enough, so thinking about the potential vulnerabilities along an entire supply chain can seem daunting. There are steps organizations can take, at the very least, to begin to understand what they do not know, particularly with respect to sensitive data within the organization and across its supply chain:

• Know the business: Know where the data is, where it is duplicated, who has access internally and externally (i.e. where the data sits, moves, and resides).

• Protect the company: While insurance will not prevent a cyber attack, it will help a company recover more quickly in the event of a data breach or network security failure. The key is for companies to consider their insurance needs, i.e. they must know what they have before they know what to protect. Insurance can cover costs associated with responding to a breach, including investigation, notification, and legal costs. When considering supply chain risk in general, companies should also ask about coverages, such as contingent business interruption, which covers costs associated with a property loss at a supplier’s location.

• Identify the supply chain: Businesses should understand that their vendors and suppliers may use subcontractors. A good proactive first step towards managing cyber risk in a supply chain is properly identifying the vendors and suppliers within it and knowing who exactly is handling data and how.

• Set standards and manage network access: Businesses should consider creating cyber security standards for partners within the supply chain that will be handling data. Are suppliers at least the company’s equal when it comes to security? Sometimes a company may discover a supplier has more stringent standards than its own. Some cloud providers, for example, are as successful as they are because they are more secure and robust than the companies that use their services.

• Negotiate contracts: To the extent possible, a company should negotiate favourable terms in its contracts with vendors and suppliers, including the ability to undertake audits. Beyond the actual coverage protections, the underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company’s own due diligence when vetting that vendor.

In summary, companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. The goal is for a company to understand what rights it has, and to establish clear expectations about obligations in the event of a breach at a vendor.