We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X

Risk in Context

B2B Cyber Risk: Suppliers Need to Limit Exposure

Posted by Tom Fuhrman November 19, 2015

The cyber breaches that make headlines — credit card data thefts in particular — are usually those affecting companies at the tip of the supply chain iceberg. What doesn’t get the same visibility are cyber-attacks that are further down the supply chain — the vendors, suppliers, service providers, and  other B2B partners that are essential to the success of consumer-facing organizations.

Given the interconnectedness of today’s businesses, sophisticated hackers view enterprise networks and all their extensions as one big “attack surface.” Gone are the days when a company could dismiss the threat with a “why would a hacker target us?” defense. Hackers see the relationships between customers and suppliers, which often involve access to data and networks, as attack opportunities.  

As a supplier, not only your value proposition, revenue, and reputation are on the line, but also those of your customers’ — making suppliers a key stakeholder in cybersecurity. With that in mind, here are five steps to help better protect the supply chain:     

  1. Get your cyber house in order. Suppliers have a duty to implement enterprise-wide cyber security programs calibrated to business needs. Increasingly, contracts and service-level agreements (SLAs) include cyber security requirements. You are part of a chain — don’t be the weak link!
  2. Expect your B2B partners to get their houses in order too. Because you inherit risks from your own B2B providers, you should put clear security expectations on them. Include your requirements in contracts and SLAs — specify controls, security measures for your data in their possession, liability protections, and insurance. Require greater protections from the suppliers that present the greatest risk.
  3. Understand your aggregate risk. Manage the security risks of your supply chain as a portfolio, considering aggregate risks caused by common dependencies.
  4. Know the origin of components you acquire. If you build on software or IT components produced by others, you need confidence that the parts don’t contain malware, backdoors, rogue code, or other design deviations. You need traceability to the point of origin of the chips, software, or subassemblies that go into your products, and to be able to verify their integrity.
  5. Ensure tight controls for software development and procurement.  Software is at the heart of virtually all cyber- attacks. If you develop software, secure coding practices are essential. Additionally, you should conduct static and dynamic security testing, both for your own code and that which you procure.

It’s a simple fact that supply chains are targets of hackers. All stakeholders in the B2B environment have an obligation to minimize cyber risks.  

To learn more about managing third-party relationships, please read Why You Need to Build Cybersecurity Into Third-Party Relationships and How to Do It.

Related to:  Cyber Risk , Cyber Risk

Tom Fuhrman

Managing Director, Marsh Risk Consulting