Skip to main content

Article

Reducing Supply Chain Cyber Exposure

Learn the steps to take to identify and reduce the risk of cyber-attacks on service providers and vendors.

Cyber-attacks on service providers and vendors — often referred to as supply chain cyber-attacks — continue to grow. It is impossible to eradicate supply chain vulnerabilities. You can reduce the risk of being compromised by taking measures in advance, such as engaging outside resources for support. After an event, you should also perform a post-mortem analysis to identify losses and reduce the likelihood of another attack.

Take steps to identify and minimize supply chain/vendor exposure

Create a vendor inventory

Accounting for third parties in your risk management program is critical.

Pay attention to:

  • Any third-party vendor with authorized access or connectivity to your organisation’s IT network.
  • Any third party with access to your organisation’s data.
  • Consultants with access to your IT network and/or data.

Assess your vendor risk

Your vendor inventory should include a detailed description of the service(s) provided, and the last time the vendor’s risk posture was reviewed. The risk from the third-party vendor needs to be assessed, ideally by a cross-functional team that includes representatives from legal, compliance, privacy, information security, risk, and procurement, among others. A clearly defined risk assessment and a vendor approval process is also important to help understand vendor risk.

According to a recent survey by Marsh and Microsoft, MEA firms take many cybersecurity actions, but widely overlook their vendors/digital supply chains. In fact, 60% have not conducted a risk assessment of their vendor/supply chain.

Communicate

Collaborate frequently with any third-party vendors that have access regarding their cyber risk posture and services. Be aware of the ecosystem that exists between you, your third-party vendors, and your vendor’s vendors (fourth-party vendors) that your vendors may rely upon.

Minimize access

Follow the principle of least privilege. Many third-party data breaches occur because the third-party vendor is given unnecessary access to data and/or IT systems. Use network segmentation to separate third-party vendors from unrequired critical applications and data. Consider dividing third party vendors that have access to the organisation’s IT network into separate segments based on the services/functions they provide.

Engage outside resources when a vendor is compromised

Mitigate first

When your systems are compromised following a cyber incident, mitigation is the top priority. Depending on the nature of the compromise, mitigation could involve patching, upgrading software versions, moving applications behind firewalls, disabling internet access, and checking for indicators of compromise (IOCs). The discovery of such indicators should trigger a full digital forensics investigation to understand the impact on systems and data.

Provide notice to your insurance carrier

Consult with your broker and notify your cyber insurance carrier as quickly as possible. Most cyber insurance policies provide coverage for incident response services, including legal and forensics assistance. These are frequently subject to prior consent and most carriers have vendor panel requirements.

Following a vendor or supplier compromise, assess and re-evaluate plans and vendors, and leverage cyber insurance

Learn post-mortem lessons

Revisit the prevention steps discussed above to reduce the chance that your organisation will be exposed again to vendors’ security vulnerabilities.

Review and update response plans

Evaluate incident response, disaster recovery, and crisis management plans in the context of the vendor compromise and determine what worked, what did not, and any adjustments needed.

Replace the vendor

Reconsider using the same vendor that caused the problem and investigate the use of other, lower risk providers.

Use cyber insurance to cover the claims expenses

Analyze whether the vendor's or supplier's compromise resulted in out-of-pocket costs, extra expenses that could be covered by your cyber insurance policy's business interruption coverage, or a loss of revenue due to system unavailability. Consider whether contractual indemnification or other provisions address recouping losses from the vendor. Expect liability exposure if regulated data was exposed. Engage forensic accountants as needed to evaluate losses and prepare the proof of loss.

According to our recent survey, companies with cyber insurance were likely to have taken more actions to build security and to have stricter controls in place than those without. 50% of surveyed MEA organizations stated, "it is a best practice/ standard in our industry to have cyber insurance," while 54% claimed "we cannot cover all of the potential costs of a cyber incident without insurance." 

Cyber-attacks against the supply chain continue to grow — and some are simply impossible to eliminate. With that in mind, consider an approach rooted in cyber risk management. Whereas a traditional cybersecurity approach focuses primarily around mitigation, cyber risk management understands that not all risks can be removed and not all attacks can be prevented, especially when it comes your supply chain. Instead, focus on minimizing risk and reducing your potential exposure.

Related insights