Defining And Uncovering The Cyber Risks In Your Digital Supply Chain

A supply chain attack is when an attacker gains access to your data through one of your vendors or partners. These types of attacks present threat factors with enormous opportunities for exploitation. A successful attack against even a single vendor or supplier can yield sensitive data across multiple organisations.

Interior of a classic warehouse with a pallet

Are cyberattacks against supply chains inevitable? The bad news: Yes. The good news: While it may not be possible to prevent all supply chain cyberattacks, the risk and impact can be potentially managed and minimised.

Why Are Attackers Targeting Supply Chains?

A supply chain attack is when an attacker gains access to your data through one of your vendors or partners. These types of attacks present threat actors with enormous opportunities for exploitation. A successful attack against even a single vendor or supplier can yield sensitive data across multiple organisations.

What Is a Digital Supply Chain?

A digital supply chain can be defined as:

1. The digital aspects of a physical supply chain or a traditional supply chain powered by digital technology.

2. The chain of technology companies involved in the delivery of digital products.

These two definitions overlap, as almost all supply chains can be considered digital — and third-party technology vendors may supply the technology used in the digital supply chain.

Thus, it’s important to understand your vendor ecosystem and how they support your digital supply chain. Do you know who provides the digital products and services which your company relies on? Or any critical products/services, for that matter?

As you look deeper into your digital supply chain, consider potential risks from:

Third-party vendor/suppliers, which include any entities that provide products or services to your organisation to maintain daily operations, and/or provide products or services on behalf of your organisation (for example, technology vendors and critical component/product suppliers). These third parties can pose a risk to all organisations, especially those that have technology connectivity or access to data.

Fourth-party vendor/suppliers, which are the suppliers of your suppliers. Every company outsources parts of its operations to multiple vendors and suppliers. Those suppliers, in turn, outsource parts of their operations to other suppliers.

The larger your ecosystem is, the bigger your attack surface and potential vulnerabilities are.

Many organisations struggle to understand their complex digital supply chains and the myriad vendor relationships that support their operations — especially those that have access to IT systems and/or data. Regardless of how it’s defined, the expansion of an organisation’s digital supply chain can bring increased cyber risk.

How Does This Play Out?

Consider the digital supply chain risks in the following scenarios, where an organisation:

What Can You Do?

As we see more attacks on critical technology vendors and organisations’ digital supply chains, it’s more important than ever to define what is meant by digital supply chain, how the term is understood within your organisation, and what types of cyber risks manifest from your critical third-party vendors and digital supply chain.


  • Prioritise certain security practices, such as establishing zero-trust architecture, government-wide endpoint detection and response, multifactor authentication, and encryption for data at rest and in transit.
  • Develop best practices for coding and require attestation to confirm adherence to those standards.
  • Set requirements for testing software code, including the use of automated tools and penetration testing.
  • Leverage the use of secure cloud computing.
  • Identify the most critical software and associated security controls.
  • Propose a consumer product labelling program that evaluates security of Internet of Things (IoT) devices.

While supply chain cyberattacks can’t all be prevented, they can be identified and managed to reduce impact. Supply chain resilience can be achieved through identification and understanding of the risks and their potential impact, planning for when an attack happens, and finding the right balance between risk mitigation and risk transfer.

What organisations can do now

  • Review existing government guidance

In 2021, the US National Institute of Standards and Technology (NIST) issued supply chain guidance — Key Practices in Supply Chain Risk Management: Observations from Industry — to help companies find and fortify weaknesses in their supply chain. Among the practices to address cyber supply chain weaknesses, NIST recommends:

                o   Making supply chain cybersecurity an organisation-wide effort.

                o   Assessing the organisation’s supply chain and focusing risk management on the most critical suppliers.

                o   Closely collaborating with suppliers.

                o   Building cyber resilience.

NIST’s guidance also provides practical recommendations to implement the key practices. Regulators for critical infrastructure sectors like healthcare, transportation, and life sciences could potentially adopt similar cyber supply chain standards.

  • Strengthen regulatory reviews for technology procurement

Most companies already have thorough processes for reviewing regulatory requirements. That process may now need to become more anticipatory. For example, a company might use software manufactured in a designated “adversarial nation” under the DOC rule but not banned by any regulation. Companies should not only monitor and respond to changes in regulations, but also evaluate their use of foreign-manufactured technology that could come under the rule. That examination could influence buying decisions today that could avoid disruptions in the future.

  • Assess and develop metrics to evaluate supply chain cybersecurity maturity

While developing assessments and metrics may be challenging, this may soon not be optional. Guidance issued by the United States Securities and Exchange Commission in 2018 states that companies must align cyber risk management to specific business impact categories. Following the widespread breaches of the supply chain and the federal government’s heightened attention to supply chain cybersecurity, organisations should consider whether the supply chain is within the scope of that guidance.

  • Develop criteria to evaluate the security of off-the-shelf technologies and services

Organisations are recommended to use objective criteria to establish a process for assuring that the technology used to build the network meets their minimum standards for security and improve their overall risk position.  Organisations can also leverage available guidance. 

Marsh Cyber Can Help

  • Marsh’s robust suite of cyber supply chain offerings includes:
  • Third party-vendor risk management framework development.
  • Quantification of digital supply chain cyber risk.
  • Incident response and business continuity planning in support of incidents caused by vendors.
  • Cyber incident management services, including claims support and proof of loss for digital supply chain cyber incidents.

Insurance brokerage services designed to address losses caused by vendors and to digital supply chains.


Digital Supply Chain Cyber Risks

Contact Us

For more information about Cyber Risk and how Marsh can support your business, please contact your Marsh representative.

About Marsh

Marsh is the world’s leading insurance broker and risk advisor. With over 45,000 colleagues operating in 130 countries, Marsh serves commercial and individual clients with data-driven risk solutions and advisory services. Marsh is a business of Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people. With annual revenue nearly $20 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses: Marsh, Guy Carpenter, Mercer and Oliver Wyman. For more information, visit, follow us on LinkedIn and Twitter or subscribe to BRINK.

This document and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. This document contains proprietary, confidential information of Marsh and may not be shared with any third party, including other insurance producers, without Marsh’s prior written consent. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 21/267