Skip to main content

Article

Digital innovation and cyber risk in global supply chains

Digitalization, when applied to the logistics supply chain is valued at US$1.5 trillion globally. It enables entities to collect data and drive insights, incorporate smart solutions, model and plan for future disruptions, and automate activity.

Aerial of cargo container ship carrying container under big crane loading cargo import and export service transportation at sea port.

The global supply chain is one of the greatest human endeavors, functioning millions of times every day. Moving a small electrical appliance, for example, from manufacturing in Asia to doorstep delivery in Amsterdam, Buenos Aires, Cairo, or Delaware is a feat of many steps, with many handlers and many modes of transport.

We are in a time where interconnected systems and reliance on third-party data are at an all-time high. This poses challenges to logistics entities that go far beyond internal system integrity or hacking, crossing into areas such as the potential for redirection of goods via cyber breach, cyberattacks commandeering autonomous technology, or business interruption that stems not only from attacks on organizations’ systems but on those of the interconnected supply chain partners — upstream or downstream.  

The global supply chain is also one of the most interesting stories of evolution, with constant rewiring in the interest of customer demand, speed, efficiency, transparency, and margin. There have been seismic events, such as the invention of containerization, which have revolutionized the industry, and there are daily microevolutions underway in the maritime, cargo, and logistics supply chain sub-sectors that include automation, robotics, and digitalization.

Digitalization, when applied to the logistics supply chain (widely referred to as logistics 4.0) is valued at US$1.5 trillion globally. It enables entities to collect data and drive insights, incorporate smart solutions, model and plan for future disruptions, and automate activity. Reductions in the cost of technologies is enabling new entrants into the supply chain market, bringing new ways of doing things and new partnerships. Use of autonomous vehicles, stackers, robots, and cobots is on the rise. Artificial intelligence (AI) and machine learning are revolutionizing logistics through decision support, and automation, with possibilities making today’s organizations more efficient, resilient, flexible, and sustainable.  

There are more upsides to digitalization, but there are flip-side considerations too. Partly as a consequence of greater data capabilities and digitally connected technologies, every sub-sector in the supply chain industry is potentially more vulnerable to, and more affected by, cyber risk. Event impact can be costly, disruptive, and litigious if data is involved, reducing or removing the benefits of improved efficiency and margin gained by digitalization.

Cyberattacks lead to unfulfilled customers

A cyber event at a shipping company, major port, or logistics company, could have serious consequences for those entities. Reportedly, 90% of all goods are carried by sea at some time in the supply chain. Given how much we rely on the maritime, ports, and logistics sectors, any disruption in the supply chain can have far-reaching consequences. The blockage of the Suez Canal by the Ever Given, which held up to US$10 billion in goods per day, is a good example. While the cause was a physical blockage and weather-related, it illustrates the consequences and fragility of supply chain disruption.  

Chain reactions

In the event of a cyber incident the vast and interconnected nature of global supply chains means that options are available to allow a shift to non-impacted entities. For instance, geolocation and telematics can give organizations real-time visibility if their goods are impacted by an event, including where they are diverted and relocated to, while temperature sensors can monitor the conditions of fuels and refrigerants throughout a journey.

Ultimately, technologies can take organizations from reactive to proactive, enabling supply chain entities to make timely and effective risk management and operational decisions. However there is a risk of contagion with cyber events and for affected entities; recovering vendors and customers wary of contagion can take time. In a 2019 Safety at Sea and BIMCO maritime cyber survey, 77% of respondents said they would cancel a contract, and 26% said they would recommend not doing business with a third-party supplier over concerns with poor cybersecurity practices.

Learning from past cyberattacks, congested ports during the COVID-19 pandemic, and the Suez Canal blockage, national governments have reworked critical national infrastructure protocols to include governmental cyber warfare defense entities in planning to mitigate effects on the supply chain.

Supply chain and cyber insurance strategies are evolving

In a number of ways, the insurance industry is also responding to digitalization. For example, with data, generally insurers are able to react more swiftly to a vessel or a truck on the move, and adapt prices according to any disruption. Some insurers deploy capacity largely based on movement data, which is allowing cargo insurance to shift to logistics providers in some circumstances.

Legal liability is also being reconsidered, particularly as sites and transportation become increasingly automated. For example, in the US – where “nuclear verdicts” have been awarded in civil cases – insurers are wary of damages being set in alignment to the insurance coverage purchased by a freight company.

In terms of coverage provided for cyber, insurers have had several varying reactions. If a cyber event brings a risk of contagion, insurers consider aggregation, while for stoppages their focus is on business interruption and accumulation risk of cargoes. It could affect owners, movers of cargo, and insurers with more value trapped than the original policy limits contemplated. 

There are two fundamentals of insurance claims: frequency and severity. Aggregation is severity. It can affect underwriting profit and reserves and, consequently, most insurer regulators are wary. 

In the past, many insurance contracts failed to consider cyber risk adequately and in softer markets, it was not excluded. This became known as “silent cyber” by the insurance industry. Regulators are now trying to provide enhanced clarity on the intention of coverage, resulting in insurers to have clear language that specifically excludes cyber risk on policies not intended to provide coverage. This is leading to companies considering specific-to-cause (peril) cyber policies. 

The other fundamental of insurance, frequency, also comes into play. In the same survey in 2019, 31% of respondents reported they had experienced a cyberattack in the prior 12 months. Similar patterns occurred globally in other industries as well. Cyber rates increased as demand grew. Concurrently insurers focused on the internal processes and procedures companies had in place to minimize the potential for, and impact of, a cyber incident; risk transfer cannot exist without risk management and mitigation.

Plan your cyber journey and your recovery

A secure digitalization strategy focuses on opportunities, and identifies risks and addresses vulnerabilities, to create a more resilient business that can withstand and recover from a cyberattack. 

Cyber is an enterprise-wide risk. Not dissimilar to the human nervous system that begins and ends in the brain, it is a boardroom consideration that touches every part of the logistics company’s “body” and functions. Although cyber risk can never be completely eliminated, the appropriate strategy, together with a robust cyber insurance program, can help mitigate risk, manage crises, and support faster recovery from an event, protecting products on the move.

Also, it can help protect and promote a company’s reputation as those that mange and recover from a crises well are generally looked upon favorably by customers and investors.

Establish a recognized baseline, improve from there, and work with insurers

A good starting point in an organization’s cyber risk journey is a cyber risk assessment, such as the Marsh cyber self-assessment. Following an assessment and establishment of a baseline, there are many potential steps that organizations can take to improve resilience, including using the assessment report as a roadmap to guide prioritization, risk improvement, and potential insurance purchase. 

These priorities could also include improved training for employees to prevent and manage cybersecurity risks. According to a study by Mercer, 62% of executives say the greatest threat to their organization’s cybersecurity is employees’ failure to comply with data security rules.

Other progressions could include: understanding how to reduce the interruptions to products on the move; investing in specialized cybersecurity personnel; better recognition of third-party risks; addressing systemic weaknesses; and keeping up with regulatory changes, which for supply chain companies can be over multiple jurisdictions.

Keeping products moving

The global supply chain is agile, but fragile. Disruptions in recent years have spurred innovation, enabling organizations’ processes to become more efficient, accurate, predictable, and dynamic. This is welcome news for the consumer, but at the same time, reliance on technology and interconnectedness can lead to increased risk of contagion.

Cybersecurity is a jigsaw of risk management and risk transfer. At a time of constrained insurance supply and elevated costs, firms can manage premiums by managing their risks and insurers effectively.

Logistics organizations should therefore prioritize cybersecurity in the boardroom in order to keep products moving. 

Our people

Placeholder Image

Jennie Page

Head of Marine, Marsh Specialty Pacific

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. LCPA 23/212