Cyber risk is a leading concern for manufacturing companies: In the Marsh Microsoft 2019 Global Cyber Risk Perception Survey, 76% of manufacturers ranked cyber threats as a top five risk. But only 27% of manufacturing respondents said they are highly confident in their cyber resilience capabilities.
Manufacturers must understand the connection between supply chains and cyber risk. But while manufacturers ranked supply chain disruption second among their risk concerns, only 30% said they perceived cyber risks posed by individual supply chain partners. And while they too can be the source of cyber threats to others, only 17% perceived risks they themselves may pose to supply chain partners.
The following four steps can help manufacturers improve their supply chain cyber integrity.
Manufacturers need to recognize that supply chain security is a collective responsibility. It’s no longer sufficient to “protect the castle”. Supply chain integrity requires that all involved parties embrace a sense of shared accountability. This means applying rigorous standards for cyber risk hygiene to all vendors with access to your data, systems, devices, and networks, and holding yourself to the same standards.
Some manufacturers experienced operational outages following 2017’s NotPetya attack because they had not appropriately patched their systems. While technology updates can mean system downtime, the operational disruptions caused by cyber incidents are often much longer and costlier. The best way to calculate that cost is to quantify losses from a range of potential cyber event scenarios. This allows decision-makers to measure not only the economic impact of a cyber incident, but also the return on investment from cyber risk management spending. Yet more than a third of manufacturers use no formal approach – quantitative or otherwise – to measure cyber risk.
Only 20% of manufacturing respondents expressed high confidence in their ability to manage risk from technology suppliers; that confidence fell to only 10% when it came to suppliers of outsourced business processes. To gain insight into vendors’ risk profiles, manufacturers should incorporate a cybersecurity framework in their vendor vetting process, and conduct regular vendor risk assessments. Vendor risk management programs should also include procedures to control access to IT and operational networks. And, in the spirit of shared accountability, manufacturers should apply these policies to themselves to minimize the risks they may pose to third parties.
Manufacturers have historically been less likely than others to purchase cyber insurance, mainly due to a lack of understanding about how insurance can help protect them from operational cyber risk. A comprehensive approach to cyber risk management incorporates both IT security solutions and cyber insurance. Additionally, cyber insurance can provide access to experts who can help to build pre-loss resiliency and post-loss protection.
Cyber risk will continue to evolve in complexity, especially as supply chains become increasingly digitized and interconnected. Manufacturers that employ a strategic approach to managing shared supply chain risks will be best equipped to successfully navigate these challenges.