
Risk in Context

3 Questions for Better Supply Chain Cybersecurity

Posted by Reid Sawyer September 04, 2018

A lack of restrictions placed on servers of an engineering service provider led to the inadvertent exposure of at least 157 gigabytes of sensitive data from more than 100 auto manufacturers and parts companies. The vulnerability was disclosed in late July 2018; it remains unclear if any malicious users gained access to the data.

This is one of many third-party cyber breaches that have occurred in the past year, underlining the importance of implementing a vendor cybersecurity risk management system.

Your Supply Chain’s Cyber Vulnerabilities

The supply chain is an integral part of not just your company’s business model, but also your company’s extended cyber ecosystem. Vendors and suppliers can have direct connections to your company’s networks or systems (including ERP, ordering, and billing systems) or may have access to proprietary data. There are typically similar interconnections among vendors themselves along supply chains.

This dramatically increases your organization’s “attack surface” — the full range of opportunities for hackers to gain access to your data. The boundaries and exposures of this expanded attack surface are often not well understood. Sophisticated attacks are increasingly common, driving most companies to prioritize the protection of sensitive assets. However, organizations remain highly vulnerable through the data and systems they share with third parties.

Assessing Your Vendor Relationships

Companies concerned about cybersecurity risks within their supply chains should conduct deeper assessments of their current vendor relationships. Ask the following questions:

  1. Do I have a complete inventory of vendors and third parties with access to my data? The first step to protecting your data is knowing who has access to it. Identifying what information is being shared with which vendors enables you to understand how big, wide, and deep your relationships go.
  2. How do I expect these organizations to handle and protect my data? Once relationships have been identified, it’s essential to develop a policy that your vendors must adhere to in order to access and protect your data. Also determine what cyber insurance policies vendors have in place should an issue arise.
  3. How am I monitoring vendors to ensure they are meeting expectations? Real-time monitoring tools can flag problems experienced by particular vendors, such as active malware or bots coming from their networks. A formal review and assessment program should be put in place for ongoing or even continuous monitoring. Although this can be done annually as part of a standard compliance assessment, it is prudent to conduct these checks more frequently. Vendors that deal with more sensitive data, or for whom a large part of that relationship is based on data management, should likely be assessed quarterly.

Should an issue be identified during this monitoring, there needs to be a clearly defined recourse with the vendor. Your organization may also consider empowering your cybersecurity leader (for example, a chief information security officer or chief information officer) with the authority to suspend or even terminate vendors that are unable to demonstrate that they can adequately safeguard your organization’s data, supply chain, and successful operation.

Reid Sawyer

A nationally recognized expert, Reid is a Managing Director heading the Emerging Risks Group at Marsh and is the US Cyber Consulting Leader. Prior to Marsh, Reid joined JLT in 2015 as Senior Vice President after a 22-year career in the U.S. Army. Reid actively advises numerous senior government and industry leaders, and Boards, with particular emphasis on cyber, geopolitical, and strategic risk advisory. The Emerging Risks Group deploys quantitative and qualitative methods to address our clients’ most complex risks, enabling decisions at the executive and Board levels.