Defining and uncovering cyber risks in your digital supply chain

Are cyberattacks against supply chains inevitable? The bad news: Yes. The good news: While it may not be possible to prevent all supply chain cyberattacks, the risk and impact can be potentially managed and minimized.

Why Are Attackers Targeting Supply Chains?

A supply chain attack is when an attacker gains access to your data through one of your vendors or partners. These types of attacks present cyberattackers with enormous opportunities for exploitation. A successful attack against even a single vendor or supplier can yield sensitive data across multiple organizations.

What Is a Digital Supply Chain?

A digital supply chain can be defined as:

  1. The digital aspects of a physical supply chain or a traditional supply chain powered by digital technology.
  2. The chain of technology companies involved in the delivery of digital products.

These two definitions overlap, as almost all supply chains can be considered digital — and third-party technology vendors may supply the technology used in the digital supply chain.

It’s thus important to understand your vendor ecosystem and how they support your digital supply chain. Do you know who provides the digital products and services on which your company relies? Or any critical products/services, for that matter?

As you look deeper into your digital supply chain, consider potential risks from:

  • Third-party vendor/suppliers, which include any entities that provide products or services to your organization to maintain daily operations, and/or provide products or services on behalf of your organization (for example, technology vendors and critical component/product suppliers). These third parties can pose a risk to all organizations, especially those that have technology connectivity or access to data.
  • Fourth-party vendor/suppliers, which are the suppliers of your suppliers. Every company outsources parts of its operations to multiple vendors and suppliers. Those suppliers, in turn, outsource parts of their operations to other suppliers.

The larger your ecosystem is, the bigger your attack surface and potential vulnerabilities are.

Many organizations struggle to understand their complex digital supply chains and the myriad vendor relationships that support their operations — especially those that have access to IT systems and/or data. Regardless of how it’s defined, the expansion of a company’s digital supply chain brings increased cyber risk.

How Does This Play Out?

Consider the digital supply chain risks in the following scenarios, where an organization:

What Can You Do?

As we see more attacks on critical technology vendors and organizations’ digital supply chains, it’s more important than ever to define what is meant by digital supply chain, how the term is understood within your organization, and what types of cyber risks manifest from your critical third-party vendors and digital supply chain.

While supply chain cyberattacks can’t all be prevented, they can be identified and managed to reduce impact. Supply chain resilience can be achieved through identification and understanding of the risks and their potential impact, planning for when an attack happens, and finding the right balance between risk mitigation and risk transfer.

Marsh Cyber Can Help

  • Marsh’s robust suite of cyber supply chain offerings includes:
  • Third party-vendor risk management framework development.
  • Vendor risk monitoring.
  • Quantification of digital supply chain cyber risk.
  • Incident response and business continuity planning in support of incidents caused by vendors.
  • Cyber incident management services, including claims support and proof of loss for digital supply chain cyber incidents.
  • Insurance brokerage services designed to address losses caused by vendors and to digital supply chains.

Marsh has helped organizations around the world better understand and manage their supply chain risk. Contact us to learn more.