Global supply chains are a way of life for modern businesses, but in the constant search for affordable labor and services, new challenges and risks continue to emerge.
The 2011 Tohoku, Japan earthquake and tsunami drove home the realization that a single point of failure at a single link can halt the flow of goods across an entire supply chain. To meet these challenges, businesses are finding new ways to increase communication and coordination across their supply chains, using technology to integrate systems and create contingency plans should a supplier be taken offline for any reason.
|Supply chain risk
The evolution of supply chain development has brought with it an evolution of risks. Potential risks come from many directions. They are not limited to physical production but include dependency on vendors for payroll, social services and benefits, and their causes range from natural catastrophes to political risk and machine failure. Beyond the flow of goods, the quality of products can be compromised at any point along a supply chain, from the raw materials to the semi-finished product.
|Cyber is a business risk
Some supply chain trends play into the hands of those who perpetrate cyber attacks. For example, efforts to integrate supply chains by connecting systems and getting them to talk to one another create opportunities for cyber criminals to infiltrate systems throughout the chain: a compromise at the weakest link becomes a path into every system connected to it.
The good news is that awareness among businesses is increasing and companies are taking the threat more seriously than ever. Whereas cyber may have been seen as an IT risk historically, it is now generally recognized as an enterprise risk management (ERM) challenge, with the conversation about how to address it elevated to include a company's board and executive team. In other words, it is becoming clear that cyber risk is a significant business risk.
|Cyber liability
For a business, recognizing cyber risk within its four walls is one thing, but organizations must also understand this risk in the context of their supply chains. An attack may not be limited to a supplier's systems. A more recent trend shows cyber attacks can cause physical damage at facilities. Supply chains are becoming more integrated and connected, which carries both benefits and risks: a more integrated supply chain can enable real time communication and efficiencies but can also entail greater vulnerability.
The liability landscape is being reshaped by supply chains; increasingly, a company could be liable for a defect that originated at one of its suppliers. This is just as relevant for data as it is for products and services. The company initially entrusted with customers' data is generally seen as the data owner for purposes of liability and legal duty. This means that while the data may have been passed on to and compromised at a supplier, the initial holder, with some exceptions, will have to respond to the breach.
|Preparedness and protection
Protecting and preparing an organization is challenging enough and so thinking about the potential vulnerabilities along an entire supply chain can seem daunting. There are steps organizations can take, at the very least, to begin to understand what they do not know, particularly with respect to sensitive data within the organization and across its supply chain:
- Know the business: Know where the data is, where it is duplicated, and who has access to it internally and externally (i.e. where the data rests, where it moves, and who handles it along the way).
- Protect the company: While insurance will not prevent a cyber attack, it will help a company recover more quickly in the event of a data breach or network security failure. The key is for companies to consider their insurance needs, i.e. they must know what they have before they know what to protect. Insurance can cover costs associated with responding to a breach, including investigation, notification, and legal costs. When considering supply chain risk in general, companies should also ask about coverages, such as contingent business interruption, which covers costs associated with a property loss at a supplier's location.
- Identify the supply chain: Businesses should understand that their vendors and suppliers may use subcontractors. A good proactive first step towards managing cyber risk in a supply chain is properly identifying the vendors and suppliers within it and knowing who exactly is handling data and how.
- Set standards and manage network access: Businesses should consider creating cyber security standards for partners within the supply chain that will be handling data. Are suppliers at least the company's equal when it comes to security? Sometimes a company may discover a supplier has more stringent standards than its own. Some cloud providers, for example, are as successful as they are because they are more secure and robust than the companies that use their services.
- Negotiate contracts: To the extent possible, a company should negotiate favourable terms in its contracts with vendors and suppliers, including the ability to undertake audits. Contracts can also require a vendor to carry its own cyber insurance: beyond the actual coverage protections, the insurer's underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company's own due diligence when vetting that vendor.
In summary, companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. The goal is for a company to understand what rights it has, and to establish clear expectations about obligations in the event of a breach at a vendor.
|Threat intelligence and information sharing
When it comes to data security and breach response, there is a wealth of available information on specific threats that companies can leverage. Obtaining the data, however, is only an effective strategy if a company is able to properly interpret and leverage it. Information and actionable intelligence are different and companies must be able to identify the few pieces of information that will actually improve outcomes. Companies should make smart decisions about what security operations they can in-source and what they should out-source, keeping in mind how they can bake security into their outsourcing decisions.
Once a company understands and can leverage threat intelligence, it may consider sharing relevant information among its suppliers and vendors. The challenge is sharing meaningful and actionable intelligence rather than all information that passes through systems.
The company should consider when and how to appropriately share information, bearing in mind that it is not a managed security provider for its vendors. Hiring vendors that have effective security capabilities is ideal, but for a subset of vendors with useful services but limited security resources, periodically sending an email advising them about a threat to look out for may be an information sharing strategy companies could employ.
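The distinction drawn above between information and actionable intelligence, and the idea of sending a targeted advisory to a vendor that runs an affected product, can be made concrete with a small triage routine. The following is an added example, not code from the original article or from Aspen Insurance: the feed records, the product inventory, the vendor list and the proxy log lines are all constructed for illustration, and the domains, product names and vendor names are placeholders.

```python
"""
Triage a threat-intelligence feed against what the organisation actually
runs, what it has already seen in its own telemetry, and which of its
vendors run the affected products.

Added example; not code from the original article or from Aspen Insurance.
Feed records, inventory, vendor list and log lines are constructed.
"""
from collections import defaultdict

# Constructed feed: each record is one "piece of information". Only some of
# them will turn out to be actionable for this organisation.
FEED = [
    {"id": "ind-001", "type": "domain", "value": "update-check.example.net",
     "affects": "Acme Payroll Connector", "note": "C2 for campaign X"},
    {"id": "ind-002", "type": "domain", "value": "cdn.example.org",
     "affects": "SomeOtherERP", "note": "phishing kit host"},
    {"id": "ind-003", "type": "product", "value": "Acme Payroll Connector",
     "affects": "Acme Payroll Connector", "note": "auth bypass, patch 4.2.1"},
    {"id": "ind-004", "type": "domain", "value": "files.example.com",
     "affects": "WidgetCMS", "note": "drive-by download"},
    {"id": "ind-005", "type": "product", "value": "Legacy Fax Gateway",
     "affects": "Legacy Fax Gateway", "note": "RCE, no patch"},
]

# Constructed inventory from the "know the business" and "identify the supply
# chain" steps: what the company runs, and what each data-handling vendor runs.
OWN_PRODUCTS = {"Acme Payroll Connector", "WidgetCMS"}
VENDOR_PRODUCTS = {
    "PayrollCo": {"Acme Payroll Connector", "Legacy Fax Gateway"},
    "BenefitsCo": {"SomeOtherERP"},
    "Logistics Ltd": {"WidgetCMS"},
}

# Constructed proxy log: timestamp, source host, destination domain.
PROXY_LOG = """\
2024-03-01T10:02:11Z hr-ws-07 login.microsoftonline.com
2024-03-01T10:02:45Z hr-ws-07 update-check.example.net
2024-03-01T10:03:02Z web-01 cdn.example.org
"""


def observed_domains(log_text):
    """Destination domains seen in the proxy log (third whitespace field)."""
    domains = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            domains.add(parts[2])
    return domains


def triage(feed, own_products, vendor_products, log_text):
    """Return (actionable, advisories).

    actionable maps indicator id -> reason, for indicators that either concern
    a product the organisation runs or were already observed in its own
    telemetry (the stronger signal, so it wins when both apply).
    advisories maps vendor -> list of indicator ids for products that vendor
    runs, i.e. what a targeted heads-up to that vendor would contain.
    """
    seen = observed_domains(log_text)
    actionable = {}
    advisories = defaultdict(list)
    for rec in feed:
        if rec["value"] in seen:
            actionable[rec["id"]] = "observed in proxy log"
        elif rec["affects"] in own_products:
            actionable[rec["id"]] = "affects product in use"
        for vendor, products in vendor_products.items():
            if rec["affects"] in products:
                advisories[vendor].append(rec["id"])
    return actionable, dict(advisories)


if __name__ == "__main__":
    ours, theirs = triage(FEED, OWN_PRODUCTS, VENDOR_PRODUCTS, PROXY_LOG)
    for ind_id, reason in ours.items():
        print(f"act on {ind_id}: {reason}")
    for vendor, ids in theirs.items():
        print(f"advise {vendor}: {', '.join(ids)}")
```

Two records illustrate the point of the section: ind-002 concerns a product the company does not run, yet it matters because the domain already appears in the company's own proxy log; ind-005 is not actionable for the company at all, but it is exactly the kind of item worth forwarding to the one vendor that runs the affected product. The feed is five records here; the same routine over a real feed is what turns a stream of information into the few items that improve outcomes.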
|Realistic approach
It's not possible to eliminate cyber risk entirely throughout a global supply chain. Taking steps to limit risk should not be misinterpreted as an airtight defense against threats. But understanding the organization's operations, its supply chain, and its vulnerabilities can lead to the next best thing: resilience, or avoiding the potential for a single point of failure to disrupt the entire supply chain.
The first step, if not already taken, is to understand the operation and supply chain. Key personnel within the organization should be assembled to identify how much and what kind of data is held and where it sits. The supply chain should be audited, in as far as it is feasible, and protection implemented as thoroughly as possible through contracts with suppliers and vendors. An insurance professional can then advise about the proper coverages to help protect against cyber threats and other supply chain risks. The goal is to recognize the threats, limit exposure, and ensure supply chain redundancy.
This piece was originally published on Aspen Insurance's website. The Aspen White Paper “Cyber Risk and the Evolution of Supply Chains” discusses protection strategies against this constantly changing threat.
© 2024 ALM Global, LLC, All Rights Reserved.