Managing supply chain cyber risks
There are a number of factors fueling the rise in supply chain attacks, such as victims being more willing to pay ransoms, escalating international tensions, larger and more interconnected networks, and the ease of anonymous payments through cryptocurrency.
Supply chain attacks have become more frequent in recent years, with a growing number of ransomware attacks being reported globally. These attacks have become more sophisticated, targeting the shipping and transport industry, seaports, food networks, water supplies, fuel distribution systems, hospitals and city governments. Smaller organizations that lack the resources to implement robust cybersecurity measures are particularly vulnerable to these forms of attacks. There are a number of factors fueling the rise in supply chain attacks, such as victims being more willing to pay ransoms, escalating international tensions, larger and more interconnected networks, and the ease of anonymous payments through cryptocurrency.
Cautionary tale: Maersk breach
The Maersk cyberattack in 2017 offers a cautionary tale on the consequences of supply chain vulnerability. About 90% of global trade is transported by sea vessels. So, when Maersk, the world’s largest container shipping line and port operator, was attacked with the NotPetya malware and its IT systems and operations worldwide disrupted, widespread disruption, delays, and financial losses ensued. Suppliers that relied on Maersk’s shipping services to transport their goods faced major disruptions in their supply chains. Some suppliers had their shipments delayed or cancelled, while others incurred increased costs due to the need to find alternative shipping services.
The incident highlights the vulnerability of organizations in the supply chain, especially when it comes to their reliance on technology and interconnected systems. One attack can have far-reaching impacts, affecting multiple companies, operations and supply chains globally.
Risk assessment and mitigation
To mitigate the risk of such incidents, companies in the supply chain must be proactive in managing their cyber risk and consider the indirect impact of cyberattacks on their supply chain. This may include loss of business, reputational damage, and financial penalties due to noncompliance with regulatory requirements. Organizations must also have a clear understanding of their legal obligations, including data protection laws, and implement measures to reduce their legal risks.
Organizations should first undertake a risk assessment to understand their own vulnerabilities to cyber threats. The next critical step is to implement robust cybersecurity measures to mitigate these risks. This can include implementing firewalls, regularly updating antivirus software, monitoring and controlling access to confidential information, and utilizing encryption technology. Effective password management practices also play a significant role in enhancing an organization’s cybersecurity. Simple measures such as promoting strong passwords, mandating regular password changes, utilizing two-factor authentication, prohibiting password reuse, and requiring password-protected screensavers can significantly reduce the risk of cyberattacks. By making it harder for cybercriminals to breach the organization’s security, organizations can prevent or minimize the impact of potential cyber incidents.
Regularly reviewing these measures can prevent a cyberattack and limit damage, but they cannot be fully eliminated. Even the most robust security measures may fail to prevent a direct attack. Supply chain participants can also be indirectly impacted by successful attacks on other participants. Disruptions can occur at any level of the supply chain. The components of a supply chain are only as strong and secure as the weakest link.
Contractual obligations
Organizations should review their agreements to understand their obligations for instituting cybersecurity measures for preventing cyberattacks, data breaches and security breaches. They should also review their agreements to evaluate the impact cyberattacks may have on the organization’s rights, obligations, and liabilities under the contracts.
Supply chain disruptions can impede a vendor’s ability to fulfill their contractual obligations. For instance, cyberattacks on ports or shipping can hamper a vendor’s ability to deliver goods.
Vendors should review their contracts for a force majeure clause and determine if cyberattacks qualify as a force majeure event. To minimize risks, it is best practice for vendors to have a force majeure clause that specifically and expressly includes cyberattacks. If such language is absent, whether a cyberattack qualifies as a force majeure event may depend on the specific circumstances of the attack. For example, an Iranian-led cyber-attack may be considered an act of terrorism or war, while a ransomware attack by private actors may not. Force majeure clauses also customarily excuse nonperformance attributable to events outside the reasonable control of the defaulting party. Whether a cyberattack is beyond the reasonable control of a vendor depends on the particular circumstances. Relevant factors may include the nature and quality of the cybersecurity measures adopted by the vendor, the scope and scale of the attack, and whether the vendor was the direct victim of the attack or collateral damage. Vendors may also be held liable for damages caused by cyber-attacks, data breaches, and security breaches. To limit their liability, vendors should review and negotiate limitation of liability clauses in applicable agreements.
Vendor considerations
Customers can reduce the risk of supply chain disruptions caused by cyberattacks by requiring their vendors to implement adequate cybersecurity measures. This strengthens the links in the supply chain and decreases the likelihood of cyber incidents. To further minimize risks, customers should aim to restrict vendors’ dependence on the force majeure clause for cyberattacks that are beyond the vendor’s reasonable control and could not have been prevented through proper cybersecurity measures. Customers should also evaluate notification requirements in contracts to guarantee timely and comprehensive notification in the event of an attack, as well as its potential impact on both customer and vendor obligations.
Insurance options
Insurance may also provide an additional level of protection, with some customers requiring vendors to hold cybersecurity insurance (and technology errors and omissions insurance for technology vendors) to provide financial protection and minimize the risk associated with cyber incidents. There are several types of insurance policies that provide coverage for indirect losses resulting from a cyberattack, as well as losses resulting from cyberattacks on suppliers or other members of the supply chain. Insurance policies for cyber risks often include coverage for indirect losses such as lost profits or business interruption resulting from a wide range of cyber risks, including data breaches, cyber extortion, and losses resulting from cyberattacks on suppliers or other members of the supply chain. However, the coverage may be subject to limitations, such as a cap on the amount of coverage available, a waiting period before coverage kicks in, or specific exclusions for certain types of losses.
Certain business interruption and supply chain insurance policies may provide coverage for losses attributable to business interruption resulting from a cyberattack. The coverage provided by these policies can vary widely depending on the specific policy and the insurance company. Some insurance policies may not cover indirect losses caused by a cyberattack, such as lost profits or business interruption, while others may not cover losses resulting from cyber extortion, such as from ransomware attacks. Companies should thoroughly review the coverage and limitations of their insurance policies to understand any gaps in their coverage and consider purchasing additional coverage if necessary to ensure that they have adequate protection against the risks of loss from cyberattacks.
Companies may not be able to eliminate all exposure to cyber risks, but effective cybersecurity measures, suitably drafted agreements, and a dose of insurance will go a long way to manage that exposure.
Michael Orenstein is of counsel at Thompson LLP in New York City. He counsels clients on a range of securities, corporate finance, governance, transactional and compliance matters. He can be reached at morenstein@thomplegal.com.