Navigating cyber risk in the supply chain

Authored by Liberty Specialty Markets

Roland Heinesch, Cyber Risk Underwriter at Liberty Specialty Markets, delves into the complex web of supply chain and cyber risk, offering valuable insights into the risk landscape and the best practices businesses should adopt to safeguard their operations.

In today's digital landscape, the complexity of modern supply chains cannot be overstated. With businesses relying on an increasing number of suppliers, vendors and partners to provide services to their customers on a global scale, the interconnectivity of these chains has reached unprecedented levels. 

While these expansive networks have undoubtedly facilitated global trade and seamless business operations, they have also rendered supply chains more susceptible to potential interruptions, making them enticing targets for cyber criminals. Last year, supply chain-related disruptions led to an average of $82 million in annual losses per company in key industries, underscoring the scale of the issue.

More than ever before, it is crucial to recognise that supply chain vulnerabilities are now intricately woven into the fabric of cyber threats, marking a significant shift in how insurers and clients alike approach the security of our interconnected business networks.

Understanding the Digital Landscape

Automated inventory systems, cloud-based collaboration platforms and Internet of Things (IoT) devices, for example, are deeply embedded into business portfolios. While they have optimised operations and created efficiencies, they have also introduced new risks and vulnerabilities. Each component, no matter how seemingly insignificant, can become a potential weak point that cybercriminals exploit. The distributed nature of supply chains further complicates efficient monitoring, making it challenging to identify vulnerabilities and threats promptly.

Against this backdrop, cyber threats, ranging from phishing attacks to industrial espionage, loom large, posing risks to data confidentiality, availability, and integrity. While the precise nature of the cyber threat can vary across the supply chain, data breaches and ransomware are becoming increasingly common, preventing suppliers from fulfilling requirements and stifling business operations. In turn, security breaches at suppliers can expose vulnerabilities within your own systems, which can then provide opportunities for direct attacks on your own data.

Even for large companies that are otherwise well-equipped to safeguard against cyber threats, today’s most comprehensive risk management strategies must extend far beyond an organisation’s digital walls. Often, hackers will exploit the weakest link in the supply chain, targeting smaller entities with indirect access to networks and relying on backdoor strategies that exploit the inherent complexity of the supply chain network. From outsourced payroll providers to business consultants and other vendors that maintain access to clients’ most sensitive data, a single breach can create a domino effect, causing widespread disruption. Likewise, a supplier might provide a business-critical product or service; if it fails to operate, it can bring the organisation dependent on it to a standstill.

A widely known example of an advanced threat actor carrying out a targeted software supply chain attack is the Solorigate event. In 2020, the actor used compromised software to establish a backdoor to targeted systems. While a vulnerability in Orion software represented a single point of failure, allowing the attack to become a widespread systemic event impacting nearly 20,000 organizations, it did not culminate in severe losses for the insurance market because the motivation behind the attack was espionage rather than destruction. There have been several key takeaways from the incident for the market, including the far-reaching impact of supply chain attacks, the critical consideration of threat actors’ motivations, and the enduring and evolving threat of sophisticated software supply chain attacks.

The Solorigate event offers invaluable lessons for the cybersecurity landscape, highlighting the multifaceted challenges and evolving nature of cyber threats. Events like this change the ways in which insurers model losses, by integrating technology-dependency data and external network scanning techniques to identify vulnerabilities in companies' networks and anticipate potential targets for supply chain exploits.

Mitigating Risk

As Solorigate illustrated, the first step in mitigating cyber risk is prevention, together with experience in identifying gaps in an organisation's current cybersecurity maturity. Although complete protection is difficult to guarantee, there are proven preventative measures, such as a robust Identity & Access Management strategy, that can foster greater resilience and security. Likewise, formalising a Cyber Supply Chain Risk Management (C-SCRM) plan is a fundamental strategy, facilitating the governance, procedures, policies, tools, and processes essential for safeguarding the supply chain.

Being prepared for an incident is equally critical. Companies must assume that an incident will occur; the question is not if, but when. Business Continuity Plans play a central role in incident recovery, emphasising the need for frequent testing, and aligning these plans with insurance programs is essential. Some insurers provide flexibility in vendor choices, underscoring the importance of proactive preparation rather than reactive response. 

Recognising the critical role of suppliers and vendors is vital. Understanding their roles, assessing their access to sensitive data, and engaging them in cyber resilience, incident response, and disaster recovery activities form the bedrock of a robust strategy. Ongoing monitoring and assessment, coupled with transparent communication channels, ensure that the controls used by suppliers align with the organisation's security requirements. Incorporating cybersecurity considerations into every phase of the supply chain, from vendor selection to product delivery, establishes a proactive stance against potential threats.

Beyond these proactive measures, businesses must remain vigilant within the broader landscape. The complexity of interconnections, globalisation, and regulatory pressures necessitates a constant evaluation of security practices. 

Ultimately, cyber risk within supply chains demands a multifaceted approach. Insurers, leveraging their global expertise and claims data, play a vital role in helping clients protect themselves. By sharing valuable insights and continuously improving their service offerings, insurers enable businesses to better understand and mitigate cyber risks. Benchmarking 


About Liberty

Liberty Specialty Markets offers specialty and commercial insurance and reinsurance products across key UK, European, Middle East, US and other international locations.

We provide brokers and insureds with a broad range of products through both the Company and Lloyd’s markets and have over 1,700 staff in approximately 65 offices. Liberty Specialty Markets was established in September 2013 bringing together Liberty’s company, syndicate and reinsurance operations into one combined operation, composed of three business units: Commercial, Specialty, and Reinsurance (Liberty Mutual Re). This integrated approach means brokers and clients can benefit from our global reach and operating efficiencies.

Liberty Specialty Markets is part of Liberty Mutual Insurance Group, a diversified global insurer formed in 1912 and headquartered in Boston, Massachusetts. Liberty Mutual is the 5th largest global insurer based on 2017 gross written premium, with over 50,000 employees in 30 countries and economies around the world. Our purpose is to help people embrace today and confidently pursue tomorrow. The promise we make to our customers throughout the world is to provide protection for the unexpected, delivered with care. We achieve this by offering a full range of personal, commercial, and specialty Property & Casualty insurance coverages. Our customers’ trust has earned us the 68th spot on the Fortune 100 list of largest corporations in the U.S., based on 2017 revenue.
