Navigating cyber risk in the supply chain

Roland Heinesch, cyber risk underwriter at Liberty Specialty Markets, examines the complex web of supply chain and cyber risk, and puts forward best practices businesses should adopt to safeguard their operations.

In today’s digital landscape, the complexity of modern supply chains cannot be overstated. With businesses relying on an increasing number of suppliers, vendors and partners to provide services to their customers on a global scale, the interconnectivity of these chains has reached unprecedented levels.

While these expansive networks have undoubtedly facilitated global trade and seamless business operations, they have also made supply chains more susceptible to interruption, and therefore enticing targets for cyber criminals.

Last year, supply chain-related disruptions led to an average $82mn in annual losses per company in key industries, underscoring the scale of the issue.

More than ever before, supply chain vulnerabilities are intricately woven into the fabric of cyber threats, and this marks a significant shift in how insurers and clients alike approach the security of interconnected business networks.

Understanding the digital landscape

Automated inventory systems, cloud-based collaboration platforms and Internet of Things devices, for example, are deeply embedded in day-to-day business. While they have optimised operations and created efficiencies, they have also introduced new risks and vulnerabilities. Each component, no matter how seemingly insignificant, can become a weak point that cyber criminals exploit.

The distributed nature of supply chains further complicates monitoring, making it harder to identify vulnerabilities and threats promptly.

Against this backdrop, cyber threats ranging from phishing attacks to industrial espionage loom large, posing risks to data confidentiality, integrity and availability. While the precise nature of a cyber threat varies across the supply chain, data breaches and ransomware are increasingly common, preventing suppliers from fulfilling their obligations and stifling business operations.

In turn, a breach at a supplier can expose your own systems: the network connections, credentials and data that the supplier holds on your behalf become a route for direct attacks on your own data.

Even for large companies that are otherwise well equipped to guard against cyber threats, a comprehensive risk management strategy must extend far beyond the organisation’s own digital walls. Attackers often exploit the weakest link in the supply chain, targeting smaller entities with indirect access to networks and relying on roundabout routes that take advantage of the inherent complexity of the supply chain network.

From outsourced payroll providers to business consultants and other vendors that maintain access to clients’ most sensitive data, a single breach can create a domino effect, causing widespread disruption. Likewise, a supplier might provide a business-critical product or service; if it fails to operate, it can bring the organisation dependent on it to a standstill.

Mitigating risk

The first step in mitigating cyber risk is prevention, which begins with the experience to identify gaps in cybersecurity maturity. Although complete protection is difficult to guarantee, proven preventative measures, such as a robust identity and access management strategy, foster greater resilience and security. For supplier access in particular, that means granting each vendor only the access its role requires, limiting that access in time and revoking it when the engagement ends.

Likewise, formalising a cyber supply chain risk management plan is fundamental: it establishes the governance, policies, procedures, tools and processes needed to safeguard the supply chain.

Being prepared for an incident is equally critical. Companies must assume that an incident will occur; the question is not if, but when. Business continuity plans play a central role in incident recovery and must be tested frequently, and aligning them with insurance programmes is essential. Some insurers allow flexibility in the choice of incident response vendors, but that choice belongs in proactive preparation, not in the reactive response once an incident is under way.

Beyond these proactive measures, businesses must remain vigilant within the broader landscape. The complexity of interconnections, globalisation and regulatory pressures necessitates a constant evaluation of security practices.

Ultimately, cyber risk within supply chains demands a multifaceted approach. Insurers, leveraging their global expertise and claims data, play a vital role in helping clients protect themselves.

By sharing valuable insights and continuously improving their service offerings, insurers enable businesses to better understand and mitigate cyber risks. Benchmarking similar risks across industries provides invaluable insights for clients, enhancing their cybersecurity strategies.

In this ever-evolving landscape, where risks may be hidden behind a vendor’s firewall or within a single line of code, proactive vigilance, collaboration and a commitment to continuous improvement serve as the cornerstones of resilience.