Navigating cyber risk in the supply chain

The opportunities created by technology to provide goods and services on a global scale are growing in exciting ways, with an interconnectedness among business partners the world has not seen before. These expansive digital networks facilitate trade and streamline operations — but they also render supply chains more susceptible to interference.

As supply chains grow more complex, they present a growing number of cyber vulnerabilities, leaving businesses — along with their suppliers, vendors, and other external partners — at greater risk. The interwoven relationship of supply chains and cyber threats signals a major shift in the way insurers and clients alike must view and address supply chain security.

For example, last year, supply chain-related disruptions averaged $82 million[1] in annual losses per company in key industries. The impact is substantial, to say the least, and the rate of cyber threats is only increasing.

Surveying the technology landscape

Organizations of all sizes can now leverage automated inventory systems, cloud-based collaboration platforms, and Internet of Things (IoT) devices that streamline business processes and optimize operations.

This modern structure makes securing and monitoring business systems more complicated. Threat identification becomes more challenging, and the distributed nature of these systems only magnifies that difficulty.

It’s not surprising, then, that within this complex environment, cyber threats have flourished. From phishing attacks to industrial espionage, threat actors are exploiting vulnerabilities in the confidentiality, availability, and integrity of business data. The exact tactic may vary, but the frequency of ransomware and data theft continues to grow, dragging down business operations with each successful attack.

Small vulnerabilities, big problems

It’s even more concerning within the framework of interconnectivity mentioned above; as supply chains become more interdependent, so does data. As the security gaps of our suppliers or vendors are exposed, they can highlight vulnerabilities — and entry points — into our own business systems. Even large organizations, typically well-armed against cyber threats, have found a need to re-up their risk-management strategies to account for hacks that happen outside their own business.

Consider this scenario: a smaller vendor may have less robust online security, making it more vulnerable to cybercriminals. When a security breach happens within the vendor’s system, this, in turn, facilitates backdoor access into your otherwise secure digital environment — allowing criminals to access sensitive data or even create widespread business disruption.

Meanwhile, the vendor that was originally hacked may have its business disrupted as well. A key vendor’s shutdown, even temporary, can cause chaos for larger organizations that depend on its services.

The SolarWinds event: lessons learned

One example of supply chain exploitation being used to attack a larger entity is the SolarWinds or Solorigate event. In 2020, cybercriminals injected malicious code into an online systems platform from SolarWinds called Orion. As Orion was used by some of the world’s largest organizations, the compromised platform allowed cybercriminals to establish a back door into the systems of SolarWinds’ many high-profile clients.

A single point of failure within one vendor’s software system allowed a widespread cyberattack that spread to nearly 20,000 organizations. The potential for damage was astronomical — yet the primary factor that limited potential losses to insurers was the cybercriminals’ intent: espionage, rather than destruction.

We can learn several lessons from this event. First, we cannot underestimate the far-reaching implications of supply chain attacks. Second, the motivation of threat actors can make a significant difference in outcomes. And third, the threat of sophisticated supply chain attacks will endure and evolve.

Solorigate, and similar events since then, also fundamentally changed the way insurers assess and model loss. By leveraging data related to technology dependency and integrating external network monitoring techniques, insurers are better able to identify vulnerabilities and predict the likelihood of a supply chain attack.

Best practices to mitigate supply chain cyber risk

The first step any organization should take to protect its supply chain from cyber risk is to assess the maturity of its current cybersecurity program. It’s worth noting that no business is a fortress. That is, given the need to balance functionality with security, complete protection of online systems is difficult — if not impossible.

This necessary tension between security and functionality makes advance preparation even more critical. If it’s less a matter of if a cyberattack will occur, and more a matter of when, then preparation is truly the key to success.

This is where a business continuity plan comes into play. A well-designed plan allows for faster, more efficient recovery after a supply chain attack, with a focus on proactive preparation rather than reactive response. It emphasizes the need for regular stress-testing of an organization’s systems, and integrates a trusted insurance provider’s recommendations for coverage and resources for risk management.

A business continuity plan also helps organizations create a roadmap for implementing more robust protective measures, such as those related to identity and access management. It also can include a formal cyber supply chain risk-management (C-SCRM) plan — a fundamental strategy for governance, procedures, policies, tools, and processes to help safeguard an existing supply chain.

Minimizing risk through vendor relationships

Understanding the roles of vendors is a key component of supply chain security. To address risk adequately, we must understand their access to our data, then engage with them to ensure their own cybersecurity and incident response practices minimize upstream risk. Ongoing monitoring and assessment, as well as wide-open communication channels, allow large businesses to protect themselves better by encouraging business partners to do the same.

It’s a proactive approach: one that incorporates cybersecurity considerations into every phase of the supply chain and establishes an active defense against potential threats.

Partnering for a stronger defense

Beyond these proactive measures, businesses must remain vigilant within the broader risk landscape. The best way to do this is by working with an experienced, trusted insurance provider. Cyber risk will remain a significant threat to businesses and modern, distributed supply chains. However, by leveraging a global carrier’s industry-specific cyber expertise, those risks can be identified and mitigated more easily.

An experienced insurer will be able to leverage claims data, sharing the resulting insights with clients to improve coverage offerings continuously and empower businesses to build resilience through enhanced cybersecurity strategies.

As new threats continue to appear on the horizon, creating a more secure supply chain can seem like a moving target. Risks may be hiding in unexpected places, even within a single line of website code. To respond effectively, choose an insurance partner with the agility and strength to protect against the threats you see today — and those on the way — with coverages and risk-management resources tailored to your business.

To learn more about how Liberty helps protect supply chains from cyber risk, visit our cyber liability site.
