Ninety percent of respondents to the World Economic Forum’s Global Cybersecurity Outlook Report 2023 are concerned about the cyber resilience of third parties that have direct connections to their network, or process their data. This is no surprise, as almost every business relies on a complex web of suppliers, vendors, and partners to provide services to their customers. One of the biggest growth areas of supplier engagement has been in technology, with organisations increasingly outsourcing more of their technology services. Within these growing and intricate networks, the potential for cyber security risks to filter in is heightened. Cyber criminals will explore any open door that they can to access critical, sensitive, or valuable data. Therefore, supply chain leaders need to understand this risk environment and its complexities, and initiate strong risk prevention steps.
The new risk environment
The nature of cyber threats across the supply chain varies, but ransomware and data breaches are increasingly common. These pose significant risks because they can disrupt your suppliers, preventing them from fulfilling your requirements and, in turn, preventing you from meeting your customer demands. Security breaches at suppliers could also expose vulnerabilities within your own systems, which then provide opportunities for direct attacks on your own data.
It can be quite complex to understand and assess this new risk environment. To begin, the sheer complexity of today’s supply chains and their reach across the globe can make it difficult to identify and assess all potential vulnerabilities and threats. Secondly, there can be a lack of visibility and control over the security practices and policies of suppliers and partners. The governance standards of other organisations may be poor and fail to meet your requirements.
Another issue is that there are legal and regulatory implications not only if a breach of your own data occurs, but potentially also if you are connected to a third-party breach. These issues may result in fines, penalties, or lawsuits for your organisation – whether you expect it, or not.
Risk prevention steps
Once you recognise risks to your environment, it is vital to take steps to predict and prevent disruptive and costly cyber incidents across the supply chain. There are at least five critical actions to take to achieve this. These are:
- Build a holistic view of all your suppliers and the services they provide. Segment suppliers by the level of risk they represent to you, for example, the type and volume of data they have access to, and the criticality of their services to your ability to operate. Consider concentration risk (reliance on a single supplier), and ask whether your suppliers rely on other suppliers (your fourth- and fifth-party risk) to deliver services.
- Conduct due diligence and risk assessments. Undertake these on your current and prospective suppliers and partners, verifying their security credentials as part of that process.
- Establish clear and enforceable contracts and agreements with your third parties. Be sure to specify your security requirements and expectations, and define roles and responsibilities in the event of an incident.
- Monitor and assess the performance and security posture of your third parties. Do this on a regular basis and address any security issues or gaps promptly. Organisations that are maturing in this space are looking at how to utilise technology to support this, in the form of artificial intelligence and continuous assessment monitoring.
- Implement a robust incident response plan. This plan should cover your supply chain and maintain effective communication and coordination mechanisms with your third parties in case of an emergency.
Getting you on track
At KPMG, we have extensive experience working with organisations on supply chain risk mitigation. We can help you understand your supply chain cyber risk environment and build the right strategies for cyber risk prevention. Among many other steps, we can:
- Help you to conduct a review of your supplier risk management processes to enhance your operating model and efficiency.
- Assess the security standards of your suppliers, using either our standards-aligned assessment method, or your own preferred method.
- Test your own, and your suppliers’, incident response processes.
- Help you look at how technology can support your efforts to maintain ongoing oversight of your supply chain risk environment.
To find out more about how we can help build resilience into your supply chain, please get in touch.