A company's supply chain is an integral and sometimes complicated part of its business.
As companies optimize their supply chains using interconnected technology, the cyber risk of disruption and lost business multiplies. Where a third-party supplier is connected to a company's systems, a compromise at the supplier can disrupt the company's business or allow a direct attack on the company.
Recent cyber incidents in 2013 at Target and 2014 at Home Depot demonstrated how a compromise at a smaller third-party vendor allowed thieves to steal millions of customers' data, including payment cards. While those events involved theft of data, the risk to physical assets is growing.
Discussed below are more practical means of risk assessment: evaluating a company's ability to respond to a disruption in its supply chain. In other words, evaluating its robustness and responsiveness.
ID & evaluate risks accurately
Current underwriting practices are unlikely to identify and evaluate risks to a company's supply chain accurately, because they rely on the company's own knowledge of its connectivity, its locations, its access to data, its vendors' protocols, and its efforts to secure its business activities.
Current risk assessment practices can develop an overall snapshot, including identifying a company's most important vendors in its supply chain, how reliant a company's income generation is on vendor operations and how much access a vendor has to the company's cyber-physical systems. Entities such as the National Institute of Standards and Technology (NIST) identify additional checklist items for interconnected relationships, including the extent of:
• Vendor access to a company's cyber-physical system;
• Network segmentation, so that a breach cannot expand to critical assets or processes;
• Vendor selection, guidelines, standards and controls, including contract language requiring reports, audits and validation of performance;
• Password and monitoring safeguards, policies and practices;
• Insider threat training, including both intentional and unintentional insider threat; and
• Audit programs to monitor security protocols within the company and at supply chain vendors.
Spot complacency and lax security practices
Research demonstrates that a lack of successful cyber intrusions leads to complacency and lax security practices. A culture of "it worked before" or "it hasn't happened" typically leads to an under-appreciation or a biased assessment of risk. For example, a company employee is contacted by someone claiming to be a long-standing vendor who needs to "troubleshoot" communications.
The employee may interact with that contact without first verifying that it is in fact the vendor, that there is in fact a communications issue and that the employee is authorized to give out company information. Or, more commonly, an employee accesses social media at work and, having opened photos, ads or "click-bait" many times before without incident, introduces malware into the company's systems.
Focus on responding thoroughly & quickly
When addressing this issue, the emphasis needs to be on how quickly and thoroughly a company can react. Risk assessment that focuses on a company's ability to respond to a cyber event impacting its supply chain provides more practical and accurate information. It tracks the supply chain functions necessary for a company's profitability and measures its plans to maintain those functions when one of its vendors is disrupted. Rather than gamble on "if" or "when" a disruption will occur, one can assess the extent of damage such a disruption may cause by examining robustness (i.e., alternative or distributed systems) and responsiveness (i.e., the agility to switch systems or vendors). This translates into the knowledge needed to put better systems in place.
Soules Insurance Agency
Source: Company cyberinsurance — the supply chain dilemma | PropertyCasualty360. June 12, 2017, Nicholas A. Pasciullo