Simon Viney is a director of Security Science at Stroz Friedberg, an investigations, intelligence and risk management company.
Supply chains remain a weak link in the cyber defences of firms throughout the financial services industry, so a survey showing a marked decrease in background checks on suppliers’ staff is a worrying indication that many still lack a coherent strategy for tackling such risks. This year’s ClubCISO Information Security Maturity Report found that while overall security awareness training has improved and senior executives are more engaged, security checks on staff hired by suppliers had almost halved in the last twelve months.
Yet supply chains, in particular, remain a potential weak link which businesses must tackle or face being exploited by hackers – with potentially dire reputational as well as financial consequences. The Allianz Risk Barometer identified both supply chain and cyber risk as top five business risks for 2015, and cyber supply chain risk intersects both of these: suppliers can be disrupted as a result of cyber attack or be a vector in a direct attack.
There are 20 key questions to ask when developing a strategy for cyber supply chain risk management:
- Are your critical business processes dependent on any particular participants?
- Do your resilience plans make assumptions about the operational capabilities of other players in the market?
- Do you place high levels of trust in the staff or IT of any particular participants?
- Do any of the participants in your supply chain have a heightened threat profile?
- Do your suppliers’ risk governance processes provide similar levels of assurance as your own?
- Have your suppliers identified their key cyber threats and do they have robust plans in place to manage them? What control definitions or standards do they use?
- Do your suppliers have the key controls you believe will mitigate your risks? Are they designed appropriately and operated effectively?
- Do you measure the external cyber hygiene indicators of your key suppliers? Do you provide clear and actionable feedback on this to them on a regular basis?
- Have you built trust relationships with key suppliers? Do you use regular forums and communications in a manner similar to your customer relationship management?
- Do you share your threat assessments and your risk profile with your suppliers? Have you made it clear you expect them to digest it and provide similar content in return?
- Do your contracts include your ‘red-line’ risks and controls that you expect to be closely managed?
- Can you use your purchasing power and the size of your supply chain to obtain discounts from controls vendors on behalf of your supply chain? Can you drive or contribute to community CERTs for your supply chain?
- Have you reviewed the available controls across your supply chain and considered if your own implementations are better and suitable for extending to your suppliers?
- Have you considered combining capability sharing with a cyber insurance policy you purchase on behalf of the supply chain, to provide an incentive for suppliers to take advantage of the offer?
- Have you assessed your suppliers in the context of your own challenges in staffing and sustaining security functions?
- Have you encouraged your Chief Information Security Officer (CISO) and the wider security team to establish consultative relationships with your suppliers?
- Have you ensured that contractual sanctions exist as a fall-back for a failure in the relationship with suppliers?
- Would your management enforce cyber supply chain risk management contractual requirements?
- Have you ensured executive management are briefed on the current state of supplier cyber risks and on the potential requirement to enact sanctions or even terminate relationships?
- Have you ‘war-gamed’ a major cyber attack on or via your supply chain with your executive management team?
For an effective and appropriate cyber supply chain risk management strategy you should be able to answer these questions positively – or have a plan for how these will be addressed.
Financial services supply chains are complex, layered, globally-distributed, constantly changing and hyper-connected. And they are being targeted by criminals using increasingly sophisticated tactics. There is not a single solution or standard that effectively solves this problem. Instead there is a set of tools and approaches that work, depending on your risk appetite, your threat landscape, your budget and your own cyber defence capabilities.
A suitable strategy for cyber supply chain risk management should be built around five key operating principles:
- Risk-based prioritisation of suppliers with a focus on the sources of threat
- Building and maintaining trusted relationships with suppliers
- Commitment to providing clarity of requirement to suppliers
- Ongoing management and measurement of supplier cyber risks, as part of wider ‘business as usual’ supplier risk management processes
- Proactive, regular and open feedback to suppliers
Cyber supply chain risk is not new and some institutions already have programmes for third-party cyber security assurance in place. However, with the increase in sophistication and automation of cyber-attacks, and the continuing scale and complexity of supply chains to be addressed, doubts are emerging as to whether some mature risk management programmes are capable of withstanding certain attacks.
It is, therefore, necessary to review and update these programmes on a regular basis, addressing both the key questions aimed at ensuring a strategy is in place and the operating principles of the strategy itself. Even the best strategy cannot guarantee that a cyber attack will not breach an organisation’s defences, or those of its suppliers, but it can minimise and mitigate the risk, ensuring that an adequate response is ready and that damage is kept to a minimum. Ultimately, that is the standard to which CISOs and other executives should be held.