Supply chain cyber-attacks are becoming more common and more sophisticated. More than half now use ‘island hopping’, where attackers reach their real target by first compromising a less well-defended organisation in its supply chain and then pivoting through the trust and connectivity that relationship provides. The SolarWinds hack shows how damaging this can be: attackers compromised the build process of a single supplier, and the trojanised software updates it shipped had serious ramifications for governments and businesses around the world.
In financial institutions today, managing the cyber risks in supply chains tends to come down to assuring the cyber resilience of suppliers before awarding contracts. Many also now insist on their suppliers holding accreditations, such as ISO 27001 and Cyber Essentials, and complying with PCI DSS where card data is involved. Some go further and verify that the certified scope actually covers the services, systems and sites in their contract, rather than, say, only the supplier’s head-office network.
Such checks are point-in-time activities, and many organisations simply file away the assessment paperwork, never to revisit it. Accreditations lapse (a Cyber Essentials certificate is valid for twelve months, and an ISO 27001 certificate depends on ongoing surveillance audits), scopes change, and a supplier’s security posture can degrade the day after the questionnaire is returned. Without continuous assessment of suppliers, there’s no way to know whether the assurance obtained at contract award still holds.
At the same time, analysing direct suppliers doesn’t capture how the information you share flows onward to their sub-contractors and the tiers below them. There’s no visibility of aggregated risk across the chain, yet a compromise of a supplier several tiers down can have consequences for the organisation at the top.
Lessons in cyber risk management from the Ministry of Defence
The financial services industry can learn from the UK’s Ministry of Defence (MOD), which is working with industry partners to improve supply chain cyber resilience through the Defence Cyber Protection Partnership (DCPP) programme.
The DCPP has created a cyber security model (CSM) that applies risk-based controls to the information the MOD and its supply chain share. The process starts with the MOD performing a risk assessment on the information it would share with the supplier, resulting in a risk profile. Suppliers must then demonstrate widely recognised, proportionate controls that meet the risk profile by submitting a supplier assurance questionnaire (SAQ). Suppliers that don’t meet the requirements can submit an improvement plan that sets out when they will comply.
The process repeats through the tiers of the supply chain: higher-tier suppliers assess their lower-tier suppliers against the profile of the information they pass on, and the flow-down stops at the point where the information shared is no longer sensitive. An online tool stores all the risk assessments and SAQs, giving the MOD and its suppliers an aggregated risk view of the whole chain. The result is that the MOD can make an informed decision about which suppliers are able to protect its information.
Financial organisations could follow a similar approach to understand the cybersecurity posture of their supply chain, with flow-down clauses in contracts obliging suppliers to assess and report on their own suppliers, so that the picture covers the full depth of the chain rather than only the first tier. An automated online system would provide a rich and up-to-date view of supply chain cyber risk without significant manual effort and would make continuous monitoring practical.
Many financial services organisations already use security ratings services, where specialist firms rate suppliers’ cyber posture based on compromised systems, diligence, user behaviours and public disclosures. By integrating the rating services into the online risk management tool, organisations can have a simple but reliable view of the risks within the supply chain, regardless of how deep they run.
Firms can then complement this risk view with specific requirements for individual contracts. For example, contracts that require high levels of assurance, such as those that share intellectual property or personally identifiable information, would demand accreditations like Cyber Essentials Plus or ISO 27001, with a certified scope that covers the contracted service. The online risk management tool could then check that the supplier keeps the accreditation valid and in scope for the duration of the contract, raising an alert when a certificate expires or a scope no longer matches, rather than leaving the question to the next renewal.
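To make the flow-down and continuous-monitoring ideas above concrete, here is a small model of such a risk register, written for this article as an added illustration; it is not the DCPP’s tool, data model or control sets, and the risk-profile scale, the required-accreditation mapping, the minimum security-rating thresholds and the suppliers in the register are all assumptions constructed for the example. It walks a tiered chain from the top-level firm, caps the profile passed to each sub-supplier at the profile its parent received, stops where the information shared is not sensitive, checks that each supplier’s accreditations are both unexpired and in scope for what is actually contracted, and rolls the findings up into a per-supplier aggregated view. Running the same review on two dates shows the point-in-time problem: the chain passes in January and fails in September once a second-tier certificate has lapsed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Ordered risk-profile scale for the information shared. Assumed scale for
# this example; the DCPP defines its own profiles and control sets.
LEVELS = ["not_sensitive", "low", "moderate", "high"]

# Controls a supplier must evidence at each profile (assumed mapping).
REQUIRED = {
    "not_sensitive": set(),
    "low": {"Cyber Essentials"},
    "moderate": {"Cyber Essentials Plus"},
    "high": {"Cyber Essentials Plus", "ISO 27001"},
}
# Minimum external security-ratings score per profile (assumed thresholds).
MIN_RATING = {"not_sensitive": 0, "low": 500, "moderate": 650, "high": 750}


@dataclass
class Accreditation:
    name: str
    expires: date
    scope: str  # the service or site the certificate actually covers


@dataclass
class Supplier:
    name: str
    contracted_scope: str  # what the buyer actually purchases from them
    rating: int  # security-ratings-service score (assumed scale)
    accreditations: List[Accreditation] = field(default_factory=list)
    # sub-suppliers, and the profile of the information passed on to each
    shares_with: Dict[str, str] = field(default_factory=dict)


Finding = Tuple[str, str, str]  # (path through the chain, profile, problem)


def valid_accreditations(s: Supplier, today: date) -> set:
    """Accreditations that are unexpired AND whose scope covers the contract."""
    return {a.name for a in s.accreditations
            if a.expires >= today and a.scope == s.contracted_scope}


def assess(s: Supplier, profile: str, today: date, path: str) -> List[Finding]:
    """Check one supplier against the controls required for a profile."""
    findings: List[Finding] = []
    held = valid_accreditations(s, today)
    for name in sorted(REQUIRED[profile] - held):
        certs = [a for a in s.accreditations if a.name == name]
        if not certs:
            why = "not held"
        elif all(a.expires < today for a in certs):
            why = "expired " + max(a.expires for a in certs).isoformat()
        else:
            why = f"no valid certificate covers '{s.contracted_scope}'"
        findings.append((path, profile, f"{name}: {why}"))
    if s.rating < MIN_RATING[profile]:
        findings.append((path, profile, f"rating {s.rating} below {MIN_RATING[profile]}"))
    return findings


def flow_down(register: Dict[str, Supplier], name: str, profile: str,
              today: date, path: str = "") -> List[Finding]:
    """Assess a supplier, then recurse into its sub-suppliers until the
    information passed on is no longer sensitive."""
    if profile == "not_sensitive":
        return []
    s = register[name]
    here = f"{path}/{name}" if path else name
    findings = assess(s, profile, today, here)
    for sub, shared in s.shares_with.items():
        # A sub-supplier can never need more than its parent was required to
        # provide: cap the profile passed down at the parent's profile.
        capped = LEVELS[min(LEVELS.index(shared), LEVELS.index(profile))]
        findings += flow_down(register, sub, capped, today, here)
    return findings


def aggregate(findings: List[Finding]) -> Dict[str, str]:
    """Aggregated view: worst failing profile anywhere beneath each direct supplier."""
    worst: Dict[str, str] = {}
    for path, profile, _ in findings:
        top = path.split("/")[0]
        if top not in worst or LEVELS.index(profile) > LEVELS.index(worst[top]):
            worst[top] = profile
    return worst


# Constructed sample register: fictitious suppliers and certificates.
REGISTER = {
    "PayCo": Supplier("PayCo", "card processing", 780,
        [Accreditation("Cyber Essentials Plus", date(2025, 6, 30), "card processing"),
         Accreditation("ISO 27001", date(2026, 1, 15), "card processing")],
        shares_with={"HostCo": "moderate", "PrintCo": "not_sensitive"}),
    "HostCo": Supplier("HostCo", "hosting", 700,
        [Accreditation("Cyber Essentials Plus", date(2024, 3, 1), "hosting")],
        shares_with={"DevShop": "high"}),  # claims 'high' onward; capped to moderate
    "DevShop": Supplier("DevShop", "software maintenance", 610,
        [Accreditation("Cyber Essentials Plus", date(2025, 12, 31), "office network")]),
    "PrintCo": Supplier("PrintCo", "statement printing", 500),  # not sensitive: not walked
}


def review(today_iso: str) -> Tuple[List[Finding], Dict[str, str]]:
    """Run the flow-down from the top-level contract (profile 'high') on a given date."""
    findings = flow_down(REGISTER, "PayCo", "high", date.fromisoformat(today_iso))
    return findings, aggregate(findings)


if __name__ == "__main__":
    for day in ("2024-01-01", "2024-09-01"):
        findings, agg = review(day)
        print(day, agg)
        for path, profile, problem in findings:
            print(f"  [{profile}] {path}: {problem}")
```

On 2024-01-01 the only findings are at DevShop, two tiers down: its Cyber Essentials Plus certificate is in date but covers the wrong scope, and its rating is below the threshold for the (capped) moderate profile. By 2024-09-01 HostCo’s certificate has lapsed as well, and the aggregated view against PayCo now reads ‘moderate’ even though PayCo’s own paperwork is untouched; that is precisely the change a filed-away questionnaire would never reveal.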
Supply chains are becoming a growing cyber risk for financial services organisations as sophisticated ‘island hopping’ attacks become more prevalent. But by taking a partnership approach to assessing risks and digitising the process, firms can build a comprehensive view of risks and ensure suppliers at every level of their chain can act to minimise vulnerabilities.