20 questions on cyber-supply chain risk management

I recently wrote an article for Banking Technology that has been generally well received, I’ve decided to include it here on the blog for future reference. I’ve enjoyed working with Banking Technology and thoroughly recommend the editor David Bannister who has clearly been around the block enough times and has a wealth of experience in the field.

Managing cyber supply chain risk is an unsolved problem that has increasingly drawn my attention as I discover new risks and new failures of risk management in this area. The OECD found that 73% of services traded in OECD countries are ‘intermediate’ services or services that are intermediate inputs into a final service or product that is consumed. That statistic lies behind some of my concerns regarding aggregation and correlation of risk within and between different sector supply chains that are not immediately obvious.

This also highlights the complexity of supply chains in the modern economy. I believe that supply chain cyber security in the age of industrialised and targeted cyber-attacks is a wicked problem [PDF] and that many of our current approaches to manage these risks do not address the nature of the underlying risks and instead focus on a fairly superficial view of the technological controls operated by ‘key’ suppliers. There are more innovative approaches being developed such as Red teaming suppliers or actively monitoring supplier cyber hygiene but I am not seeing these regularly being built into coherent cyber supply chain risk management strategies yet. I hope the high level article below goes some way to encouraging this.

The original text is presented below and was published here.

20 questions you should ask to ensure you’re doing enough on cyber-supply chain risk management

With reports suggesting hackers have siphoned off up to $1 billion from 100 banks across 30 countries as part of a targeted attack, there are heightened concerns over the cyber-threat facing the banking sector.

Supply chains are a potential weak link and banks have been stepping up their pressure on vendors and suppliers to do more to protect themselves from online intrusion. However, many are still not doing enough to combat such risks. There are 20 key questions banks should ask themselves when developing a strategy for cyber-supply chain risk management, writes Phil Huggins.

The recently published Allianz Risk Barometer identifies both supply chain and cyber-risk as top five business risks for 2015, and cyber-supply chain risk intersects both of these: suppliers can be disrupted as a result of cyber-attack or be a vector in a direct attack. Supply chains are complex, layered, globally-distributed, constantly changing and hyper-connected, targeted by criminals using increasingly sophisticated tactics.

There is not a single solution or standard that effectively solves this problem. Instead there is a set of tools and approaches that work, depending on your risk appetite, your threat landscape, your budget and your own cyber-defence capabilities. You need a well-considered strategy for cyber-supply chain risk management, based on five key operating principles:

• Risk-based prioritisation of suppliers with a focus on the sources of threat
• Building and maintaining trusted relationships with suppliers
• Commitment to providing clarity of requirement to suppliers
• Pragmatic measurement of suppliers
• Pro-active regular and open feedback to suppliers

Cyber supply chain risk is not new and some institutions have long-running programs for third-party cyber-security assurance already in place. However there are laggards, while the increase in sophistication and automation of cyber-attacks also throws doubt on the validity of many mature risk management programs. When developing the cyber-supply chain risk management strategy, therefore, it is important to ask:

1. Are your critical business processes dependent on any particular participants?

2. Do your resilience plans make assumptions about the operational capabilities of other players in the market?

3. Do you place high levels of trust in the staff or IT of any particular participants?

4. Do any of the participants in your supply chain have a heightened threat profile?

5. Do your suppliers’ risk governance processes provide similar levels of assurance as your own?

6. Have your suppliers identified their key cyber-threats and do they have robust plans in place to manage them? What control definitions or standards do they use?

7. Do your suppliers have the key controls you believe will mitigate your risks? Are they designed appropriately and operated effectively?

8. Do you measure the external cyber-hygiene indicators of your key suppliers? Do you provide clear and actionable feedback on this to them on a regular basis?

9. Have you built trust relationships with key suppliers? Do you use regular forums and communications in a manner similar to your customer relationship management?

10. Do you share your threat assessments and your risk profile with your suppliers? Have you made it clear you expect them to digest it and provide similar content in return?

11. Do your contracts include your ‘red-line’ risks and controls that you expect to be closely managed?

12. Can you use your purchasing power and the size of your supply chain to obtain discounts from controls vendors on behalf of your supply chain? Can you drive or contribute to community CERTs for your supply chain?

13. Have you reviewed the available controls across your supply chain and considered if your own implementations are better and suitable for extending to your suppliers?

14. Have you considered combining capability sharing with a cyber-insurance policy you purchase on behalf of the supply chain, to provide an incentive for suppliers to take advantage of the offer?

15. Have you assessed your suppliers in context of your own challenges in staffing and sustaining security functions?

16. Have you encouraged your chief information security officer and the wider security team to establish consultative relationships with your suppliers?

17. Have you ensured that contractual sanctions exist as a fall-back for a failure in the relationship with suppliers?

18. Would your management enforce cyber-supply chain risk management contractual requirements?

19. Have you ensured executive management are briefed on the current state of supplier cyber-risks and on the potential requirement to enact sanctions or even terminate relationships?

20. Have you ‘war-gamed’ a major cyber-attack on or via your supply chain with your executive management team?

For an effective and appropriate cyber-supply chain risk management strategy you should be able to answer these questions positively – or have a plan for how these will be addressed.

I wrote a similar article highlighting the need for collaboration and sharing across supply chains for Managing Partner magazine in April that can be downloaded here [PDF] I also wrote a short summary article for RISKUK that can be read on the web here.

As a counterpoint to the Allianz study quoted in the article the recently released Aon 2015 global Risk Management Report [PDF] identifies Cyber as a top 10 risk and Supply Chain failure as ‘only’ a top 20 risk.