This week I’ve been attending the third cybersecurity roundtable hosted by the Institute of International Finance (IIF) at their 2018 IIF G20 Conference. The roundtable itself included a good discussion with regulators and firms as well as a summary of the IIF paper on cyber regulatory fragmentation. This paper is not yet published but will be available here.
Some of the side meetings I have had with regulators and other firms have highlighted some interesting issues; the Deutsche Bundesbank described some work they had undertaken from a macro-financial stability perspective on modelling cyber risk across the German financial services sector. What was interesting was that they had started to extend their view beyond the financial services firms to include the ‘cyber network’ of suppliers and outsourcers that underpin the sector.
The value of supply chains in cybersecurity risk management is something I have written about before. In my opinion, the third-party assurance ‘industry’ that we have all created doesn’t wash its face regarding risk management outcomes versus the cost and effort required to send and complete all these interminable questionnaires. One of my concerns was that we are hugely exposed to aggregation of cyber risk in the supply chain, and this crystallised when the APT 10 / Cloud Hopper campaign was identified in 2017.
One of my employers reviewed a supply chain of over 400,000 participants. There was no way to analyse the risk without prioritisation, and unfortunately, prioritisation in supply chain cyber risk management tends to focus effort on the more significant participants of the supply chain, who are often the most capable of protecting themselves. At the top of the supply chain are firms that have similar governance, similar resources and similar threat profiles, who we can generally assume are operating at a similar level to ourselves. Below these are the smaller firms that have some resources but may need more oversight to ensure they meet our stated requirements. However, I am increasingly concerned that many of the suppliers or partners beyond this point are below the ‘security poverty line’ and don’t get much attention, oversight or help. This is the ‘long tail’ of suppliers. They would in fact be incapable of delivering our requirements even if they had the skills to understand and implement them.
I was recently reminded of a post from Wade Baker early last year describing his thesis on modelling cyber risk in supply chains. This is a great post and well worth reading with a couple of important takeaways:
- Firms participating in highly co-dependent supply chains should assess – and perhaps treat – information risk corporately rather than individually.
- Threat intelligence operations should be centralised – or at least aggregated – for the supply chain.
- Security leaders should consider incentivising, mandating, and/or paying for security laggards.
My opinion is that contractual negotiation and strong requirements do not help when the supplier is below the security poverty line. We need to look to solutions with better outcomes. When I first considered this, I saw the skills and capabilities in the firms at the top of the supply chain and immediately thought: why don’t the larger firms just provide these skills and capabilities as services to those below the security poverty line? There are some real issues with sovereignty and liability, but ultimately these are addressable and may be worth the effort if the outcome is reduced cyber risk in the supply chain. There are significant difficulties in selling this new model of supplier engagement, including what happens when a supplier is intermittently engaged or when a supplier no longer works for you.
Following discussions with individual regulators and other firms, I am starting to believe there is an alternative and much more practical option. It should be possible to develop a cyber insurance product for smaller firms that includes several components:
- insurance for customers of the firm should a breach occur;
- protective requirements such as Cyber Essentials;
- basic security monitoring by a managed security services provider;
- incident response support at a reasonable rate;
- and access to advice from skilled practitioners or ‘vCISOs’.
Several suppliers could be certified to provide such packages on behalf of high-risk industry sectors such as financial services or energy.
Such a package wouldn’t be cheap on its own, but it could be subsidised by the larger firms providing centralised funding through the product certification body to the insurance providers. The payback to the larger firms is that there would now be a standardised cyber risk management product they could require their smaller suppliers to have; the quality of that product could be assured to a higher level than the individual firms’ own efforts; and, possibly more importantly, it would provide aggregation points for generating threat intelligence across the supply chain, giving early warning of attacks coming by that route back to the larger firms.
Facilitating the development, certification and funding of such standard ‘SME security packages’ is something that will require some enlightened firms to take the lead and likely a regulator or two to bless.
I’d love to hear your thoughts on this.