Sarah Reynolds, global head of cyber risks at Global Risk Solutions, warns that firms need a real-time view of the security position of their supply chain in order to protect far more than simply their reputation. Failure to do so can have far-reaching implications for business continuity and regulatory reporting. She adds that companies have to ensure any risk transfer to a cyber insurance policy or bond is not compromised.
The recent headline case of Kaseya VSA, a high-profile software company infiltrated by hackers to push out malicious payloads to up to 60 Managed Service Providers (MSPs) offering IT support services, which in turn affected the IT networks of 1,500 businesses that had outsourced their IT support functions to a third party, is being described as the largest supply chain cyber attack to date.
However, the modus operandi here is nothing new – NotPetya and SolarWinds fell victim to the same attack vector points and lateral movements, and unless businesses are prepared to forgo the economies of outsourcing provided by cloud computing support functions, the supply chain cyber exposure for any business is here to stay.
When considering the (cyber) supply chain exposure for a business, it is not just the threat of the supplier being hacked but also the possibility that their infrastructure suffers a systems failure. Both will leave a business with the direct costs of cleansing machines, system downtime and restoring connectivity, as well as consequential losses, i.e. business interruption, increased leakage and a drop in utilisation. Regulatory reporting will also take its toll on legal fees and reputation.
A business needs to be aware of the process and timescales for rolling back its own infrastructure and endpoints in order to set expectations with its own stakeholders and clients. But equally it needs transparency of the root cause and scope of the vulnerability or systems failure on its supplier's network, not only to protect its own operations but to ensure that it has all the information required by its cyber insurers to respond to the undertakings given at the proposal stage around network security.

The security position and incident response capacity confirmed at policy inception and renewal will often have a sub-section relevant to critical vendors. Risk Managers need to be aware of this and revisit the security position of critical vendors, as well as that of their own organisations, at subsequent renewals to ensure that these comply with the Underwriters' requirements in areas such as privilege criteria and access management and lead time for patching, as these are key vulnerabilities seized upon by hackers.
Underwriters are increasingly aware of the cyber threat that supply chains pose, and as such they have strengthened the wordings in their proposal forms around what steps insureds are taking to ensure the security of their systems and data from attacks on their supply chain. Insureds are being asked to confirm that they have systems in place to ensure cyber security across the supply chain. Those assurances will include a programme of regular communications and monitoring of third-party performance.
In the event of a claim those assurances will be tested, and a failure to deliver on the promises made may result in issues with indemnity and with claims payment.
What has become apparent is that continued outsourcing and ever-lengthening supply chains create cyber risks, and your cyber security remains only as good as the weakest link in your chain.