Businesses' growing concerns over supply chain exposures and cyber risks have begun to converge in a recognition of the potentially serious risks of cyber attacks along their supply chains.
The exposures can result in supply chain disruptions, theft of customer data or proprietary company information or, in some industries, the introduction of components tainted with malware.
“Cyber risks are a major threat to supply chains today,” said Stephen DeAngelis, president and CEO of Enterra Solutions L.L.C. in Newtown, Pa., a cognitive computing and analytics firm that works with big data to help clients better understand systems such as supply chains and the related risks.
“Oftentimes a bad actor will use a supply chain as a means of entry into the broader company,” Mr. DeAngelis said. Cyber attackers may find they can reach the target company through some of its lower tier suppliers, he said.
“What a bad actor is going to do is look for the weakest link in the chain,” he said.
A particularly damaging event might be an attack through a vendor that supplies companies across a variety of industries, Mr. DeAngelis said, such as a maker of wire that supplies auto manufacturers, consumer electronics companies and high-tech firms. “If that particular vendor is corrupted unknowingly by an organized bad guy they can use that vendor to penetrate a range of companies,” he said.
Thomas Srail, senior vice president, FINEX North America at Willis North America Inc. in Cleveland, said the effect of a cyber risk event on a supply chain can vary by industry. For some, a disruption that affects logistics and the ability to deliver or receive critical components can be serious.
Meanwhile, data that is corrupted or deleted along the supply chain can disrupt processes, he said. “Obviously hackers and intruders can also affect the availability of a system, and that can come from any angle,” Mr. Srail said.
Linda Conrad, director of strategic business risk for Zurich Global Corporate at Zurich Insurance Group Ltd. in New York, said the effect from attackers getting access to companies' data along their supply chains can take the form of the loss of the data itself, reputation damage, regulatory issues and fines.
“Not only have you lost the ability to produce and sell your product ... you've potentially exposed customer records and intellectual property,” she said.
Ms. Conrad said Zurich's disruption database shows that 52% of supply chain disruptions in the past year resulted from information technology or communications outages between buyer and supplier.
“You think about the many places that IT is used” along the supply chain, Ms. Conrad said. “There are electronics at every single point in the process.”
And, she said, “It doesn't just have to be some malicious cyber attack. It can be something as basic as poor IT infrastructure” that prompts a supply chain disruption.
As the economy improves, supply chain risks are likely to increase because companies aren't fully prepared to meet increased demand, Ms. Conrad said, adding that related cyber risks also can be expected to increase.
The intersection of supply chain and cyber risks is an example of a “blended exposure,” Mr. Srail said, and consequently requires a broad view to manage adequately.
“We all know this is no longer an IT problem and it deserves more than an IT fix or an insurance fix,” he said. “You can't buy one big insurance policy and solve all your supply chain problems.”
He suggested companies take a step back and look at the exposure more on an enterprise basis while drilling down into the supply chain and cyber aspects of it.
“That's what a lot of organizations are doing now,” Mr. Srail said. “We end up integrating the supply chain and cyber risk assessments that we do very much into companies' enterprise risk management.”
Mr. DeAngelis said that, as they deal with suppliers, companies need to establish “trusted nodes on the supply chain.”
“Minimally, critical nodes on that supply chain have to be trusted,” he said. “What you have to have is a means of dynamically sensing, thinking, acting and learning,” he said. That requires a process through which companies can determine vulnerabilities, take action to address them and learn from what they've found. “It needs to be a dynamic functionality, minimally in the critical aspects of your supply chain, ideally in all of your supply chain.”
Oliver Brew, vice president of technology and privacy risk at Liberty International Underwriters, a unit of Liberty Mutual Holding Co. Inc., New York, said companies whose suppliers are handling critical data can help protect themselves through supplier audits and due diligence. “Vendor management is a critical piece of all cyber threats,” he said. Any company working with suppliers that handle its sensitive data should ensure contracts spell out the suppliers' responsibility for handling that data securely, he said.
Rather than simply saying, “I'm worried about hackers,” companies looking to address cyber exposures along their supply chains have to identify the specific risks that concern them, Mr. Srail said. “That's an important part of managing the risk.”