Supply chain cyber-risk management strategies were discussed by two security leaders during a session on the final day of the RSA Conference 2022.
Kicking off the session, Justin Henkel, head of OneTrust’s Security Center of Excellence, observed that technological advancements have enabled the expansion of the supply chain, making businesses more efficient and scalable. However, “as part of that process, we’ve added additional risk through our third parties by not having visibility. As we’ve seen in the past, third parties tend to be an area that attackers focus on.”
To illustrate this, Henkel highlighted a OneTrust survey, which found that 22% of companies work with more than 250 third parties.
The starting point of an effective supply chain security strategy is understanding the different relationships your organization has with third-party vendors, said Adam Topkis, enterprise and operational risk program leader at PayPal. He noted that many vendor relationships, such as buying office supplies, are not inherently risky. However, others that involve areas like the supply of critical tooling or sharing customer data carry significantly higher risk. These core suppliers should be the focus of a supply chain management strategy. “Identify your critical third parties,” emphasized Topkis.
Understanding this normally requires “the business people interacting with those vendors giving you the basics around the relationships.”
Unfortunately, “we can’t see a lot of what’s going on” regarding how third parties are protecting themselves, stated Topkis. He added that third parties can only share limited information on their cybersecurity approaches because of the security risks of publicizing some of this data. While there are products that give you some visibility, these only “sniff around the edges” and “none give you perfect visibility.”
The speakers then detailed the most significant impacts of third-party breaches. Henkel pointed out that the customer usually suffers the most direct harm from such incidents, while for suppliers the biggest cost is reputational damage. “If I don’t feel comfortable with that vendor’s response, I’m not going to trust them in the future.”
He added that transparency and communication among internal teams are essential following an incident. At a certain level, this will include the legal, corporate communications and social media teams “to help us out on messaging this to our customers and vendors.” Forward planning is critical so this is not done in an ad hoc fashion. Henkel advised the use of tabletop exercises to ensure “the communication pathways are established.”
Topkis concurred, noting that in cases where a customer’s data has been breached, “that’s a relationship that’s hard to get back.”
Therefore, being transparent with customers following an incident is crucial. The timeframe for this should be set out in contracts and service-level agreements (SLAs), said Henkel. This can be a “push and pull” area in the view of Topkis. The customers can “set the expectation” of being informed by suppliers when a breach occurs. Additionally, some tools can scan for information about breach disclosures, enabling customers to contact a vendor to check whether they have been affected. “You should be looking out there to see what information is available to ask questions of your supplier,” he commented.
Topkis also emphasized that “you can outsource a function, but you cannot outsource risk,” and you cannot absolve yourself of an incident that has occurred through a third-party breach.
The discussion then turned to the evolution of supply chain risk assessments. Topkis observed that a decade ago it was mainly “questionnaire-based.” Questionnaires remain in use, but he believes they are no longer the predominant method, with continuous monitoring growing in prominence. “I think the regulators, over time, will see the value in that focus,” said Topkis.