20 questions you should ask to ensure you’re doing enough on cyber-supply chain risk management
With reports suggesting hackers have siphoned off up to $1 billion from 100 banks across 30 countries as part of a targeted attack, there are heightened concerns over the cyber-threat facing the banking sector.
Supply chains are a potential weak link and banks have been stepping up their pressure on vendors and suppliers to do more to protect themselves from online intrusion. However, many are still not doing enough to combat such risks. There are 20 key questions banks should ask themselves when developing a strategy for cyber-supply chain risk management, writes Phil Huggins.
The recently published Allianz Risk Barometer identifies both supply chain risk and cyber-risk among the top five business risks for 2015, and cyber-supply chain risk intersects both of these: suppliers can be disrupted as a result of cyber-attack or be a vector in a direct attack. Supply chains are complex, layered, globally-distributed, constantly changing and hyper-connected, and are targeted by criminals using increasingly sophisticated tactics.
No single solution or standard effectively solves this problem. Instead there is a set of tools and approaches that work, depending on your risk appetite, your threat landscape, your budget and your own cyber-defence capabilities. You need a well-considered strategy for cyber-supply chain risk management, based on five key operating principles:
- Risk-based prioritisation of suppliers with a focus on the sources of threat
- Building and maintaining trusted relationships with suppliers
- Commitment to providing clarity of requirement to suppliers
- Pragmatic measurement of suppliers
- Pro-active regular and open feedback to suppliers
Cyber-supply chain risk is not new, and some institutions already have long-running programmes for third-party cyber-security assurance in place. However, there are laggards, and the increasing sophistication and automation of cyber-attacks also casts doubt on the validity of many mature risk management programmes. When developing the cyber-supply chain risk management strategy, therefore, it is important to ask:
1. Are your critical business processes dependent on any particular participants?
2. Do your resilience plans make assumptions about the operational capabilities of other players in the market?
3. Do you place high levels of trust in the staff or IT of any particular participants?
4. Do any of the participants in your supply chain have a heightened threat profile?
5. Do your suppliers’ risk governance processes provide similar levels of assurance as your own?
6. Have your suppliers identified their key cyber-threats and do they have robust plans in place to manage them? What control definitions or standards do they use?
7. Do your suppliers have the key controls you believe will mitigate your risks? Are they designed appropriately and operated effectively?
8. Do you measure the external cyber-hygiene indicators of your key suppliers? Do you provide clear and actionable feedback on this to them on a regular basis?
9. Have you built trust relationships with key suppliers? Do you use regular forums and communications in a manner similar to your customer relationship management?
10. Do you share your threat assessments and your risk profile with your suppliers? Have you made it clear you expect them to digest it and provide similar content in return?
11. Do your contracts include your ‘red-line’ risks and controls that you expect to be closely managed?
12. Can you use your purchasing power and the size of your supply chain to obtain discounts from controls vendors on behalf of your supply chain? Can you drive or contribute to community CERTs for your supply chain?
13. Have you reviewed the available controls across your supply chain and considered if your own implementations are better and suitable for extending to your suppliers?
14. Have you considered combining capability sharing with a cyber-insurance policy you purchase on behalf of the supply chain, to provide an incentive for suppliers to take advantage of the offer?
15. Have you assessed your suppliers in the context of your own challenges in staffing and sustaining security functions?
16. Have you encouraged your chief information security officer and the wider security team to establish consultative relationships with your suppliers?
17. Have you ensured that contractual sanctions exist as a fall-back for a failure in the relationship with suppliers?
18. Would your management enforce cyber-supply chain risk management contractual requirements?
19. Have you ensured executive management are briefed on the current state of supplier cyber-risks and on the potential requirement to enact sanctions or even terminate relationships?
20. Have you ‘war-gamed’ a major cyber-attack on or via your supply chain with your executive management team?
For an effective and appropriate cyber-supply chain risk management strategy you should be able to answer these questions positively – or have a plan for how these will be addressed.
Phil Huggins is vice president of security science at Stroz Friedberg, an investigations, intelligence and risk management company. He will be taking part in the Banking Technology Forum on 23 June.