February 9, 2021 Managing Risks in the Digital Supply Chain

Companies need to be aware of the growing challenges the digital supply chain presents to avoid the risk of a costly disruption in operations.

In the world of supply chain risk management, the chaos of 2020 has accentuated the necessity of fully digitizing global supply chain operations. The past year demonstrated that increasing connectivity and data sharing across supply chain entities through the widespread use of sensors and networks prepares supply chains to withstand future disruptions.

However, the growing connectivity of a supply chain also opens the door to increased cyber and data privacy risks. These risks arise because increasing interconnection means a ballooning attack surface and additional vulnerabilities that adverse actors can exploit. As a result, companies carefully tending to their own cyber security maturity is no longer sufficient. Companies and their shareholders must increasingly monitor the cyber hygiene of their supply chain partners as well.

To strengthen resiliency against data privacy and cyber security challenges, establish controls to identify risk in your supply chain.

The digital supply chain

Many firms responded to the pandemic’s supply chain disruptions with accelerated adoption of “Supply Chain 4.0,” the digital supply chain. A digital supply chain refers to leveraging advanced technologies and capabilities, such as sensors, robotics, automation and predictive analytics, to improve transparency and communications throughout the supply chain. This interconnectivity among multiple tiers of supply chain partners typically improves the efficiency and resiliency of the flow of products, information and capital across the end-to-end supply chain. The digital supply chain has been a welcome solution to 2020’s challenges, but like so many quickly implemented responses, it has also added layers of new risks.

The risks of increasing digital interconnectivity

There are several ways that a digital supply chain increases risk.

• Exposure of proprietary data, such as intellectual property, trade secrets, government-owned information or other sensitive business information about a firm or its partner’s operations
• Exposure of sensitive personal information, such as employee or customer personally identifiable information, protected health information or credit card information
• Spillover cyber incidents, in which a cyberattack against a supply chain partner spreads to a company’s interconnected information technology or operational technology networks
• Cyber shutdown of a supplier, such as when a malware or other ransomware incident suddenly knocks out a key vendor, leaving a missing link in the supply chain

Experiencing any of these risks could result in a combination of costly fines and legal fees, lost revenue and stock value, and even long-term reputational damage. The cost of a data breach averages around $3.8 million[1] in the U.S. and includes the cost of business interruption, forensics and credit monitoring for customers that regulations increasingly require.

The current large-scale remote work environment exacerbates these risks. While remote access to enterprise networks helped maintain productivity, it has also opened new avenues for attackers, especially since many firms were unprepared for the sudden shift to remote work.

Minimizing exposure to a supply chain cyber incident

Data privacy and cyber security challenges for the digital supply chain are significant but not insurmountable. Firms can strengthen their resiliency to these risks with the digital application of the traditional supply chain risk management process: identify, analyze, remediate and monitor.

• Identify. Start by asking the critical questions, “What data needs to be protected? Who has access to that data across a supply chain?” A robust data governance program makes answering these questions relatively straightforward. If a company lacks or has an outdated data governance program, however, the company can approximate one by reviewing contracts and interviewing internal stakeholders to identify data flows.
• Analyze. Once a firm establishes a picture of who across its supply chain has access to sensitive data, it needs to shift its focus to understanding their cyber security posture. This can be accomplished several ways. The most inobtrusive method is to leverage “outside-in” tools that discreetly measure cyber security risk exposure from public sources such as the supplier’s website and other resources. More obtrusive, but more revealing, is an “inside-out” assessment that engages suppliers with a cyber security assessment questionnaire. This type of questionnaire seeks to understand how the supplier approaches cyber risk. Finally, penetration testing (where a cyberattack is simulated) or in-person assessments can be utilized for the most critical suppliers to ensure the greatest clarity regarding cyber risk.
• Remediate. In the remediation process, it is crucial to prioritize the gaps that need closing. Afterall, every control gap is not an equal risk. Instead, prioritize the supplier against the level of sensitivity associated with the data or access being shared.
• Monitor. Once a remediation plan has been established, monitoring is necessary to ensure the supplier delivers on its promises. Regular updates regarding progress on a mutually agreeable schedule are best practice. During monitoring, communication with all suppliers on cyber security is key. A low risk supplier can quickly turn into a high risk if organizational needs change, or there is a change in the cyber security environment.

The digital supply chain is an evolving extension of an organization’s supply chain. Much like 2020 highlighted that a supply chain’s physical health is critical, it also revealed that the supply chain’s digital health can be just as important.

Daniel Hartnett

Daniel Hartnett, CPIM, is an associate managing director at Kroll, a division of Duff & Phelps. He is currently leading the firm’s enterprise-wide efforts to address clients’ supply chain risks. He can be reached at daniel.hartnett@kroll.com

Ryan Spelman

Ryan Spelman is a senior manager at Kroll, part of the CyberClarity360 team, where he advises clients on third party cyber risk. He can be reached at ryan.spelman@duffandphelps.com

¹ https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/

Subscribe to Industry Today