Cyber risks and the supply chain

Supply chain risk is a growing problem for companies, but one area that is sometimes overlooked is supply chain cyber risk. Multinationals are increasingly reliant on third-party service providers, and if any of these suffers disruption or a cyber attack, it could have significant financial repercussions or result in a loss of customers.

But where a supplier is connected in some way to the company’s systems, or is a technology provider, there is the added threat of a cyber attack arriving via that supplier. There are unfortunately many examples of companies being breached through a third-party supplier or business partner in their supply chain. As a result, companies need to take a much closer look at which suppliers they connect to and share data with, as the potential ramifications could be huge.

The cyber threat

There are many types of cyber threat that can disrupt the supply chain. One example is hardware tampering: someone intercepts chip-and-PIN devices in transit between the manufacturer and the target, usually a retailer, and modifies them to include extra hardware that allows card data to be stolen. Another is malicious advertising (malvertising), where a third-party ad server is compromised and malware is added to the adverts it serves to websites, as happened with Spotify last year. A third is hijacking of the communication chain, at web level or even over email, where attackers take over the exchange between the parties, stealing credentials, capturing passwords, changing the payment details on invoices and so on.

To combat these threats, companies need to look at their business supply chain and vendors, try to identify where the weak links are and where disruption could occur. To assist, there are ratings firms, such as AIG’s partner BitSight, that take publicly available data and rate not only the client but also all of its business partners and the people that use its technology, so a company can identify potentially weak partners within its infrastructure.

Dealing with human error

Ultimately, a lot of incidents are due to human error rather than technological issues, so this is where mitigation and prevention efforts need to be focused. Too often, companies simply throw the latest security offerings at the problem, such as the latest firewall or intrusion detection system. They are very focused on the technology rather than on having people with the right skills doing the work and training the end user, for example to be wary of clicking on links or opening documents.

In the end, it is largely about companies making sure their employees follow best practices. For organisations that handle credit card information, particularly retailers, hoteliers and travel agents, we recommend point-to-point encryption between the card reader and the card processor, so that the merchant stores no credit card data that could be stolen. Criminals are after data, such as financial records, card information or intellectual property, so it is about protecting these ‘crown jewels’.

Companies should be asking: where is the data, how is it protected and what technology or procedures do we have in place? There will always be people in an organisation who are resistant to training on these issues and do not see security as part of their responsibility. They will click on everything because they tend to treat the security tools as an ‘authorisation’ tool. That is entirely the wrong mentality, since everybody is part of the security checks: if they are not part of the defences, they may become part of the problem.

Cyber insurance policies

Cyber risk insurance policies are beginning to expand and provide higher limits for third-party exposure. Typically, the underwriters look at the technology providers or the extension of the client’s computer system, but there can be very specific types of enhancements for particular industries. For example, the airline industry may have concerns that a cyber attack could impact fuelling or baggage operations. These impacts are not directly related to the provision of computer services, but these extensions can provide coverage in the event that cyber is the peril causing the loss.

When companies engage with a supplier or vendor, they typically have requirements for the type of insurance they would need – whether it is general liability or professional indemnity – and cyber is likely to be the next insurance cover that will be required. AIG is seeing more submissions and applications where the main reason the company is interested in or even aware of the availability of cyber insurance is because they are required by contract to carry certain cyber limits.

Currently, when people think of cyber policies, they think about financial losses, fines and penalties, liabilities and loss of income; but looking ahead, there are likely to be other ramifications as well, such as property damage or bodily injury arising from cyber. As everything becomes more interconnected, that is where companies and their insurers need to focus their attention.

The content contained herein is intended for general informational purposes only. Companies and individuals should not solely rely on the information or suggestions provided in this article for the prevention or mitigation of the risks discussed herein.
