Global supply chains are a way of life for modern businesses, but in the constant search for affordable labor and services, new challenges and risks continue to emerge.

The 2011 Tohoku, Japan earthquake and tsunami drove home the realization that a single point of failure at a single link can halt the flow of goods across an entire supply chain. To meet these challenges, businesses are finding new ways to increase communication and coordination across their supply chains, using technology to integrate systems and create contingency plans should a supplier be taken offline for any reason.

Supply chain risk

The evolution of supply chain development has brought with it an evolution of risks. Potential risks come from many directions and are not limited to physical production; they include dependency on vendors for payroll, social services and benefits. Causes include, for example, natural catastrophes, political risk and machine failure. Beyond the flow of goods, the quality of products can be compromised at any point along a supply chain, from the raw materials to the semi-finished product.

Cyber is a business risk

Some supply chain trends play into the hands of those who perpetrate cyber attacks. For example, efforts to integrate supply chains by connecting systems and getting them to talk to one another create opportunities for cyber criminals to infiltrate systems throughout the chain by penetrating the weakest link.

The good news is that awareness among businesses is increasing and companies are taking the threat more seriously than ever. Whereas cyber may have been seen as an IT risk historically, it is now generally recognized as an enterprise risk management (ERM) challenge, with the conversation about how to address it elevated to include a company's board and executive team. In other words, it is becoming clear that cyber risk is a significant business risk.

Cyber liability

For a business, recognizing cyber risk within its four walls is one thing, but organizations must also understand this risk in the context of their supply chains. An attack may not be limited to a supplier's systems. A more recent trend shows cyber attacks can cause physical damage at facilities. Supply chains are becoming more integrated and connected, which carries both benefits and risks: a more integrated supply chain can enable real-time communication and efficiencies but can also entail greater vulnerability.

The liability landscape is being reshaped by supply chains; increasingly, a company could be liable for a defect that originated at one of its suppliers. This is just as relevant for data as it is for products and services. The company initially entrusted with customers' data is generally seen as the data owner for purposes of liability and legal duty. This means that while the data may have been passed on to and compromised at a supplier, the initial holder, with some exceptions, will have to respond to the breach.

Companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. (Image: Shutterstock)

Preparedness and protection

Protecting and preparing an organization is challenging enough, so thinking about the potential vulnerabilities along an entire supply chain can seem daunting. There are steps organizations can take, at the very least, to begin to understand what they do not know, particularly with respect to sensitive data within the organization and across its supply chain:

  • Know the business: Know where the data is, where it is duplicated, who has access internally and externally (i.e. where the data sits, moves, and resides).
  • Protect the company: While insurance will not prevent a cyber attack, it will help a company recover more quickly in the event of a data breach or network security failure. The key is for companies to consider their insurance needs, i.e. they must know what they have before they know what to protect. Insurance can cover costs associated with responding to a breach, including investigation, notification, and legal costs. When considering supply chain risk in general, companies should also ask about coverages, such as contingent business interruption, which covers costs associated with a property loss at a supplier's location.
  • Identify the supply chain: Businesses should understand that their vendors and suppliers may use subcontractors. A good proactive first step towards managing cyber risk in a supply chain is properly identifying the vendors and suppliers within it and knowing who exactly is handling data and how.
  • Set standards and manage network access: Businesses should consider creating cybersecurity standards for partners within the supply chain that will be handling data. Are suppliers at least the company's equal when it comes to security? Sometimes a company may discover a supplier has more stringent standards than its own. Some cloud providers, for example, are as successful as they are because they are more secure and robust than the companies that use their services.
  • Negotiate contracts: To the extent possible, a company should negotiate favourable terms in its contracts with vendors and suppliers, including the ability to undertake audits. Beyond the actual coverage protections, the underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company's own due diligence when vetting that vendor.

In summary, companies should stick to consistent principles and identify processes, protocols, and systems to manage weak links. The goal is for a company to understand what rights it has, and to establish clear expectations about obligations in the event of a breach at a vendor.

Threat intelligence and information sharing

When it comes to data security and breach response, there is a wealth of available information on specific threats that companies can leverage. Obtaining the data, however, is only an effective strategy if a company is able to properly interpret and leverage it. Information and actionable intelligence are different and companies must be able to identify the few pieces of information that will actually improve outcomes. Companies should make smart decisions about what security operations they can in-source and what they should out-source, keeping in mind how they can bake security into their outsourcing decisions.

Once a company understands and can leverage threat intelligence, it may consider sharing relevant information among its suppliers and vendors. The challenge is sharing meaningful and actionable intelligence rather than all information that passes through systems.

The company should consider when and how to appropriately share information, bearing in mind that it is not a managed security provider for its vendors. Hiring vendors that have effective security capabilities is ideal, but for a subset of vendors with useful services but limited security resources, periodically sending an email advising them about a threat to look out for may be an information sharing strategy companies could employ.

Realistic approach

It's not possible to eliminate cyber risk entirely throughout a global supply chain. Taking steps to limit risk should not be misinterpreted as an airtight defense against threats. But understanding the organization's operations, its supply chain, and its vulnerabilities can lead to the next best thing: resilience, or avoiding the potential for a single point of failure to disrupt the entire supply chain.

The first step, if not already taken, is to understand the operation and supply chain. Key personnel within the organization should be assembled to identify how much and what kind of data is held and where it sits. The supply chain should be audited, in as far as it is feasible, and protection implemented as thoroughly as possible through contracts with suppliers and vendors. An insurance professional can then advise about the proper coverages to help protect against cyber threats and other supply chain risks. The goal is to recognize the threats, limit exposure, and ensure supply chain redundancy.

This piece was originally published on Aspen Insurance's website. The Aspen White Paper “Cyber Risk and the Evolution of Supply Chains” discusses protection strategies against this constantly changing threat.
