By Mark Camillo, Head of Cyber and Professional Indemnity, EMEA, and Martin Overton, Cyber Risk Technical Specialist
Companies recognize that supply chain risk is a growing problem, and today, cyber risks and supply chain risks are increasingly linked. For multinationals, cyber risks in the supply chain may be even more significant, as many multinationals rely on third parties to provide services. If any of these third parties suffers a cyberattack, the disruption may result in financial repercussions, or even a loss of customers, for the multinational.
If a third-party supplier provides technology to the company or is connected to the company’s systems, then the company faces an additional risk: cyberattacks can strike the company via that supplier. In fact, there are many examples of companies’ supply chains being hacked via a third-party supplier or a business partner. As a result, companies need to take a closer look at who they are connecting to on the data side.
Read on to see which cyber threats could disrupt your company’s supply chain and discover best practices to help you combat these risks.
These 3 Cyber Risks Could Disrupt Your Company’s Supply Chain
- Hardware tampering: adding extra hardware to chip-and-PIN devices to steal data from the target. Hardware tampering occurs at a point between the manufacturer and the target, usually at a retailer.
- Malware advertising: hacking a third-party ad server to add malware to the ads on a company’s website. A high-profile case affected Spotify last year.
- Communication chain hijack: taking over a communication chain to steal credentials, capture passwords, change payment details on invoices, etc. This can happen on the web or over email.
3 Steps to Help Beat Cyber Risks in Your Supply Chain
To combat these threats, your company should follow this action plan:
- Examine your business supply chain and your vendors
- Identify the weakest links
- Pinpoint where your supply chain and your vendors have potential to experience disruption
Working with a ratings firm, such as our partner BitSight, can help your company identify potentially weak partners within your infrastructure. These firms use publicly available data to rate not only the client company, but also all of the company’s business partners and entities that use its technology.
When Human Error is the Problem
Ultimately, many cyber incidents arise from human error rather than from technological weak points. Human error is a major area where your company should focus its mitigation and prevention efforts.
All too often, companies try to stop human error using the latest security offerings, such as the newest firewall or intrusion detection system. In fact, preventing human error is largely about making sure that employees follow best practices for cybersecurity. We recommend these three strategies for your company:
- At every step in the supply chain, ask: Where is the data, how is it protected, and what technology procedures do we have? Criminals are after data, such as financial records, card information, or intellectual property.
- Wherever people, such as retailers, hoteliers, and travel agents, handle credit card information, use point-to-point encryption (P2PE) between the card reader and the card processor. This means no unencrypted credit card data is stored on your systems where it could be stolen.
- Train all employees in best practices for cybersecurity. Every member of your organization must be part of the security checks. Untrained employees may inadvertently become part of the problem.
Cyber Insurance is Changing to Help Safeguard the Supply Chain
Cyber risk insurance coverage is expanding to offer higher limits for third-party exposures. These new policies can cover more than your company’s computer system and technology, and extensions can be specific to your industry. For example, if an airline is concerned that a cyberattack could prevent it from fuelling planes or delivering baggage, cyber insurance policy extensions can provide coverage.
Today cyber insurance is becoming part of companies’ engagements with suppliers and vendors. At AIG, we’ve observed an increase in submissions and applications for cyber insurance due to new contract requirements. In the past, vendors and suppliers typically needed to have general liability or professional indemnity insurance. Now cyber is likely to be the next form of insurance required.
Currently, when people think of cyber risks, they think about financial losses, fines, and penalties, but looking ahead, cyber risks are likely to cause other losses as well, including property damage or bodily injury. As technology evolves and systems become increasingly interconnected, companies and insurers are planning to help reduce these emerging risks.
The content contained herein is intended for general informational purposes only. Companies and individuals should not solely rely on the information or suggestions provided in this article for the prevention or mitigation of the risks discussed herein.