Managing Third-Party Supply Chain Cyber Risk: Key Takeaways from the Recent Webinar

In the ever-evolving landscape of cybersecurity, managing third-party supply chain risk has become a critical concern for organizations of all sizes. A recent webinar on "Managing Third Party Supply Chain Cyber Risk", held with the Insurance Institute of London on the 3rd of July 2024 and moderated by Charlotte Peniston, ACII, from WTW, shed light on this pressing issue, discussing regulatory frameworks, industry statistics, and best practices for mitigating cyber threats. Here are the key points discussed during the session.

Setting the Scene: Regulatory Frameworks

Andrea Garcia Beltran, Head of Cyber Europe at Nirvana and one of the key speakers, provided an in-depth overview of the regulatory frameworks that govern third-party supply chain cybersecurity. Highlighting NIS 2 and DORA, she emphasized the importance of compliance with these regulations to avoid severe penalties and enhance digital defences.

  1. NIS 2 EU Directive: This directive broadens the scope of entities covered, including critical supply chain players. It mandates compliance with certain cybersecurity standards, with penalties for non-compliance including monetary fines and potential business closures. The directive covers companies with more than 50 employees and an annual revenue exceeding €10 million.
  2. DORA (Digital Operational Resilience Act): Focused on financial services, DORA requires companies to maintain a register of information on third-party suppliers providing ICT services. It mandates regular assessments of suppliers' cybersecurity environments and detailed reporting to regulatory authorities whenever there are changes in suppliers.

Statistics and the Evolution of Third-Party Risk

The webinar highlighted alarming statistics from recent reports, such as those by the World Economic Forum (WEF 2024), OneTrust and Marsh. These reports indicate that 41% to 73% of companies surveyed have experienced third-party cyber incidents. Small and medium-sized suppliers are increasingly targeted, often as a means to access larger organizations' systems.

Key statistics and developments include:

  • 73% of organizations reported that third parties now have more access to their data assets than three years ago.
  • 60% of organizations work with more than 1,000 third parties.
  • The cost of software supply chain attacks is projected to rise from US$46 billion in 2023 to US$60 billion in 2025 (Juniper Research).
  • The rise of Gen AI is affecting third parties and vendors: while ransomware and systemic risks dominate the cyber threat landscape, the explosion of Gen AI is a major new development. Four emerging conclusions are clear:

  1. Sophisticated, state-backed threat actors will use Gen AI to sharpen their tactics, techniques, and procedures.
  2. Gen AI will increase the potential aggregation, severity, and frequency of claims by enhancing the capabilities of commercial hackers.
  3. Aggregation and Severity of Claims
  4. New Attack Vectors: Gen AI is being used to identify and exploit vulnerabilities in supply chains. This includes targeting smaller suppliers to gain access to larger organizations, amplifying the potential damage. Gen AI can also automate and scale attacks, making it easier for threat actors to launch large-scale campaigns that disrupt supply chains and cause significant financial losses.

Despite these challenges, Andrea and Charlotte also mentioned that Gen AI holds promise for strengthening defences against cyber threats and for improving the underwriting process.

Key Trends in Claims

Cameron Carr, Partner at Mullen Coughlin LLC, and Neil Hare-Brown, CEO and Founder of Storm Guidance, both key experts in this field, provided a good summary of the key trends in notifications into the insurance industry, as well as a review of publicly known incidents that have been in the press in the last couple of weeks.

  1. Supply Chain Ransomware Activity: Ransomware continues to dominate the cyber loss environment. Companies with strong cyber resilience are better positioned to handle these threats. Ransomware attacks increasingly involve the theft of sensitive data for extortion, raising the complexity and reputational risk of incidents. Investments in risk controls and crisis management are making companies less likely to pay ransoms, even as double and triple extortion attempts become more common. Cyber insurance remains crucial, incentivizing better cyber hygiene and resilience while indemnifying losses.
  2. Impact on Smaller Suppliers

  • Targeting SMEs: Small and medium-sized enterprises (SMEs) are increasingly targeted by attackers as a means to infiltrate larger supply chains. These smaller suppliers often lack the robust cybersecurity measures of their larger counterparts, making them easier targets and weak links in the supply chain.
  • Financial Devastation: For many SMEs, cyber-attacks can be financially devastating, potentially leading to business closure. The ripple effects of these attacks can disrupt larger organizations that depend on these suppliers, amplifying the overall impact.

  3. Economic and Reputational Damage

  • Widespread Disruption: Supply chain attacks can halt production, delay shipments, and disrupt services, leading to significant economic losses. The cascading effects can impact multiple industries and sectors, highlighting the interconnected nature of modern supply chains.
  • Reputational Harm: Beyond financial loss, companies face severe reputational damage. Customers and partners lose trust in organizations that fall victim to ransomware, especially if sensitive data is leaked. The long-term impact on brand reputation can be profound and difficult to recover from.

Importance of Security Enterprise Risk Management

The panel highlighted the value that could be realised through improved contract management. Neil Hare-Brown identified that substantial time and cost savings could be achieved if organisations mandated a degree of forensic preparedness from their suppliers.

Cameron Carr described some of the challenges that arise in multi-party post-breach communications. Organisations and legal teams can find themselves swamped by wide-ranging notification obligations, which themselves drive ongoing reporting and engagement with concerned parties. This can drain capacity (especially at Legal and CISO level) away from other crucial action.

A significant point of discussion was the challenge posed by parties in the supply chain lacking adequate cyber preparedness. Such gaps have cascading effects throughout the supply chain, potentially leaving larger organizations exposed to significant, unrecoverable losses originating from their suppliers.

Cyber Insurance as part of a robust resilience strategy was covered by Andrea Garcia; from an underwriting perspective, understanding the implications of third-party cyber incidents on insurance coverage is crucial. Companies must review their cyber insurance policies to ensure they cover attacks originating from third parties. Additionally, ensuring that third parties have adequate cyber insurance can mitigate potential risks.

Coverage and Future Developments

Andrea and Charlotte discussed how insurers' appetites and perceptions around cyber coverage are evolving. The increasing frequency of ransomware attacks on third-party suppliers has influenced the sales of cyber policies. The webinar also addressed the need for insurers and government bodies to collaborate more effectively to manage catastrophic cyber risks and ensure market sustainability.

Key Points on Insurability and Market Capacity

  1. Insurability Challenges and Market Sustainability: Addressing the insurability of complex cyber risks is essential for long-term market sustainability.
  2. Market Development and Global Demand: Meeting the growing global demand for cyber insurance requires adequate capacity from both insurance and alternative capital markets.
  3. Cyber War Exclusions: Modernizing cyber war exclusions to support market initiatives and meet local legal requirements might be a request in the near future.
  4. Risk-Bearing Capacity: The insurance industry has its limits in risk-bearing capacity, especially concerning catastrophic systemic events.
  5. Government Role: Governments must play a role in managing catastrophic cyber risks, given their high macroeconomic impact. Neil made the case for increased government intervention in the cybersecurity space. Drawing parallels with the evolution of health and safety regulations, he proposed that cybersecurity might benefit from being the subject of a single overarching legal framework, akin to the Health and Safety Act. Andrea suggested that governments should seek to partner with the insurance industry and support it in taking on risk transfer for systemic events, so as to address the need for cover for supply chain cyber losses, which sadly seem set to increase significantly in the coming years.
  6. Future Exposures: As risk modelling improves, more exposures may need to be excluded from private sector coverage, highlighting the need for close cooperation with government bodies.

Mitigation Strategies and Best Practices

The session emphasized the importance of comprehensive risk management and strategic corporate approaches. Key recommendations included:

  1. Readiness Assessment: Companies should conduct readiness assessments to comply with new regulations and create compliance maps.
  2. Comprehensive Risk Management: Implementing an enterprise-wide analysis of ICT/OT supply chain cybersecurity risks is crucial.
  3. Thorough Risk Assessments: Using the ISO 31000:2018, ENISA and ISO 28000:2022 guidelines to assess supply chain risks.
  4. Risk Treatment and Monitoring: Applying controls recommended in international standards like ISO/IEC 27001 or ISO 9001 and monitoring supply chain risks continuously.
  5. Lifecycle Management: Managing the lifecycle of supplier relationships.
  6. Incident Handling Obligations: Establishing clear incident handling obligations with suppliers.
  7. Awareness Training: Providing training for both the organization’s and suppliers’ personnel on cybersecurity practices.
  8. Audit and Security Requirements: Ensuring audit rights and defining security requirements for ICT/OT products and services.
  9. Look out for best practices, such as the DORA requirements.

The CyberSeven Strategies: Insights from STORM GUIDANCE

Neil introduced the CyberSeven strategies, developed from years of assessing organizational shortcomings in cyber risk management. These strategies serve as a foundational review to help organizations manage cyber risk effectively. They are designed to engage executives using business language, making them accessible and actionable.

CyberSeven Key Review Areas:

  1. Responsibilities: Clearly defined roles for reporting cybersecurity to key executives ensure that risks are properly overseen.
  2. Asset Awareness: Maintaining a register of data assets helps in defining the organization's cybersecurity approach and understanding the impact of intangible assets.
  3. IT Budget: Adequate funding for IT and cybersecurity is crucial to prevent vulnerabilities.
  4. Payment Controls: Segregating payment duties and auditing automated payments helps in preventing fraud.
  5. IT Staff Count Ratio: Ensuring sufficient resourcing for IT and security responsibilities is essential for effective management.
  6. Cyber Skills and Awareness: Continuous training and awareness programs keep employees vigilant against cyber threats.
  7. Technology Versions: Keeping technologies up to date ensures that the organization remains a hard target for cybercriminals.

Neil emphasized that these strategies form the foundation needed to support all other cyber risk management and security controls. When implemented and monitored, they lead to robust cybersecurity practices.

In conclusion, the webinar provided valuable insights into managing third-party supply chain cyber risks, emphasizing the importance of regulatory compliance, comprehensive risk management, and the evolving landscape of cyber insurance. These insights are crucial for organizations aiming to strengthen their cybersecurity posture and protect their digital assets from evolving threats.

Charlie Evatt

Cybersecurity and Cloud Technology Consultant and Assessor | CISSP | TPN Advanced Assessor (Site + Cloud) | AWS Solution Architect (Associate) | Certified Scrum Master | Musician and Producer

7 months

Timely!
