You Don't Have to be Hacked-Just Your Data

Cyber Chiefs Take Aim at Supply Chains

Security executives beef up oversight of suppliers in wake of extensive attacks

BY JAMES RUNDLE

Companies are ramping up oversight of suppliers after major supply-chain cyberattacks have affected thousands of businesses and breached data on millions of customers.

Previously content with periodic questionnaires about supplier controls, corporate security chiefs are demanding stricter contractual terms around when and how their suppliers must notify them that they have experienced a cyberattack. Many now require third-party providers to adhere more closely to best practices from the U.S. Commerce Department’s National Institute of Standards and Technology, and others.

“The way in which third-party dependencies are managed is probably insufficient for today’s market, given the threat outlook and the sophistication of the actors that are engaged in either social engineering tactics or in ransomware operations,” said Pat Opet, global chief information security officer at banking giant JPMorgan Chase.

High-profile breaches show how quickly a hack of one widely used software tool or service provider can spread. After Change Healthcare, a medical-technology company that operates the largest U.S. clearinghouse for insurance billing and payment, shut down its services following a cyberattack on Feb. 21, the outage threw the healthcare sector into crisis. Many medical providers, which have been unable to bill their insurance providers, haven’t been able to collect revenue for weeks. Some have furloughed staff and considered closing.

In May 2023, hackers exploited a vulnerability in Progress Software’s MoveIt file-transfer tool, resulting in the compromise of more than 2,600 companies, government agencies and other organizations.

Other recent significant supply-chain attacks include the compromise of software developed by SolarWinds, disclosed in late 2020, and a breach of technology services provider Kaseya in June 2021.

“Every organization should be looking where their sensitive data is, if third and fourth parties have access to that data, and if those organizations have a good data classification policy,” said Stacy Hughes, CISO at investment management firm Voya Financial.

Some companies are creating strict guidelines for their suppliers to follow around data and cybersecurity. JPMorgan, for instance, has a detailed process by which it expects suppliers to inform it of attacks, including impact assessments on the bank and its data. The company expects its suppliers to follow a specific sequence of steps when they suffer a cyberattack, and its incident-response plans.

New rules from regulators in the state of New York oblige financial institutions to exercise oversight on their third-party suppliers, given the potential for attacks on one supplier to spread quickly to customers. Cybersecurity rules from the Securities and Exchange Commission, which went into effect in December, require companies to disclose how they keep an eye on their providers.

Stock-exchange operator Nasdaq said in its latest regulatory filing that it regularly reviews its suppliers’ compliance with industry security standards such as the Service Organization Control Type 2 framework, or SOC2, developed by the American Institute of Certified Public Accountants to govern how client data is stored. Chip maker Nvidia also assesses its suppliers’ compliance with best-practice controls, and physical security requirements, it said.

For CISOs who want to hold suppliers more accountable, strict contract provisions can be hard to win.

A company may have its own template ready but so do suppliers, said Meg Anderson, CISO at insurance and investment management firm Principal Financial.

“While we might start out with, ‘We want to be notified within 48 hours,’ for example, they may strike that and say that’s too soon,” Anderson said.

Nemi George, CISO at Pacific Dental Services, said the best time to request data-breach requirements is at the start of a partnership. “If you don’t get these things in early, chances are you’re not going to get them,” he said.

At the University of Pittsburgh Medical Center, CISO Chris Carmody holds prospective vendors to protocols including Hitrust, a framework that incorporates federal security standards. If doctors or nurses want to use a product from a company that isn’t Hitrust-certified, Carmody negotiates a timetable for it to get the credential.

“We push hard on vendors to demonstrate to us that they take cybersecurity seriously,” he said.

Under the federal Health Insurance Portability and Accountability Act, the business partners of healthcare organizations must disclose data breaches to the care provider “without unreasonable delay” or within 60 days. UPMC requests notification as soon as possible. The medical center can potentially head off disruptions to patient care and Carmody’s team can help the partner recover, he said.

“Even if they have an inkling of something going on, we want to be informed,” he said.

JPMorgan goes further, applying the same threat intelligence that it uses for its own defense to its critical suppliers, and informs them if it becomes aware they are at risk.

“That gives us more transparency in where we think risk is growing and an opportunity to hopefully tip off or prevent attacks before they start,” Opet said.

Cybersecurity agencies such as the U.S. Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre run similar programs, in which they scan for compromise indicators and inform companies if they are at risk of attack. But few private companies have the resources for such a program.

“That’s hard to scale, and hard for many organizations to do, but has been beneficial to us in general,” Opet said. —Catherine Stupp and Kim S. Nash contributed to this article.

Absolutely, navigating the healthcare landscape requires a comprehensive security approach! Remember, as Seneca mentioned - not who has little, but who desires more, is rich. In the realm of healthcare and security, it’s crucial to always aim for more robust protections. #HealthcareSecurity #ContinuousImprovement