Global supply chains and secure technology are two of the pillars sustaining our fast-moving, interconnected world. Precisely because they are critical to global business operations, they are also a high-value target for hacktivists and cyber criminals.
While cyber risk has long been an area of focus for risk officers and general counsel, the scope is often limited to first-party exposure: attacks against a company’s own IT infrastructure, malware and data breaches are all viewed through a first-person lens. Nevertheless, several of the most highly publicised cyberattacks and data breaches of recent years were carried out by first infiltrating a supplier’s network and then using it as a gateway into the target’s systems. Retailers Target and Home Depot suffered major data breaches after attackers obtained access through third-party vendor credentials, and the U.S. Office of Personnel Management was compromised through a contractor. The 2011 breach of security vendor RSA shows the same pattern from the supplier’s side: data stolen from RSA was subsequently used in attacks on RSA’s own customers. More recently, the software update mechanism of an accounting package widely used in Ukraine has been identified as the initial vector through which the “NotPetya” malware was delivered to the package’s users, from where it spread further.
These high-profile cases underline the importance of viewing cyber risk holistically, as a property of the whole network of parties a company depends on rather than as a series of isolated first-party events, and of integrating supply chain exposures into the overall risk management strategy.
Regulation is evolving in response to this increasingly complex cyber risk landscape. Australia has recently amended the Privacy Act to introduce a mandatory obligation to notify the Privacy Commissioner and affected individuals of certain data breaches, including breaches that occur within third-party suppliers handling the company’s data. From 22 February 2018, when the scheme commences, companies subject to the Act will need to tighten their scrutiny of suppliers’ security practices and contractual obligations in order to mitigate the risk of cyberattacks and data breaches they may become answerable for.
This is another reminder of the importance of managing supply chain risks deliberately; similar legislation around the globe already addresses liability for acts of money laundering, terrorism financing, corruption and bribery, and human rights abuse committed within a supply chain. Companies relying on complex, global supply chains should act sooner rather than later to manage cyber risk across their supply chain, and to prepare thoroughly for potential incidents and further regulatory developments.