Supply Chain Cyberattacks Leverage Trust Relationships Between Companies

September 9, 2024

Samuel D. Goldstick from the Foley firm writes that a digitized supply chain increases the potential for supply chain cyberattacks. Trust relationships are inherent in installing vendors’ and suppliers’ software within a company’s network, and hackers target the weakest link in the chain of trust. These weak points can allow them to infiltrate multiple organizations through a single point of compromise.

The number of organizations hit by supply chain cyberattacks has grown exponentially since 2018. In 2023, more than 54 million companies were victimized by a supply chain-related disruption, with an average annual loss of $82 million per organization in key industries: financial services, aerospace, health care, and energy.

The Foley article suggests implementing a comprehensive risk management framework that integrates Cyber Supply Chain Risk Management (C-SCRM) principles. C-SCRM, Goldstick explains, is a systematic process for managing exposure to cybersecurity risk throughout supply chains and for developing appropriate response strategies, policies, processes, and procedures.

Vendor due diligence is the first line of defense. The list of cybersecurity components to check is long, but it pays off in mitigating the potential risks associated with third-party vendors. Ongoing security assessments and audits are necessary to ensure compliance with cybersecurity standards and other legal and contractual requirements throughout the supply chain lifecycle.

Every RFP and contract with supply chain providers must include robust cybersecurity requirements. These should, at a minimum, cover the resiliency of the providers’ systems, personnel training, prompt notice of a data breach, and other measures necessary for compliance with laws and industry standards.

Incident response plans, whether newly developed or updated, should include processes for responding to cyber incidents that involve or originate from important third-party supply chain providers. Disaster recovery plans should likewise be developed and tested regularly to ensure that business operations continue in the event of a supply chain cyberattack.
