In our hyperconnected digital world, transparency isn’t always a given. As we browse, conduct research, or shop online, we’re not always certain exactly where information is coming from and may not even be sure exactly where we are. Another foible of hyperconnectivity is the length and expanse of any given supply chain. How many suppliers contribute to the store we might be shopping in? Are we buying from a trusted source, or are we being taken to an unknown third party to procure what we need? Is every website secure, or are some more vulnerable to malware and hacking than others?
Investopedia defines supply chain as a network between a company and its suppliers to produce and distribute a specific product to the final buyer. The network includes different activities, people, entities, information, and resources.
A supply chain attack occurs when a hacker or other bad actor exploits a member of your supply chain (i.e., a vendor or supplier) whom you have authorized to access your networks, systems, and data in order to provide the goods or services you require.
After attacking your supplier’s network, the hacker is then able to access your organization’s digital infrastructure and steal sensitive data. Software development tools, software upgrades, specialized code embedded in hardware and firmware, and smart devices such as phones, USBs, and medical equipment can all be compromised in this manner.
Ironically, the more popular a device or software app is and the greater the number of customers using it, the more damage a supply chain attack can inflict.
As businesses large and small continue to collaborate with and outsource to each other, more suppliers than ever before now have legitimate access to their clients’ networks, systems, and data. And while you may trust your own company’s cybersecurity, what degree of visibility do you have into your various suppliers’ security programs? Have they implemented a comprehensive cybersecurity framework, such as those developed by NIST, PCI, HITRUST, or ISO, for example? How much confidence do you have in any given supplier to effectively safeguard your data as they acquire, use, and store it? Do you even have enough information to answer these questions?
Recognizing the importance of securing not only regulated organizations but their supply chains as well, most security frameworks include provisions for third-party risk management (TPRM). Many also require security risk assessments of vendors and suppliers.
One example is the Cybersecurity Maturity Model Certification (CMMC) program mandated by the U.S. Department of Defense. CMMC enforces the protection of sensitive information that is shared by the DoD with its contractors and subcontractors and ensures that they meet established cybersecurity requirements or are removed from the DoD supply chain.
Another example is the final third-party risk management guidance published in June 2023 by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Treasury to promote consistency among regulated financial institutions in managing supply chain risk. The guidelines provide banking organizations with sound risk management principles for use in developing and implementing risk management practices across the entire life cycle of third-party relationships.
Collected from several widely adopted security frameworks, the following guidelines are a solid foundation upon which any organization can build a robust vendor risk management program.
In addressing the requirement for security risk assessments, some vendors may prefer to have their assessments performed by an external resource of their choosing and provide that report to you. Comprehensive security risk assessments conducted by qualified, experienced, independent assessors can effectively evaluate how well third parties are meeting the security responsibilities, controls, and reporting protocols mandated by applicable regulations or organizational policies.
The key to effective cybersecurity, both for your organization and for your supply chain, is to update security safeguards on a regular basis to keep pace with emerging threats and new regulatory requirements.
Managing security risk among vendors and suppliers presents a challenge for businesses that rely on others for goods and services, which is all businesses today. Despite our best intentions, supply chain security continues to be elusive.
Recognizing the importance of securing not only organizations but their supply chains as well, the leading security frameworks all include provisions for third-party risk management. Many require security risk assessments of vendors and suppliers. Guidelines for sound vendor risk management programs are readily available to assist organizations and their suppliers in safeguarding confidential data, intellectual property, and the personally identifiable information of employees, customers, and other stakeholders. Finally, experienced professional assistance is available to conduct security risk assessments of your vendors and suppliers.