Key themes in overseeing cyber supplier risk exposure

29 July 2021

In June 2021, we ran a research study with subscribers of our ORX Cyber service exploring how financial firms approach the oversight of supply chain cyber risk exposure. The results of the study highlighted 5 key themes, which are reviewed in detail in a report available to ORX Cyber subscribers. The full report offers in-depth analysis of the findings, best practices and challenges that need to be overcome for each area.

Subscribers to ORX Cyber can access the report on our member-only website. If you're not a subscriber, then read on for an overview of the 5 key themes identified in the study with some of the good practice and challenges identified. And, if you'd like to find out more about the study and subscribing to ORX Cyber to help you manage this critical and increasing risk, get in touch.

Key themes in the oversight of supply chain cyber risk exposure

Theme 1: Supplier criticality and the nature and sensitivity of services being offered

Supplier criticality is central to deciding how to approach supplier cyber risk management and influences the majority of decisions to be made throughout the process.

Good practice and challenges

Good practice in this area includes having assessment processes that are dynamically adjusted based on criticality to ensure assessment is proportionate to potential cyber risk exposure. In addition, firms should try to determine supplier criticality based on a range of weighted factors relating to the supplier and the nature of their services, rather than simple dollar amounts.

Some of the challenges identified included determining the depth of assessment required by differing suppliers based on criticality and the manual efforts needed to perform detailed assessments on critical suppliers.

Theme 2: Pre-contractual considerations

Overall, our survey results indicate that most firms’ 2nd line cyber teams are involved in pre-contractual activities to some degree and promote the advantages of early involvement.

However, from the outset of supplier relationships there is no one way of doing things that adequately assesses and manages the risk from all potential suppliers and their offerings. In practice, firms must remain agile and flexible when engaging cyber teams in pre-contractual activities.

Good practice and challenges

Good practice identified during the study included making sure cyber security is a key consideration early in the process, and getting 2nd line cyber involved early in the supplier engagement process where necessary to ensure suppliers can meet cyber control requirements. The challenges noted by participants ranged from applying thresholds to the factors that drive the definition of “critical”, to deciding when to engage cyber security teams.

Theme 3: Post-contractual activities

All of our survey respondents are satisfied that the time spent on their supplier cyber risk assessments delivers value, although 38% feel that there is room for improvement and many recognise that value could be optimised. Our study showed five key areas of practice to focus on:

  1. Setting priorities and objectives
  2. Performing assessments
  3. Content of assessments
  4. Frequency of assessments
  5. Impact of assessments

Good practice and challenges

While we identified a wide range of good practice in the study for each of these areas, two main challenges stood out. First, ensuring that the priorities and requirements of multiple teams are incorporated into the scope of supplier cyber risk assessments; second, implementing a balanced and scalable approach to assessments.

Theme 4: Oversight of complete supply chain

Good practice and challenges

The key challenge in this area is the lack of direct contact with, and oversight of, subcontracted entities, which leads to a lack of visibility of potential cyber exposure. This particularly relates to incident notification, as it is difficult to enforce sufficiently early notification of incidents without a direct relationship with subcontracted suppliers.

On the other hand, best practice involves ensuring you have robust contractual clauses incorporating a range of requirements.

Theme 5: Impact of new technology on supplier cyber risk management practices

Overall, the results of our survey highlight a discrepancy between the role that new technologies play internally and their role within the supply chain. On the one hand, cloud and other technologies are changing how outsourced services are provided to institutions, with high levels of adoption along the supply chain driving adaptations in internal controls and processes.

However, despite the recognised benefits of new technologies in managing the increased vulnerabilities associated with digitisation, survey participants rarely use new technologies for internal supplier oversight purposes.

Good practice and challenges

One of the key challenges in this area is overcoming barriers to, and concerns around, the adoption of cloud and new technologies to support supplier oversight activities. Best practice includes increased automation enabled by cloud and new technology adoption allowing for increased focus on key controls and supplier oversight processes.

ORX Cyber: A guiding light for cyber risk management

ORX Cyber is available to members and non-members of ORX. It's a unique operational risk management service that combines loss data exchange with collaboration and research to provide second line practitioners with the insights and information they need to effectively manage and measure this key risk.
