Here are the highlights:
- Cybersecurity within supply chains is crucial, as over a third of organisations surveyed reported being compromised by a third-party cyber incident in 2022.
- Small and medium-sized suppliers are increasingly being targeted by cybercriminals, who exploit their weaker cybersecurity measures to gain access to their clients’ systems.
- Effective supply chain security involves implementing third-party risk management procedures and standardising the risk management approach.
- Policymakers can assist by promoting the harmonisation of requirements across markets based on best business practices and international standards.
A report from the World Economic Forum revealed that 39% of organisations surveyed in 2022 fell prey to a third-party cyber incident. These incidents, which often involve small and medium-sized suppliers with less stringent cybersecurity practices, underscore the necessity for comprehensive security measures across all links of a supply chain.
Organisations can bolster the protection of their supply chains by carrying out a third-party risk management procedure when selecting suppliers. This process includes evaluating a supplier’s technical abilities, experience and the geographical location of their assets. Furthermore, it’s critical to standardise risk management and make cybersecurity a shared responsibility between the organisation and its suppliers.
Practically, this approach could be implemented by focusing on a concise list of security requirements based on assessed risk, diversifying supply chains, adopting zero trust policies, and incorporating emerging technologies like blockchain and artificial intelligence. Moreover, suppliers might be incentivised to adhere to international standards, such as ISO 27001, ISO 27701, and ISO 22301. Senior management also needs to be more involved in overseeing third-party cyber risks.
The widespread nature of supply chains in today’s interconnected global economy warrants harmonised requirements that align with best business practices and international standards. Policymakers can play a vital role in ensuring such harmonisation.
The EU’s Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, which is set to apply from January 2025, represents a significant step towards supply chain protection. The regulation sets out provisions for contracts, security standards, risk management, and other areas important to supply chain security.
To further enhance the resilience and competitiveness of supply chains, diversification is crucial. Restrictions on specific vendors should be proportionate and fact-based to avoid unnecessary impact on cost, service and market development.
In conclusion, a collaborative approach involving all stakeholders is the best way to improve the baseline cybersecurity standards, especially within the supply chain.