Supply Chain Cyber-Attacks
How vulnerable is your business?
With the latest release of Allianz’s 2020 Business Risk Barometer, it is clear that cyber has been catapulted to the number one position for business risk on a global scale.
“With businesses facing a number of challenges such as larger and costlier data breaches, more ransomware incidents and the increasing prospect of litigation after an event.”
There is also a worrying trend that data breaches are becoming larger and more expensive to deal with, and the greater the business interruption the higher the losses.
Data rich organisations beware!
As organisations gather and process greater volumes of personal data, breaches are becoming larger and costlier. So-called mega data breaches (in which more than a million records are exposed) are now commonplace.
For companies that depend on data to provide their services, the consequences can be disastrous. Extortion demands are a big concern for these organisations, but business interruption causes the heaviest losses from ransomware attacks, even though the attackers’ real target is often the theft of the personal data they hold.
“A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn (11% higher than in 2018).”
Operational Resilience is now a key focus for regulatory authorities, with Sam Woods, CEO of the Prudential Regulation Authority (PRA) stating: “Operational resilience is a vital part of firms’ safety and soundness, and has become an important priority for the PRA. This consultation marks the next stage of integrating operational resilience into our regulatory framework. Alongside this, our proposals on outsourcing and the cloud will steer firms to be resilient in their adoption of new technologies.”
Jon Cunliffe, Deputy Governor for Financial Stability said “…Financial Market Infrastructures need to consider not only what steps they need to take to minimise operational disruption, but also how quickly they can recover from any operational disruption.”
Find out more about operational resilience on our IT, Cyber and Compliance guidance for Insurers and FCA regulated organisations.
Your organisation may be well protected, but the same can’t always be said for your suppliers or acquisitions, especially if they take a weak approach to cyber-security or already have unresolved vulnerabilities. You, as the acquiring firm, could find yourselves liable for any damage from breaches or attacks pre-dating the merger. That’s why auditing new acquisitions and suppliers must be treated as a priority and a vital part of your due diligence. The Marriott hotel group learnt this the hard way: its 2018 breach was traced to a 2014 intrusion into the Starwood hotel group, which Marriott acquired in 2016.
The same applies when a firm has an outsourcing arrangement with a company in the same group, including cross-border outsourcing to parent or sibling companies outside the UK. The FCA states that intra-group outsourcing is subject to the same rules as outsourcing to an external third party. The risk should not be perceived as any lower, nor should the arrangement be treated as exempt from outsourcing requirements. Risks must be identified and managed effectively whether the outsourcing is to a third party or intra-group.
Growing regulatory actions and legal costs
Large data breaches are resulting in regulatory action and, most significantly, large fines. They can also prompt affected consumers, business partners and investors to pursue legal action, all contributing to eye-watering costs. Marriott in 2018 and the credit scoring agency Equifax in 2017 were both reported to have suffered mega data breaches affecting the personal data of over 300 million and 140 million customers respectively. Both have had several lawsuits and regulatory actions brought against them, and Marriott is expected to receive a fine of £100 million from the UK’s data protection regulator.
The best approach to managing Cyber Risk and improving Cyber Resilience
- Treat cyber risk as part of your overall enterprise risk management and view it as a key business risk
- Monitor and measure the security and availability of systems through continuous vulnerability and risk assessments, remediation, and sharing of intelligence about cyber threats
- Run regular staff information security training, awareness activities and anti-phishing campaigns
Our top tips for supplier management
1. Due diligence is a priority. Find out the supplier’s potential risk profile and how their actions could impact you if they were compromised.
2. Verify your suppliers’ certifications. It’s wise to check claims and certifications. A supplier may hold a PCI Report on Compliance, or an ISO 27001 certified ISMS, whose scope covers only a small section of what you rely on, meaning the services you actually use are not certified.
3. Continually check your suppliers. You may have vetted them five years ago and deemed them low risk, but good supplier management requires a continuous auditing programme.
4. Get an independent, unbiased view. There’s a lot of value in bringing in an independent auditor to provide a balanced view of your suppliers, especially if information security auditing isn’t part of your normal job function.
We’re helping an increasing number of organisations by providing independent supplier security reviews and ongoing supplier management using our proven framework.
Call us on 01242 505470 or fill out our Cyber consultancy contact form and we’ll be happy to discuss your individual supplier audit requirements with you.