Supply Chains Are Going Digital. Is Your Cyber Risk Management Program Up to the Challenge?

By: John Farley | March 3, 2021

John Farley is Managing Director of Gallagher’s US Cyber Practice and works closely with other Gallagher global cyber practices. He assists clients across all industries in navigating the dynamic cyber insurance markets as a means to cyber risk transfer, while providing guidance on emerging regulatory risk, cyberattack techniques, cyber risk prevention and data breach cost mitigation strategies. He can be found at [email protected].

As risk managers navigate what has become a tumultuous and daunting cyber insurance marketplace, they’re finding it necessary to address cyber risk from multiple angles.

Underwriters are closely examining the cyber risk management processes and controls organizations have put in place to protect their enterprises from a people, processes and technology perspective, which is forcing some difficult conversations during the cyber insurance application and renewal process.

Those organizations that fall short of underwriters’ expectations are likely to face rate increases, coverage limitations or perhaps even a non-renewal notice from their incumbent cyber insurance carrier.

But having the proper controls in place within an organization is only the initial step toward implementing an effective cyber risk management program.

Today’s most comprehensive enterprise risk management programs extend far beyond an organization’s four digital walls. The best cyber risk managers are those who are also keenly focused on the cyber threats that can manifest themselves at any point within the organizational supply chain.

The Ins and Outs of Vendor Risk Management 

Outsourced IT service and software providers, human resources consultants, payroll companies and other vendors often maintain, or provide access to, their clients' most sensitive data. Or a supplier may provide a critical product or service that, when it stops functioning, brings the enterprises that rely on it to a screeching halt.

So when a vendor, sub-vendor or anyone else in the supply chain is hacked or shut down by a cyber incident, the crisis itself can't be outsourced. The risk manager will own it.

Vendor risk management is no easy task. It requires not only the constant monitoring of primary vendors, but a deep understanding of any sub-vendor relationships that could increase an organization’s cyber exposure. Tough questions must be answered:

  •  Am I satisfied that my primary vendors – and those in the supply chain that I may have no control over – are cyber secure?
  •  Where exactly is my most sensitive data flowing?
  •  Who within the supply chain ecosystem – if impacted by a cyber attack or system failure – could cause harm to my organization?

Risk managers should therefore focus on a variety of controls when forming a vendor risk management program. They will need to:

  •  Identify all the players in their supply chain.
  •  Obtain proof of cyber risk assessments from as many of these vendors as possible.
  •  Determine any red flags, and rank their vendors and sub-vendors from best to worst.
  •  Establish an escalation process in seeking vendor improvements and consider replacing any vendors that fail to respond to remediation requests.
  •  Maintain and document a continual monitoring and auditing system.
  •  Review all contractual clauses that address vendor data security controls, expected actions in the vendor's data breach response, and hold harmless clauses.
  •  Require vendors to provide proof of insurance, such as a Technology Errors & Omissions policy, that may respond to a network security event.

Cyber Insurance Nuances

Cyber insurance policies are one of the critical tools that can help organizations transfer cyber risk in the supply chain. Many cyber carriers offer contingent business interruption coverage which, if worded properly, can respond to an organization's business interruption losses caused by cyber attacks or network security incidents that impact vendors in the supply chain.

Be mindful, however, of potential exclusionary language within these cyber policies. Some will pay for incidents impacting only specifically identified vendors, while others will exclude certain vendors, such as individual IT service providers and vendors providing critical infrastructure services.

There may also be coverage implications depending on the type of event – such as a “security event” versus a “system outage.” Finally, most policies require a specific waiting period, usually ranging from 8 to 12 hours, before contingent business interruption coverage can commence.

Today’s risk managers must recognize that cyber risk and supply chain risk have become forever intertwined.

Although an organization may not have been the hacker's direct target, an attack on a vendor far down the supply chain could lead to subsequent business interruption and legal liability for everyone along that supply chain.

For these reasons, vendor management programs should be a top priority for any enterprise risk management program.

More from Risk & Insurance