When supply chain professionals are asked about supply risks, they often cite issues like capacity constraints, component shortages, and quality problems.  It is not typical for them to list ransomware and cyberattacks since those are normally considered IT related risks.  But in today’s interconnected and system dependent world, any problem that affects the core system infrastructure is going to affect supply.

According to the State of Email Security 2020 report from Mimecast, 51% of the organizations assessed have been impacted by ransomware in the last 12 months, while 58% saw an increase in phishing attacks, and 82% experienced downtime from an attack.  It does not take much of an imagination to see how these attacks could become a major disruption to your supply chain.  From a continuity of supply perspective, this is no different than a broken tool, a material shortage, or some type of natural disaster that prevents the flow of products out of your supplier’s factory.  In addition, if you think of a cyberattack beyond the context of a supply disruption, you soon realize that it can expose your intellectual property and confidential information that is residing on your supplier’s servers.  We are aware of two specific instances at our own clients within the past year where a ransomware attack on their supplier created a major disruption that in each case, lasted nearly four weeks before it was rectified.

Given the ever-increasing risks in cyberspace, we believe that supply chain professionals should be considering these issues when discussing risks with suppliers.  We understand that you cannot verify that every supplier has mitigated this risk.  However, in the case of your high complexity, sole source, or critical suppliers, doing nothing and hoping for the best is also not a reasonable option.  Given our years of experience in solving both supply chain and IT problems for clients, here are a few steps you can take to address this risk:

  • Segment your suppliers. We have stated many times in prior newsletters that not all suppliers are equally critical.  When it comes to standard off-the-shelf components that you purchase from a distributor or multiple sources of supply, you can easily pivot to a new supplier when there are shortages.  Also, these suppliers tend to have more limited access to your IP and confidential information which means you have more limited risks.  But for those small and medium size suppliers of sole-source, high complexity components where the switching costs are high, a different approach is warranted.
  • Ask them to self-assess their readiness. Asking a supplier to self-assess their capabilities in this space is not a perfect process but it is a good start.  In our experience, we have found that most suppliers are honest and transparent in answering specific questions.  We recommend asking them to self-assess their capabilities with a brief set of questions that uncovers major gaps and establishes a platform for dialogue and understanding.  A supplier that self-assesses itself poorly on basic, high level questions (e.g. do you have information security policies and procedures in place, do you train your employees, etc.) should be cause for concern.  It will be important for you to require action from these suppliers as a condition of doing business and to manage – even micro-manage – remedial efforts until you are satisfied.
  • Take no risks with your crown jewels. As you go through the process of segmentation and self-assessment, you may run into certain critical suppliers that either (a) do not respond to your satisfaction, (b) do not mitigate these risks adequately, or (c) are critical enough to where you need to do your own due diligence.  In these cases, it is prudent for you to use your own resources (internal or outside) to conduct an assessment rather than relying on the supplier’s self-assessment.  The benefit of doing this is that you have domain experts in the information security space who will ask probing and open-ended questions, assessing the health of your supplier in a clear and consistent fashion.
  • Include cybersecurity language in your contracts. Nothing gets the attention of a supplier more than actionable contractual language. While your supply agreements are normally focused on deliveries, quality, pricing, warranties, inventory, flexibility, and various other commercial and legal provisions, establishing a minimum set of requirements to protect your IP and confidential information, and mitigating supply disruptions due to a cyberattack are important steps for you to take.  Negotiating a contract with information security provisions will give your request visibility at the most senior levels of your supplier and help you gauge how serious and committed they are to addressing this important issue.

While cybersecurity risks are not on the top of the list for most supply chain professionals, it is time to view them through a different lens.  With more people working from home and accessing information remotely, the risks are amplified.  Most medium and large manufacturers have adequate measures to address information security risks within their own four walls or with their cloud computing suppliers, but few have a good understanding of the risks at their component suppliers and their contract manufacturers, particularly those that are small and medium size.

Given that Symphony has a unique blend of expertise in both supply chain and IT (including information security), we have developed the right tools that can (a) help your suppliers self-assess, or (b) help you assess yourself and/or your suppliers based on a simple, consistent, and uniform methodology.  If this is an area that you would like to further explore, please contact us at info@symphonyconsult.com.