Ready for a new approach to Supply Chain cyber-risk?

Today’s CEOs are well aware of the growing threat of cyberattacks on their company and its supply chain. According to “The Cyber-Resilient CEO” report, more than half of CEOs believe supply chain disruptions have altered the cybersecurity threat landscape, resulting in heightened business risks. CEOs also recognize that with all of the opportunity digital innovation offers, it also brings great responsibility in terms of managing, responding to, and recovering from potential risk. For example, two-thirds singled out generative AI, which CEOs fear bad actors could use to create new cyberattacks. Fortunately, CEOs and supply chain leaders can also leverage these digital capabilities to manage cybersecurity risk in new ways—and protect their supply chains without stifling innovation.

Most of the cybersecurity risk within supply chain networks lies in the supplier base. In fact, 41% of the organizations that suffered a material incident in the past 12 months say that a third party caused it, as it is detailed in the Global Cybersecurity Outlook 2024 report published by World Economic Forum in collaboration with Accenture. Unfortunately, the current process for assessing and managing risk among their suppliers is both time-consuming and, in many cases, inaccurate.

Some companies have large risk management organizations that spend most of their time sending questionnaires to suppliers asking how they deal with their vulnerabilities, then manually collecting and collating responses. Other, more mature, companies may conduct “outside-in” scans of the internet to inform them of their suppliers’ potential risk exposure, but even that doesn’t enable a company to accurately attribute risk—i.e., which supplier is exposed to what. Given the increasingly complex landscape of n-tier supplier networks today, these traditional methods of assessment prove ineffective in conveying a true sense of a company’s risk.

However, intelligent technologies and new ways of working can help companies more effectively manage risk exposure from third parties and companies can take several steps today to get started.

• Expand from one-time assessments to 24/7 continuous monitoring to get more concrete risk intelligence, rather than answers to a questionnaire, to proactively identify and prevent breaches.
  
  
• Collaborate extensively with suppliers on joint risk identification and incident response, as opposed to just preparing for an incident in a company’s own organization.
  
  
• Ensure the company has adequate cyber insurance policies, which in our experience, most companies don’t have.
  
  
• Build risk intelligence programs that include the most critical third parties that might not be able to afford such programs.
  
  
• Set expectations that strategic partnerships make supply chains cyber resilient.

As companies consider their vulnerabilities to cyber risk, they must move beyond outdated and ineffective risk management activities to new strategies that reflect and evolve with today’s ever-changing digital environment. In particular, they should explore how technologies—especially generative AI—could help automate many risk management activities, ease the burden of the risk team, and provide greater, more accurate, insights into where they’re vulnerable. A wide range of sophisticated digital tools can help companies match the increasingly sophisticated attacks bad actors are launching, against both companies and their suppliers, and build greater resilience and help strengthen their defenses across their supply chain networks.

Thank you to my Accenture colleagues Valerie Abend, Senior Managing Director- Global Cyber Strategy Lead and Martin Metz, Managing Director-Global Supply Chain Security Lead, who collaborated with me on this article.