
Managing Your Supply Chain Cyber Risk

Most organizations rely on complex supply chains, and that reliance has become a point of vulnerability for cyberattacks. This spring, we have witnessed a large-scale cyberattack on a major British multinational retailer due to a social engineering scheme at their vendor IT company.

Additionally, North America’s largest publicly traded wholesale distributor was impacted by a cyberattack, leading to a shutdown of some systems. For wholesale distribution companies delivering fresh and frozen goods, even a short disruption can lead to spoilage, shipment delays, and other logistics dilemmas for the organization and its clients. 

We have also seen an interesting piece from Patrick Opet, the chief information security officer for JP Morgan Chase, entitled “An open letter to third-party suppliers.” In this writing, Opet identifies the growing risk in software supply chains and notes that “third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers, and dedicating substantial resources to threat mitigation.”

To fully understand the problem, I recently sat down with Devon Ackerman, the global head of digital forensics and incident response at Cybereason. He has extensive experience in the investigation and remediation of cyber-related threats and incidents from his years with the Federal Bureau of Investigation, as well as in the private sector. He is also the author of the bestselling book Diving In: An Incident Responder's Journey, which serves as a guide for executives, lawyers, and others interested in understanding incident response. 

We discussed these risks and how organizations can manage them. Here are highlights from our conversation, edited for length and clarity. You can also watch the full on-demand webinar here.

What Is Third-Party Supply Chain Cyber Risk? 

Devon Ackerman: Third-party cyber risk refers to the exposure an organization assumes by relying on outside entities. It involves vulnerabilities and threats that arise from an organization's external vendors, suppliers, or other partners in its supply chain. These risks can lead to data breaches, operational disruptions, reputational damage, and even financial losses.  

What has evolved over time—especially since COVID-19—is reliance on infrastructure outside of an organization's physical control. These include systems, data, networks, third-party platforms, and Software as a Service (SaaS) products. In the world of business enterprise, we now have this supply chain capability that extends far beyond the four corners of a business. Now, there are third-party products for which we do not control the security. 

The risk an organization has with production and delivery may stem from software to services to infrastructure. In the cybersecurity context, supply chain attacks now usually involve threat actors finding ways to attack the pipeline—the business-to-business relationships—because the four corners of a business are usually fairly secure. 

Third-party risk covers the operational and access risks from those external partners. Supply chain risk arises out of that, requiring us to focus on those embedded compromises that are outside of the normal type of inventory management processes. 

How Does a Supply Chain Attack Manifest? 

Devon Ackerman: A supply chain cyberattack may occur when a cybercriminal exploits vulnerabilities within a company's supply chain to infiltrate their systems and networks. This can be done through various methods, including compromised software, malicious code injections, or attacks on third-party vendors. The goal is often to gain access to sensitive data, disrupt operations, or steal intellectual property. For example, let's say Company A buys a software product from Company B. These are two physically separate companies or entities. For them to share information, there's an upstream and downstream sharing of data.

Threat actors know the downstream potential of a compromise on B doesn't just affect A. It affects everyone else who buys, licenses, or leases the product from B. So, the initial attack can trigger an exponential downstream reaction.  

Another common attack pattern is through a company's managed service provider (MSP or MSSP). Many companies use the services of MSPs or MSSPs, which provide remote access, trusted credentials, service accounts, etc. If that MSP is attacked, think of all the shared access they have downstream. 

Bridget Quinn Choi: One of the biggest supply chain cyberattacks we witnessed in 2024 was the attack on Change Healthcare. As a medical clearinghouse, Change Healthcare processes information, makes payments, and tracks billing for healthcare institutions of all sizes. Change experienced a large-scale ransomware attack, which led to significant disruptions to the organization and downstream to its customers. 

After the attack, many healthcare companies, big and small, couldn't operate because they were unable to process payments, which impacted patient access and operational workflows. That's an example of how a supply chain attack can have a devastating impact. And attacks seem to be more frequent. 

Are Cybercriminals Targeting Supply Chain Connections? 

Devon Ackerman: Yes, cybercriminals are actively and increasingly targeting supply chain connections. Information technology is much different today than it was 20 years ago, and so are the threat actors. They've gotten better.  

Organized crime groups have learned, watched, and adapted. Attackers are increasingly focused on supply chains because they offer wide access. A single compromise can lead to multiple victims.

The rise in supply chain attacks doesn't necessarily mean the victim organizations have poor cyber hygiene. Rather, it shows that cybercriminals have grown in tactics, size, and sophistication. We must adjust our defenses. 

The rise in third-party cyberattacks demonstrates that organizations need to shift their mindset about cybersecurity—from a perspective of keeping the attackers out to assuming compromise and building a response. This is not an “all is lost” mindset. It means organizations must figure out how to detect cybercriminals and slow them down once they get in. What we saw in the large scale was that the scenario became worse because business continuity planning did not necessarily account for such a critical vendor failure. 

What Are Some of the Challenges in Managing Risk? 

Devon Ackerman: One of the main challenges in managing cyber supply chain risk is the limited visibility into the supply chain. Many organizations do not fully know which vendors have access to what systems or data. There's sometimes a disconnect within certain businesses between legal, operations, and IT or information security.

Another issue is access control. Vendors often hold privileged credentials and administrative rights they may not need, or maybe they need some of them only for a limited time. 

A third problem is inconsistent security practices. Every vendor has their own view of security based on experience, training, and education. Although we have standards like NIST or ISO, we don't view certain standards and frameworks in the same way. If you've been through a major supply chain issue, you have a completely different perspective than you did before. 

Lastly, there is a lack of enforcement. Contracts may include security language, but there's often little follow-through to verify compliance.

It is important to understand if the third party shares the same security-minded type of philosophy. The key to performing risk-based evaluation and ranking of vendors is understanding that not all third parties pose the same risk.

Organizations should focus on those third parties that can access sensitive systems or data, and we need to limit those with proper access controls. Trust, but verify with the security practices that are in place. 

Who in an Organization Owns Third-Party Risk? 

Devon Ackerman: I would argue that cyber supply chain risk is not an IT problem. It's a business risk issue. Within the four corners of a business, the risk affects the entirety of the business. Third-party cyber risk management is handled by a team of specialists across an organization, primarily involving the chief information security officer (CISO), Risk & Compliance teams, Procurement teams, vendor risk managers, and IT security managers. These roles work together to evaluate and monitor third-party vendors, ensuring they adhere to security standards and align with business and regulatory requirements. It is a collaborative effort involving various disciplines, with various departments responsible for overseeing and managing the risk. 

Sharing information, coordinating efforts, and ensuring visibility across departments are essential for identifying, assessing, and mitigating risks posed by third parties. Ultimately, senior management and the board of directors are responsible for ensuring the organization has an effective third-party risk management program in place. They also set the tone for risk management, allocate necessary resources, and hold individuals accountable for managing third-party risks. 

Bridget Quinn Choi: Some key elements to effective third-party risk management are:  

  • Evaluate and rank third parties based on the risk they pose and impact on the organization.
  • Scrutinize the data handling and access management practices of third parties. Ensure security is an integral part of the vendor onboarding. Use a combination of questionnaires, tooling, and compliance frameworks like a SOC 2 Type II report. This is a cybersecurity compliance framework that focuses on a service provider's internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data.
  • Contract controls should require notifications for incidents affecting data and outline security expectations and obligations. These security expectations and obligations should be tested throughout the life of the contract.
  • The contract should also require a cyber insurance policy to be in effect for the life of the contract. The limits should be adequate to cover incident response, notification, and legal response for the data that the third party holds or accesses. Note: Cyber policies are issued on a claims-made basis, not an occurrence basis. It is important that the contract language reflects this. A cyber broker can help gain an understanding of the limits needed for the risk to data.  

What Is Fourth-Party Risk and How Can an Organization Manage It? 

Devon Ackerman: Fourth-party risk refers to vendors of your vendors. Let's say Company A contracts with Company B, and Company B uses Dropbox or Google Drive to hold Company A's data. 

Most companies do not have visibility into this fourth-party ecosystem. If the fourth party has a limitation of liability in their contracts, an organization's legal team may help require better terms and care of its data or put limitations on who can transfer or access the data. However, it is an important reminder that organizations remain responsible for the stewardship of protected data in fourth-party risk scenarios as they are for third-party risk management. 

Organizations should require disclosure of key subcontractors and enforcement of security expectations. Security expectations should be built right into vendor onboarding. We can do a third-party vendor risk review assessment that includes requiring a written security policy, incident response capabilities, notification timelines, minimal encryption, and access controls. 

Building Financial Resilience with Insurance Coverage 

Bridget Quinn Choi: In the context of insurance for supply chain cyber risk, it is important to consider the quality and breadth of an organization's business interruption and contingent business interruption insurance coverage. 

Cyber business interruption insurance protects a company from financial losses if operations are temporarily disrupted, typically due to a covered incident like a data breach, cyberattack, or IT system failure. If a third party manages the insured organization's network and causes a disruption, coverage for the loss of revenue associated with that disruption should be contained within this coverage grant. We recommend stress testing how the lost revenue calculation operates for the particular insured organization. We also recommend ensuring that the policy contemplates a broad definition of a computer system that includes data managed by a third party. 

Contingent business interruption (CBI) insurance covers an organization’s revenue loss when operations are disrupted due to a cyberattack on a third-party provider, such as a key supplier or cloud service. This type of coverage is an extension of traditional business interruption insurance, but it specifically addresses situations where the disruption originates outside the insured's own systems and is caused by a third party. Some insurers are expanding waiting periods, raising self-insured retentions, limiting the types of third-party providers covered, or reducing available limits. We recommend reviewing this with an experienced cyber broker.

For more insights, watch the entire webinar here.
