Corporate TIPS Blog: Managing Cybersecurity Risk in Your Supply Chain
By Craig S. Horbus & Megan C. McClung on July 10, 2019
“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.” – Gartner Innovation Insight.
Globalization and an increasingly interconnected supply chain have broadened the third-party risk landscape to include the increasingly present cybersecurity threats. In fact, just last month, Quest Diagnostics, one of the largest blood testing providers in the nation, warned that nearly 12 million of its customers may have had their financial and medical information breached due to an issue with one of its vendors. With new liabilities on the horizon, organizations must focus on supply chain risk management.
Ascertaining a vendor’s security rigor and looking for indications of cyber risk in your supply chain network is no easy feat. Yet, without this insight, it’s impossible to address, quantify, and mitigate cyber risk.
Security ratings can be effective in identifying risky vendors and supply chain vulnerabilities. These ratings are the cybersecurity equivalent to a credit score, presented in an easy-to-understand manner and backed by data that correlates to potential security incidents and context. Like credit scores, security ratings are based on a scoring system (ranging from 250 to 900). The higher the score, the less risk the vendor poses. According to BitSight, a cybersecurity ratings company, organizations with a security rating of 500 or lower are five times more likely to be breached than those with a 700 or higher rating.
Where Tier 1 or 2 suppliers may balk at an end customer poking around in their supply chain networking looking for indications of cyber risk, security ratings can be especially useful to manage cyber risk in supply chain interactions where transparency has historically been lacking. These ratings rely on externally observable events or trends, so it becomes much easier to get around proprietary data restrictions that limit visibility into the security posture of each link in your supply chain.
Last year, 59% of breaches originated with third-party vendors. Implementing a third-party risk management program that utilizes security ratings can help you scale your monitoring of third-parties and mitigate cybersecurity risk in your supply chain.