Cyber risk and supply chains

New threats and more sophisticated cyber attacks will leave supply chains more vulnerable than ever, unless a comprehensive cyber risk management system is in place.

Global supply chains have benefited greatly from new technologies, which have led to greater efficiencies. Global supply chains and secure technologies are critical to global business operations, but they are also a high-value target for cyber criminals.

The traditional view of risk officers is through the first-party exposure: attacks against a company’s IT infrastructure, malware and data breaches. However, most recent publicised attacks have been perpetrated by infiltrating a supplier’s network, and using it as a gateway to the target’s systems. The logistics sector forms an integral part of those networks.

The highest threat is through shipping and, to a lesser extent, logistics companies being an unintended victim of an attack, as was the case when A.P. Moller-Maersk famously fell victim to NotPetya malware in June 2017, which caused widespread disruption to its shipping and port operations.

These high-profile cases underline the importance of viewing cyber risk holistically, rather than as an isolated event, and of integrating supply chain exposures into the overall risk management strategy.

Cyber incidents can occur at any point along the supply chain and have multi-layered consequences. Various risk scenarios can be applied to companies involved in the global supply chain. We will focus here on a scenario where a logistics service provider can be the weak link in the chain.

Many supply chains rely on a variety of suppliers of different sizes across the world. The logistics sector forms part of those many components. Should one of the key suppliers’ operations be compromised, due to a cyberattack on its systems rendering the supplier unable to perform its obligations (whether it is to supply components, or to provide logistic services), the delay caused by the breach and the ensuing business interruption would have a direct repercussion on the company’s ability to deliver its final product and to meet customer demand.

The main consequences of this type of attack are delay cost (which may manifest itself in liquidated damages payable to customers); loss of revenue and profit; and potential reputational damage caused by the inability to deliver in order to meet customer requirements.

In the case of prolonged disruption, downstream customers and distributors may also exercise their right to terminate their respective agreements with the company, and the ability of the company to recover from the incident may be called into question.

Strategies to help mitigate this type of scenario revolve around vendor management and establishing contingency plans for critical vendors, including delivery times and minimum outputs required on short notice.

Companies are increasingly applying the principle of redundancy when designing or adapting their supply chains in order to identify vendors who can easily replace preferred providers should a crisis prevent them from delivering their usual output.

It is essential for logistics service providers to appreciate their role in the global supply chain. If a company does not have a proper cyber risk management system in place, it could easily become a liability to its customers. Logistics companies should see cyber risk management as a significant value add for their customers.

Published by

Peter Lamb

Peter Lamb is a director in the Norton Rose Fulbright admiralty and shipping team, based in Durban. A qualified attorney, Lamb has an LLM in shipping law from the University of Cape Town. He focuses on shipping, logistics and marine insurance law. Lamb is also able to advise logistics service providers, and users, on numerous commercial aspects and risk management, with a focus on Africa. You can read more from Lamb on the Norton Rose Fulbright insideafricalaw.com blog.