Examining Cyber Risk in Supply Chains

Cyber exposure from third parties is often not an organization’s fault, but they must deal with the fallout. Understanding how technology poses a risk to your organization requires understanding how technology could comprise your organization through vendors and suppliers.

Cyber risk is one of seven dimensions of risk in Exiger’s risk-scoring model for third-party relationship management (TPRM) and supply chain risk management (SCRM).

Cyber Supply Chain Risk Management (C-SCRM) is a broad term that can encompass the cybersecurity of supply chains – in some cases, the supply chain is the vector of the attack, and in others, the supply chain itself is the target. Adversaries exploit the supply chain because it is efficient and effective in achieving their aims; these attacks will continue in volume, velocity, and variety.

Exiger offers systematic identification of cyber risks to and through the supply chain, helping you understand which of your third parties you can trust with sensitive data, where ransomware incidents and data breaches impact your supply chain, and how open-source software creates hidden risk. An effective risk management program depends on knowing the cyber risk that a critical third party presents to your organization’s systems.

When conducting third-party and supply chain cybersecurity risk assessments, you should look out for compromised software or hardware purchases, any history of data breaches, software security vulnerabilities, ties to politically exposed ownership or hostile nation states, and poor information security practices by lower-tier suppliers. Cyber risk indicators fall into several categories:

Security Posture
- Application Security
- Network Security
- Endpoint Security
- Product Security
- Software Security

Leading Indicators
- Stolen Credentials / Hack and Leak Postings
- Public and Non-Public Ransomware Incidents
- Data Breaches & Cybercrime Forum Discussion
- Sensitive Data Exposure

Resiliency Indicators
- Concentration Risk
- Single Point of Failure
- Time to Remediation
- Abandoned Code
- End of Life

Health & Hygiene
- DNS Health
- Patching Cadence
- CVE and EPSS Scoring
- IP Reputation
- Code Maintenance
- Technical Debt

Complex interdependencies make it nearly impossible to secure all components and contributors to fragility and vulnerability in the supply chain. To assess cyber supply chain risk, organizations need information from — and about — each link in the chain, which includes systems, data, networks, hardware, and software. There are myriad frameworks and standards that Exiger’s cyber offering maps to and supports:

NIST Cybersecurity Framework (CSF) 2.0: A voluntary framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks. NIST recently released its first update in a decade, and a key element was the inclusion of supply chain risk management.

NIST Special Publication 800-161 (Supply Chain Risk Management): This publication provides guidance on identifying, assessing, and mitigating supply chain risks, including cybersecurity risks, throughout the acquisition and product lifecycle.

ISO 27001: An international standard that provides a framework for Information Security Management Systems (ISMS) to help organizations manage and protect their information assets. It includes controls for managing supply chain risks.

ISO 28000: An international standard for Supply Chain Security Management Systems, which helps organizations establish and maintain security management systems to protect their supply chains from various threats, including cyber threats.

GDPR (General Data Protection Regulation): A comprehensive data privacy regulation in the European Union that requires organizations to implement appropriate technical and organizational measures to protect the personal data of EU citizens, which includes managing supply chain risks.

CCPA (California Consumer Privacy Act): A data privacy regulation in California that grants consumers greater control over their personal information and requires businesses to implement reasonable security measures to protect personal data, including data shared with third parties in the supply chain.

HIPAA (Health Insurance Portability and Accountability Act): A U.S. regulation that requires healthcare organizations and their business associates to implement safeguards to protect the confidentiality, integrity, and availability of sensitive health information, including managing risks associated with third-party vendors.

DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012: A U.S. regulation that requires contractors and subcontractors of the Department of Defense to implement specific cybersecurity safeguards, including managing supply chain risks related to cyber threats.

FISMA (Federal Information Security Management Act): A U.S. law that requires federal agencies and their contractors to develop, document, and implement information security programs, including managing supply chain risks.

NYDFS Cybersecurity Regulation (23 NYCRR 500): A New York State regulation that requires financial services companies to establish and maintain a cybersecurity program, including managing third-party service provider risks.

Government and adjacent industrial bases, in defense and energy, for example, need to adhere to stringent interpretations of cyber supply chain risk management (C-SCRM). C-SCRM focuses on identifying suppliers, hardware, and software in an organization’s ecosystem, then assessing their dependencies, and mitigating the vulnerabilities among them.

Recent Government Guidance and Orders