Vendor and cyber BI risks undervalued

21 December 2017

A number of recent surveys have highlighted the need for companies to do more to assess the cyber security and insurance arrangements of their suppliers and business partners.

Many companies with robust cyber security controls have found themselves compromised by cybercriminals entering through a third party in the supply chain that have access to their systems. Perhaps the best known example is the 2013 Target cyber attack, in which the details of 70 million customers were compromised after a hacker gained access to the US retailer’s systems via an air-conditioning contractor.

According to a 2017 Ponemon Third Party Data Risk Survey, 56% of respondents said that their organization had experienced a data breach caused by one of its vendors, up 7% on the previous year.

However, companies lack visibility into the security practices of third parties, even though they continue to share data with them. For example, 57% do not have an inventory of all third parties with which they share sensitive information, and the same number do not know if third parties’ policies would prevent a data breach.

Unsurprisingly, Ponemon found that companies are less confident about managing cyber risk from third parties. Just 17% say they are highly effective at mitigating third-party risks, down from 22% in 2016. However, boards are taking third party risk more seriously - 15% more respondents said their boards are more involved in third-party risk management programs.

In its Vendor Risk Management study, Advisen noted that regulators increasingly now evaluate whether a board appropriately oversees the risks involved in its outsourced relationships. Yet, while supply chain risk management has moved to the top of the agenda for risk managers, boards have a noticeably lower level of engagement and understanding of cyber security risks to vendors than to their own business, it says.

OVERLOOKED

In another report from Advisen, its annual Information Security and Risk Management survey, the cyber intelligence firm says that the security controls of vendors and other business partners are still all too often overlooked.

The survey showed that vendor risk assessment is the least frequently conducted pre-breach service by both internal and external resources. It also found that just over half of respondents say that they include cyber security requirements in RFPs and contracts with vendors, while a similar proportion require adherence to standards.

Interestingly, around 55% of respondents say that their organizations include cyber insurance requirements in Requests for Proposals (RFPs) and contracts for relevant service providers and business partners. Around 30% also review their partners’ business continuity plans and 20% will consider their partners’ incident response plans.

The Advisen research tallies with CSO’s US State of Cybercrime Survey, which found that only 47% of companies surveyed are evaluating their supply chain vendors and partners to ensure approved security practices are in place before signing a contract.

This due diligence led 31% of the organizations surveyed to terminate contracts or relationships with partners. To ensure security practices are maintained, 58% of organizations with more than 1,000 employees require business partners to sign service-level agreements to specify cyber security standards, CSO found.

BUSINESS INTERRUPTION

Advisen’s Information Security and Risk Management survey also found that some companies may not be taking cyber-related business interruption exposures perhaps as seriously as they should.

The survey was conducted in the aftermath of a number of disruptive cyber incidents, including the WannaCry and NotPetya ransomware attacks. When asked if their organizations have made changes to cyber security controls following these attacks, only 53% said that they had.

Despite the recent global ransomware attacks, the survey also revealed that business interruption related to cyber is still viewed as the lesser risk when compared with data breaches. When asked to rate how their company views various risks, on average, 35% of the respondents rated data integrity risks as “high risk” compared with 22% for business continuity risks.

This suggests that businesses may not be keeping pace with cyber-related risks and the evolving threat landscape, which increasingly exposes their organizations to business continuity related losses.

RISING CONFIDENCE

A key finding of Advisen’s Information Security and Risk Management survey found growing confidence among the C-suite over cyber security, despite a perceived rise in the magnitude of cyber risk. However, it is worth noting that Advisen’s report is US facing, where companies are ahead in terms of cyber security awareness.

For the first time in seven years, there has been a decline in how seriously C-Suite executives view cyber risk. Just under two thirds (62%) of the risk professionals surveyed in Advisen’s Information Security and Cyber Risk Management report said boards of directors view cyber risk as a significant threat to their organization, down from 83% in 2016.

According to Advisen, this finding could indicate board members have become more comfortable in their understanding of cyber exposures. An increased enterprise-wide focus on cyber risk and better communication to company leadership may have eased concerns and increased confidence in cyber security controls, it says.

In contrast, a much higher proportion of risk managers and IT personnel viewed cyber as a significant threat to the organization - at 86% and 93% respectively.

For more information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.