2023 Cyber Resilience Report

This is article 3 of 18 in this Report.

August 01, 2023 / 3 min Read

Cyber Attacks on Supply Chains Are Causing a Widespread Impact

One of the greatest challenges with managing cyber attacks across today’s supply chain is understanding the extended enterprise's threat profile and base controls.

Key Takeaways

  1. Clients overall reported only marginal improvement in third-party risk management.
  2. No industry has yet achieved a mature, systematic approach to managing third-party risk.
  3. Only 46 percent of clients reported multi-factor authentication (MFA) for third-party remote access to operational technology.

Digital transformation following the pandemic digitized the upstream and downstream supply chains of virtually every organization. The combination of microchip supply chain shortages and the emergence of numerous new malware families appears to have created a perfect storm.1

Global supply chains across industries face a dynamic and unpredictable environment. Persistent geopolitical uncertainty, coupled with emerging international regulations and sanctions, heightens the risk of penalties and supply chain disruption.2 Cyber risk, most notably third- and fourth-party risk (the risk introduced by a supplier's own suppliers), adds considerably to this complexity. While digital connectivity greatly improves the visibility and reliability of supply chains, it also expands the attack surface available to bad actors.

The impact of a supply chain attack can be widespread. With potentially thousands of suppliers, a single supply chain event can produce outcomes well beyond business interruption. Risks to human safety are a key concern: an automotive original equipment manufacturer (OEM) that builds other OEMs' devices into its vehicles may ship connected cars that inherit those components' weaknesses. There are also political risks introduced by vendors based in geopolitically volatile locations, and new risks introduced by vendors that operate under a more demanding regulatory framework. The complexity and potential impact of these attacks underscore the need for effective risk management and make one thing clear: comprehensive oversight and understanding of third-party risk are crucial.

Aon’s CyQu findings provide an essential insight into this issue. Here’s what Aon clients reported.

Aon CyQu Findings: Aon Clients Report

The CyQu findings show that clients across industries reported only marginal improvement in third-party risk management, with a global average score of 2.2 in 2022. On the CyQu scale, 2.2 sits in the "basic" band, a low level of maturity indicating that most organizations are still in the early stages of establishing robust third-party risk practices. The third-party domain also received the lowest score of all nine scored CyQu domains, and no industry has yet achieved a mature, systematic approach to managing third-party risk. These findings highlight the significant challenge of managing supply chain risk and the urgent need for more comprehensive and effective strategies. The result is unsurprising: understanding the risk that every vendor introduces is a real struggle, and the deepening interconnection of a company's technology stack sharply increases third-party exposure.

Taking an industry view, construction and manufacturing improved their overall third-party risk profile from "initial" to "basic" (1.7 to 2.0 and 1.8 to 2.0, respectively). Construction, however, still reported only "initial" maturity in third-party diligence, "basic" in contract management, and "managed" in third-party inventory management.

Third Party Domain CyQu Risk Scores

Industry                                          2020   2022   Change
Manufacturing                                     1.8    2.0    +0.2
Other Industries*                                 1.9    2.1    +0.2
Other Services**                                  2.0    2.2    +0.2
Information, Software and Technology              2.3    2.5    +0.2
Finance and Insurance                             2.3    2.5    +0.2
Health Care and Social Assistance                 2.1    2.3    +0.2
Professional, Scientific and Technical Services   2.1    2.5    +0.4
Retail Trade                                      2.0    2.2    +0.2
Transportation and Warehousing                    1.8    1.9    +0.1
Construction                                      1.7    2.0    +0.3
Educational Services                              2.1    2.1    +0.0
Real Estate, Rental and Leasing                   2.1    2.3    +0.2

CyQu Risk Maturity Scoring

Initial: 1.0 - 1.9

Basic: 2.0 - 2.5

Managed: 2.6 - 3.4

Advanced: 3.5 - 4.0

* The 'Other Industries' category represents responses from clients in the following industries: Accommodation and Food Services; Agriculture; Arts, Entertainment and Recreation; Management of Companies and Enterprises; Public Administration; Utilities; Waste Management and Remediation Services; Administration and Support; and Wholesale Trade.

** The 'Other Services' category is self-selected by the client.

Professional services companies improved in those same categories. Their score of 2.5 (up from 2.1) brought the industry in line with Finance and Insurance and with Information, Software and Technology, historically the top performers in third-party risk, partly because of the regulatory environment that shapes their security decisions.

According to the Operational Technology supplemental data, 54 percent of clients lacked multi-factor authentication (MFA) for third-party remote access to operational technology. Without MFA, a single stolen or phished vendor credential is enough to open that remote-access path, increasing the risk of a network breach.

References

1 Aon. "Conditions are Right for a Cyber Attack Like We Have Never Seen Before." Article, October 2022.

2 Lamba, John. "Three International Regulations that Will Impact US Supply Chains in 2023." Forbes, March 9, 2023. Retrieved from https://www.forbes.com



Managing cyber across six featured risk themes.

This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.