2023 Cyber Resilience Report
This is article 3 of 17 in this Report.
August 01, 2023 / 3 min Read
Cyber Attacks on Supply Chains Are Causing a Widespread Impact
One of the greatest challenges with managing cyber attacks across today’s supply chain is understanding the extended enterprise's threat profile and base controls.
- Clients overall reported only marginal improvement in third-party risk management.
- No industry has yet achieved a mature, systematic approach to managing third-party risk.
- Only 46 percent of clients reported multi-factor authentication (MFA) for third-party remote access to operational technology.
Digital transformation following the pandemic involved a process of digitization throughout the upstream and downstream supply chains of all organizations. The combination of microchip supply chain issues and the emergence of numerous pieces of malware appears to have created a perfect storm.1
Global supply chains across industries face the challenge of a dynamic and unpredictable environment. Persistent geopolitical uncertainties, coupled with emerging international regulations and sanctions, heighten the risk of penalties and supply chain disruption.2 Cyber risk, most notably third- and fourth-party risk, dramatically adds to this complexity. While the visibility and reliability of supply chains are greatly empowered by digital connectivity, bad actors are also empowered by the resulting expanded attack surface. One of the greatest challenges with managing cyber attacks across today’s supply chain is understanding the extended enterprise’s threat profile and base controls.
The impact of a supply chain attack can be widespread. With potentially thousands of suppliers, a supply chain event can result in varied outcomes beyond business interruption. People safety risks are a key concern. For example, the automotive original equipment manufacturer (OEM) that relies on other OEM devices might produce at-risk connected cars. Then there are the political risks introduced by vendors based in geopolitically volatile locations, or new risks introduced by vendors that operate within a more challenging regulatory framework. The complexities and potential impacts of these supply chain attacks underscore the need for effective risk management, making one thing undeniably clear—comprehensive oversight and understanding of third-party risks are crucial.
Aon’s CyQu findings provide an essential insight into this issue. Here’s what Aon clients reported.
Aon CyQu Findings: Aon Clients Report
Examining the CyQu findings, clients across industries reported only marginal improvement in third-party risk management, with a global average score of 2.2 in 2022. To put this in context, a score of 2.2 represents a low level of maturity in managing third-party risk, suggesting that most organizations are still in the early stages of establishing robust risk management practices. This is underscored by the fact that the third-party domain received the lowest CyQu score of all nine scored domains. Notably, no industry has yet achieved a mature, systematic approach to managing third-party risk. These findings highlight the significant challenges businesses face in managing supply chain risk and the urgent need for more comprehensive and effective risk management strategies. This result is unsurprising. Understanding the risk that all vendors introduce is a real struggle, and the deepening connection across a company’s technology stack exponentially increases third-party risk.
When taking an industry view, the construction and manufacturing industries improved their overall third-party risk profile from “initial” to “basic.” However, construction reported only “initial” risk maturity in third-party diligence, “basic” in contract management, and “managed” in third-party inventory management.
Third Party Domain CyQu Risk Scores
|Information, Software and Technology||2.3||2.5||+0.2|
|Finance and Insurance||2.3||2.5||+0.2|
|Health Care and Social Assistance||2.1||2.3||+0.2|
|Professional, Scientific and Technical Services||2.1||2.5||+0.4|
|Transportation and Warehousing||1.8||1.9||+0.1|
|Real Estate, Rental and Leasing||2.1||2.3||+0.2|
CyQu Risk Maturity Scoring
Initial: 1.0 - 1.9
Basic: 2.0 - 2.5
Managed: 2.6 - 3.4
Advanced: 3.5 - 4.0
* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.
** ‘Other Services’ category is self-selected by the client.
Professional services companies saw risk profile improvement in those same categories. The score in professional services (2.5) brought the industry in line with finance and insurance and information software and technology industries — historically the top performers in third-party risk partially due to the regulatory environment that shapes their security decisions.
According to Operational Technology Supplemental data, 54 percent of clients lacked multi-factor authentication (MFA) for third-party remote access to operational technology thereby increasing the risk of network breaches.
1 “Conditions are Right for a Cyber Attack Like We Have Never Seen Before.” Aon. Article. October 2022. Conditions are Right for a Cyber Attack Like We Have Never Seen Before | Aon
2 “Three International Regulations that Will Impact US Supply Chains in 2023.” Lamba, John. Article. Forbes. March 9, 2023. Retrieved from https://www.forbes.com
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.
Steps to Minimize Cyber’s Impact on Systemic Risk
The task of managing systemic risk has catapulted to the top of the priority list for the insurance industry as significant cyber events rang the alarm bell that systemic risk is considerable, and can cause widespread impact.
Build a Plan to Address the Perils of Reputational Risk
Cyber attacks can be damaging to shareholder value. But not all companies lose value because of an attack. Research revealed 17 companies that realized an average value impact, over and above the market, of +18 percent post-event, or a total value impact of $445bn following an incident.
Take These Steps to Mitigate Operational Risks
Insurance carriers prioritized controls related to operational risk in 2022, and clients responded. While ransomware data breaches dipped down for short period, there was an uptick in Q1 2023 and phishing and spear phishing schemes present great risk.
Cyber Insider Threats are a Growing Business Risk
Malicious actors know that humans are fallible. In 2022, two in five companies reported a lack of security operations center (SOC) controls, intensifying insider risk.