Andrei Quinn-Barabanov shares practical ways to tackle three of the largest causes of cyber supply chain incidents that can negatively impact your company’s operations and performance
When Supply Chain leaders ponder the risks that pose a threat to their organization, the usual suspects will likely be top of mind – namely, financial, operational, and regulatory risk. But, what about cyber risk?
Certainly, this is of growing concern: a recent Hiscox survey found that 67% of firms have reported an increase in the number of cyberattacks during the past 12 months. And, 40% reported that a supply chain-related vendor breach was the most common form of cyberattack they had experienced during the same horizon.[1]
Cyberattacks are becoming increasingly common across the public sector, too. According to the U.S. General Services Administration (GSA), the increasing frequency and severity of cyber-related supply chain disruptions and incidents has directly led to numerous legislative and executive actions during the past decade – resulting in federal executive branch agencies now being mandated to implement cybersecurity supply chain risk management (C-SCRM) practices.[2] Such concern is understandable: a number of high-profile cases have involved sensitive internal systems being compromised as a result of successful cyberattacks on suppliers and IT service providers. The SolarWinds Orion hack, for example, allowed attackers to insert malware through software updates to SolarWinds’ Orion, which was being used by more than 30,000 public and private organizations.[3]
And, yet, cyber resilience and preparedness have not kept pace with the growing prevalence of attacks: a third of business leaders (34%) do not feel that their organization is adequately prepared to handle cyberattacks due to a lack of expertise in managing these risks.[4] And, so, there is no better time to build a more robust approach to monitoring exposure to cyber risk across your supply chain.
Cybersecurity risks in the supply chain stem in large part from vulnerabilities in three areas:
These risks often arise in complex, multi-tiered supply chains where reliance on subcontractors and external vendors creates blind spots. Weak security controls, limited oversight, and lack of transparency further amplify these vulnerabilities. Global sourcing and reliance on external providers also heighten these risks, as organizations struggle to enforce consistent security practices across a diverse range of entities and geographies.
The consequences of a breach can be far-reaching – from operational disruptions and reduced service quality, to customer dissatisfaction, intellectual property or data theft, and the compromise of critical business functions.
So, how do suppliers’ weak cyber defenses leave your company vulnerable to disruption and losses? There are three main ways:
The first step to take is to tighten processes around access to internal systems. There is usually a limited number of service providers that need access to your information. These vendors should be considered high-risk and subject to significant vetting. Be mindful that in many companies HR or IT are responsible for these vendors. When they are not managed by the Supply Chain team, these service providers may fall between the cracks of supplier due diligence and monitoring. Whoever manages these suppliers should monitor them closely, preferably using Supply Chain’s standard vetting and monitoring processes.
The second step towards improved cybersecurity protocols is restricting information sharing with suppliers. While it may be challenging to do this consistently, evaluating the types of information shared, and whether only mission-critical information is available to a supplier, is crucial. One effective approach is to only share documents with suppliers in a secure environment – whether that be a secure cloud or via company-issued laptops for those suppliers who must receive information from you.
While steps 1-3 can often be done without external assistance, step four is where data providers, like Moody’s, can help.
For example, Moody’s Supply Chain Catalyst solution has integrated cyber risk ratings, which can measure suppliers’ likelihood of experiencing a cyber incident. Based on these supplier profiles, actions 5 and 6 can be taken internally in consultation with IT Security experts.
Of course, preparedness is always key. The final area of supply chain cyber improvements does not concern cyber preparedness as such; it concerns being prepared for any situation where a key supplier is disrupted.
While a supplier may be able to withstand the fallout from a cyberattack in isolation, performance issues are more likely to arise when a cyberattack coincides with and compounds other non-cyber risk factors – most commonly financial issues. Without the proper mitigants in place, a cyberattack in this scenario can lead to serious disruption. That’s why basic risk mitigation measures, such as stockpiling extra inventory, are an evergreen and prudent idea.
Powered by carefully curated data and sophisticated analytics, Moody’s helps organizations build a holistic view of their supply chain risk exposure so they can better anticipate disruption, enhance sourcing, procurement and logistics processes, as well as build resilience. For more information about how Moody’s can help you quantify and manage supply chain risk, please visit this page or complete this form to get in touch with the team – we would love to hear from you.
[1] https://www.hiscoxgroup.com/sites/group/files/documents/2024-10/HSX245%20%E2%80%93%20%202024%20CRR.pdf
[2] https://www.gsa.gov/system/files?file=C-SCRM%20Acquisition%20Guide%20April%202025%20508reviewed.pdf#:~:text=The%20NIST%20guidance%20is%20the%20best%20source%20of,address%20cybersecurity%20risks%20arising%20from%20the%20supply%20chain
[3] https://www.gsa.gov/system/files?file=C-SCRM%20Acquisition%20Guide%20April%202025%20508reviewed.pdf#:~:text=The%20NIST%20guidance%20is%20the%20best%20source%20of,address%20cybersecurity%20risks%20arising%20from%20the%20supply%20chain
[4] https://www.hiscoxgroup.com/sites/group/files/documents/2024-10/HSX245%20%E2%80%93%20%202024%20CRR.pdf