In recent years we have witnessed cyber-attacks on organizations through their supply chain. One of the most widely discussed recent cyber-attacks was on Taiwan Semiconductor (Nasdaq: TSMC), Apple's main chip supplier. The resulting downtime interrupted the production and supply of chips to Apple, costing the company an estimated $250 million in damages. Although the attack was carried out on a company in Apple's supply chain, it also affected Apple's own customers, since TSMC is a link in a wider supply chain.
Businesses often work with different vendors to provide their product or service. All of these agreements make up what is referred to as the "supply chain". Each supplier is expected to meet pre-defined conditions to ensure that it does not endanger its customer or create unmanaged exposures. Risks to customers may arise because the supplier provides a service that is at the core of the customer's business (such as TSMC for Apple), a service that exposes the customer to privacy and compliance risks (e.g., leakage of sensitive information by the supplier), or a service that exposes the customer to information and data security risks.
A supply chain security event is estimated to result in a $15 million loss on average. However, the potential damage is not limited to finances; it can also affect corporate reputation and the ability to continue providing the service or product in the long run, and it can have other indirect consequences. Since 2015 we have seen a 70% increase in attacks on corporations through the supply chain. Studies by Verizon and others estimate that in the next three years we will experience "mega-cyber-attacks" on the supply chain.
It is therefore incumbent upon every company to assess the risk associated with its supply chain and subsequently make risk-based decisions about the treatment strategy and the level of security it expects from its suppliers. This process is called Supply Chain Risk Management. The security check is performed via a survey whose parameters are laid out by official agencies (The Cyber Network, NIST, the Privacy Protection Authority) and by the customer itself.
The proliferation of suppliers and frequent changes in technology make it difficult to manage risk in the supply chain effectively. Financial organizations, for example, conduct an annual survey of approximately 40% of their significant suppliers, meaning that each supplier is thoroughly examined only once every two years. In this fast-changing world, late detection or non-detection of critical defects (about 15 defects per supplier on average) can result in serious damage to the supply chain, to the point of disabling key company activities and presenting an existential threat to the organization.
Regulations and economic agreements on the subject require uniform language. The parameters that determine what a critical supplier is and what rules apply to it must be consistent among all the entities. The survey specifications and implementation methodology, as well as the set of skills required to conduct the surveys, should create a benchmark and transparency that give an organization the confidence to rely on prior vendor tests. A gap management program can give value both to customers and to suppliers who suffer from repeated audits and wasted time and resources. Thus, the entire economy will be able to benefit from a uniform system of grades and a clear, comprehensive risk level for each supplier.
A company's senior management must channel resources to protect the soft underbelly - the supply chain - in order to prevent economic and reputational damage, by applying the principles of quality risk management based on empirical data. Today, various authorities publish recommendations for risk management in the supply chain, and companies can choose whether to comply. In my opinion, the more regulators understand the nature of the risk, the more regulation will be tightened, so it is desirable and necessary for companies to adopt, today, both local and international standards, as well as tools for effective and safe supply chain management.