Navigating Supply Chain Challenges in Audit, Risk and Governance

Author: Renu Bedi, CISA, CISM, CISSP, CDPSE
Date Published: 26 July 2023

Given the increase in cyberattacks and risks surrounding supply chains in recent years, supply chain security has become top-of-mind for many organizations. Technological advancements have significantly increased supply chain risk, and outsourcing to a third party elevates that risk further, including the potential for regulatory penalties arising from supplier incidents.

Organizations are increasingly at risk of supply chain compromise, whether intentional or unintentional. The same factors that make low cost, interoperability, rapid innovation, a wide range of product features and other benefits possible also increase the risk of a supply chain compromise, which in turn creates risk for the organization. Supply chain cyber risk management (SCCRM) requires ensuring the integrity, security and resilience of the supply chain, of its products and services, and of their quality. Cyber risks related to the supply chain include insecure manufacturing and development practices, insertion of counterfeits, unauthorized production, tampering, theft and insertion of malicious software.

An attacker follows a strategic approach to target an organization through vulnerabilities in its supply chain. The SolarWinds attack was a supply chain cyberattack that began in September 2019, when threat actors gained unauthorized access to the SolarWinds network. On 13 December 2020, this highly sophisticated intrusion, which leveraged a commercial software application from SolarWinds, was discovered. It was determined that advanced persistent threat (APT) actors had infiltrated the SolarWinds supply chain by inserting a backdoor into the product. As customers downloaded the trojanized installation packages from SolarWinds, the attackers gained access to the systems running the SolarWinds product(s).

To prevent cyberattacks similar to SolarWinds, organizations must ensure that adequate security controls exist and operate effectively. A few security controls that maintain cybersecurity hygiene are security information and event management (SIEM) and log management, data loss prevention (DLP), penetration testing, vulnerability assessment and patch management. Other important considerations include supply chain audit, risk and governance.

Supply Chain Audit

Organizations must have a formal, established supply chain audit program that focuses on the supply chain management process, including policies, organizational risks, process risks, cost control and performance measures. Through this program, organizations can assess the cybersecurity posture of their suppliers using a security questionnaire. Organizations should also ensure that the findings identified during this assessment are remedied within agreed-upon timelines to reduce risk to an acceptable level.

Supply Chain Risk

Supply chain risks include all the possible disruptions that could impact the organization's products or services. Organizations must know every supplier that accesses, stores or processes their data or provides them with services. Some organizations either do not perform due diligence or do not act on the risk(s) identified during the security assessment of their suppliers. This complacency could leave the organization exposed to the outside world, and bad actors could exploit these vulnerabilities, leading to a security breach.

Some risk categories that an organization should be aware of are:

  • Reputational
  • Geopolitical
  • Cybersecurity
  • Compliance
  • Financial
  • Operational

Compliance-Based vs. Risk-Based

Compliance-based and risk-based are the two types of approaches that organizations can use to select and implement security controls. By applying a compliance-based approach aligned with established industry regulations, organizations remain protected from existing and emerging risks. The risk-based approach helps protect organizations from threats that could lead to non-compliance (regulatory or compliance risk). A risk-based approach begins with understanding the business needs; the type of data and its associated elements; who can access, store or process that data; the threats; and the vulnerabilities. Qualitative risk assessments, quantitative risk assessments, or both can be performed to understand the risks related to the data and the security controls required to protect it.

Supply Chain Governance

Governance is the accountable oversight that the leadership provides to manage and mitigate business risks related to the supply chain. The following are the vital components of governance:

  1. Oversight committee: The organization should have a risk management oversight committee to monitor the organization’s risk environment and provide direction for the activities to mitigate the risk to an acceptable level.
  2. Framework: To manage supply chain cyber risk, organizations should evaluate and adopt a risk and compliance framework to establish a formal SCCRM. Organizations can select the risk and compliance framework based on the type of data and associated data elements, where the data are hosted, and applicable laws. This framework is advantageous for measuring, monitoring and tracking supplier cyber risk.
  3. Supplier risk management policy and standard: Organizations should have a formal, documented, approved and established policy and standard that can be leveraged by all workforce members (employees and non-employees).
  4. Master services agreement (MSA) with security exhibit: The organization should ensure that all critical suppliers agree to the security exhibit before accessing, storing or processing data with regulatory or compliance implications. Through this agreement, the organization obtains the “right to audit” at least its high-risk suppliers.
  5. Supplier risk tier model: The organization should assign a risk tier to all suppliers based on the type of data (regulatory and compliance implications), data elements, the volume of data and the ability to access, host and store data. The organization will assess these suppliers based on risk tier and ensure that identified issues are remedied in agreed-upon timelines to reduce risk to an acceptable level.
  6. Supplier termination: The organization should have a formal, documented, approved and established supplier termination process that can be followed whenever the business owner wants to terminate a supplier. During termination, the organization removes all logical and physical access and obtains a formal data destruction certificate.

Supply chain security controls are essential in preventing cyberattacks and compromises. By establishing supply chain audit programs, identifying risks and acting to mitigate them, and ensuring the vital components of governance are properly in place, organizations can strengthen their protections against these kinds of attacks.