Skip to main content
QBE Canada

How to manage cyber security risks across digital supply chains

Digital supply chains are integral to almost every modern business. From ecommerce platforms to cloud hosting providers, the digital supply chain for even the smallest of businesses can be complex.

This article on supply chain cyber risk, though written with an Australian audience in mind, outlines challenges and mitigation strategies that resonate globally. The interconnected nature of today’s digital supply chains means that vulnerabilities in one part of the world can have impacts across borders. With additional links exploring cyber threats in mergers and acquisitions as well as insider risks, this piece offers a comprehensive view of the evolving cyber landscape - one that all organizations, regardless of location or sector, should be actively addressing.

  • IT service providers, along with their own network of providers they’re reliant on, form complex digital supply chains with many potential cyber security vulnerabilities.
  • Digital asset registers, regular audits, strong contracts, and supplier monitoring processes are essential to effectively managing this core cyber risk.
  • Business continuity plans, alternate supplier arrangements, and back-up contingencies can also help to build resilience in the event of a disruption.

While these digital connections can drive efficiency, they also introduce significant risks. Recent figures reveal that 85% of Australian businesses use information and communication technologies (ICTs), while 63% use cyber security software and 59% use cloud technology, underlining just how many businesses have a substantial digital supply chain footprint.1

“Allowing third-party access to your organization’s digital ecosystem opens potential vulnerabilities, with both data security and business continuity at stake if neglected or poorly managed,” said Ben Richardson, Cyber Product Lead for QBE Australia.

“Many ICT providers also rely on their own network of IT suppliers, further extending an organization’s risk exposure to fourth and fifth-party channels.”

The 2024 CrowdStrike outage, for example, disrupted global systems due to an update issue, underscoring how deeply businesses depend on stable, secure digital supply chains.2

In this landscape, businesses of all sizes need visibility and controls to manage digital supply chain risks. In Australia this is becoming increasingly regulated, with APRA’s CPS 230 now requiring financial institutions to strengthen operational risk management and resilience across APRA-regulated entities, highlighting the growing responsibility for all businesses to more closely manage their IT supply chain.

What are the main sources of digital supply chain risks?

Understanding the primary sources of your digital supply chain risks is essential part of your risk management strategy. These risks generally fall into three main areas:

1. Vulnerabilities in third-party systems

Weaknesses in your vendors’ or suppliers’ software, systems, and security protocols can expose your business to potential cyber-attacks. Ensuring that suppliers have robust cyber security measures and strong access controls in place can help minimize these risks.

2. Data breaches or system outages from interconnected systems

With each additional digital system connected through APIs, the risk of unauthorized access grows. APIs (Application Programming Interfaces) allow different software to communicate and share and store data, creating potential points of vulnerability that need to be carefully managed.

Mapping and understanding these connections in your systems is crucial to reducing the potential exposures from data handling via third party suppliers, or an unplanned outage due to a vendor’s systems being unavailable.

3. Risks from outdated or compromised software

Outdated or unpatched software can leave your systems vulnerable to cyber threats. Working with your vendors to ensure a consistent update and patching schedule is in place is essential for reducing the risk from known vulnerabilities.

Managing digital supply chain risks when onboarding new providers

When engaging a new digital provider, it’s important to do your due diligence and capture key information to validate and mitigate any potential threats.

Knowing your providers, their security posture, as well as getting visibility of their network of vendors, can help you understand any potential risks that could potentially impact your business.

“It’s not just enough to know what companies you’re contracting to; you also need to understand which vendors are most critical to your business. You can then start to build an ongoing and transparent vendor assessment framework to obtain greater visibility of your risk profile over time,” said Richardson.

When deploying any new IT solutions within the business, it’s important to ensure the default security settings of the application have been considered. Turning on multi-factor authentication (MFA) is one common example of this, however, there are often other security functions that can be enabled.

Questions to ask during the digital platform procurement process

Developing a standardized questionnaire for use during the procurement process can help you consistently assess the provider’s cyber security practices and identify potential risks. Some questions to consider include:

  • What cyber security and data protection regulations does the provider comply with, and how often are compliance audits conducted?
  • Where is data stored, and how is it encrypted?
  • How does the provider manage access to sensitive information, and what privacy and security practices are followed to protect it?
  • Are Incident Response Plans (IRP), Business Continuity Plans (BCP), and Disaster Recover Plans (DRP) in place for detecting, reporting, and responding to cyber breaches? And do these include notifying your organization of a suspected cyber incident that could impact your operations?
  • How does the provider assess and manage vulnerabilities, including regular patch updates?
  • Who are the provider’s key vendors for hosting and data processing, and what assessment protocols exist for these third parties?
  • How is data backed up, and what are the recovery procedures in case of data loss?
  • What security awareness training is required for staff?
  • Is remote access enabled? If so, how is it controlled? (i.e. how is MFA deployed for any remote access controls?)
  • What insurance policies do they hold for cyber security incidents, and are there any material limits on liability?
  • Does the business conduct any regular penetration testing or disaster tabletop exercises to continuously stress test their current cyber posture?

Managing contractual cyber security expectations with digital providers

Contracts are a critical part of the procurement phase, as they allow the organization purchasing the platform to set security standards and expectations.

“Some of the most common claims we see in the ICT liability segment result from contracts that weren’t well defined from the early stages,” Richardson explains.

“If you engage a provider to perform a service, and the contract terms are unclear or open to interpretation, it can create misalignment.

“For instance, if one party expects certain bespoke capabilities, yet that capability requires additional service levels or resources not agreed to via contract, this ambiguity in the contract can easily lead to disputes or cost escalations. Roles and responsibilities should be clear from the outset.”

However, the success of contract negotiations for an IT vendor engagement can also vary based on the size of the company selling the software, and the size of the company purchasing it.

“It is recommended that any terms regarding waiver of legal rights, transfer or limitation of liability, or notification when a suspected cyber incident occurs, are clearly understood and reviewed carefully,” said Richardson.

Managing digital supply chain risks with existing providers

For many businesses, digital relationships are already deeply entrenched, and retrospective action is needed to fully understand where weaknesses might lie.

A good starting point is to conduct a thorough inventory of all existing digital suppliers, especially in larger organizations where different teams may be using a variety of systems.

“Having a complete inventory of your suppliers and APIs throughout the business is essential. There are many great scanning tools available that can map every digital platform connected to your network, helping you identify existing APIs and suppliers with access and potentially detect any legacy security loopholes,” said Richardson.

An up-to-date inventory will help your organization track access points, uncover potential vulnerabilities, and apply the right measures to minimize risks and meet cyber security standards.

Establish cyber security monitoring and review processes

Cyber security requires ongoing attention, as threats evolve and new vulnerabilities can appear over time.

Implementing a regular review and testing process, both internally and with suppliers, can help businesses stay ahead of potential risks. This can include:

  • Continuous monitoring: Use monitoring tools to track data flows and detect unusual activity in real-time.
  • Regular reporting: Require suppliers to provide regular updates on their cyber security measures and report any incidents.
  • Incident response plans: Develop plans to outline how your business will respond to and manage vulnerabilities as they arise.
  • Supplier audits and reviews: Conduct periodic audits of suppliers’ cyber security protocols to ensure ongoing compliance.

Strengthening business continuity and disaster recovery

Effective risk management is essential across all areas of business, as despite best efforts, things can still go wrong.

“The recent CrowdStrike example shows how a simple deployment failure can impact even the most well-prepared systems, highlighting how important it is to prepare for the worst-case scenario,” said Richardson.

Preparing for disruptions is key to resilience. To enhance your business continuity and disaster recovery plans, you can consider:

  • Back-up environments: Set-up an alternate digital working environment to keep operations running if your primary network goes down.
  • Alternate suppliers: Identify back-up suppliers you can rely on if a primary supplier experiences downtime.
  • Cyber Insurance: Ensure both your business, and your providers, have adequate cyber insurance coverage.

The importance of cyber protection for your business

Businesses rely on their digital supply chains, and just like physical supply chains, they need to be managed and monitored carefully.

QBE’s cyber insurance policy QCyberProtect can provide critical support during a cyber event and can help protect against the financial and reputational impacts arising from digital threats. Talk to your broker today for more information about our offering.

 

This article first appeared on 10 January 2025 on QBE Insurance (Australia).

Useful resources:

1 Australian Bureau of Statistics, Characteristics of Australian Business, June 2023 (latest release)
2 ABC News, ‘CrowdStrike releases root cause analysis of the global Microsoft breakdown’