Today’s Complex Supply Chains Bring Security and Compliance Risks


In a global economy, businesses are highly dependent on goods and services moving through a complex supply chain of international participants. Bringing a product to market involves intricate relationships with hundreds or even thousands of “links” in the chain, including third-party vendors, producers, suppliers, subcontractors and distributors. A failure at any one of those links can disrupt the entire chain.

Cybersecurity and compliance risks are a growing problem. To achieve operational efficiencies, organizations are giving supply chain partners access to their systems, applications and data. If a partner does not maintain strong security, that access can lead to a breach that cascades from the partner into every organization connected to it. In a recent Forrester study, 55 percent of cybersecurity professionals said their organization had experienced a security incident involving a supply chain partner in the preceding 12 months.

Despite the stakes, a new study by Refinitiv suggests that many companies are doing very little to reduce risk from their supply chain partners. The study found that multinational corporations have, on average, almost 10,000 third-party relationships, but almost half of those are not subject to any form of due diligence. The study also found that most companies don’t know if any of their third-party partners are outsourcing work to someone outside the supply chain.


Too Little Oversight

Perhaps the most well-known supply chain attack involved SolarWinds, a provider of software for enterprise IT monitoring. Attackers broke into the SolarWinds network and inserted a backdoor into updates of the company’s Orion software. Because the tampered updates were built and signed through SolarWinds’ own release process, they carried the vendor’s legitimate code-signing certificate and were delivered to some 18,000 SolarWinds customers, giving the attackers a backdoor into those organizations’ networks.

The case illustrates why companies must exercise stringent oversight of supply chain partners. It also shows the limits of paperwork alone: a vendor questionnaire would not have revealed a backdoor hidden inside a properly signed update, so oversight has to cover what partners actually deliver and what access they hold, not only what they attest. Without insight into all levels of their supply chains, companies cannot effectively conduct due diligence. That creates the potential for security failures that could disrupt the entire supply chain and threaten business operations.

Even more worrisome, most companies say they believe the current economic climate is encouraging third parties to cut corners on government and industry regulations in order to lower costs and win new business. Regulatory compliance violations by a supply chain partner can result in significant costs and reputation damage for an organization.

Meanwhile, a recent Gartner survey finds that legal and compliance leaders are concerned that the shift to work-from-home operations by third-party vendors and suppliers is increasing the risk of cybersecurity incidents and data breaches that could affect organizations. Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice, said it is unlikely that every third-party organization or employee is following security best practices.


Managing Relationships

To mitigate risk, organizations need a supply chain manager who maintains contact with third-party partners and verifies that they are meeting their security and compliance obligations. It is also a good idea to regularly review existing contracts with providers and to state your security expectations in them explicitly, so that there is something concrete to hold a partner to.

A comprehensive third-party compliance review can also reduce your exposure. DeSeMa has the expertise to complete such reviews for our clients. We can assess the cybersecurity and compliance practices of your vendors, suppliers and other supply chain partners to determine if they have the appropriate controls in place.

We can also review a third party’s audits, financial records and compliance history to assess risk and identify areas for improvement. This enables you to make informed decisions when negotiating and renewing partnership agreements.

In a globally interconnected marketplace, a data breach in Dublin can seriously disrupt business in Brooklyn. All organizations must do their due diligence to ensure their supply chain isn’t creating security and compliance risks that could lead to financial and reputational damages. Give us a call to learn more about using our third-party reviews to mitigate risk.
