One thing a risk manager with cyber in their captive can’t ignore: supplier risk.
Supply chain as an attack vector is a well-established priority for corporate security teams. It has been on the radar of C-suites as far back as the 2013 Target breach, which resulted in the theft of over 70 million customer records. That breach was attributed to a vulnerability hackers exploited in the computer systems of Fazio Mechanical Services, an HVAC contractor Target used, which was relying on a free antimalware service with limited security protocols in place. The event cost Target somewhere between $300 and $400 million (even with a reported $90 million insurance recovery).
The SolarWinds attack impacted approximately 18,000 organizations, including some of the largest companies on the planet, and the Kaseya attack in 2021 affected a reported 1,500 organizations, illustrating the cascading impact these attacks can have.
This year, the Cencora and Snowflake data breaches, which impacted some of the world’s largest companies, though smaller in scale, are the latest reminder of supply chain cyber risk. Just recently, the breach of billion-dollar US security company ADT highlighted the twin issues of supply chain and controls circumvention: credentials stolen from a third-party business partner allowed hackers to breach ADT’s systems. A similar breach occurred at Rite Aid this year.
The jobs of the CISO, the security team and risk managers with enterprise risk mandates are increasingly complex. On any given day, the average Chief Information Officer (CIO) of a large enterprise manages around 200 software-as-a-service (SaaS) applications provided by third parties, and each of these SaaS tools comes with a varying degree of risk. The networks CISOs are protecting have become so large that the internet backbone needed to be expanded.
In our conversations with CISOs over the past six months, supply chain risk is consistently mentioned as a top priority.
Risk managers see the magnitude of the challenge
Most risk managers of large, complex organizations recognize the challenge they face. A recent FERMA survey identified their growing concern about rising uninsurable risks. Fifty-three percent of respondents believe that key business activities will become uninsurable, up 12% since 2022. Two of the top three issues on risk managers’ ‘uninsurable list’ are cyber and supply chain.
The coverage gap has grown in recent years in the face of a rising frequency of both data breaches and ransomware-style attacks, the latter of which spiked in June this year to their highest level in over a year. Despite this, rates have declined, down 7% in Q2 2024 in Europe, including at the primary and first excess layers for large companies.
But risk and insurance managers of large organizations are increasingly turning to captives to transfer the risk. Marsh’s 2023 benchmarking study on captives cited a 57% growth over the past two years in total captive premium for cyber. In 2023, Zurich’s cyber fronted book grew more than 50% as a result of growing demand in EMEA.
As the recent Zurich captives report points out, challenges do remain around:
- Fully understanding and quantifying the risk being put into the captive
- Ensuring the cyber captive program is sustainable over time
This gets more difficult when assuming supply chain cyber risk in the captive as well.
Building bridges, getting better visibility into supply chain risks
As more risk officers become involved with supply chain risk from an enterprise risk management perspective, including putting cyber into the captive, a few things become more important.
Close collaboration with the CISO and security team is of critical importance. As attacks like TeamViewer and Snowflake remind us, companies can better manage supply chain risk only when the risk and security teams work together. Doing this requires more than an ad hoc exchange of information between the two teams. A bridge must be built between the Risk Officer and the CISO.
As Steve Collins, Group CISO of DS Smith, said in a recent Intangic customer case study, “The CISO needs to work closely with their risk teams on cyber insurance. Working with Tony (Tony Dimond, Group Risk Officer) and his team has led to better cover, often at lower costs, introducing different, and complementary, tooling: a win-win all round.” In DS Smith’s view, this partnership is evolving and is now helping the risk team better analyse its supplier cyber risks, prioritise areas of vulnerability and help develop appropriate mitigation strategies.
Here are some specifics of what the risk team can do together with the CISO:
- Improved visibility of risks across the supply chain: CISOs tell us that they need improved visibility of the risks across their supply chain on an ongoing basis. The CISO is responsible for defending the fortress around the clock, vetting the severity of thousands of incoming alerts while also looking after compliance and board reporting.
He or she and the security team need to know where the highest risks exist among third parties. Suppliers that are being attacked more than their respective peers are at higher risk of a large breach and thus pose greater vulnerabilities to the companies they service. With the Intangic CyFi™ Platform, for the first time Risk Officers can help CISOs see this threat activity at scale across the supply chain on an ongoing basis.
- Enable a preventative, early response: Risk managers are now able to give CISOs and the information security team the ability to prioritize preventative steps to fix the problems contributing to any spike in risk levels, and to encourage their suppliers to do the same before a large breach occurs.
Every company’s supply chain will undoubtedly have vulnerabilities; placing a greater emphasis on more robust threat detection and preventative remediation across a company’s supply chain will strengthen the risk program and overall security.
Risk managers of large corporates say they are increasingly playing more strategic risk management roles. In response, FERMA President Charlotte Hedemark called for improving detection, prediction and mitigation across different perils.
The CyFi™ Platform provides risk managers with a tool for doing so on supply chain and other dimensions of the risk. And it gives them a necessary bridge to the CISO to identify and manage the increasing number of risks across the supply chain.