By Mark Camillo, Head of Cyber and Professional Indemnity, EMEA, and Martin Overton, Cyber Risk Technical Specialist at AIG

Companies recognize that supply chain risk is a growing problem, and today, cyber risks and supply chain risks are increasingly linked. For multinationals, cyber risks in the supply chain may be even more significant, as many multinationals rely on third parties to provide services. If any of these third parties suffers a cyberattack, the disruption may result in financial repercussions, or even a loss of customers, for the multinational.
© 2017 American International Group, Inc. All rights reserved.

Cyber Risks and the Supply Chain
If a third-party supplier provides technology to the company or is connected to the company’s systems, then the company faces an additional risk: cyberattacks can strike the company via that supplier. In fact, there are many examples of companies’ supply chains being hacked via a third-party supplier or a business partner. As a result, companies need to take a closer look at who they are connecting to on the data side. 

Read on to see which cyber threats could disrupt a company’s supply chain and discover best practices to help combat these risks.

These 3 Cyber Risks Could Disrupt a Company’s Supply Chain
  • Hardware tampering: adding extra hardware to chip-and-PIN devices to steal data from the target. Hardware tampering occurs at a point between the manufacturer and the target, usually at a retailer.
  • Malware advertising: hacking a third-party ad server to add malware to the ads on a company’s website. A high-profile case affected Spotify last year.
  • Communication chain hijack: taking over a communication chain to steal credentials, capture passwords, change payment details on invoices, etc. This can happen on the web or over email.

3 Steps to Help Beat Cyber Risks in the Supply Chain

To combat these threats, companies should follow this action plan:
  1. Examine the business supply chain and the vendors
  2. Identify the weakest links
  3. Pinpoint where the supply chain and the vendors have potential to experience disruption

Working with a ratings firm, such as AIG’s partner BitSight, can help companies identify potentially weak partners within the infrastructure. BitSight uses publicly available data to rate not only the client company, but also all of the company’s business partners and entities that use its technology.

When Human Error is the Problem 

Ultimately, many cyber incidents arise from human error rather than from technological weak points. Human error is a major area where companies should focus their mitigation and prevention efforts.

All too often, companies try to stop human error using the latest security offerings, such as the newest firewall or intrusion detection system. In fact, preventing human error is largely about making sure that employees follow best practices for cybersecurity. We recommend these three strategies for companies:

  • At every step in the supply chain, ask: Where is the data, how is it protected, and what technology procedures are used? Criminals are after data, such as financial records, card information, or intellectual property.
  • Wherever people, such as retailers, hoteliers, and travel agents, handle credit card information, use point-to-point encryption (P2PE) between the card reader and the card processor. This means there is no credit card data stored that could be stolen.
  • Train all employees in best practices for cybersecurity. Every member of the organization must be part of the security checks. Untrained employees may inadvertently become part of the problem.

Cyber Insurance is Changing to Help Safeguard the Supply Chain

AIG is expanding cyber risk insurance coverage to offer higher limits for third-party exposures. These new policies can cover more than a company’s computer systems and technology, and extensions can be specific to its industry. For example, if an airline is concerned that a cyberattack could prevent it from fuelling planes or delivering baggage, cyber insurance policy extensions can provide coverage.

Today cyber insurance is becoming part of companies’ engagements with suppliers and vendors. At AIG, we’ve observed an increase in submissions and applications for cyber insurance due to new contract requirements. In the past, vendors and suppliers typically needed to have general liability or professional indemnity insurance. Now cyber is likely to be the next form of insurance required.

Currently, when people think of cyber risks, they think about financial losses, fines, and penalties, but looking ahead, cyber risks are likely to cause other losses as well, including property claims or bodily injury. As technology evolves and systems become increasingly interconnected, companies and insurers are planning to help reduce these emerging risks.

For more information, please do not hesitate to get in touch with your local contact person.