By Jeffrey Wheatman

We know from the avalanche of year-end reports, surveys, and predictions that supply chain risk is top of mind for Boards of Directors and senior business executives all over the world and in every industry.

A few examples:

  • The Chartered Institute of Internal Auditors (UK), in its ‘Risk in Focus 2023’ report, ranks ‘cybersecurity and data security’ as the number one risk and ‘supply chain, outsourcing and nth-party risk’ as #8
  • Protiviti’s ‘Executive Perspectives on Top Risks 2023 & 2032’ report indicates ‘uncertainty surrounding core supply chain ecosystem’ as the #5 risk
  • Survey data out of my old stomping grounds, Gartner, tells us that 88% of board members now view cybersecurity as a business risk

We have also seen a huge uptick in regulatory oversight paying attention to third-party and supply chain risk:

  • In the US, the Securities and Exchange Commission recently issued a new proposed rule that includes requirements around managing third-party risk
  • The new EU DORA (Digital Operational Resilience Act) regulation has an entire section devoted to managing third-party risk
  • Don’t forget the legacy regulations that have implications in and around third-party risk – HIPAA, GDPR, SOX, PCI-DSS, FED SR 13-19, to name a few.

These are only some of the reasons why boards and senior executives are rightly paying attention to third-party and supply chain risk. But to be blunt, knowing that something is important and knowing why it’s important are very often very different things. And in my experience (I’ve spoken to dozens of boards, hundreds of board members, and thousands of cybersecurity leaders who engage with their boards), these senior executives know they need to pay attention to supply chain risk, but don’t always know why.

A sample question guaranteed to freeze people in their tracks is: “If a critical partner in your supply chain (physical or digital) got hit with ransomware and was down for a week, how long would you be impacted?” Compare this to: “One of our partners doesn’t do a good job of patching, has open ports to the Internet, and doesn’t use MFA.” As I always say, focus on the business impact and not on the technical issues.

The time has come to help your board and executives really understand why cybersecurity is a critical element of supply chain risk management.

Focus on operational and financial impacts – even if you can’t come up with hard numbers, you can ask questions about the operational impact if any element within your supply chain got hit with ransomware, or was breached and lost critical data.