One of many things we’ve witnessed in the past two years is just how fragile and interconnected our supply chain is. As you think about your vendors and key suppliers, which of them are you most dependent on? Many organizations consider financial stability and brand reputation when evaluating partners for a business relationship. Have you done enough to validate that those partners also have adequate cybersecurity measures in place, and that they will likely be able to withstand a cybersecurity attack and still meet your expectations?

Next steps

  • Inventory your key partners and suppliers: Get started by building an inventory of your key suppliers and business partners. Record, too, the type of information you share with each of them and any access they have into your systems (network connections, integrations, service accounts). If you’re providing personally identifiable information like payroll data for employees or medical information about customers, this raises the risk profile of the relationship and should raise the tier you assign to that supplier.
  • Evaluate their cybersecurity safeguards and practices: It’s important to discuss cybersecurity controls and your expectations for what safeguards are in place to protect the data you share with your business partners. Similarly, it’s important to understand what additional controls and safeguards are in place to help them withstand an attack. When a supplier does provide a SOC report, read the scope, the period covered and any noted exceptions rather than treating its existence as a pass. If the company can’t provide you with a SOC report, or some other form of assurance around cybersecurity controls, you may need to evaluate them independently (a security questionnaire, an on-site review or a third-party assessment) if the risk warrants it.
  • Negotiate cybersecurity attack notice requirements: If you have key vendors and suppliers, you’ll want to make sure they are contractually required to give you notice of cybersecurity events they experience that could disrupt your business operations or expose the data you share with them. Depending on the importance of the supplier, you’ll need to think through how quickly they should notify you of a disruption. Is 10 days sufficient notice, or will too much commerce be lost by then? 36 hours? 24 hours? Find the right number, make sure the notice period is defined in your contract, and specify who must be notified and through which channel so the notice reaches someone who can act on it.
  • Identify alternatives: In the event that one of your key suppliers is taken down by a cybersecurity attack, you’ll need alternative suppliers in place to make sure your business cycles aren’t interrupted. Check that the alternative doesn’t depend on the same upstream provider or platform as the primary, or the same attack may take both down.
  • Regularly evaluate: This isn’t a one-and-done activity. You’ll need to regularly reassess your key partners and suppliers to identify whether there have been any material changes in their cybersecurity posture. Are they still carrying enough insurance? Have they had any attacks? If so, what was the impact? Have they implemented any new systems that required changes to their cybersecurity safeguards? The point is to identify any changes that increase your exposure to attacks on your suppliers and therefore weaken your own resilience.