Supply-Chain and Third-Party Risks

By NACD Staff

01/16/2023

In brief: This tool helps directors consider where there may be gaps in the corporation’s cybersecurity due to third-party vulnerabilities. It provides key questions for directors to pose to management to ensure that third-party and supply-chain risks are addressed. This brief was written by Lisa Humbert, operational risk officer of the Americas, Bank of Tokyo Mitsubishi, MUFG, and Tim McKnight, chief security officer, SAP. It originally appeared in Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards.

This resource can help your board to

  • pose questions to management to assess third-party and supply-chain risks,

  • provide oversight of the third-party risks to the corporation, and

  • consider the board’s understanding of supply-chain risks facing the corporation.

Most relevant audiences: Risk committee chairs and risk committee members

Some of the biggest cybersecurity risks that enterprises must manage are their supply chain and third-party relationships. Many data breach incidents are caused by third-party vulnerabilities. As a result, the strength of an organization’s cybersecurity often depends on the weakest link in its supply chain, which can directly affect the company’s profitability and reputation. This tool details questions that directors should be asking management to ensure adequate security measures are in place to address supply-chain and other third-party risks.

Below we have provided definitions for both Cyber Supply-Chain Risk Management and Third-Party Risk Management, and considerations for both disciplines. In some industries these functions overlap; however, the activities for each are distinct.

This tool details questions, with considerations, that directors should be asking management to ensure that adequate security measures are in place to address Cyber Supply-Chain Risk Management and Third-Party Risk Management.

NIST defines cyber supply-chain risk management (C-SCRM) as “the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of [IT] product and service supply chains.”
