Third-Party Cyber Risk Management

We were at the Western Manufacturing Technology Show two weeks ago and it was clear that many companies we were talking to had a very narrow view of cyber risks.

Running a company involves taking many risks, and it they pay off more often than they don't, your company is successful and grows. So the better you understand the risks, the more you can tip the scale in the right direction. When we enter the realm of cyber risk management, most people's mind go straight to data and to be fair that is a very big part of it. Keeping data safe is very important (see here for tips), but for manufacturing, supply chain should also be a key concern.

The question we were asking the attendees was simple: "What would happen to your company if one of your key supplier could not deliver to you for 2-3 weeks" (and you should also think of the reverse questions: what would happen if your company could not deliver to your key customers for 2-3 weeks?). Quick conclusion: this is a risk and it must be managed.

Managing risks comes always comes down to the same things knowledge and planning.

• Knowledge: To help understand the level of maturity of your key suppliers and understand your risk exposure, we have developed a questionnaire ( here ) that asks all the important questions. This questionnaire was built based on some of the cyber security framework we use and from cyber security insurance questionnaires we receive (they are well aware of the risks and are doing a good job of adjusting). To be clear, we are not saying that your business partners should do everything on that questionnaire, but based no what they do and don't do, you should be able to gauge your risks.
• Planning: There are a lot of strategies to mitigate risks, so we will not do a deep dive here, but we will highlight the main three you should consider.
  1. Level up: You love them, they have a great product and you want them to stay in business, tell them to step up their game, increasing their cyber resilience will be a win/win.
  2. Diversify: Just get more than one supplier for that component, this way if the proverbial sh*t hits the fan, you already have a plan B in place.
  3. Move on: Sometimes, it might be just be better to part ways and say goodbye.

So here you have it, Cyber Risk Management is not just about data. We are seeing many industries getting disrupted and you don't want your company becoming collateral damage to one of your supplier's failings. Take the time to assess the risks and do what must be done to keep going.

You can find the questionnaire here.

As always, let us know if you have questions!