With SolarWinds, Accellion, Kaseya, and Log4j, the world realized that third-party suppliers are a key vector of cyber risk. We spoke with MassMutual CISO Ariel Weintraub about how firms need to go beyond third-party risk management to focus on supply chain resiliency, and the different thinking required to effectively build it.
1. In your own words, what is supply chain resiliency, and why is it one of the most important areas of cybersecurity in financial services today?
Supply chain resiliency can be defined as understanding the components of your supply chain for all critical business processes, as well as having backups for each component and a clearly defined plan for switching to a backup.
It is important for financial services as well as other sectors, because as individual enterprises we cannot control what happens at another organization. With an uptick of cyber attacks focusing not only on stealing data but also on availability, for example through a DDoS attack or a ransomware attack, more components of the supply chain are becoming impacted and unavailable. You cannot define your own resiliency based on the assumed resiliency of another component in the supply chain.
2. How can a firm measure its supply chain resiliency? What are the signs a company is managing it efficiently or not?
The first step is to document critical business processes and the suppliers used to support each process. You can measure your resiliency by identifying which components do not have a backup, and how long it would take to switch to another supplier if a critical supplier was unavailable.
To manage this efficiently, firms should not only document the end-to-end processes but also regularly engage in tabletop exercises that span both IT and the business.
3. How have business resiliency and IT resiliency teams operated historically, and how should they be working together now as cyber becomes a more critical component of resiliency?
Historically, these functions have been managed separately. IT organizations have mainly focused on physical disaster recovery - how easily can we failover to our DR site if our primary site is unavailable. Tabletops performed by IT organizations are also very IT-focused.
On the other hand, enterprise risk management organizations have historically focused on identifying critical business processes and identifying business continuity plans for each process. The issue is, typically those processes are more focused on temporary manual fallback procedures versus switching entirely to a new supplier in the event of a major availability event.
Now that cyber attacks are a primary reason suppliers become unavailable, the two areas need to come together both in the documentation of plans and testing. Third-party risk programs can assess the cyber resiliency of each key supplier, but that is not enough. IT and business leaders need to have candid discussions about risk tolerance and how comfortable they would be with shutting off a key supplier in the event of a major cyber event with unknown impacts or scope.
4. Is there an analogy or story that you can share from your experience about how this issue has affected an organization?
The example that comes to mind is the impact of the NotPetya attacks in 2019, where destructive malware attacks originating from Russia intended to target businesses in Ukraine ended up spilling over and impacting other organizations around the globe. One unlucky victim was Maersk, the world’s largest container shipping company. While not the intended target, Maersk’s operations were largely shut down for an extended period of time. There were significant downstream impacts to organizations’ supply chains for those who relied on overseas shipping of goods. Those downstream organizations may or may not have had alternative shipping options. Those that did would have demonstrated resilience, and those that did not were tertiary victims of the initial attack that was intended to only impact Ukrainian businesses.
5. Why is it so important to address multi-cloud strategy in terms of using it as a vehicle for resiliency and what are the high-level benefits that could result from doing so? What are the stakes if firms continue to ignore it?
There are two ways that a multi-cloud strategy can provide resiliency. First, which is much more easily obtained, is to host some applications in one cloud platform and other applications in another cloud platform. While this does require tooling and support in both Cloud Operations and Cybersecurity, it provides resiliency protection against outages fully taking down entire operations.
Second, the more impactful but more difficult to achieve strategy is operating in a true multi-cloud environment in which an application’s production environment exists in one cloud platform and its backup exists in another cloud platform. For many organizations this is a far-off pipe dream - it requires completely containerizing each application. If it is a vendor-supplied application, it also means the vendor must fully support both environments. The industry is not quite there yet but organizations should be working to achieve this vision. Once this is architected, you can easily test resiliency from one platform to another, as you would test a full data center failover. We have seen regions of cloud hosting providers go down for periods of time. Most cloud architectures have continuity in a separate region, but what if the cloud hosting provider is impacted by a ransomware attack and all regions are down? This is not only a supply chain attack, but exploitation of concentration risk for many organizations and for entire sectors.
© 2023 FS-ISAC, Inc. All rights reserved.