- Operational resilience and supply chain security are deeply intertwined, and regulators are increasingly focussed on both.
- To enhance operational resilience using effective scenario planning and mitigation strategies, identifying concentration risk deep in your supply chains is key.
- Without the ability to identify concentration risk, taking a risk-based approach to operational resilience planning is almost impossible.
- Most organisations have no visibility into their wider supply chain ecosystems beyond third parties, and are unaware of interrelationships and dependencies that might exist.
- This means that organisations can be affected by a single incident or vulnerability beyond their third parties without being aware of that risk, as the recent MOVEit Transfer example demonstrated.
- A social network approach to supply chain risk management offers a solution.
Scenario: One of your critical suppliers was just breached, what next?
Imagine it is 1pm on a Friday and a supplier supporting one of your critical business processes has just disclosed a cyber incident, and their services are disrupted.
As a cyber security professional responsible for keeping your company’s systems and data safe, your mind switches to response mode.
How do we minimise disruption to operations and maintain the critical service is the first question you ask yourself.
Other questions that spring to your mind include:
- What exposure do we have to that supplier?
- What data is shared?
- Do we have any persistent connections?
- Do we need to investigate our own infrastructure for lateral movement?
You really don’t want this on a Friday afternoon, but you’ve prepared for it and are confident you can pull it off before service is disrupted. You invoke failover to your backup supplier.
It is 2pm now and you have contacted your backup provider, but for some reason they are not responding to your messages. It appears their systems are not working at full functionality and their comms are delayed. What is going on?
An hour later, you finally get an email from your backup supplier’s customer service team. To your horror you find that they have also been compromised, and that their services are down too.
You and your response team scramble to come up with a manual workaround to keep the ship sailing. You have no other options. That’s the weekend gone! But this is the least of your worries. How could this happen? You ask yourself this all weekend, trying to investigate whether the two incidents are somehow connected, or whether you are just extremely unlucky.
In the next week you find out that both of your suppliers relied on the same file transfer software provider (an unknown 4th party to your organisation). A zero-day vulnerability was discovered in that 4th party software which began to be actively exploited. Both your primary and backup suppliers made the decision to take their services offline temporarily whilst investigating and containing the incident.
What regulators say about concentration risk
In this example, two of your critical suppliers were disrupted simultaneously, and the root cause was an unknown 4th party. In the real world, of course, things are not always that clear-cut. You will have many different suppliers supporting one critical business process, and sometimes a critical supplier will support more than one critical process. These suppliers, themselves, depend on an even larger group of suppliers to support their processes, and so forth. This creates many complex relationships and interdependencies that you won’t be aware of, but which could impact your organisation in numerous ways.
The need for identifying such a concentration risk is an increasing focus of regulators in the context of seeking to boost organisations’ operational resilience.
The updated (2019) “FG 16/5 Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services” by the Financial Conduct Authority (FCA), for example, requires organisations to “monitor concentration risk and consider what action it would take if the outsource provider failed”.
Under point (c) of Article 25(5), the Digital Operation Resilience Act (DORA), meanwhile, expects all regulated entities to “identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangements may contribute to reinforcing ICT concentration risk”.
The Prudential Regulatory Authority (PRA) asks of its regulated bodies to implement the European Banking Authority’s (EBA) ‘Guidelines on outsourcing arrangements’, which states that to “enable competent authorities to effectively supervise financial institutions’ outsourcing arrangements, including identifying and monitoring associated concentration risks, firms must be able to provide comprehensive documentation on their outsourcing arrangement”.
The UK Government Cyber Security Strategy - specifically put in place to secure the UK public sector - too, highlights the importance of identifying concentration risk when stating that “government will take steps to better understand its dependencies on suppliers”, and that “central mapping of government’s critical and common suppliers will enable the identification and coordinated management of systemic and aggregate supply chain risks to government.”
Concentration risk and operational resilience
This shows the heightened awareness of and importance that regulators are placing on the need for organisations to gain a thorough understanding of their full supply chains, especially in order to be able to identify potential concentration risk. But what exactly are concentration risks?
To put it simply, a concentration risk in the supply chain means that if an incident was to occur involving one specific supplier, that this would have a disproportionately negative impact on many other organisations that are in one way or another connected to this one supplier. It may also have wider systemic implications. Some concentration risks could even pose a serious threat to entire industries and economies. This is why the New York State Department of Financial Services (NY DFS), for example, when the Solarwinds supply chain attack happened, immediately required all New York financial institutions to report any impacts the attack had on them, and warned that “the next great financial crisis could come from a cyber attack.”
The problem, especially for operators of critical national infrastructure (CNI) is that there are often only very few specialised suppliers that are able to provide the niche services required. Since the vetting and procurement processes are also often long and complicated, the result is that tried and tested suppliers are used regularly and widely. This is also true for public sector bodies, and other industry groups. This further increases the potentiality for concentration risks and for single points of failure that could impact the entire supply chain ecosystem of a given sector.
Mitigating concentration risk in your supply chain
You will have likely already mapped some of your critical processes and your critical suppliers. You are also likely to have run playbooks and scenarios for what could happen, and how you can respond to any incidents at a critical supplier to ensure business continuity.
Some incident scenarios, however, are much more likely than others depending on the relationships and interdependencies in your wider supplier ecosystem. While you may be able to run scenario exercises for incidents at each of your critical suppliers, you are unlikely to be able to run them for combinations of supplier incidents, since there are too many possibilities.
The only way to ensure you are considering the highest risk scenarios, including where incidents may originate further down your supply chain, is to gain a much deeper understanding of relationships and interdependencies far beyond your immediate third parties. This is necessary for an effective risk-based approach to operational resilience.
At the moment, it is difficult enough to be fully aware of all the organisations that your suppliers might be connected with, and almost impossible to look even further than such 4th parties. So any concentration risk that might exist further down your supplier ecosystem, which would be a critical element in taking a risk-based approach, cannot be spotted like this. This is a clear blindspot.
Taking a risk-based approach is not about doing more assurance and scenario-planning; it is about taking a smarter approach, focusing on the real key risks, rather than the most obvious.
An effective mitigation strategy that takes account of potential concentration risks would therefore have to include:
- Understanding nth party interactions and dependencies in advance (we’ll come onto how later).
- Understanding the impact to you of a disruption at multiple (specific combinations of) suppliers, focussed on where concentration risks make these combinations more likely. This could then serve as an additional input into sourcing decisions.
- Using this understanding to focus your incident exercises on scenarios which are most likely to happen AND would have the biggest impact. These could be incidents further down the supply chain.
- Working with the relevant nth party suppliers, in collaboration with others who also rely on them, to ensure robust defences and early detection – secure the weakest link.
Without gaining visibility into your supply chains beyond third parties (into 4th, 5th and nth parties), none of the above is possible. Only this visibility will allow you to determine how a breach in a nth party might ripple through your extended supply chain, and potentially affect one of your critical suppliers. This crucial information is key in order to start taking actions to mitigate these risks through diversification of suppliers, and also through collaboration with exposed suppliers.
How Risk Ledger can help: Moving beyond third party risk management
Identifying these types of interdependencies further down your supply chain might sound impossible, but don’t worry. There are ways to leverage your existing third-party risk management (TPRM) activities to do this for you, with no additional effort.
Risk Ledger’s social network approach to supply chain security allows a client to simply connect with their suppliers in seconds using a connection request (like LinkedIn) on our platform. Once a supplier has completed their security profile - full of information and verifiable evidence about their security controls - they are able to share it at the click of a button with any of their clients in a 'do once, use many' model, eliminating the work of completing many different assessments per year.
We are free for and supportive of suppliers, driving up their engagement in the third-party risk management process and improving supply chain security for clients. Moreover, when organisations join Risk Ledger, they find that on average 20% of their suppliers are already on Risk Ledger, which means that they will be able to view their completed assessments, and review their compliance with their requirements immediately.
Crucially, suppliers can also use Risk Ledger to manage their own supply chain risk, connecting with their own suppliers, thus using Risk Ledger as both a supplier and client in their own right. Organisations acting as both suppliers and clients on the Risk Ledger platform is what uncovers the middle links in supply chains and builds the map of interdependencies within the full ecosystem, not just between one client and their third-parties. With all supplier profiles following the same standardised assessment framework and with live data about the relationships between organisations, it is possible to gain deep insights into the systemic risks across the ecosystem, including where concentration risk could affect your operational resilience.
With this new visibility into an ever-growing threat surface, you also have the information and opportunity to collaborate with your internal risk and resilience team(s), and the high risk suppliers you were able to identify, to address and reduce these risks and demonstrate to regulators that effective risk awareness is guiding your security governance and operational resilience efforts.
If you want to learn more about how to identify and address risks in your wider supply chain ecosystem, including concentration risks, get in touch with us.