A company's supply chain is an integral and sometimes complicated part of its business.

As companies optimize their supply chains using interconnected technology, the cyber risk of disruption and lost business multiplies. Where a third-party supplier is connected to a company's systems, a compromise at the supplier can disrupt the company's business or allow a direct attack on the company.

Cyber underwriters are especially concerned about recognizing and assessing the risk of disruption of supply chains after recent catastrophes, such as the 2011 tsunami in Japan and flooding in Thailand, hit major manufacturing sectors that were single-source suppliers to major manufacturing and electronics companies.


Current risk-assessment practices

Current risk-assessment practices, and cyber insurance, focus on potential vulnerabilities of supply chain systems and the systems in place to prevent and detect cyberattacks. This is a nearly impossible task given the complexity and autonomy in supply chains, as well as the constant change of technology affecting a company's system and the constant adaptation of cybercriminals probing for vulnerabilities. As discussed below, a more practical means of risk assessment is to evaluate a company's ability to respond to a disruption in its supply chain. In other words, evaluate its robustness and responsiveness.

Since the olden days of 2011, the goal of developing an Internet of Things (IoT) has become a reality, and smart technology is allowing for greater and more autonomous interconnectivity. Wireless sensor and controller technologies now allow greater connectedness and autonomy in machines and robots, inventory and ordering, transportation and distribution, ground and aerial vehicles, medical devices, and building and home security.

Cyber-physical systems made up of “smart devices” that collect data and control actions are in place in companies and entities involved with power, manufacturing, health care, banking, transportation, and municipal and home products and services, to name only a few. Yet experts have demonstrated that many devices and protocols employed in these systems are vulnerable to outside manipulation once they are accessed. More often, a company's system is accessed through an attack on an entity in its supply chain.

Recent cyber incidents in 2013 at Target and in 2014 at Home Depot demonstrated how a compromise at a smaller third-party vendor allowed thieves to steal millions of customers' data, including payment cards. While those events involved theft of data, the risk to physical assets is growing.

As an example, in 2015, an attack at a German steel company using stolen login details allowed outside access to the controls of a blast furnace. The intruders caused an unscheduled shutdown, damaging the furnace. This year, cyber thieves exploited a flaw in a telecommunications company's protocols to bypass two-factor authentication and emptied a number of accounts at a German bank.

ID & evaluate risks accurately

Current underwriting practices are unlikely to identify and evaluate risks to a company's supply chain accurately, as they rely on a company's knowledge of its connectivity, location and access to data and vendor protocols, and on its efforts to secure its business activities. Even where a company can identify all of its suppliers and the extent of their connectivity to its system, it is unlikely that it can evaluate the risk at each stage. Few companies drill down for information on their supply chain from end to end, or are aware of the various smart components, communications protocols or insider training at a supplier.

Current risk assessment practices can develop an overall snapshot, including identifying a company's most important vendors in its supply chain, how reliant a company's income generation is on vendor operations, and how much access a vendor has to the company's cyber-physical system. Entities such as the National Institute of Standards and Technology (NIST) identify additional checklist items for interconnected relationships, including the extent of:

• Vendor access to a company's cyber-physical system;

• Network segmentation, so that a breach cannot expand to critical assets or processes;

• Vendor selection, guidelines, standards and controls, including contract language requiring reports, audits and validation of performance;

• Password and monitoring safeguards, policies and practices;

• Insider threat training, covering both intentional and unintentional insider threats; and

• Audit programs to monitor security protocols within the company and at supply chain vendors.

Complacency and lax security practices

This snapshot is affected by time and complacency. Research demonstrates that a lack of successful cyber intrusions leads to complacency and lax security practices. A culture of “it worked before” or “it hasn't happened” typically leads to an under-appreciation or a biased assessment of risk. For example, a company employee is contacted by a long-standing vendor to “troubleshoot” communications.

The employee may interact with that contact without first verifying that it is in fact the vendor, that there is in fact a communications issue, and that the employee is authorized to give out company information. Or, more commonly, an employee accesses social media at work and, having opened photos, ads or “click-bait” many times before, introduces malware into the company's system.

With cybercriminals constantly attempting to introduce malware, deny service or access a company's system, researchers assert that it may not be a question of “if” a company's cyber-physical system will be impacted by outsiders, but “when.” Different attacks are discovered almost daily, with alerts arriving in my email about commercial or social media vulnerabilities.

How thoroughly & quickly a company can react

Of the many recommendations for assessing the risk of a cyber event that could disrupt a company through its supply chain and cause a physical or business loss, one of the least emphasized is how thoroughly and quickly a company can react.

While an underwriter may not be able to accurately assess the strength and vulnerability of a company's supply chain, it may be able to accurately assess the company's robustness and responsiveness. Using the German bank's two-factor authentication as an example, the bank appreciates that its business is based upon authorized access. An underwriter can examine whether the bank has a separate system of authentication that it can quickly switch users to when the two-factor authentication system is shut down due to a vulnerability at the third-party telecommunications company. Where the bank is robust and agile, an underwriter can determine whether an attack on a central system will result in a major loss.

Similarly in manufacturing, such as at the German steel company or similarly situated power companies where the process controls are network-segregated, when a major event such as a shutdown is triggered, an underwriter can examine whether there are systems in place that automatically alert personnel to the directive before the shutdown process begins and require a manual response in order to proceed.

Focus on ability to respond to a cyber event

Risk assessment that focuses on a company's ability to respond to a cyber event impacting its supply chain provides more practical and accurate information. It tracks the supply chain functions necessary for a company's profitability and measures its plans to maintain those functions when one of its vendors is disrupted. Rather than gamble on “if” or “when” a disruption will occur, by examining robustness (alternative or distributed systems) and responsiveness (agility to switch systems or vendors), an underwriter can assess the extent of damage such a disruption may cause.

© 2024 ALM Global, LLC, All Rights Reserved.