Untangling the supply web: Managing third-party and supply chain risk
Updated: 3 Jan 2022
All organisations, no matter how small and uncomplicated, are impacted by third party/supply-chain, or “Nth-party” risk as it is also known. The latest report from RiskBusiness takes a look at some recent examples of risk events which have impacted the financial services supply chain in particular and puts forward some workable solutions for minimising the impact of this risk.
SolarWinds
Hackers gained access to the SolarWinds network and planted malicious code (now known as “Sunburst”) into its Orion network management system in September 2019 (though it was not detected until December 2020). More than 30,000 organisations were using SolarWinds’ Orion product to manage their networks at the time, including several US Government agencies. The hidden malicious code planted by hackers meant that when users were sent a routine Orion software update, they were unknowingly installing the malware into their own systems.
Akamai Technologies
Akamai, one of the world’s largest providers of content delivery networks, suffered an outage in July this year, impacting major banking websites including HSBC, Barclays, Lloyds, Sainsbury’s Bank, Tesco Bank and several gaming and retail sites. The outage lasted just over an hour and was caused by a configuration update which triggered a DNS (domain name system) bug.
Capital One/Amazon Web Services hack
In July 2019, Capital One confirmed it had fallen victim to a data hack. More than 100 million Capital One customers were affected, plus a confirmed eight other companies using the service. It is understood that as many as 30 companies in total may actually have been targeted.
Sita/Singapore Airlines
Sita supplies IT systems to the air transport industry and suffered a data breach earlier this year. The breach impacted several of its customers who used Sita’s passenger service system, which shares frequent flyer data with other airlines within the same airline alliance. Singapore Airlines was one of the firms affected by the breach, though it was not a direct customer of Sita.
Mitigating supply chain risk
Supply chain due diligence - KYSC, Know Your Supply Chain
Supply chain and vendor risk isn’t just about cybercrime and technical outages; it’s also about how your suppliers conduct themselves in a world that increasingly prioritises corporate ethics, both from a consumer and regulatory perspective. Corporate social responsibility and ESG (environmental, social and governance) issues are therefore now a huge part of risk management. Selecting vendors who demonstrate due diligence in this area, and asking them to provide evidence of this, could help avoid a PR disaster by association further down the line.
Pressure testing your scenario analysis
If recent events have taught us anything, it’s that anything can happen. With the last 18 months providing a perfect storm in terms of supply-chain risk (COVID-19, Suez canal blockage, Brexit, a Taliban government in Afghanistan), firms need to look at how they categorise their risks in terms of their likelihood and impact in the current context.
Take a closer look at contracts and service level agreements (SLAs)
Now is the time to take another look at any third-party contracts you have in place to see what measures are available if the promised level of service is not delivered. The COVID-19 pandemic exposed grey areas in many contracts.
Don’t stop at third party
The terms “supply chain” and “third party” are perhaps out of date in today’s business environment. The interconnected nature of business means companies are often connected through a complex network, or “supply web” rather than a supply chain. This means that mitigating risk in this area shouldn’t stop at your third-party suppliers.
Operational resilience
Managing third-party risk is a key component of operational resilience, a concept which has become a principal focus for regulators over the past 18 months. Earlier this year, the Basel Committee on Banking Supervision (BCBS) released its Principles for Operational Resilience, which outlines seven key principles for financial institutions to apply:
1. Governance
2. Operational risk management
3. Business continuity planning and testing
4. Mapping interconnections and interdependencies
5. Third-party dependency management
6. Incident management
7. ICT including cyber security
Principles 4, 5, 6 and 7 all touch on the subject of supply-chain risk.
Supply chain security vs other supply chain risks: avoiding silos
Third party, Nth party, or supply chain risk - whatever your firm chooses to call it - is a complex and almost never-ending web of potential issues for the firm. This network of risks simply cannot be managed by the risk management function alone.
Good communication between departments and business functions is absolutely critical. The audit and compliance functions are well placed to help break down silos within the firm because they have unique access across all areas of the business. Every member of staff who is responsible for connecting with a third party should understand the company protocol for managing third parties and should be a part of the risk assessment process.
This is an abridged extract from Untangling the supply web: Managing third-party and supply chain risk by RiskBusiness. To view the full report, which goes into greater detail, click here: https://riskbusiness.com/wp-content/uploads/2021/09/Third-party-risk-report.pdf