We live in a time when risk and compliance have become an integral part of an organization’s supply chain. The uncertainties, vulnerabilities, and disruptions that today’s organizations face demand smarter risk management, not only to control the financial losses caused by production downtime or recalls, but also to protect critical intellectual property from rampant cybersecurity breaches.
According to Cybersecurity Ventures, cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the most significant transfer of economic wealth in history and risks the incentives for innovation and investment.
To better mitigate the risks in this highly uncertain and disruptive digital era, today’s modern organizations need:
- End-to-end transparency of the value chain through digitization and workflow automation
- Speed to actionable insights and faster action turnaround time (TAT), delivered through AI-powered augmented analytics platforms (e.g. Course5 Discovery)
- Foolproof data security policies and compliance programs to protect the value chain from the various cyber-attacks
- Strict compliance around Tier 1 and Tier 2 supplier selection
- Adherence to the local and global regulatory norms
- Better preparedness for the supply and demand shocks in different parts of the world
- Agility in the overall supply chain process
If we look at the nature of the risks today’s supply chain ecosystem is facing, they can be broadly classified into two buckets: Predictable and Unpredictable.
Predictable Risks can be identified and are possible to measure and manage over time. To manage these risks better, organizations need to define leading indicators for them. For instance, supplier insolvency leading to a disruption in the supply chain would be a known risk. Its likelihood can be estimated from the supplier’s financial history, and its impact on your organization can be quantified by considering the products and markets the supplier’s failure would disrupt.
The other risk categories could be:
- Cost and time exceed forecast
- Failure to meet regulatory standards on quality
- Factory shutdown or slowdown
- Labor shortage
- Process disruption
- Failure to meet Sustainability Regulations
- Illegal interference from 3rd party
- Supply shortfall or stoppage
- Lack of data and transparency
- Recession and inflation
- Geo-political events and Trade wars
To mitigate the above risks, organizations should form a cross-functional risk governance body to catalog the full scope of risks they face, build a risk-management framework, identify the key measures and acceptable thresholds, and set up a tracking and monitoring schedule. Here the objective is not only to prepare for the predictable risks but also to dimensionalize the scale and scope of unknown threats.
Unpredictable Risks are those that are impossible or very difficult to foresee. Examples of significant operational events in this category are irrecoverable asset damage, catastrophic personnel injury, and significant environmental or local impact. Here are a few unprecedented events which shattered the supply chain ecosystem in various parts of the world in the last decade:
- Humanitarian Crisis (COVID-19) we are going through in 2020
- Global Financial Crisis we experienced in 2007-2010
- Swine Flu Outbreak in 2009 which shocked Mexico and some parts of Canada and the United States
- Earthquake in Tohoku, Japan (2011) which shattered the entire country
- Major Protests in Hong Kong (2019)
- Extreme climate changes in certain parts of the world
For unknown risks, it’s imperative to have a resilient, responsive, and reconfigurable supply chain to sustain competitive advantage. Building secure layers of defense combined with a risk-aware culture can give an organization this advantage.
Build a Risk-Aware Culture
In the end, what modern organizations need is a risk-aware culture. Such a culture helps the different nodes or checkpoints in a linear or circular supply chain to establish and maintain strong defensive layers against unpredictable risks, and to respond swiftly when an unknown threat emerges and endangers supply chain operations.
To build this risk-aware culture, organizations need to invest in an open culture where management and employees can freely discuss predictable and unpredictable risks, be transparent about risk tolerance and appetite, and, most importantly, empower employees to react rapidly to external events.
The leaders should recognize that risk management is not merely about setting up processes and governance, but also entails shifts in culture and mindsets.
Invest in a Good Cyber Insurance policy to protect your Value Chain
In 2019, nearly 300 cybersecurity incidents impacted supply chains. The major contributing factor behind the surge in cases has been the growing digitization of the supply chain ecosystem. Two major ransomware attacks had dramatic effects on production supply chains in 2019.
The March 19 cyberattack on aluminum producer Norsk Hydro involved LockerGoga, a previously seen ransomware tool that halted operations at the company’s corporate headquarters in Norway and impeded productivity in its extruded solutions division throughout Europe and North America.
Analysts believe the attack marks a worrying trend due to its international scope and direct impact on production and logistics assets.
On June 7, there was another ransomware attack on Belgian aerospace supplier ASCO Industries that forced the company to shut down production lines at four different factories across North America and Europe.
The attack was so damaging that the company furloughed nearly 1,000 employees temporarily and was out of operation for more than a month.
When you take into account expired inventory, reputational losses, brand losses, falling stock prices, and other considerations, the total cost of a ransomware attack is much higher than the ransom itself.
Common Cyber Attacks on the Enterprise Digital Supply Chain
- Man-in-the-middle attack
- Denial-of-service attack
- SQL injection
- Zero-day exploit
- DNS tunneling
What are the fallouts of a Cyberattack?
If a cyberattack hits your company, you could face numerous problems:
- Business interruption can occur while your organization deals with malware, security issues, loss of data, and the resulting fallout.
- Financial losses can result from the cost of notifying your customers and providing credit monitoring; restoration of files and computer systems; lawsuits; and regulatory fines.
- Reputation loss can occur if consumers lose trust in your company.
Cyberattacks are on the rise. As more and more businesses get hit with heavy losses, regulatory fines, and expensive lawsuits, the need for robust cyber insurance is clear.
What is Cyber Insurance and what do Underwriters look for?
As per Wikipedia, Cyber Insurance is a specialty lines insurance product intended to protect businesses, and individuals providing services for such businesses, from Internet-based risks, and more generally from risks relating to information technology infrastructure, information privacy, information governance liability, and activities related thereto.
Cyber insurance policy premiums are “not one size fits all”: premiums are based on a company’s industry, services, the type of sensitive data stored, collected or processed, the total number of PII/PHI records, data risks and exposures, computer and network security, privacy policies and procedures, and annual gross revenue.
Cyber insurance policies generally do not cover potential future lost profits, nor the loss of value due to the theft of your intellectual property in the value chain.
Underwriting for cyber insurance is complex and evolving when it comes to insuring your linear or circular supply chain. To understand the factors that drive premium costs, consider the potential risks that underwriters look at:
- Systems vulnerabilities
Hackers love to exploit vulnerabilities in software programs. Patches and updates can keep systems secure, but only if you actually apply them. Having up-to-date programs with top-of-the-line security features is essential.
- Security training protocols
Data breaches can occur when employees mistakenly expose data. Business email compromise attacks succeed when employees fall for fraudulent requests. Malware attacks spread when employees click on links they shouldn’t. All employees must be trained on how to avoid cyber risks, regardless of their position in the company.
- History of incidents and how they were handled
Data breaches and malware attacks are increasingly common. However, a long history of repeated issues could signal security flaws. The response is also important: companies can run afoul of regulations if they attempt to cover up breaches, making a bad situation worse.
- Types of data collected and stored
Companies that store financial details, Social Security numbers, and other types of sensitive information are especially attractive targets for hackers.
Cyber Insurance Outlook for 2019
- Cyber insurance direct written premiums grew by 12% in 2019 to over $2.2 billion, versus 8% growth in 2018, with $1.3 billion in cyber stand-alone direct premiums written in 2019, up nearly 14% from the prior year.
- Cyber insurance is a fast-growing market. Aon reports that the number of U.S. cyber insurers grew from 140 in 2016 to 170 in 2017, while direct written premiums went from $1.35 billion to $1.84 billion.
- According to A.M. Best, Chubb INA Group had $284.4 million in cyber insurance direct premium in 2017, making it the top cyber insurer.
- The Hartford Insurance Group had the greatest number of cyber policies in force.
How can businesses manage Cyber Risk?
Here are the main takeaways you should pay attention to:
Keep up with tightening regulations.
Make sure you’re in compliance with new laws regarding data breach notification and consumer privacy rights. The GDPR went into effect in Europe in 2018. The new NYDFS Cybersecurity Regulation impacts financial organizations and is now in effect. The California Consumer Privacy Act will go into effect in 2020.
Beef up your security.
This means updating your systems to include the latest security patches, the best anti-virus protection, and encryption. It also means training your workers on how to keep data safe and how to avoid phishing and business email compromise scams.
Don’t assume you’re not a target. Nobody’s immune.
Even with good security measures, your company could fall victim to a data breach or other attack. Plan a good response that protects your company and your customers – and invest in cyber insurance.
Know that cyber-readiness may impact your credit.
CNBC reports that Moody’s Corp. has announced that a company’s cyber defenses, including breach detection and response, will soon be higher priorities in the assessment of credit-worthiness.
Get your board on-board.
Because cybersecurity can have a massive impact on business operations and profitability, boards must provide corporate oversight. Neglecting to do so may result in directors and officers (D&O) liability exposures.
There’s no sure way to prevent cyberattacks. Your business will eventually be hit – the only question is when. As a recent McAfee report states, “Cybercrime is relentless, undiminished and unlikely to stop. It is just too easy and too rewarding and the chances of being caught and punished are perceived as being too low.”
Mitigate Risk and Create Value
Creating value in your supply chain while simultaneously mitigating risks to your company requires a coordinated effort between multiple stakeholders in the business, including IT, networking, supply chain, procurement, HR, legal, compliance, and finance. Vetting potential third-party relationships is a critical first step in mitigating risk to your organization, but it is only a first step. By working together across the business, these stakeholders can design a strategy for using third-party relationships to increase value within the supply chain. Companies that succeed can both protect their brands and drive business growth.