Why businesses need commercial cyber risk insurance
Supply chains are complex, dynamic networks. Recognising potential points of entry makes it possible for all businesses along the chain to build up their defences against potential cyber-attacks. But how well people understand third-party risk is a mixed bag, and that matters: the blind spots which attackers exploit can have far-reaching consequences, such as malware infiltration resulting in the loss of customer data.
To understand business perception of supply chain risk and the ramifications of a supply chain data breach, PolicyDock took a look at PwC’s 2022 Global Digital Trust Insights Survey and a threat landscape analysis produced by the European Union’s Agency for Cybersecurity in July. Here are the highlights:
Source: PwC 2022 Global Digital Trust Insights Survey
Based on PwC’s survey, which types of risk do people understand best, judged by formal, enterprise-wide assessments?
- Data breaches – 41%
- Privacy violations – 39%
- Cloud risks – 37%
- IoT/technology vendors – 35%
- Software supply chain risks – 34%
- Nth party risks – 31%
To what extent are companies refining criteria for onboarding and ongoing assessments?
42% of respondents said they are doing this. Publicly listed organisations are more likely to act.
The EU report studied 24 supply chain attacks that happened between January 2020 and early July 2021. Based on their observations, how were suppliers attacked?
- 66% unknown
- 16% exploiting software vulnerabilities
How were customers attacked after suppliers had been compromised?
- Abusing the trust of the customer in the supplier (62%)
- Malware (62%)
What did the attackers want to access?
- Customer data (58%)
- Key people (16%)
- Financial resources (8%)
In the EU report, did the end user know about an attack when a supplier was compromised?
No. In nearly 2 out of 3 cases (66%) analysed, suppliers did not know or were not transparent about how they were compromised. Less than 9% of customers compromised through supply chain attacks did not know how the attacks happened. The notable disparity could be due to factors such as an unwillingness to share information, the complexity of the attacks, and slowness in identifying an attack.
Who is behind the attacks analysed in the EU report?
Half of the attacks were attributed to Advanced Persistent Threat (APT) actors. The people who carry out these attacks do not necessarily use code, exploits or malware that the report’s authors regard as ‘advanced’. Rather, the perpetrators are described as such because a successful supply chain attack is a deliberate and complex undertaking.
What can companies do to protect themselves against supply chain attacks?
These are some ways companies can proactively protect themselves against supply chain attacks: refine the criteria for third-party assessments, rewrite contracts, and perform more rigorous due diligence. Unfortunately, more than half of those surveyed by PwC said they had not done this in the past 12 months.
Note:
The Federation of Small Businesses in the UK recommends asking business partners for details about their cyber security insurance, in the same way that you would expect them to have proper fire and property insurance.
For more information about how PolicyDock can be your partner in cyber insurance, contact us here.