Managing Cyber Supply Chain Risk
Q2 2024
An organization faces cybersecurity risks at several junctures in its supply chain, including risks stemming from a vendor’s cybersecurity missteps or misfortune. This risk was very apparent recently when a cyberattack against a single company affected operations at a large number of healthcare businesses.
A ransomware attack against Change Healthcare in February 2024 caused a system shutdown lasting more than a month. Change provides electronic infrastructure for payments and other matters to healthcare providers, pharmacies, and other healthcare businesses. Change is widely used in the industry, and its shutdown prevented its customers from issuing bills, receiving payments, issuing electronic prescriptions, and performing many other functions.1 Many healthcare providers experienced significant financial hardship and impact on their businesses.
As the Change Healthcare attack demonstrates, supply chain cyber risk can affect an entire industry. The level of supply chain cyber risk is rising, too, as companies increase their reliance on third parties to supply essential goods and services that depend on the functionality of the vendors’ information and operational technology systems. Cyber attackers know all too well that breaching the IT systems of a key vendor such as Change Healthcare can create enormous disruption to many other companies. That fact can give a threat actor immense leverage in an extortion situation.
There are steps organizations can take to avoid becoming victims of their vendors’ cybersecurity incidents or at least minimize the impact of these incidents. Those steps include enhanced review and verification of their suppliers’ cyber risk controls and risk transfer strategies available through appropriate cyber insurance products.
A company’s risk management strategies should seek to ensure that its suppliers maintain appropriate procedures, policies, and standards. This should involve creating a cyber vendor risk management (CVRM) program. A comprehensive CVRM program should include:
Risk transfer through insurance coverage is critical to a comprehensive risk management strategy. There are carefully designed insurance products that can protect a company from damaging fallout from cyber incidents in their supply chains.
Contingent business interruption (CBI) insurance coverage is widely available. Moving forward, organizations can expect underwriters to scrutinize the policyholder’s vendor management and business interruption protocols related to:
As more vendor cybersecurity events occur, policyholders may find that insurers want to limit CBI coverage. We have already seen insurers impose sublimits. We may see more drastic limitations if the Change Healthcare incident and others adversely impact cyber insurers’ profitability.
The cyber insurance marketplace will continue to innovate and provide new risk transfer solutions. Parametric policies providing CBI coverage are one example. A parametric policy requires the insurer to pay an agreed-upon, fixed amount following confirmation of a specified insurable event. This could include, for example, a service outage suffered by a major cloud provider such as Amazon Web Services, Google Cloud, or Microsoft Azure.
Sound supply chain risk management is essential. Organizations must identify exposures and actively manage this rapidly evolving area of risk. Proactive controls such as CVRM and sound terms in vendor contracts will assist with mitigation. As with other areas of risk that carry substantial financial consequences, insurance-based risk transfer should be seriously considered.
IMA maintains a practice group with experienced professionals 100% dedicated to cyber risk management. Our team assists clients in coverage analysis, financial loss exposure benchmarking, contract language review, cyber threat analysis, and placing tailored cyber insurance programs.
Tim Burke
EVP, Head of Cyber | Commercial E&O
William Boeck
EVP, Cyber Product Leader
Angela Thompson
Sr. Marketing Specialist, Market Intelligence & Insights