Best practice alignment for supply chain security across standards and regulatory frameworks

By Jesus Muñoz Miguelañez, Global Director of Operational Security; Nuria Talayero, Head of Digital Public Policy, Telefónica S.A.

According to a recent study conducted by the World Economic Forum, 39% of surveyed organizations in 2022 had been affected by a third-party cyber incident. In other words, they were “collateral damage” of a cyberattack that reached them through their supply chain. Increasingly, threat actors are targeting small and medium-sized suppliers that may use less robust cybersecurity practices, with the aim of then surreptitiously accessing the systems of an intended target among the supplier’s clientele. By breaking into a provider’s systems, an attacker could potentially compromise any organization that uses its product or service, including larger companies, government agencies, and even critical infrastructure or essential services.

These incidents show the interdependence of companies, and the increasing need to address the security of the ICT supply chain as a whole by identifying and strengthening the weakest links. There is also a growing regulatory concern about supply chain security that is being translated into proposals ranging from reporting or vulnerability disclosure to restrictions or obligations on providers under various regulatory standards and frameworks.

How can companies better protect their supply chain to reduce risk and enable a more agile response?

Traditional approaches to supply chain risk management have limitations: they do not increase cyber protection, they are not generalized in how they diversify and secure the supply chain, they waste time and money, and they lack cyber risk context. Importantly, small and medium-sized enterprises in the supply chain may struggle with responsible cybersecurity practices, including compliance with recognized standards. Below is a selection of supply chain best practices, drawn partly from the RSAC ESAF report “How Top CISOs are Transforming Third-Party Risk Management”, which is based on interviews with Chief Information Security Officers (CISOs), and partly from Telefónica’s own experience.

A third-party security risk management procedure, tied to contracts and to the selection of suppliers, makes it possible to determine:

  1. a supplier’s ability to implement appropriate technical and organisational measures, and whether it has the skills to ensure an adequate level of security across its services;
  2. whether the supplier’s level of experience, and the maturity of the technology it uses, are sufficient to provide the requested services in a risk-based manner;
  3. the country of origin and the geographical location of the supplier and of the assets that will support the service, which could pose specific threats and/or be subject to specific jurisdictional or compliance requirements.

It is also necessary to standardise the approach to risk management in a joint procurement and security strategy based on a principle of co-responsibility of employees and suppliers for meeting pre-established cybersecurity requirements, including on diversification. Management indicators, checked periodically (including through audits), are needed to monitor and identify points for improvement throughout the supplier lifecycle, including at termination. Key elements of such a strategy include the following:

  1. Focus on a short list of priority security requirements based on a risk assessment, rather than overloading the supplier, and ensure monitoring, oversight, and compliance.
  2. Reduce the impact of third-party incidents via discrete actions like diversifying the supply chain, applying zero trust policies, developing incident response plans, conducting tests, and demanding early reporting of incidents by suppliers.
  3. Actively partner with suppliers to help them improve their security programs, offering support mechanisms and training to protect against incidents or respond to them as they occur. Third-party incidents will happen, so preparing to manage their impact on the enterprise must be a core priority.
  4. Consider leveraging emerging technologies such as blockchain for information sharing and asset management to minimize the consequences of third-party cyber-incidents, as well as artificial intelligence and advanced analytics to scale incident detection and response capabilities.
  5. Add incentives and enforcement mechanisms to contracts, setting requirements for suppliers based on international standards (e.g. ISO 27001 for information security, ISO 27701 for privacy, ISO 22301 for security and resilience).
  6. Establish processes to increase business leaders’ involvement in managing third-party cyber-risks. Doing so needs to be a priority at the most senior levels.

How can policymakers better ensure protection of supply chains in a global world?

The globalisation of the enterprise supply chain poses new challenges for effective risk management in line with national security interests, which may call for tailor-made requirements.

The aim should be to achieve harmonized requirements across markets based on business best practices and international standards. Many past efforts to harmonize requirements and assessments have failed to reach agreement and have unfortunately increased the complexity of compliance, thereby increasing risk. As a result, it is proving difficult and costly for prime contractors for specific services to understand and manage the risks of multiple subcontractors.

Europe’s recently approved Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), applicable from January 2025, will test the waters further on supply chain protection. Among other things, it includes provisions on contracts, security standards, risk management, rights of access, inspection and audit of suppliers, risk and resilience training and awareness-raising for staff, and governance structures for security management.

Additionally, to sustain the resilience and competitiveness of supply chains, diversification is key. Decisions restricting critical components from specific vendors need to be proportionate and based on facts and risks, as excluding providers has a high impact on costs and may affect service, resilience, and market development.

A cooperative and coordinated approach among all stakeholders is the best means by which governments can raise baseline cybersecurity standards while avoiding over-reporting and generating an efficient, common, trust-based practice, particularly in the supply chain. Finally, as the International Chamber of Commerce sets out in its cybersecurity brief, enhancing multistakeholder cooperation to counter cybercrime and implementing rules for responsible state behaviour are essential to reduce cyberattacks, and thus increase security.