
Digitized Supply Chains Bring New Cyber Risks



The increasing interdependence and digitalization of supply chains bring increased cyber risk to all parties, but many firms perceive the risks as one-sided, according to the Marsh Microsoft 2019 Global Cyber Risk Perception Survey.

Perceptions of Supply Chain Risk Vary Greatly

The survey found a wide discrepancy in many organizations’ view of the cyber risk faced from supply chain partners, compared to the level of perceived risk they themselves pose.  

Percentage of respondents regarding each risk as “somewhat” or “very high”:

Level of cyber risk posed by our organization to our supply chain: 16%
Level of cyber risk posed to our organization by our supply chain: 39%


This variance is consistent across industry sectors and geographic regions, and the largest organizations exhibited the largest dissonance: 61% of companies with revenues of $5 billion or more say their supply chain partners pose a risk, whereas only 19% say they themselves pose risk to 3rd parties.

Percentage of respondents regarding each risk as “somewhat” or “very high”, by annual revenue:

Level of cyber risk posed to our organization by our supply chain
  Under $25 million (n=182): 28%
  $25 million to $99 million (n=139): 34%
  $100 million to $999 million (n=263): 38%
  $1 billion to $4.9 billion (n=121): 46%
  $5 billion and above (n=81): 61%

Level of cyber risk posed by our organization to our supply chain
  Under $25 million (n=182): 14%
  $25 million to $99 million (n=139): 18%
  $100 million to $999 million (n=263): 14%
  $1 billion to $4.9 billion (n=121): 22%
  $5 billion and above (n=81): 19%


Low Confidence to Manage 3rd Party Risk

The disconnect may be driven by organizations’ low confidence in their ability to prevent or mitigate cyber risks posed by commercial partners. The share of organizations who are “highly confident” about mitigating cyber threats from supply chain partners ranged from lows of 5% to 15%, depending on the type of third party. The proportion who are “not at all confident” was generally twice as high, ranging from 13% to 30%. Overall, 43% reported “no confidence” in their ability to prevent cyber threats from at least one of their third-party partners.

Percentage of organizations reporting each level of confidence in mitigating cyber threats, by type of third party:

Technology suppliers: 15% highly confident, 62% fairly confident, 13% not at all confident, 10% don’t know
Suppliers of outsourced business processes: 8% highly confident, 55% fairly confident, 23% not at all confident, 13% don’t know
Other service or product suppliers: 6% highly confident, 55% fairly confident, 22% not at all confident, 17% don’t know
Freelancers and consultants: 6% highly confident, 47% fairly confident, 30% not at all confident, 18% don’t know
Acquisition targets or recent integration*: 5% highly confident, 46% fairly confident, 21% not at all confident, 28% don’t know


Midsize firms reported the strongest confidence in managing suppliers. For example, 71% of firms with revenues between $100 million and $1 billion were “fairly” or “highly confident” in their ability to mitigate risks from outsourced business process providers, compared with 60% in all other size categories.

This may suggest that midsize firms are small enough to know their supply chain partners’ risks, yet large enough to have the resources to adequately assess and manage them.

Expectations for Third-Party Risk Management

There was also a disparity between cybersecurity measures and standards that organizations apply to themselves, versus those they expect from suppliers.

On balance, respondents were more likely to set a higher bar for their own cyber risk management measures than for their suppliers’.

For example, 56% of organizations said they expect supply chain partners to implement employee training, but 71% said their own organization had implemented training.

Likewise, only 73% expect 3rd parties to improve computer and system security, whereas 89% of companies require that of themselves.

Measures organizations expect their supply chain partners to take, compared with measures they implement themselves:

Disproportionately expected of third parties
  Assess cyber risk and controls against cybersecurity standards: expected of partners 73%, implemented internally 68%
  Benchmark cyber risks against peers and/or industry: expected of partners 37%, implemented internally 30%

Implemented more internally than expected of third parties
  Improve security of computers, devices and systems: expected of partners 73%, implemented internally 89%
  Improve data protection capabilities: expected of partners 71%, implemented internally 84%
  Implement awareness training for employees: expected of partners 56%, implemented internally 71%
  Identify external services, resources and experts to provide support during a cyber incident: expected of partners 34%, implemented internally 47%


Such disparities could lead organizations to think their suppliers are less prepared to manage cyber risk than they themselves are, thus diminishing the organization’s trust in its supply chain.

Supply Chain Risk Must Be a Shared Responsibility

In a world of hyper-connected supply chains, there is a critical need for shared responsibility for supply chain risk.

Every organization needs to understand, have confidence in, and play a role in the integrity and security of its digital supply chain.

“Technological social responsibility”, the recognition by each organization of its role and cybersecurity obligations within the supply chain, should be on the agenda for all industry leaders.