Business Insurance
A Guide to Understanding Your Data Supply Chain Security
April 21, 2022
As CFO, Carla was used to discussing supply chain issues with the procurement department, especially since two months’ worth of parts were stuck on a container ship offshore and were impacting cash flow. But she was surprised when Eric, the company’s highly respected CIO, said he wanted to talk about the supply chain.
Eric and his team had done an excellent job of educating the company’s management team about cyber risks and preparing the company for various scenarios by implementing multifactor authentication, instituting stronger data backup systems, and training employees to identify and report phishing emails—which had saved the company from a potentially costly situation only a week ago. So when Eric said, “It’s time to strengthen our data supply chain,” Carla was ready to listen.
Related Reading: E-Book: 6 Steps to a Better Cyber Insurance Policy
Defining Your Data Supply Chain
A company’s data supply chain comprises the people, organizations and systems that access its data in the course of doing business. It could include people who visit the company and use its Wi-Fi during a meeting. It could include a payroll software program that works with the company’s personnel information. It could include a supplier that sends and receives inventory and scheduling updates. Technology underpins almost everything we do today, and each of those touchpoints is part of the data supply chain.
A data supply chain attack—sometimes called a value chain attack or third-party attack—occurs when a bad actor infiltrates a company’s information technology system through a third party. One notable example occurred back in 2013 when bad actors gained access to the servers of retail giant Target by using credentials stolen from one of its HVAC contractors. The cybercriminal was able to access information tied to millions of debit and credit cards. A segmented network could have lessened the damage.
To strengthen its data supply chain, a company must first evaluate the chain’s components. Begin by identifying what needs to be protected, from whom, and on which technology platforms.
Which data assets need protection? Just as a company takes stock of its physical assets, it also should take stock of its data assets. Data assets can include such things as documents, files, engineering prints, intellectual property, credit card numbers, client data, financial accounts, patient health information and personally identifiable information.
Also, keep in mind that hackers don’t focus solely on stealing private data and freezing information technology systems. Many target operational technology (machines, assembly lines, logistics). Shutting down production can create havoc. Business interruption is a major concern. To prevent bad actors from accessing operational technology, it should be segmented from informational technology.
Who has access? For each data asset, consider who has access to the network(s)—and who could make the company most vulnerable. These “third parties” can include entities such as financial institutions, payroll companies, companies that perform maintenance on the company’s computer-enabled (“Internet of Things”) equipment, suppliers, customers, business partners and employees.
What are the critical data systems? Finally, identify the company’s critical information technology systems—those that would make it difficult or impossible to perform business as usual without. These can include things such as the cloud (i.e., remote servers belonging to another party), email, Wi-Fi, software applications or even access to another party’s network.
With this basic information in mind, the next step is to establish a plan for reducing risks as much as possible.
Protecting Your Data Supply Chain
Because every organization is unique, there is no “one-size-fits-all” cybersecurity plan. However, there are certain steps every company can take to improve its data supply chain security.
Control who has access to systems and applications. Use passwords and multifactor authentication to control access. Consider adding language to third-party contracts that clarifies who is responsible for a breach resulting from a contractor’s or vendor’s negligence
Segment the network to control the amount of access users have. Not every employee needs access to all systems, applications or parts of the company’s network. That is even more true of third parties. Limit each user’s access to only what is needed to perform work or complete a necessary transaction. If a system is compromised by a bad actor, network segmentation makes it easier to discover what has happened, limits the amount of potential damage and reduces overall downtime.
Routinely install software patches. Software vendors issue updates and patches to resolve product weaknesses as they are discovered. It is important to install and test them promptly when they become available. Failing to make timely updates or install patches is akin to not only leaving your home unlocked when you leave for a lengthy trip, but also leaving the doors and windows wide open.
Vet third-party data security controls. Ask third parties for proof that they have implemented and are complying with an appropriate security framework. Ask about the controls and processes (such as those discussed above) they have in place to safeguard your company as well as their own. Remember that the data chain is only as strong as its weakest link.
Confirm the existence of cyber insurance. Make sure that each third party that works onsite or interacts with your company’s network or data has a cyber liability policy with appropriate limits to protect your business in the event of a cyberattack. Keep in mind that a bad actor already may have infiltrated a third-party’s network and is looking for the opportune time—and target—to attack.
How Your IT Department Influences Your Insurance Rates
Because of the growing number and magnitude of cyber events in recent years, cyber insurance has become more difficult to obtain. Underwriters are asking more questions before deciding whether to offer a policy and under what conditions. Companies that can show they have evaluated and addressed their risks put themselves in a better position than others not only to obtain a cyber policy with favorable terms but also to recover better when a cyberattack occurs.
Hylant supports the great work of today’s corporate IT teams in identifying specific areas of vulnerability and quantifying their potential impact. By understanding the relative probability and magnitude of cyber exposures, corporate leaders can make better decisions about process changes, security investments and cyber insurance protection. Contact Hylant here to learn how we can help.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.
Authored by
Alex Clark
Cyber Risk Practice Leader
Indianapolis
Alex helps clients understand emerging technology risks and the importance of pre- and post-breach readiness. He takes a hands-on approach to placing coverage and ensuring clients know how to use their cyber policy, prevent incidents, minimize payouts and execute incident response plans.