COVID-19 and Supplier Risk

by Justin Luebke

These are unprecedented times, and the impact of COVID-19 is already evident in the economy and in business/supplier relationships. Some organizations are better prepared than others because they have built strong relationships with key suppliers. These organizations have put systems in place to provide visibility across their extended supply network, so they understand their risks and can drive specific actions based on their priorities. Others still need to take some basic measures for managing risk from their suppliers:

Establishing trust in unprecedented times

Each business is dealing with the pandemic differently: for some, business is growing (e.g. retail food businesses), while others are trying to stay in business at all. In a connected ecosystem, suppliers are equally impacted, and the first order of business is to establish trust and transparency with your suppliers. Corporate leaders, through their actions, communications, prioritization and direction, must instill the importance of dealing with a pandemic as well as the need for suppliers to work together at this crucial time. Knowing who your suppliers are, and the level of dependency on each of them, is of paramount importance to building a secure and trustworthy ecosystem.

Keeping critical services running through innovation

In times like these, continuing to run critical business operations is paramount. The need to survive is driving businesses to innovate new ways of operating: liquor companies and chemical factories are making sanitizers, event companies are running virtual conferences, retail outlets are trying delivery and online-shopping mechanisms. Knowing how these innovations change the way you interact with your suppliers is important, because it affects how they access and use your information. Their access to and use of your information in turn affects the inherent risk associated with each supplier. As a result, re-reviewing the inherent risk of your suppliers (for example, a supplier that previously received only a product catalogue but now receives customer delivery addresses has moved into a higher risk tier) is critical to ensuring your innovation isn't outweighed by the risk it introduces.

Getting ready to work from home

With most countries requiring people to stay at home, businesses are asking employees to work from home, and this has to be extended to suppliers. Traditional ways of operating across extended business networks (such as dedicated MPLS links between sites) have to be reviewed, which means new controls have to be established to ensure uninterrupted and secure operations. Secure remote connectivity (from home), controlled access to critical information, and secure communication channels are some of the key controls that need to be tested. Reviewing your suppliers' operations (including how they extend connectivity to their own employees connecting from home) and evaluating the associated cyber security controls is critical, especially at a time when there is a significant spike in threat activity. Performing cyber security assessments of your suppliers is crucial to ensuring your remote workforce is secure.

Given the effort required to conduct this exercise, and given that the testing of key controls is common across suppliers and is a need for every business organization, using an exchange-based utility model such as CyberGRX makes business sense. CyberGRX is time efficient and cost effective, and it also combines threat intelligence with supplier responses to identify the controls that need improvement. The exchange model allows a supplier to demonstrate its controls once to all of its clients.

Finally, business resilience: a key factor for survival

The operational and economic impacts, along with the human resource issues, associated with the pandemic are testing the business resilience measures of organizations and their suppliers. Organizations are prioritizing and investing in improving their contingency plans. However, these plans need to be evaluated. Some of the key business resilience controls that should be tested include:

  1. Presence of a risk management function that considers legal, operational and supplier risk (Risk Management).
  2. Knowing the impact of business-critical operations and ensuring that they keep running, which requires new ways of connecting (remote operations) and communicating (virtual conferences), etc., and a secure supporting infrastructure to protect against threats (Business Impact Analysis and associated Business Contingency Plan).
  3. Communication with all stakeholders, including checking on their well-being on a periodic basis (Crisis Communication Framework).
  4. Presence of insurance coverage, including cyber insurance, given that attacks are increasing substantially (Cyber Insurance).
  5. Finally, updating contingency plans regularly to reflect lessons learned from testing, technology changes, and requirements from the latest Business Impact Assessment (BCP Testing & Updates).

All of these controls are important components of an organization's supplier control questionnaires and are part of the CyberGRX question set as well.

Vikram Asnani
Sr Director Solution Architecture