A board’s response to supply chain cyberattacks

Three practical steps for a balanced approach

Successful supply chain cyberattacks are particularly troubling because they poison a trusted well. So how does the board help management answer challenging questions related to supply chain preparedness, given recent events and the expectation that such activities will increase in both frequency and severity?

The board must ensure that management has right-sized the company’s approach to addressing this issue. The questions are no different for a public versus a private company or a Fortune 500 compared with a mid-market business. But the answers will vary, and how the board reacts — via thoughtful challenges to management’s responses — will determine whether there is sufficient risk coverage. From the board’s perspective, there are three legs to this stool.

First leg: Meaningful protection, indemnification, cooperation and disclosure

Has the company contracted for basic protections regarding incidents caused by and/or implicating key vendors and suppliers? Has the organization sought indemnification from these key parties, and is that indemnification meaningful? In the risk-management arena, there is a marked difference between being entitled to a legal judgment and collecting from one. If your company’s supply chain contracts include a deal with a cloud provider with $20 million in annual revenues, and a cyberattack on that provider results in a $200 million exposure, your organization will likely be entitled to a reimbursement it will never obtain.

Notice provisions are also important. Have you required vendors to notify you in a timely way of incidents that implicate your organization? Likewise, have you contracted with these vendors to require cooperation during active incident responses and/or investigations? Failing to have these options can be a source of costly delay, at a minimum. Having them in place before an incident can provide you with significant advantages.

These basic protections should be considered before anything else. Directors can encourage the company’s risk managers to both identify and improve upon existing exposure with better notice, cooperation and indemnification terms. Likewise, directors can collaborate with legal counsel to ensure that these protections are meaningful should you ever need to rely on them for an active incident.

Second leg: Know thyself and take on what you can

The second leg of the stool relates to evaluating the organization’s existing capabilities related to updates, patches and new releases entering the IT environment. Companies with robust IT shops may be able to vet major and minor software releases to guard against future supply chain attacks. But many organizations may not be able to do this.

With the benefit of perfect hindsight, many of the malicious “enhancements” in the SolarWinds code base would have been red flags (e.g., new code functions permitting modifications to user and account privileges in what was ostensibly a minor product release). Directors should be pushing their management to be certain about the organization’s ability to perform vetting of this kind. If this is not something that can be done in-house (i.e., software composition analysis via security scanning of third-party software components), are there reliable third parties that can perform this function? At root here — whether done in-house or by a third party — is whether the organization can contextualize code-level changes and measure whether such changes are both expected and reasonable in such updates.

If your company can neither take on nor contract with a third party for such assessments, what other options are worth exploring? Can you revert to the publisher of the patch/update/release and require (or at least request) that some independent vetting of the code changes be performed? Perhaps this risk can be addressed by obtaining and carefully reviewing a Statement on Controls report or an Agreed-Upon Procedures report about the nature of the changes within the patch/update/release in question. Your organization must know its capabilities (given its technical aptitude and risk appetite), it must take on what it reasonably can, and it must seek other methods to address risks the organization cannot address on its own.

Third leg: Insuring for remainder and residual risks

The third leg of our proverbial stool is to work with your risk management teams — and very likely your insurance broker — to explore whether you can insure for the residual risk. Given the dynamic market for cyber coverage, with new products arriving on the scene every six to eight months, there may be new products that cover your residual risk. Indeed, it might be possible to manuscript such coverage, given carriers’ desire to address a nascent and only partially tapped market.

Directors are uniquely situated to provide oversight to management teams seeking to address these critical issues. They have a perspective that allows for best practices to be brought to bear from different industries and contexts that aren’t always known to management teams. Accordingly, directors play a crucial role in helping organizations find a balanced approach to addressing the threat of supply chain cyberattacks. Grant Thornton advises numerous boards and can answer questions or further discuss any of the recommendations here.