Vendor Risk Management – How to Confront Third-Party Cyber Risk in Your Supply Chain

June 2017

TSC Advantage has released a paper that examines third-party cyber risk, the complexities of cyber security and how the growing shift from physical security controls to digital controls in the supply chain introduces new and complex security risks that professionals must seriously consider. The paper warns that cyber security risk is not limited to the IT department but encompasses vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise. The free, 10-page paper is available through the Advisen platform.

Regulators Now Demand Board-Level Attention

In 2017, WannaCry, a ransomware capability released by ShadowBrokers to the general public and exploited by criminal elements, locked upwards of 200,000 computers in 150 countries across sectors including hospitals, finance, and telecommunications. With that kind of damage, it’s understandable that most organizations focus cybersecurity efforts on firewalls, patches, and updates, though true enterprise security also considers additional threat vectors such as insiders and third-party dependencies.

In the white paper Vendor Risk Management – How to Confront Third-Party Cyber Risk in Your Supply Chain, TSC warns that as the risk environment expands, companies should consider whether organizational change is required to elevate supply chain risk management issues and professionals to the C-suite. It further warns that boards of directors often have a lower level of engagement with and understanding of cybersecurity risks, and in particular neglect the risks involved in vendor management systems.

The paper also reiterates that although third-party services and products fall outside what an organization directly controls, the organization has the ability and the responsibility to shape the security environment in a manner that protects it from risk. Third-party cyber risks should in fact be considered upfront when contemplating shifting the operational control of a critical element of the business to a vendor, since doing so means relinquishing some of the company’s own preventative and detective controls.