Emphasizing the need to avoid “unforeseen risks” and shift the cyber risk discussion from the IT department to the full enterprise, panelists noted that organizations need to evaluate their dependence on services, deliveries, and materials provided by outside vendors or suppliers and conduct an impact analysis. Very few businesses operate nowadays without the use of suppliers or vendors, the panel commented.
“These cyber risks and dependencies have to have a voice,” said Will Durkee, director of security solutions at TSC Advantage. He urged organizations to communicate the potential business interruption and financial loss due to supply chain disruption up the command chain, allowing the board to accept, reject, mitigate, or transfer those risks.
“It’s not an easy process, but it’s not overly complex,” said Durkee. Basic risk management principles can be applied, even to cyber risks, he added, and legal, finance, and even human resources should be involved in assessing the risk.
Chris Adderton, vice president of the Council of Supply Chain Management Professionals, noted that those unforeseen risks will continue to accrue on balance sheets unless organizations shift to being more proactive than reactive.
Robert Rosenzweig, vice president and national cyber risk practice leader for Risk Strategies, said that businesses also need to ensure that, in the event that risks can’t be fully avoided, they transfer risk appropriately, either to their vendors through contracts or to their insurance policies.