Navigating cyber risk in the supply chain with confidence

Cyber Resilience | Article | November 23, 2023

This article counts towards accumulating your annual CII CPD structured learning hours for Business Interruption. By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Summarise the key components of a business continuity plan and/or the benefits of supply chain risk management. Visit the CPD Hub to log in and begin accumulating CPD hours.

Andy Insley and Nnamdi Ahuchogu


One of the most significant supply chain risks is cyber

Modern organisations rely on their digital supply chains. From traditional IT (information technology) to innovative AI (artificial intelligence) technologies that solve complex problems, the range of digital products and services is large and growing. Where there is reliance there needs to be resilience. The 2023 BCI (Business Continuity Institute) supply chain resilience report found that 55% of respondents named the risk of a cyber-attack on a supplier as their main supply chain resilience concern [1].

Your supplier’s cyber resilience could affect you

Data is a source of competitive advantage and value for many organisations, and should be protected like any other critical asset. The security of sensitive data such as private customer information, intellectual property, financial records, and trade secrets can be as important as plant and machinery.

If you trust a supplier with your physical assets, you work hard to ensure they keep them safe from theft or damage. Suppliers that process or access your data assets are no different. In 2022, thousands of schools in the US reported that pupils' sensitive personal information had been exposed after a software supplier was targeted by cyber-criminals. Although the third party suffered the attack, it was the executive management of the schools who were accountable for the loss of the data [2].

Cyber-attacks in the supply chain can disrupt your organisation in a more direct way. A ransomware attack on a logistics provider can lead to delays in shipping or distribution. This can have cascading impacts across the entire supply chain.

In February 2022, Toyota had to halt its production lines because a key supplier was unable to fulfil orders after a cyber-attack on its production facility [3]. Even when suppliers provide tangible products rather than digital services, it is important that you understand their level of cyber resilience. Supplier selection due diligence typically considers financial resilience and geographic and political factors. Cyber resilience is just as important.

Assessing cyber supply chain risk

At first glance you might think the technical language and apparent complexity of IT systems make understanding cyber risk challenging. Does dealing with cyber risk in the supply chain have to be more complicated than other types of third-party risk? The good news is that it doesn't. The UK Government's National Cyber Security Centre (NCSC) guidance for managing cyber risk in the supply chain uses standard third-party management concepts that supply chain managers will already be familiar with [4].

We think these principles are the most important:

  • Understanding what needs to be protected and how third parties could introduce risk to your critical data and processes.
  • Establishing minimum risk-based criteria for cyber security practices for supply chain partners and educating stakeholders to build them into sourcing requirements.
  • Regular monitoring and evaluation of the cyber security posture of suppliers alongside other third-party risks such as financial, geopolitical, climate and Environmental, Social and Corporate Governance.
  • Where minimum criteria are not met, ensure the level of risk is understood and formally accepted; if the risk posed by a supplier is unacceptable, be prepared to act. Where possible, build your requirements into your legal arrangements and be clear about each party's responsibilities for cyber security, and about the arrangements and protections in place for your organisation if the supplier is affected by a cyber-attack.

Managing cyber risk in the supply chain is necessary but shouldn’t be difficult

As the range of digital technology and services increases, so does our dependency on them. You already manage financial, geographic, and other risks in the supply chain. Cyber risk can be managed in a similar way by building cyber risk into sourcing requirements and working with critical partners. In a digitally connected world cyber resilience in the supply chain isn’t a nice to have. It’s a necessity.

How can ZRS (Zurich Resilience Solutions) help you assess your supply chain cyber risk?

  • We have an experienced team of supply chain and cyber risk management consultants ready to help your organisation build an effective supply chain cyber risk management strategy.
  • Utilising the Zurich Risk Management Framework, our experts can analyse your exposures, hazards, and controls as they relate to your supply chain cyber security processes and procedures.
  • Help you determine your tolerance for cyber risk in the supply chain and translate that to minimum standards.
  • Help you to assess your suppliers in a practical and efficient way based on the risk they pose to your organisation.
  • Ensure you have controls or processes to manage and reduce the residual risk to within your appetite or tolerance.

For more information about the services we offer and how they can help you with these issues, please contact us.

References

  1. https://www.thebci.org/resource/bci-supply-chain-resilience-report-2023.html
  2. https://www.ekathimerini.com/nytimes/1190579/
  3. https://www.cpomagazine.com/cyber-security/toyotas-supply-chain-cyber-attack-stopped-production-cutting-down-a-third-of-its-global-output/
  4. https://www.ncsc.gov.uk/collection/supply-chain-security
