In today's interconnected world, the risks faced by third-party providers can quickly become an organization’s own problems. Earlier this year, we hosted a webinar with SecurityScorecard entitled “Supply Chain Guardians: Strategies for Resilient Ecosystems” to discuss key steps to achieving supply chain resilience. Together we explored how to proactively mitigate risk by leveraging strategic partnerships and bolstering third-party relationships to fortify business continuity. Here are the highlights:
Supply Chain Risks Still Persist
Every day, Supply Chain Guardians navigate risk across many dimensions to ensure access to critical resources, such as raw materials, food, medicine, and gas. These Guardians are a diverse group of people who work throughout the value chain to create and enforce controls and take responsibility for risk management.
Global supply chains have faced decades of disruptions, including the U.S.-China trade war, the COVID-19 pandemic, various Suez Canal disruptions, and the consumer goods boom stemming from the Russia-Ukraine war. Supply chain disruptions have also included a variety of data breaches, natural disasters, financial failures, and operational difficulties.
While supply chains largely normalized over 2023, significant risks remain, including labor action, climate change, and cybersecurity. Supply chains need to be more resilient, but will corporations and their investors be willing to make the investments necessary to build that strength?
- Labor. According to the Institute for Supply Management's semi-annual forecast, employment growth is expected at 2%, with wages and benefits rising by 5.2%. Costs will therefore increase and must either be passed on to consumers or offset by productivity gains; a supply chain disruption undercuts that productivity.
- Climate change. From 1922 to 1980 there were approximately eight significant billion-dollar disaster events. In 2022 alone there were 18, and the fear is that more will come.
- Cybersecurity. The average cost of a data breach in 2023 was about $4.5 million, approximately a 50% increase over three years, which poses significant financial risk.
Polling of webinar attendees showed that 55% consider cybersecurity the major risk, 27% geopolitical issues, and 3% trade policy and labor costs. No one chose climate change.
Reliable Data is Critical
Business leaders and risk managers need reliable data and analytics to continually evaluate their growing roster of suppliers, since the roster brings a complex set of risks across multiple dimensions.
For example, when it comes to credit, how financially resilient is a supplier? Then there are political, economic, legal, sustainability, and operational risks to consider. Depending on the country of domicile, these could be extreme.
The Supplier Risk Indicator™ is a solution that consolidates these dimensions of risk into a single metric that captures each supplier’s unique risk profile.
Supplier Risk Indicator
Deep due diligence is needed with new suppliers, plus continual monitoring of those relationships over time. Supplier Risk Indicator (SRI) is a fully automated, multi-dimensional solution that provides immediate access to millions of risk profiles. Bringing together leading datasets, algorithms, and practitioner expertise, SRI spans multiple risk dimensions that affect the entire supply chain, including cybersecurity, business resilience, financial stability, location, and sustainability.
SRI translates these complex factors into a single indicator on a 100-point scale that can be compared against a benchmark or peer performance, explored in detailed reports, and tailored to a firm's risk parameters and desired metrics. It generates real-time information and supports monitoring and alerting, notifying a user of changes in any sub-component of interest.
This helps users efficiently review a large portfolio of suppliers, which matters increasingly as global regulators turn their attention to medium- and low-risk suppliers in addition to those that are critical or high-risk.
Risk Indicators from Leading Sources
SRI integrates risk data and analytics from S&P Global with select third-party intelligence to generate a detailed and balanced picture of a supplier's risk. For example, it draws from:
- S&P Global Market Intelligence’s RiskGauge™ that offers a holistic assessment of financial resilience and creditworthiness.
- SecurityScorecard’s Cybersecurity Scorecard that supplies cybersecurity ratings, response, and resilience data.
- S&P Global Market Intelligence’s Economics & Country Risk that provides a 360-degree perspective of country and sovereign risk scores.
- S&P Global Sustainable1 ESG Scores and raw data that provides in-depth data intelligence on company performance, and the management of ESG risks, opportunities, and impacts.
- In addition, newly established relationships will provide information on sanctions screening and adverse media.
Users can also input their own data and create a wide variety of portfolios to zero in on industries or look at specific types of suppliers.
Many Facets are Considered
Each indicator is based on comprehensive multidimensional risk data and can be benchmarked, monitored, customized, and contextualized, with the ability to drill down to sub-indicators and view deep-dive reports.
Figure 1: Sample Supplier Risk Indicator
Source: S&P Market Intelligence. For illustrative purposes only.
The upper left-hand corner of Figure 1 shows a score of 76 out of 100 for this supplier. The bottom right-hand corner shows Resilience, a combination of a financial rating and location risk. Location risk in turn includes many components, such as political, economic, legal, tax, operational, and security risk for a location, so results for a supplier in France will look different from those for one in the U.S.
The Conduct Score at the top right (42 here) reflects a company's environmental, social, and governance (ESG) stance and shows which of the three components is stronger or weaker than the others. In the center, the Cybersecurity Score of 93 comes from SecurityScorecard, along with the details of how it was calculated; here most factors show green, with one amber. The view also shows how this supplier performs on cybersecurity relative to its peers.
SRI provides a quick snapshot of a supplier's score so a company can see whether it meets the company's threshold. If it falls below that threshold, a deep dive into the details can reveal more about the potential risks.
The Cybersecurity Score by SecurityScorecard
As third-party supplier relationships have grown, how do you protect your data and systems? SecurityScorecard is an information security company that rates the cybersecurity posture of companies by analyzing signals of cyber threats. In effect, its team walks the streets of the entire Internet and notes what it finds. Collection goes beyond web searches, scans, and passive observation to dark web and hacker forums, surfacing findings such as leaked credentials, expired certificates, exposed services, and ransomware activity.
Figure 2: Proprietary Risk and Threat Intelligence
Source: SecurityScorecard. For illustrative purposes only.
The team takes a hacker's view, looks at every Internet Protocol (IP) address, and then performs attack surface discovery. This is the attribution process: it starts with an organization's top-level domain (its registered apex domain) and links it to all the related domains and subdomains the organization uses. That allows all the data collected across the Internet to be joined to the attribution table, which is what produces the scorecard. SecurityScorecard has built many engines to support this effort, complemented by human intelligence overlays based on analysis of campaigns by stealthy threat actors, and more.
The company collects data on all IP addresses and domains and updates it continuously to understand where assets are located geographically and logically in Internet address space. That helps build the relationships between assets and related information, such as which cloud providers are being used. When that is married with the attribution table, it becomes a scorecard.
Figure 3 shows a sample scorecard that presents 10 different areas of security and compares a company against others with a similar digital footprint. The sample company is performing below average next to others of similar footprint size. A score of F carries a 7.7 times greater likelihood of breach than an A.
Figure 3: Sample SecurityScorecard Scorecard
Source: SecurityScorecard. For illustrative purposes only.
To illustrate the detail behind the scores, approximately 30-40 different issue types are assessed for the network security factor alone, such as network exposures, certificate problems, and cryptographic weaknesses, and users can see which events caused a score to change. IP-level and port-level detail is also provided, which is the granularity someone needs to locate and fix an issue.
Companies can be grouped to uncover trends, whether by industry, vendor, or M&A target. Users can readily identify bad scores and those that are deteriorating, which points to commonalities and creates opportunities for remediation campaigns against shared problems.
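As an added illustration of the two steps described above (expanding a seed domain into an attribution table of domains and IP addresses, then joining scan findings such as an expired certificate or exposed services onto that table and rolling them up into a grade), the Python below walks through a toy version end to end. It is not SecurityScorecard or S&P Global code: the organization (example.com, shop-example.net), the DNS, certificate and port observations, the risky-port list, the penalty weights and the letter cut-offs are all constructed assumptions, not the vendor's methodology.

```python
"""Toy attack-surface attribution and finding join.

Constructed data only (hypothetical org "example.com", RFC 5737 documentation
addresses). Added illustration; not SecurityScorecard or S&P Global code.
"""
from dataclasses import dataclass
from datetime import date

# --- Constructed observations -------------------------------------------------
# Forward DNS: hostname -> IPv4 addresses it resolves to.
DNS_A = {
    "example.com":      {"203.0.113.10"},
    "www.example.com":  {"203.0.113.10"},
    "mail.example.com": {"203.0.113.25"},
    "dev.example.com":  {"198.51.100.7"},
    "shop-example.net": {"198.51.100.40"},  # brand domain, only linkable via a shared certificate
    "unrelated.org":    {"192.0.2.99"},     # must NOT end up attributed
}
# TLS certificate seen on each IP: (subject alternative names, notAfter date).
CERTS = {
    "203.0.113.10":  (["example.com", "*.example.com", "shop-example.net"], date(2024, 9, 1)),
    "198.51.100.40": (["shop-example.net"], date(2024, 9, 1)),
    "198.51.100.7":  (["dev.example.com"], date(2023, 6, 1)),  # expired at the as_of date below
    "192.0.2.99":    (["unrelated.org"], date(2024, 9, 1)),
}
# Open TCP ports per IP from a port scan.
OPEN_PORTS = {
    "203.0.113.10": {443},
    "203.0.113.25": {25, 993},
    "198.51.100.7": {22, 3389, 9200},  # RDP plus a search API that is unauthenticated by default
    "192.0.2.99":   {80},
}
# Assumed exposure list: port -> (service, severity). Illustrative, not the vendor's list.
RISKY_PORTS = {23: ("telnet", "high"), 445: ("smb", "high"), 3389: ("rdp", "high"),
               6379: ("redis", "high"), 9200: ("elasticsearch", "medium")}
PENALTY = {"high": 10, "medium": 5, "low": 1}  # assumed weights for the illustrative grade


def belongs_to(name, owned):
    """True if `name` equals an owned name, is under one, or matches an owned wildcard."""
    for o in owned:
        if o.startswith("*."):
            # a wildcard covers exactly one extra label: *.example.com matches www.example.com
            if name.endswith(o[1:]) and name.count(".") == o.count("."):
                return True
        elif name == o or name.endswith("." + o):
            return True
    return False


def attribute(seed, dns, certs):
    """Expand a seed domain into the set of owned names and the IPs they sit on.

    Two evidence sources are iterated to a fixed point: DNS (any name under an
    owned name, and the addresses it resolves to) and certificates (a cert on an
    owned IP that lists an owned name also vouches for its other SANs, which is
    how the separate brand domain shop-example.net gets pulled in).
    """
    owned, ips, changed = {seed}, set(), True
    while changed:
        changed = False
        for name, addrs in dns.items():
            if belongs_to(name, owned):
                if name not in owned:
                    owned.add(name); changed = True
                if not addrs <= ips:
                    ips |= addrs; changed = True
        for ip in list(ips):
            if ip in certs:
                sans, _ = certs[ip]
                # Caveat: a shared CDN certificate lists many unrelated tenants; a real
                # pipeline needs stronger ownership evidence before expanding through SANs.
                if any(belongs_to(s, owned) for s in sans):
                    for s in sans:
                        if s not in owned:
                            owned.add(s); changed = True
    return owned, ips


@dataclass(frozen=True)
class Finding:
    factor: str      # scorecard factor the issue rolls up into
    severity: str
    ip: str
    detail: str      # IP/port-level detail, the granularity a fixer needs


def collect_findings(ips, certs, ports, as_of):
    """Join certificate and port-scan observations onto the attributed IPs."""
    findings = []
    for ip in sorted(ips):
        if ip in certs:
            sans, not_after = certs[ip]
            if not_after < as_of:
                findings.append(Finding("network_security", "medium", ip,
                                        f"expired certificate for {sans[0]} (notAfter {not_after})"))
        for port in sorted(ports.get(ip, ())):
            if port in RISKY_PORTS:
                svc, sev = RISKY_PORTS[port]
                findings.append(Finding("network_security", sev, ip, f"{svc} exposed on tcp/{port}"))
    return findings


def grade(findings):
    """Illustrative roll-up: subtract assumed penalties from 100, map to a letter."""
    score = max(0, 100 - sum(PENALTY[f.severity] for f in findings))
    letter = "A" if score >= 90 else "B" if score >= 80 else "C" if score >= 70 else "D" if score >= 60 else "F"
    return score, letter


def run_example(as_of=date(2024, 3, 1)):
    """Attribute from the seed, join findings, grade; returns everything for inspection."""
    owned, ips = attribute("example.com", DNS_A, CERTS)
    findings = collect_findings(ips, CERTS, OPEN_PORTS, as_of)
    score, letter = grade(findings)
    return owned, ips, findings, score, letter


if __name__ == "__main__":
    owned, ips, findings, score, letter = run_example()
    print("attributed names:", sorted(owned))
    print("attributed IPs:  ", sorted(ips))
    for f in findings:
        print(f"  [{f.severity:6}] {f.factor}: {f.ip} {f.detail}")
    print(f"illustrative score: {score}/100 ({letter})")
```

Run as written, the seed example.com expands to its subdomains, the brand domain shop-example.net (vouched for by the certificate on 203.0.113.10) and four IPs, while unrelated.org is never attributed; every finding lands on the single dev host, and the score drops from 100 to 80 (a B under the assumed cut-offs). The certificate step is the fragile one: a multi-tenant CDN certificate would over-attribute, which is why a production pipeline adds ownership evidence before expanding through SANs.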
Scaling the Analysis
One challenge is evaluating cyber risk correctly across many suppliers. The Supplier Risk Indicator lets this analysis scale and makes it intelligible and digestible for non-technical audiences, so they can see and compare performance across industries and companies.
Click here to request a FREE trial for Supplier Risk Indicator, or watch the webinar recording on-demand here.