Third-Party Cyber Risks At The Core

With increased cyberattacks against organisations’ supply chains, Board of Cyber has interviewed several companies to better understand how they handle third-party cyber risks regarding suppliers, the tools at their disposal, their methods and their current expectations.

Faster digital transformation means that organisations are becoming more and more exposed to cyber risks. At the same time, they are relying more and more on suppliers and subcontractors, and are increasing their third-party risks. Attacks are increasingly being made on organisations’ supply chains: when an organisation is attacked, an average of 150 businesses are endangered because of the knock-on effect.

Board of Cyber’s first White Paper presents an exclusive survey carried out among the Chief Information Security Officers (CISOs) and Directors of Cyber Security of about 30 companies, 18 of which handle over 1,000 suppliers. These companies rank among the world leaders in their sectors: Energy, Transport, Construction industry, Chemical industry, Retail, Services, and Luxury. 

It transpires that 49% of the companies surveyed regard third-party cyber risk as “very high”, and 41% regard it as “high”. However, although 90% of the companies are highly concerned by the risk, it is followed up by only one out of two boards of directors (48%). Regulatory pressure should increase awareness: 52% of companies surveyed will be modifying their approach to third-party risk as part of the new NIS2 and DORA regulations.

Board of Cyber has also attempted to identify obstacles to third-party risk management. These are quite clear: the lack of time and procedures for taking on a heavy and costly workload, the difficulty certain suppliers have in making the necessary investment and, more generally, a lack of cyber maturity on the part of certain suppliers, which means that a considerable amount of instruction must come from those who place orders.

The survey also analyses the many methods and tools organisations use to deal with third-party risk regarding suppliers. Although they often combine plans for guaranteeing security with measures for audit and risk analysis, the CISOs express a certain dissatisfaction and would like to see new solutions, like cyber ranking and automated measures. 

“Increasing geopolitical risks and their economic consequences must bring organisations to realise that cyber risks must get priority treatment. With regard to third-party risks, a global, holistic approach is needed. This White Paper shows that companies want rationalisation and automation to make up for the lack of time and means, and the very varied levels of cyber maturity of subcontractors,” said Luc DECLERCK, Managing Director of Board of Cyber.