2024 was a year of numerous and notable cybersecurity failures – although, to be fair, most years are now marred by numerous and notable cybersecurity failures. That’s no longer anything special.
What makes 2024 interesting is that its biggest cybersecurity incidents weren’t just compliance failures; they were operational failures of the highest order.
For example, in February 2024 Change Healthcare, a little-known but critical claims-processing intermediary in the U.S. healthcare sector, suffered a ransomware attack. That attack exposed the personal information of some 100 million people; but it also paralyzed pharmacies’ ability to fill prescriptions and hospitals’ ability to schedule surgeries. In July 2024 CrowdStrike, an endpoint security vendor whose software runs on a large share of the world’s corporate Windows machines, shipped a faulty update to that software and crashed those machines at thousands of businesses; airlines couldn’t schedule flights, 911 systems went off-line, logistics firms couldn’t deliver packages. The second incident was not an attack at all, just a defect in a trusted supplier’s own update, and the operational damage was every bit as severe.
This is the world that’s coming: one where cybersecurity threats strike your business through its supply chain and erase the line between a compliance failure and an operational risk failure. The CISO, the compliance officer, and senior management no longer face separate problems in separate lanes; they are confronted together with a multi-dimensional mess that could leave your enterprise staggering.
Preparing for that world will require new partnerships among the senior leaders, and new emphasis on resiliency, due diligence, monitoring and continuity planning. And you can’t start soon enough.
How did we get here?
Organizations reached this precarious state thanks to several long-term trends:
- Globalization and modern internet-based communications have transformed supply chains, creating increasingly long and complex networks of suppliers. Companies now depend on a vast number of third parties for a wider range of goods and services than ever before – all of which are intertwined with their IT systems and associated risks.
- A shift among attackers away from pure data theft, which produces privacy breaches that are compliance failures (sometimes painful ones) but don’t threaten your operations; to ransomware, which encrypts or disables systems and causes real-world disruptions to your core business activities. Most ransomware crews now do both, stealing the data before they encrypt it, so a single incident is routinely a privacy breach and an outage at once.
- An increase in regulators’ attention to privacy and cybersecurity, in the United States, Europe and around the world.
Altogether, that means more cybersecurity risks, which can cause greater damage, and are more likely to be both compliance violations and operational risk failures.
At the same time, corporations are struggling to keep pace with that changing landscape. Compliance teams must develop new due diligence and monitoring procedures to get a comprehensive view of third-party risk that includes cyber issues. IT, internal audit, and procurement teams all play important roles too, but they’re often overworked and under-staffed, and don’t always have the necessary familiarity with cybersecurity.
That’s not to say all is lost. It only means that the risk landscape has changed so rapidly that companies need to regroup their resources and build better defenses. That will include a better ability to assess potential cybersecurity risks and to withstand and recover from cybersecurity failures when they (inevitably) do happen.
How do we reach a stronger position?
Compliance officers first need to think about these challenges in terms of capabilities your organization will need to have, regardless of exactly who manages them. We can identify a few right away.
Better mapping of your data, IT systems and critical IT assets. First, this lets you see potential compliance risks, since you’ll know which regulated data you hold and where it lives: personally identifiable information subject to U.S. state and sector-specific laws, cardholder data subject to PCI DSS, or the personal data of people in Europe, which falls under the GDPR wherever it happens to be stored. Mapping of your IT systems and critical IT assets, including which third-party software and services each one depends on, lets you anticipate where attackers might strike and which supplier failure would take down which business process, so you can implement the necessary precautions.
Better cybersecurity risk assessments of third parties. Companies will need to take steps such as requiring a SOC 2 report for technology vendors (and actually reading it: confirm that the systems you use are within its scope, that it covers a recent period, and what exceptions the auditor noted), or even performing direct testing and monitoring of critical suppliers yourself, such as penetration testing where the contract permits it, or continuous monitoring of the supplier’s internet-facing systems. You’ll also need to extend “standard” third-party risk techniques that anti-corruption compliance teams have been using for years to the cybersecurity realm, such as documenting the purpose of the third-party relationship and assigning an “owner” responsible for it.
Better supply chain management. None of that third-party oversight and risk assessment can happen if you don’t know who your suppliers are, so supply chain management will become more important too. For example, the procurement team will need stronger contract management capabilities, to assure that third-party engagements give you the right to risk assessment, testing and monitoring, set a deadline for the supplier to notify you of a breach, and flow those same obligations down to the supplier’s own subcontractors.
If your organization has no dedicated procurement team, you’ll need to fashion a set of policies and procedures so all business functions that do source goods and services are asking the right questions and collecting the right information.
Better testing and training at all levels. As we mentioned earlier, cybersecurity failures and operational disruptions are inevitable. This means that your organization will also need to spend more time developing and testing business continuity protocols to confirm they work in practice.
This effort will take different forms across your enterprise. For example, senior executives should run table-top exercises: what would you do if key technologies suddenly stopped working? How would different teams swing into action to restore operations, and how much would that cost? Meanwhile, the audit team should test the more mundane parts of business continuity (will that redundant system actually kick into action when the primary system fails? can you actually restore from backup within the time the business can tolerate?), and routine cybersecurity training for all employees is a must.
Better alerting, escalation, and reporting. Successful management of your supply chain cybersecurity risks will result in a multitude of alerts on potential risks. The trick will be in evaluating those alerts and then escalating them to the proper people. CISOs will need to assure that those alerting and escalation capabilities exist; while CISOs and CCOs alike will want strong reporting capabilities so you can see the organization’s whole cybersecurity and supply chain posture in one frame. Only then will you be able to brief senior management or the board on whether supply chain risk is under control.
Remember the human element of resiliency and security
If this all sounds like a lot, that’s because it is. Resiliency and business continuity will require a “whole of company” approach, so defining proper roles and responsibilities will be crucial.
For example, CISOs and compliance officers will need to work together to identify risks. Some cybersecurity threats might be “pure” compliance risks, such as attackers copying personal customer data. Others might be operational threats, such as pushing a third-party software update to every system at once instead of testing it and rolling it out in stages. The controls you need to address those threats, however, might well be one and the same for both concerns.
CISOs, compliance officers, and internal auditors will also need to collaborate with the First Line operating units to design effective policies and controls. If you devise controls (password policies, due diligence requirements, testing obligations) that are too onerous for employees, they’ll find workarounds to do their “real jobs.” First Line teams can also be invaluable sources of information when crafting or testing business continuity plans. You need their input and support to build an effective culture of compliance; imposing one from above won’t work.
It’s about security driving better performance
Fundamentally, the issue here is how to gain more assurance over your supply chain, so that your organization can pursue its business objectives with confidence. That’s what boards and management want to know: the extent to which they can rely on the supply chain as they set strategy, make investments, and pursue goals.
Hence compliance and IT security teams need to frame security and supply chain oversight as a way to enable better business performance. The more you can “harden” your supply chain and internal operations, so that they can withstand disruptions, the better your organization will be able to keep doing its business even in today’s complicated and chaotic environment.
That will require better tools and systems, as you perform more risk assessments on your third parties and test your own cybersecurity controls. It will require better policies and procedures too, so that everyone involved knows how to manage cybersecurity in the supply chain and how to recover when something goes amiss.
And above all, it will require more collaboration among risk management functions. You’ll need to identify key risk metrics, adopt wise policies and procedures, and figure out the right reports – based on complete and accurate data! – to provide to management.
Then you’ll be able to rely on your supply chain, rather than get tangled in it and all its attendant risks.
2025 prediction
We will, alas, see even more cyber disruptions caused by key suppliers suffering a failure, with consequences reverberating across the corporate world. We will also see regulators and governance enthusiasts stress the need for better risk oversight. Whether that happens in practice is anyone’s guess.
2025 Top 10 Trends in Risk and Compliance