CYBER SECURITY SUPPLY CHAIN RISKS AND SAFEGUARDS
After a series of high-profile incidents as a result of supply chain attacks, regulators, technology standards-setting bodies and cyber security-forward organisations have increasingly focused on supply chain risks.
This article discusses the continued evolution of cyber security risks, with a focus on supply chain risks.
It describes how the evolving technology landscape led to more cyber security incidents involving vendors and service providers, summarises several high-profile supply chain attacks, details developing regulatory and contractual compliance requirements for cyber security and supply chain risks, and concludes with steps organisations can take to enhance their cyber security supply chain risk management programmes.
Environmental changes
No longer do companies’ IT environments consist of on-premises systems hosting home-grown software solutions. Instead, organisations increasingly rely on complex networks of third-party vendors and service providers (and on countless subprocessors of those parties as well).
The adoption of cloud services, such as software-as-a-service (SaaS) applications, has created an interconnected web of vendors, suppliers and service providers. While cloud adoption brings great efficiencies, cloud reliance also creates particularly high-impact targets in the event of a cyber security incident affecting a vendor.
The farther downstream a vendor sits, or the more entities rely on that vendor for infrastructure underpinning other systems and processes, the greater (and potentially exponential) the effect of a successful cyber security incident targeting that vendor may be.
Threat actors understand this relationship and have increasingly targeted certain vendors, since a single successful attack creates the potential to impact, and possibly extort, many companies at once. This is similar to the adage of robbing banks because that is where the money is.