[Heads Up] Reinforce Your Defenses Against Rising Supply-Chain Cyber Threats

Stu Sjouwerman | Mar 20, 2024

James Rundle at The Wall Street Journal today reported that in response to escalating supply-chain cyberattacks, companies are intensifying their scrutiny over suppliers to protect sensitive data and prevent breaches.

This article is excellent budget ammo and I recommend you send it to your C-level execs who hold the infosec purse strings.

Corporate security chiefs, who traditionally relied on periodic security questionnaires, are now enforcing stricter contractual terms that require immediate notification of cyber incidents. They are also pushing suppliers to adhere to best practices outlined by the U.S. Commerce Department's National Institute of Standards and Technology, among other standards.

Recent high-profile cyberattacks, such as those on Change Healthcare and Progress Software's MOVEit tool, underline the urgency. These incidents have shown how rapidly a breach spreads through the supply chain and how severe its impact can be, affecting thousands of companies and compromising the data of millions of customers. For example, the cyberattack on Change Healthcare severely disrupted the U.S. healthcare sector, affecting billing and revenue collection for weeks.

Corporations like JPMorgan Chase and Voya Financial are implementing rigorous guidelines for their suppliers regarding data breach notifications and cybersecurity protocols. New regulatory measures in New York and by the Securities and Exchange Commission mandate closer oversight of third-party suppliers, emphasizing the need for robust incident-response plans and compliance with industry security standards.

Pat Opet, global CISO at JPMorgan Chase, said: "The way in which third-party dependencies are managed is probably insufficient for today's market, given the threat outlook and the sophistication of the actors that are engaged in either social engineering tactics or in ransomware operations."

Challenges exist in securing strict contractual agreements on breach notifications with suppliers, as differences in expectations and templates can lead to negotiation hurdles. However, cybersecurity leaders emphasize the importance of establishing data-breach requirements at the beginning of supplier partnerships to enhance accountability and security measures.

Notably, JPMorgan applies its own threat intelligence to assess risk across its suppliers, aiming for transparency and preemptive action against potential attacks. This proactive approach highlights a growing trend among companies not only to defend their own networks but also to ensure their suppliers are equally fortified against cyber threats, though it is recognized that such extensive oversight may be difficult for many organizations to implement.
