Author: George Ralph
It’s National Supply Chain Integrity Month in the US, and the Cybersecurity and Infrastructure Security Agency (CISA) is partnering with the Office of the Director of National Intelligence (ODNI), the Department of Defense and other government and industry partners to promote a call to action for a unified effort by organisations to strengthen global supply chains.
The Financial Conduct Authority (FCA) also offers industry-specific guidance and support around working with third-party vendors and outsourcing to public cloud providers. This guidance focusses on the scope of obligations each firm has relating to sub-contracting and supply chain management, so it is well worth noting if you are currently reviewing this area of your business.
The calibre of the organisations involved in this initiative tells us that securing supply chain integrity is a real and present issue that will not go away on its own. Generating electricity, running hospitals, supplying clean water and providing your home broadband are all critical functions underpinned by supply chain infrastructure, and all things we could not have managed without, particularly in the last 12 months.
If vulnerabilities in any hardware or software infrastructure are exploited, the consequences down the supply chain can be increasingly significant. It is a necessity to make sure your business isn’t the weak link. Your cybersecurity, data and ESG policies, procedures and behaviour will have an impact on your vendor relationships, your investor relationships and your regulatory requirements too. Supply Chain Risk Management (SCRM) should be a vital and ongoing part of your day-to-day business IT model. Here, I take a look at what you can do to protect your supply chain:
Your firm’s supply chain doesn’t just include your vendors; in theory it includes your vendors’ vendors, and so on. Protecting your information requires an understanding of the whole chain. Don’t be afraid to ask businesses you work with to provide their SCRM model as good practice when setting up a new relationship. You could build a supply chain risk programme that you can use to guide you and to make better-informed decisions around who you choose to work with. This will also define how you monitor risk. It’s also important to remember here that by outsourcing a service (common enough in our industry), you are not outsourcing the responsibility for that service. Consequently, you need to work with industry partners who can evidence that they have a robust, secure and well-monitored supply chain themselves. Uniform and proven methodologies are out there to assess and monitor risk. RFA can help you with this.
Understanding supply chain threat
The scope and scale of the job of understanding your supply chain can be intimidating. Understanding what your duty of care is amongst all the other firms you work with can also be intimidating. Most of us are now working without the fixed barriers of the four walls of our office, where we could rest assured that our firewall was protecting our hardware, data and staff from outside threats. Our cloud-based environment means there are no physical barriers and there are significantly more opportunities for cyber attack. For our industry, cybersecurity is by far the most significant way to protect our supply chains.
The need for new technology and skills
Internally, it is good business practice to make your cybersecurity agenda part of your day-to-day business activities. Make sure your team are trained to look for risk and encourage a risk-aware culture, asking everyone to highlight any potential issues; it is important to make sure your team know that, no matter how innocent or small the anomaly might seem, it could be vital in the fight against cyber attack. The attack on your business might come from a vendor in your supply chain who is equally unaware that they have been hacked.
Where you don’t have the experience in-house, work with a third-party technology firm who can guide you through the best options for your firm. As well as known and obvious risks, there are always unknown risks that a specialist firm can guard against, working towards attack prevention rather than defence. RFA works with hundreds of alternative investment businesses, and we can share our knowledge and what we have learned from your peers to help you manage your SCRM initiatives. As always, if you’d like to talk, please get in touch with me.