Insights from Jennifer Bisceglie, Alpa Inamdar, Agnes Berecz, and Renee Forney
CEO and founder of Interos, Jennifer Bisceglie, moderated a lively and informative panel for this year’s OpRisk Global virtual event, “Solar Winds and the Supply Chain Threat We’ve ignored for Too Long.”
Joined by an all-woman virtual roundtable of industry veterans — Alpa Inamdar, Head of Third Party Risk Governance for BNY Mellon; Agnes Berecz, Senior Risk Analyst for Danske Bank; and Renee Forney, Senior Director, Azure Hardware Systems Information Security, for Microsoft — Jennifer led the discussion of how massive cybersecurity breaches like Solar Winds must shape boardroom discussions surrounding supply-chain resilience moving forward.
Solar Winds, COVID-19, and the not-so-“Black Swan” events that cause disruption
“These highly public attacks will certainly not be the last… what have we learned and where do we go from here?” Bisceglie posed to participants.
An estimated two-thirds of highly publicized cyber breaches reportedly now occur through the supply chain, and the magnitude of the impact is immeasurable with no predicted endpoint.
Real-time visibility into extended supply chains — and full accountability for risk — has become vital for any organization operating in the current landscape. Within the boardroom, it is now an expectation to understand the end-to-end supplier chain when working with critical vendors. Over the last year, many corporations became acutely aware of their siloed approach and were forced by exogenous shocks to the supply chain (COVID-19, Solar Winds, ongoing trade wars) to determine a new strategy – one that involves more than point-in-time visibility of supply nodes down to, say, two tiers.
“Because of the current situation that we’re going through — a pandemic — organizations and industries are changing significantly at a very fast pace. So that single point of time will not [represent] all operations. You need more data. You need more analytics,” said BNY Mellon panelist Alpa Inamdar.
A risk associated with any one supplier is potentially a risk to the entire supply chain. Events like the Solar Winds supply chain hack illustrate how cyber risk issues can emerge and proliferate through exposure to third-party vendors. It has become even more apparent over the past year that the interconnectedness and interdependencies among vendors and solutions form a complex, ever-changing web. And, by necessity, organizations have started to advance beyond the traditional semi-annual, manual supply chain analysis that served only as a snapshot of risk.
Compliance and cybersecurity must go hand in hand — “Ditching the three-ring binder”
“I think we’re in a position now where we have to challenge our traditional way of thinking, right? We all come from the ‘three-ring binder’ point in time assessment model… we have to move beyond the point in time assessment to utilizing a multilayered approach to assessing our vendor population,” said panelist Renee Forney with Microsoft. “A continuous monitoring model is key for 2021.”
Long gone are the days of limiting risk assessment to the first, second, and, at most, third supply chain tiers — that only provides insight into the tip of the supply chain iceberg.
Corporations have to move into a threat-based, intelligence-led risk management model. It’s important to be able to look at vendors on an ongoing basis, to be able to understand where they reside in the supply chain, and to clearly assess their level of importance to the company’s mission and the criticality of operations.
What’s next and how do we get there?
Operational resilience can’t happen overnight; it’s always going to be an ongoing process. That said, it’s crucial to integrate a continuous monitoring model with a layered approach. Understanding where to put resources, determining the mission criticality of different vendors, and having a model that allows room for flexibility with backup options will put everyone in a better position to halt disruption before it starts.
Every supply chain is inherently exposed to risk, but in working with a provider like Interos, corporations and government entities are able to analyze the level of risk associated with any supply chain decision and monitor it on an ongoing basis in order to prepare for potential disruption or stop it in its tracks altogether.
“We are actually very, very hopeful that this digital operational resilience act will be introduced with the proper support and pillars because exactly this is what we need,” said Danske Bank panelist Agnes Berecz. “We need this digital, cyber, and third-party requirement to wrap together holistically so that we, as a financial industry, are able to be more resilient and provide products and services to our customers… Ultimately, this is a business issue and if we are going to have issues with these areas, our customers and shareholders will pay the price.”