Supply Chain Resilience: Complex, Interdependent and Systemic

The challenge

It is tempting to focus on the management of risks within the boundary of a single organisation, where we can establish governance and culture, create systems and controls, and audit and monitor compliance. Our world is now far more complex than that, with dependencies on an ecosystem of partners and suppliers, giving rise to challenges of systemic risk associated with the critical nodes within that ecosystem.

Our approach to managing resilience demands that we engage with many third parties who may not share our culture or incentives, and certainly not our systems and processes. The world of cloud, software as a service (SaaS) and open application programming interfaces (APIs) challenges us to rethink our approach to risk and resilience.

The changing pattern of cyber attacks we have seen over the last 5 years shows that organised crime (and indeed States) are alive to this issue, and willing to exploit our dependencies for financial and political gain.

In 2017, the destructive wiper malware known as NotPetya struck several unsuspecting firms despite their maintaining costly in-house security operations and controls. The initial vector for the attack? The compromise of a tax and accounting software package, little used outside Ukraine, produced by a small-to-medium-sized enterprise.

In the case of shipping giant Maersk, all it took was one infected Odessa-based system connected to the corporate network to compromise much of their global network. In total, the NotPetya compromise cost Maersk somewhere in the region of $250-300 million.

Likewise, in 2020 it was revealed that Russian hackers had successfully introduced a backdoor into the Orion software system of SolarWinds, a major IT firm with some 33,000 Orion users as customers. Included amongst these were Microsoft, Cisco, Intel, Deloitte, and various US Federal agencies. Alongside reputational damage, the affected organisations were left with the uncertainty surrounding whether sensitive company data had been exfiltrated and whether their systems were secure or not.

Of course, technology failures also play their part, with configuration changes to complex technology causing surprising levels of disruption. Facebook’s outage on 4th October 2021 was attributed to a routine maintenance job which resulted in a command being issued to assess capacity on their global backbone. That well-intentioned command took down the whole Facebook global backbone and disconnected all of their data centres.

Fault finding and diagnostics when the network is down is hard, and so was physical access to some of the data centre sites. Restoration of complex and interdependent services takes time, and so it did for Facebook, and for the many firms who depended on their services.

While these are isolated cases, they do illustrate a broader trend toward malicious supply chain attacks, which sits alongside other cases in which systemically important infrastructure is disrupted or fails for a wide range of reasons, from technology failure to human error.

The dilemma

At the heart of these questions and the related problems surrounding FS supply chain risk is a simple prisoner’s dilemma. Every firm at every tier has a vested interest in lowering the overall risk across the supply chain. But they also want to minimise their own obligations to expend resources on what they likely see as somebody else’s responsibility.

No firm wants to have to invest its own resources to prevent the emergence of negative externalities which arise due to the failure to manage risk by some other node of their supply chain.

This is further complicated by the significant imbalances of power within the supply chain, and very different approaches to risk and resilience management.

A systemically important bank or FMI provider is likely to have a well-resourced, advanced and enterprise-wide approach to risk management, and sophisticated security operations. They have significant financial leverage on their supply chains when compared to smaller parties.

But the real picture is more complex. They often interact with equally powerful (or more so) large technology service providers, monopolistic market data providers who cannot be easily replaced, and market-leading FinTechs with highly attractive and innovative offerings. Each of these categories of firm has a very different risk and resilience approach. So, the scene is set for a complex and potentially adversarial power game.

The regulations

Most large UK financial institutions are grappling with the recently released Operational Resilience regulations from the PRA and FCA. In particular, the obligation placed on institutions to understand the resilience of their third parties in the case of a range of severe but plausible disruption scenarios.

This is a deliberate counterpoint to conventional risk-based approaches, which consider likelihood and impact, and often focus on the preventative controls which reduce likelihood rather than the impact mitigation measures which reduce either the time to recover or the harm caused by the outage to customers and clients.

This regulatory obligation adds to an already complex set of obligations flowing from previous material outsourcing and third-party risk management regulation.

So how then can financial institutions satisfy themselves of the resilience of their supplier ecosystem, and what behaviours might this quest for confidence generate in the actual resilience of that ecosystem?

The models

1. Direct Assurance Model
Financial institutions can seek to demand assurance from their suppliers directly, perhaps including these obligations in changes to standard contract terms. In doing so, the power game plays out. The big financial institutions will succeed in “arm twisting” suppliers, but the larger suppliers will push back against the multitude of different approaches they will receive as every financial institution attempts to enter into dialogue.

2. Regulatory Model
One option is that the supplier ecosystem be brought under the same regulatory model as the financial institutions themselves, allowing them to rely on the effectiveness of that regime. This seems unrealistic for all suppliers within the ecosystem, and perhaps for all but the most systemically important of those suppliers.

Nevertheless, the Treasury has signalled its intent to explore the regulation of critical third parties which are systemically important to the financial services sector. The Department for Digital, Culture, Media and Sport (DCMS) is also consulting on the potential extension of the Network and Information Systems (NIS) regulations to MSPs, which will involve discussions on how to set the materiality criteria for which MSPs are included.

3. Utility Model
Supplier assurance is provided through centralised risk monitoring and management platforms (e.g., FSQS, KY3P). These platforms provide centralised data on suppliers’ control posture, meeting most organisations’ needs, but focus more on control evidence than scenario testing.

4. Certification Model
Suppliers are assessed against externally defined standards (SOC, ISO 27001, ISO 22301, Cyber Essentials, CAF). Certification can provide assurance but resilience-specific standards are still in early development.

The answer?

Perhaps the answer is a hybrid approach, evolving as our experience with the regulations develops.

We expect:

  • A growing number of systemically important firms will come under direct regulation.
  • Development of utility platforms to encompass operational resilience assurance.
  • Cross-sector collaborative scenario testing (e.g., CMORG proof of concept).
  • Certification standards maturing to cover resilience.

Independent audit and certification could scale over time, with self-certification possibly as a first step.

The community

Each model should aim to improve resilience across the community. But will firms have the capacity or skills to meet these demands?

Large firms have a role to help their supply chains build resilience through training, sharing best practices, and aligning requirements (similar to the MOD’s Defence Cyber Protection Partnership). A similar approach may be needed across the FS sector.

The next steps

Over the next 12 months, implementation of PRA and FCA operational resilience regulations will continue to dominate, with growing pressure for a coordinated approach to third-party and supply chain resilience.

Expect:

  • Regulatory action for critical third parties soon.
  • Utility and certification models to evolve over 12–24 months.
  • Continued surprises from unexpected failures in our interconnected digital ecosystem.