EXECUTIVE SUMMARY:

Could the next financial crisis occur as a result of a cyber attack? The New York State Department of Financial Services (DFS) says it’s possible. In a recent report, the DFS outlined its investigative findings surrounding the SolarWinds attack. The document provides a high-level overview of the attack, the response from companies that must comply with DFS regulations, and incident planning concepts to prevent future supply chain attacks.

“Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole,” stated Superintendent Linda Lacewell.

Supply chain attacks, stealth

Why are supply chain attacks particularly insidious? They are dangerous because the malware is hidden inside a piece of legitimate software that may then be deployed to hundreds, thousands, or hundreds of thousands of organizations. Once unsuspecting parties have installed that software, the attackers gain broad access to their systems with little effort.

Finance and supply chain security

“The SolarWinds attack confirms that cyber risks are a threat not just to consumers and individual companies, but also to the stability and soundness of our entire financial services industry,” says Lacewell. “This is an existential threat, and we urge the industry to treat it as such.”

Many of the firms affected by the SolarWinds breach genuinely believed that their security was adequate and effective. The breach underscores, however, that no prevention and detection approach is surefire. There are no 100% guarantees.

Cyber criminals continuously evolve and update their tactics. As a result, prevention and detection methods that worked previously may no longer be effective against contemporary threats.

Common supply chain threats

According to a new report from the US Cybersecurity and Infrastructure Security Agency, prepared in partnership with the National Institute of Standards and Technology, the three most prominent supply chain risks are the hijacking of software updates, the undermining of code signing, and the compromise of open-source code.

Recommendations

How can organizations mitigate supply chain risks? The National Institute of Standards and Technology (NIST) recommends the following:

  • Organizations should establish a set of security requirements or controls for suppliers. These mandates should align with the criticality of the supplier and permissions around information access and technology use.
  • Supplier certifications can help organizations gain a sense of whether or not a supplier incorporates secure software development practices into lifecycle phases.
  • Organizations can encourage vendors to enforce supply chain security requirements that match those in place within the client organization.

While strong supply chain security requires a substantial monetary investment, for most organizations the benefits outweigh the costs, according to a newly released Stanford University report. For the very first time, a study has quantified the value of organizational investment in supply chain security.

Regarding financial supply chain management in particular, Accenture recently released information concerning a supply chain management framework for financial firms to consider.

As Carlos Alvarenga, global lead for operations finance and risk at Accenture, sees it, the CFO role will gradually merge with the role of a chief supply chain officer. Conversely, he notes that supply chain strategists may “need to rethink their training and expand their view and knowledge of finance and risk management in the coming years.”

For more advice on how to defend against a supply chain attack, visit Bankinfosecurity.com.