Third-Party Supply Chain Risk during the COVID-19 Outbreak – How to Have a Conversation with Your Suppliers


Organizations – public and private – have felt the impact of the COVID-19 outbreak on their supply chains as suppliers operate with diminished workforces and capacity. While cybersecurity threats may appear to be a lower priority, hackers and cyber attackers are leveraging the headlines to swiftly escalate their attacks across most industries, including healthcare, banking, retail and entertainment.


“CYFIRMA’s threat visibility and intelligence research revealed a massive increase of over 600% of cyberthreat indicators related to the Coronavirus pandemic from February to early March.”


Many businesses today have a high dependency on outsourced products, services and tools to maintain ongoing operations. These services and tools can include hybrid cloud environments, hosted websites, external applications, mobile apps, and cloud storage services. This dependency increases the risk exposure of critical services and, potentially, of your sensitive data.


During this critical time, it’s important to engage and have an honest dialogue with your suppliers on business continuity and cybersecurity risk.


  1. Establish a strong communication channel with your suppliers. It is essential for a successful partnership. Ensure you have a clear and transparent process with a single point of contact. Begin by setting expectations and defining the processes for refining and enforcing them. From a security standpoint, set those expectations with a clear understanding of what your vendor will do and how their activities and responsibilities can create potential security issues for your organization, and let them know about those potential issues in turn.


  2. Cybersecurity Awareness. Your third-party suppliers, especially smaller organizations, may not be aware of the increased cyber threats. Be proactive: hold regular meetings and establish a channel for sharing vetted information they can use to avoid phishing and other forms of cyber-attack. Create a dashboard of reporting metrics to monitor your critical supply chain partners.


  3. Business Continuity. Some third-party suppliers may be critical to your organization's operations. If they are adversely affected, you risk losing certain areas of your business operations. Engage your third-party suppliers and ask what they are doing to ensure their operations continue in the face of adverse events. As with cybersecurity awareness, partner with them to share vetted best practices so that they have the resources to cope with these types of challenges.


  4. Risk and Controls. Moving operations to alternative locations and external providers carries increased risk. It is important to understand your regulatory and compliance landscape, and to inventory and understand the critical services and sensitive information your third-party suppliers handle. Beyond conducting risk assessments with your suppliers, partner with them to monitor and assess cybersecurity risks, especially when the relationship, product or service changes. In many cases, the regulatory and compliance liability remains with your organization.


Centralizing your assessment of supplier risk and resilience during periods of disruption and heightened risk represents a major operational advance for many organizations. Third-party data breaches may force your organization to respond to incidents that are outside of your control or that originate from an indirect source. Regardless of where the obligation lies, your organization may suffer significant reputational damage as a result of the incident.




In summary:

  1. Communication: establish clear and transparent processes and set expectations.
  2. Cybersecurity Awareness: partner with suppliers to understand the risks.
  3. Business Continuity: understand the impact to your business if your supplier is interrupted.
  4. Risk and Controls: understand the regulatory and compliance landscape and monitor compliance.



Laszlo Gonc, CISSP

Founding Member and Senior Fellow, DivIHN Center of Excellence for Digital, Security and Risk at DivIHN Integration, Inc.