On February 28, 2022, Toyota announced that the company was suspending operations on all 28 production lines at 14 manufacturing plants in Japan for a day due to a system failure at a supplier, Kojima Industries. Other Toyota partners, including Hino Motors and Daihatsu Motor were also affected by the shutdown. The cause of the system failure at Kojima appeared to be a cyberattack which prevented communications with Toyota and production monitoring systems. On March 1, Toyota announced that they were resuming operations for the first production shift only starting March 2.
This incident is a clear example of the risk involved when a critical supplier is unable to deliver, and it demonstrates the domino effect of negative consequences throughout the supply chain. Shutting down manufacturing for a day (and reducing the number of shifts for additional days) could result in missed production goals, lost revenue, and missed earnings expectations for Toyota – not to mention the loss of customer trust.
The reality of supply chain security is that, although your organization is not responsible for supplier security, your organization assumes some of the risk. So, how can manufacturers and other organizations mitigate the risks of cyber-related supply chain failures? Consider these six steps.
Performing pre-contract due diligence helps to ensure that a new vendor does not introduce unacceptable risks into your environment. The process involves conducting assessments of the supplier’s information security, operational security and business resilience practices. And although this particular incident is cyber-related, organizations should extend their pre-contract due diligence efforts to also include assessments of a supplier’s financial position and reputation. For example, if a supplier has negative news regarding its products, or has shown uneven financial performance, they may be unable to quickly adjust to shifting production demands or could be underfunding security. These insights inform inherent risk calculations that help determine which areas need further evaluation.
To accomplish better pre-contract due diligence, many companies choose to leverage libraries of already-completed supplier cyber risk assessments. Simply downloading a completed assessment will provide much needed visibility into a potential supplier’s risks faster than conducting the assessment yourself from scratch.
Effectively reducing supplier risk requires an understanding of how they are performing against expectations, and that starts with establishing enforceable service levels during the contracting phase. Measurable service levels can include uptime, mean time to detection (MTTD) of the reason for an outage, and mean time to resume (MTTR) operations after an outage. The contracting phase is also the right time to include key clauses to ensure system failover and backup, especially because it’s not easy to simply “switch off” a supplier and replace them with another one. Finally, centrally managing key performance indicators (KPIs) and key risk indicators (KRIs) brings enterprise-level visibility to supplier performance.
With many internal and external parties involved in negotiating contracts, the process can quickly get out of control. To address this, many companies standardize on contract lifecycle management products that provide role-specific views to track key performance attributes, enable version control and embedded discussions, and workflow to move contracts more efficiently through the review and approvals phase.
Pre-contract due diligence will bring needed visibility to the inherent risks that a new supplier introduces to your environment, but risk assessments don’t stop at the onboarding stage. Fortunately, several industry frameworks exist that make the detailed controls assessment process much more standardized than by using spreadsheets. For example, NIST 800-61 and ISO 27036 feature specific question sets designed to evaluate supplier security controls.
Third-party risk management platforms automate the collection vendor questionnaire responses and the assignment and tracking of risks. They also include built-in remediation recommendations to mitigate those risks down to an acceptable level. When suppliers are “too big to fail” you can turn to expert managed services providers to perform the assessment due diligence collection and analysis on your behalf, leaving your team to focus on remediations instead.
8 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
Risk assessments provide a point-in-time view of a supplier’s security controls, and although essential to understanding their security posture, you also need to maintain a continuous view of risks – cyber or otherwise – that can impact your supplier’s ability to deliver.
Monitoring the Internet and dark web for cyber threats and vulnerabilities – as well as public and private sources of reputational, sanctions and financial information – can provide signals of an impending security incident. Consider monitoring:
Incorporating these insights into your holistic supplier review process adds context to events and helps to validate the controls evaluated in Step 3 above.
Sometimes a cybersecurity incident in your extended supplier ecosystem (for example suppliers of your suppliers) can impact your supplier’s ability to deliver, and therefore your ability to deliver. As part of the pre-contract due diligence step, collect information from your suppliers on their suppliers to assemble a relationship map. This will help you discover dependencies and visualize weak points in your supply chain. It can be as simple as knowing the 4th-party technologies deployed in your supplier ecosystem so you can determine which would potentially be exposed to a targeted breach. Instead of relying on multiple non-integrated tools to gather this information, look for single monitoring solutions that automatically build that database for you.
If a cybersecurity incident occurred in your supply chain, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential supply chain problems. A more programmatic third-party incident response plan could include:
The Toyota supply chain disruption is a reminder that all organizations – regardless of the sophistication and diversity of their systems – can be impacted by a supplier failure or cyber incident. Evaluate your own organization’s supply chain security posture using the six steps included here, or contact Prevalent for a strategy session or maturity assessment of your existing supply chain risk management processes.