Insight

Securing the ecosystem

Constructive regulation in third-party assurance

Jonathan Dambrot


Principal, Cyber Security Services, KPMG U.S.


It’s time to shift the cyber third-party assurance operating model. Third-party assurance is a critical activity, but the approach companies currently take can be inefficient for suppliers, resource-intensive for organizations seeking assurance, and offers no mechanism for understanding ecosystem-wide interdependencies and resilience. Additionally, the imagery organizations use to understand supplier ecosystems is somewhat outdated. The term ‘supply chain’ suggests images of neatly stacked, pyramid-like hierarchies of suppliers upon suppliers, answering higher and higher orders of assurance. In reality, supplier ecosystems more closely resemble a large bowl of intertwined noodles.

So, how do companies move in the right direction? How do they graduate to a more effective model? Let’s take a closer look at the role of regulators in this space.

Regulators often apply a strategic lens to market challenges. COVID-19 has forced organizations, sectors and nation-states to question fundamental assumptions about the interconnectedness of global market ecosystems, their dependence on technology, and their resilience in the face of cyber-attacks. More than anything, the pandemic has spelled out the need for governments and regulators to take a step back and adopt a holistic view of:

  • How can businesses identify single points of failure in industry ecosystems?
  • How can they make sectors resilient to large-scale cyber-attacks?
  • What can organizations do to make supplier assurance more effective, efficient and more adaptable?

There are two key behaviors that regulators should encourage in their markets if we want to get close to an ideal state — collaboration and transparency.

Competitors should think about how to collaborate better to secure their supplier ecosystems. Understandably, competitors in the same industry may not wish to divulge business-critical information about their supply chain. Still, the lack of collaboration does lead to inefficiencies and a growing risk to the ecosystem. Even though organizations have different risk appetites, there will likely be a baseline set of security controls reviewed in every supplier review. Do popular suppliers need to submit to fifteen identical, week-long security reviews a year? Could most security risks be covered by a smaller set of shared reviews, supplemented by shorter, more tailored question sets covering the differentiated risks relevant to that supplier and their services?

Independent assurance reports — such as SOC 2 Type II reports and ISO 27001 audits — have attempted to address this problem in the past. But suppliers often find that while these can help them clear the barriers to entry in some sectors (notably the public sector), they’re not enough to satisfy the concerns of their major customers. Industries need to define a security assurance methodology and reporting process that they can rely on and trust.

There may also be a case for suppliers offering more transparency when it comes to assurance reports. The results of supplier audits are typically bound by non-disclosure agreements (NDAs) — but should suppliers consider relaxing these to reduce their overall audit burden? Regulators seeking to optimize market efficiency should encourage the publication of assurance reports, so that the results of perhaps three or four published reviews by mature organizations could satisfy the cyber security assurance standards of the whole market and its regulators. Maybe there is even a role for rating agencies in this space. Such an approach would allow organizations to regularly review their supplier security risk metrics and quickly adapt to a supplier’s changing security posture.

It’s critical to encourage transparency with regulatory bodies. When regulators can see which organizations are using which suppliers, they can paint a picture of the industry ecosystem and factor those dependencies into nation-state resilience planning. There are challenges to work through, but the goal is for regulators to understand where the critical dependencies are in key sectors, and what they need to do to secure critical infrastructure and services against cyber-attacks. In the new reality, where cyber threat groups act as agents of geopolitical and economic agendas, nothing short of this level of planning is required. Nations and organizations need business continuity and disaster recovery plans, which can be achieved through transparency and collaboration.

The question remains — how do organizations drive these behaviors and change the collective operating model? How can this be done in a graduated fashion, avoiding a sudden regulatory mandate and instead phasing in an ecosystem-wide cultural shift? Should regulators be gently nudging organizations to collaborate over third-party assurance and standardize acceptable security assurance measures, or should they be mandating such behavior? Should they be demanding complete transparency from organizations over the shape of their supplier landscape, or should they build a culture of transparency that encourages regular self-reporting in return for benefits? The most effective method likely lies somewhere in the middle. Where regulators can demonstrate a tangible benefit to organizations, a carrot will probably suffice. However, for the aspects of collaboration and transparency that provide no apparent natural advantage to organizations, a stick may be needed.

In either case, input from critical industries is important to understanding the most effective approach. Action to drive such behaviors would represent significant intervention on the part of governments. It would likely be tied in with efforts to drive ecosystem-wide active defense models against cyber, fraud and organized crime threat groups. Industry input is key to ensuring cyber third-party assurance regulation stays up-to-date, productive and advantageous to market ecosystems, and to securing buy-in from the sectors regulators are seeking to protect. The current approach to cyber third-party assurance is no longer suited to the challenges of the new reality. This decade, regulators have an opportunity to embed an uncommon combination of resilience and agility into their governance and drive real efficiency and efficacy for the market.