Supply Chain Security
Ticking the Regulatory Box Might Not Save You
In a world where supply chains span continents and industries rely on intricate webs of third-party providers, many organisations are still approaching supply chain security as a tick-box exercise in compliance. But the unfortunate truth for some is that they may be exposing themselves to risks they’ve just not yet encountered. Supply chains can be complex and unpredictable, and so too can the impact of security breaches within. Focusing solely on regulatory frameworks, like the new NIS2 Directive or DORA, may shield you from fines, but it might not save your company from the chaos of a real-world breach.
Senior Programme Manager
Last Updated: October 17, 2024
A survey conducted in 2023 revealed that nearly 75% of large organisations faced a significant supply chain disruption, but shockingly, only a fraction of those disruptions were caused by the events that new and emerging regulations such as NIS2 and DORA are designed to prevent. The real threat? The hidden vulnerabilities in the supply chain—weak links in the form of under-resourced suppliers, unsecured digital interfaces, and the sheer complexity of multinational operations.
If your organisation operates in high-stakes industries or if you’re navigating a merger or acquisition, your supply chain may be at even greater risk. Relying on compliance as a safety net could be a gamble—and in today’s volatile landscape, one that you might risk losing.
Why Your Supply Chain May Be More Vulnerable Than You Think
It’s easy to see why many large organisations focus on ticking off compliance checklists. New regulations like NIS2 and DORA are complex, far-reaching, and failing to meet them can result in fines that run into the millions. But here’s the unorthodox view: compliance isn’t security. It’s a baseline—a foundation on which to build, but far from a guarantee of resilience.
In fact, the assumption that compliance equals security has been the downfall of many high-profile businesses. In 2023, hundreds of retailers were impacted by a cyber-attack at an IT supplier that crippled its logistics for weeks, affecting the retailers their ability to trade online and fulfil orders. Compliance didn’t prevent hackers from exploiting a weak link in one of their third-party logistics providers, resulting in millions in losses and irreparable damage to the supplier’s brand.
The pharmaceutical industry is another example. Despite rigorous oversight by bodies like the FDA and EMA, vulnerabilities often arise not from the manufacturers themselves but from the complex network of suppliers, transporters, and distribution channels they rely on. In 2023, Pfizer faced significant logistical bottlenecks after discovering a security breach in a supplier’s system, jeopardising not just profits but also public health.
Supply chain vulnerabilities are far-reaching. The reliance on outsourced IT services and data centres presents an increasing layer of complexity but while cyber threats are very real, so are geopolitical shifts, sudden regulatory changes, and even natural disasters that can disrupt supply chains in unexpected ways.
Moving Beyond Tick-Box Audits: A New Approach to Risk Assessment
So, how do you protect your supply chain from risks you can’t even see? Start by rethinking how you assess vulnerability. Many businesses rely on annual or quarterly audits, but these are snapshots of the past, not predictive tools for future threats. A supplier might pass an audit today and fall victim to a cyberattack or operational failure tomorrow.
Let me give you a recent example from the manufacturing sector where leading automobile company Ineos faced millions in lost production after a Tier 2 supplier—a critical component manufacturer—declared bankruptcy. The warning signs were there: cash-flow issues, late deliveries, and deteriorating supplier performance, but the company’s annual audit hadn’t flagged any red alerts.
Continuous proactive risk assessment, powered by AI and real-time data, is the way forward. Technologies now exist that allow businesses to monitor their entire supply chain, flagging potential risks like financial instability, operational delays, or even geopolitical threats before they become catastrophic. This proactive approach not only provides early warning signals but also enables better, more strategic decision-making about who you partner with and where your vulnerabilities lie.
Incident Response: Hope Is Not a Strategy
The most secure supply chains don’t just focus on preventing disruptions; they’re built to respond to them. If a supplier falls victim to a cyberattack, what is your organisation’s immediate response? Do you have a team ready to act? Do your suppliers know their roles in incident recovery?
In 2021, Morgan Stanley suffered a data breach due to a failure by their third-party vendor, Guidehouse, which was responsible for decommissioning old hardware. Despite Morgan Stanley having stringent cybersecurity protocols, the vendor improperly disposed of devices, exposing sensitive customer data, including account details and social security numbers. Facing regulatory scrutiny and financial losses, Morgan Stanley had to act fast to notify affected clients immediately and mitigate against further impact.
When TNT Express was hit by a ransomware attack disrupting their entire supply chain for weeks, FedEx had to respond rapidly to contain the damage and protect its wider operations. Despite having strong internal cybersecurity measures, the TNT attack impacted FedEx globally, as their operations were deeply interconnected. The attack crippled TNT’s ability to process shipments, leading to widespread delays and lost customer packages. FedEx had to rapidly mobilise its incident response teams, coordinate with international partners, and activate contingency plans to prevent further fallout from the attack. They immediately worked on rerouting shipments through unaffected parts of the network.
In February 2022, Toyota had to halt operations at all 14 of its plants in Japan after one of its key suppliers, Kojima Industries, was hit by a cyberattack. Kojima, which supplies parts to Toyota, was targeted by ransomware, which disrupted its production systems. Due to the interconnected nature of just-in-time manufacturing, this cyber-attack forced Toyota to shut down its entire domestic production for a day, leading to a production loss of around 13,000 vehicles.
Companies in high-stakes sectors, particularly those where supply chain disruptions can halt entire production lines, need to be especially vigilant. A fast response to an incident could mean the difference between shutting down operations for days or bouncing back within hours. The key is ensuring that both you and your suppliers are aligned on your response strategies—there’s no room for ambiguity when things go wrong.
Cross-Border Complications: Navigating the Regulatory Maze
For organisations with global supply chains or those navigating cross-border mergers and acquisitions, the challenges multiply. Every country has its own set of regulations, and compliance standards often clash. When merging operations across borders, the need to align supply chain practices becomes critical—and failure to do so can lead to significant penalties, operational delays, or worse, outright failure of the merger itself.
In 2023, the MOVEit supply chain attack targeted multiple organisations worldwide, by exploiting vulnerabilities in file transfer software used to manage large volumes of sensitive data. This breach revealed significant complexities for companies operating across borders, where differing regulatory frameworks in various jurisdictions added layers of difficulty to an already delicate situation. This impacted their ability to move swiftly with real-time coordination between internal teams, third-party vendors, and regulators and in aligning their response strategies with international vendors. Had they planned more thoroughly for the operational and regulatory differences, the fallout could have been lessened.
Be More Than Compliant
Supply-chain compromises are more severe than direct attacks. According to IBM’s Cost of a Data Breach Report 2023, business partner supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other types of breach.
At Saros Consulting, we understand that supply chain security goes far beyond compliance. For multinational organisations in industries like Pharma, Finance, Retail, Manufacturing, and Energy, where even minor disruptions can lead to significant financial losses, we focus on building resilience for the long term.
In our work with global organisations, we’ve seen the same patterns emerge: those who treat supply chain security as a regulatory checkbox often pay the price in the form of reputational damage and operational setbacks. But those who adopt a proactive, strategic approach to managing supply chain risks thrive—no matter how complex or unpredictable their supply chain might be.
Our approach is straightforward: we go beyond audits, helping organisations develop continuous risk monitoring, robust incident response plans, and clear alignment with their suppliers. We prepare you not just for compliance but for the unexpected. So when the next disruption hits, you’ll be ready.
Related Articles
Explore Mary-Ellen Snook’s career journey and her expert perspectives on leading IT teams, managing digital transformations, and driving successful technology initiatives.
Transform tech debt into tech wellness with actionable strategies to build a sustainable and efficient IT infrastructure for long-term success.
Discover the four critical components of change management to ensure smooth IT transitions, strategic planning, and overcoming resistance in tech projects.
Learn the keys to achieving IT transformation success, from integrating new technologies to engaging stakeholders and optimising communication.
Discover how effective Knowledge Management can enhance ITSM, driving efficiency and innovation in your organisation.
Explore how Saros Consulting masterfully enhanced IT operations and compliance for a global pharmaceutical leader.