
Building resilience in a crisis, ET CISO



Manu Dwivedi, Partner and Leader – Cyber Security, PwC India

In an increasingly interconnected world, supply chain disruptions can have a significant impact on businesses and individuals, leading to financial loss, business disruption and loss of trust among stakeholders. According to PwC’s 27th annual Global CEO Survey: India Perspective, 66% of CEOs said supply chain disruptions have changed the way their organization creates, delivers and captures value over the past five years.

Two recent events highlight the vulnerability of the global supply chain. First, a recent IT outage (the Microsoft-CrowdStrike incident of July 2024) had a wide-ranging impact on organizations worldwide. Although the incident was not cybersecurity related, it resulted in extensive IT recovery efforts and operational disruptions across the supply chain, severely impacting all parties involved. However, users of a different operating system were not affected by the incident, primarily because their closed supply chain ecosystem offered greater visibility and tighter controls. Second, the sophisticated cyberattack that SolarWinds experienced in 2020, in which the SUNBURST malware affected its IT monitoring product “Orion,” impacted thousands of organizations worldwide and highlighted the vulnerability of interconnected systems. These incidents draw attention to the importance of modern tech supply chains and highlight the role of effective risk management in reducing the impact of such disruptions.

Today’s tech supply chain – a complex network

Today’s technology supply chain is a complex web of resources, technical tools and processes that are critical to delivering seamless tech products and service experiences to consumers. It includes hardware, software, data and services and serves numerous stakeholders – from manufacturers, suppliers and distributors to retailers and end users. The interconnected structure leads to rapid escalation of incidents. However, fully mapping all supply chain components is a daunting task due to the hyper-connected nature of these supply chains.

Among the many risks in the technology supply chain, we believe five of them could have significant impacts on the technology ecosystem across industries:

1. Increasing IT disruption, increasing digitalization and rising number of cyber threats: Rapid digitalization increases vulnerability to IT disruptions and cyber threats. This requires robust IT operations and measures to defend against cyber threats, including increased vigilance to protect critical infrastructure and sensitive data.

2. Black Swan events and geopolitical uncertainties: The COVID-19 pandemic and geopolitical developments such as the Russia-Ukraine conflict have highlighted the need to strengthen resilience in today’s volatile global environment. Disruptions in the supply of semiconductor chips, which are critical to maintaining the resilience of cyber and IT equipment and infrastructure, have exposed how vulnerable industries are to trade uncertainty and geopolitical tensions. Unpredictable geopolitical events and natural disasters require robust contingency plans, adaptable strategies and agile response mechanisms to optimize business continuity while minimizing disruptions across the supply network.

3. Excessive dependence on a single supplier: Limited supplier diversification and over-reliance on a few well-known technology providers can increase a company’s operational risks and its vulnerability to disruption from incidents such as supplier failures, natural disasters or geopolitical conflicts. PwC’s 27th annual CEO survey shows that such incidents can have far-reaching effects, with 46% of Indian CEOs saying that supply chain instabilities are impacting their company’s ability to change the way it creates, delivers and captures value.

4. Complex regulatory environment: Regulations such as the General Data Protection Regulation (GDPR), the Digital Personal Data Protection (DPDP) Act, the Digital Operational Resilience Act (DORA) and other such laws focus on AI ethics, data localization requirements and environmental aspects that can change or transform technology supply chains. Companies must adapt their procurement strategies, operational practices and supply chain management frameworks to comply with the various regulations in a rapidly evolving regulatory environment.

5. Outdated technologies: Supply chains can easily become vulnerable when embedded technology becomes outdated. These outdated technologies create potential vulnerabilities that are susceptible to operational failure or exploitation by cyber threat actors. Frequent updates, upgrades, and proactive monitoring of legacy systems help manage technology obsolescence across the supply chain.

Building a resilient modern technology supply chain

To develop a comprehensive, balanced, strategic and tactical risk mitigation strategy, companies must prioritize three key aspects.

First, business leaders need to have a better view of the entire supply chain. This includes a detailed understanding of the scope of the supply chain: identifying key suppliers and the services they provide, and determining and classifying relevant risks. A 360-degree view of supplier risk data and data ownership can improve risk management and provide valuable insights to stakeholders. This also includes an overview of resource challenges, so that supply chain risks can be managed with limited resources. It is also important to focus on risks related to supplier concentration, Nth parties, geopolitical concerns, and financial health to better understand the entire ecosystem and mitigate potential vulnerabilities.

Second, it is critical to plan and prepare for disruptions. This includes conducting business impact analyses and performing scenario planning and response testing. Defined expectations around recovery, transition, and contingency planning to ensure response flexibility and continuity are imperative. It is important to establish critical response teams dedicated to monitoring, triaging, and supporting recovery efforts during disruptions. Equally important is developing clear accountabilities to identify those responsible for identifying, assessing, managing, and monitoring supply chain risks. The idea is to increase efficiency and effectiveness and build a robust supply chain risk management framework that is consistent, transparent, scalable, and flexible.

Finally, embedding and improving the resilience of third-party relationships throughout their lifecycle ensures adaptability and continuity. Integrating resilience criteria into supplier selection and prioritizing continuity planning in contractual agreements is important. Involving alternative suppliers from a diversified supplier pool and reviewing procurement strategies are best practices.

A zero-trust approach for greater resilience

Modern tech supply chains are shaped by changing customer expectations and digitalization. These tech supply chains are becoming increasingly connected, customer-centric and adaptable, but this also exposes them to increased risks. Business leaders should invest in increased transparency across the supply chain. Adopting a “Zero Trust” approach, with a greater emphasis on transparency across the supply chain, continuous and rigorous assessment of the evolving risk and threat landscape, and agile risk mitigation strategies, will go a long way in improving tech supply chain resilience and is the need of the hour to build future-ready businesses.

The author is Manu Dwivedi, Partner & Leader – Cybersecurity, PwC India.

Disclaimer: The views expressed are solely those of the author and ETCISO does not necessarily agree with them. ETCISO is not responsible for any damage caused directly or indirectly to any person or entity.

  • Published on August 7, 2024 at 3:15 PM IST
