
By William Oh, Head of Asia Pacific and Japan, BlueVoyant
The fast-evolving threat landscape requires organisations today to focus on bolstering operational resilience and addressing third-party risks, driven not only by commercial imperatives but also by new regulatory mandates. With progressively stricter enforcement of data security and compliance requirements in Singapore and around the region, supply chain risk management is now a strategic necessity.
As highlighted by the Singapore Institute of Directors' recent Cyber Resilience Guide for Boards, third-party cyber risk management must become a priority. Endorsed by the Cyber Security Agency of Singapore, the comprehensive guide highlights the need for boards to assess and manage the cyber risks associated with vendors and partners.
According to BlueVoyant’s fifth annual Supply Chain Defence report, which examines fast-evolving supply ecosystems, many Singaporean organisations don’t appear to be prioritising supply chain cyber risk management or are unaware of cyber security gaps in their supply chains.
Thirty-five per cent of Singapore organisations said they have no way of knowing when a cyber security incident occurs within their supply chain and rely on self-reporting.
The board’s role in managing cyber risk
The severe implications of supply chain cyber breaches, ranging from business disruption to reputational damage, alongside the threat of regulatory fines, have caught the attention of boards.
It is essential for CISOs and CSOs to have a comprehensive understanding of supply chain cyber security so that the board can exercise effective oversight. A board’s view of an organisation’s cyber risk posture is incomplete without considering third-party connections, as these play a pivotal role in the company’s extended ecosystem.
With 70% of Singapore organisations reporting an average of 3.97 breaches, boards must recognise that their organisation’s digital attack surface is broader and more complex than often realised. The interconnected nature of supply chains demands a heightened focus on third-party risks to maintain a robust security posture.
Engagement and collaboration are increasing – but not enough
Awareness of third-party cyber risk management (TPRM) is growing across industries, and the last 12 months have seen organisations invest more time and money in strategic TPRM activities. Organisations are increasingly engaging with vendors, embracing automation, and managing SLAs to penalise poor security hygiene. However, there remains much to be done: the journey towards proactive risk mitigation and incident remediation is ongoing.
The sheer size of organisations’ supply chains is exacerbating the lack of visibility and control.
For organisations that reported suffering one or more supply chain cyber incidents in 2024, the research shows that the number of incidents tends to increase in direct proportion to the size of a firm’s supply chain ecosystem.
Increasing senior stakeholder awareness of third-party cyber security risk
There has been a continued uptick in organisational understanding of third-party risk, with companies monitoring ever larger numbers of vendors and with senior stakeholder reporting becoming more common and standardised.
To better tackle supply chain cyber security risks, businesses should:
- Initiate a proactive visibility programme at all levels – especially at board and C-suite level. This includes cross-departmental and senior stakeholder briefings, reporting, and collaboration;
- Prioritise effective third-party cyber security risk management and collaboration to reduce breach risk;
- Implement structured incentives and penalties for third parties, so that those that fail to demonstrate sufficient hygiene, response, and remediation measures are held to account;
- Monitor and evaluate all suppliers on a continuous basis;
- Introduce tiered monitoring – from simple questionnaires to advanced continuous monitoring – with the depth of monitoring weighed against cost and aligned with each vendor’s criticality. This will help to alleviate resource, technology and expertise challenges;
- Ensure third-party cyber security risk management isn’t siloed in IT or elsewhere;
- Work closely with their third parties to close the remediation loop; and
- Triage and track all issues through every step to full remediation.
Building confidence through preparedness and leadership buy-in
While awareness of third-party risks is rising, preparedness is still lacking. Both are essential for securing third-party ecosystems and instilling confidence in the C-suite and boards.
By positioning cyber security as a foundational pillar of risk management, Singapore organisations can better protect critical operations, ensuring resilience in the face of future challenges.
This journey begins with a robust third-party risk management program, enabling effective business continuity planning and strategic engagement with all stakeholders.