News about cybersecurity attacks, which impacted many manufacturers, their trade partners and customers during 2017 and 2018, is unlikely to diminish in 2019. Many of these attacks were material, negatively impacting revenue, earnings, operations, IT and, perhaps most insidiously over the long run, reputation.
The top of the value chain has figured out that potential security breaches at their suppliers may represent a risk as impactful as an earthquake or a terrorist attack. So, buyers are insisting that suppliers improve their cybersecurity game during 2019. The automotive industry offers a clear example.
During 2018, the Automotive Industry Action Group (AIAG) and the VDA, key supply chain standards bodies for the automotive industry for the USA and Germany, respectively, added considerable weight to their guidelines for supplier cybersecurity. Like MMOG/LE – the global Materials Management Operational Guidelines/Logistical Evaluation which is the de facto risk management standard in the automotive supply chain – these more demanding automotive industry cybersecurity standards will put suppliers into the position of comply or say goodbye.
Automotive is only one such example. If you scan various industry supply chains, you will find buyers insisting that suppliers provide proof of making a considerable commitment and effort into cybersecurity defense. What does this mean to suppliers in terms of investment and best practices regarding cybersecurity?
Suppliers should choose cloud providers carefully. Tier manufacturers and suppliers using cloud-based solutions, and honestly, who isn’t, should be prepared to show original equipment manufacturers (OEMs) that those cloud systems meet evolving industry cybersecurity standards. Suppliers should look for cloud providers that carry applicable certifications and apply best practices around areas like patching, GDPR, the soon-to-be California data privacy, additional evolving country-level compliance, disaster recovery, penetration testing and more.
Look for checkboxes in supplier relationship management apps. Many OEMs use supplier relationship management (SRM) apps to help them determine optimal purchasing journeys. Some of the leading or smartest SRM app providers have added or will soon add cybersecurity measures, not just as a fixed rating but as part of the overall formula for rating suppliers. That means a supplier who does everything else right, but doesn’t measure up in terms of cybersecurity defense, may not get the order.
Logistics. One of the lowlights of 2017 was the massive attack on AP Moller Maersk, a key player in global transportation and logistics. In recent years, the global shipping industry has faced increasing vulnerability to cyberattacks, as evidenced by the massive breach that affected this shipping giant. The scale was unprecedented, costing hundreds of millions of dollars in damage with difficult-to-imagine downstream side effects. For those buyers that are concerned about suppliers’ information security defenses, and the number of those buyers grows daily, it isn’t just about material; it is also about getting the material delivered.
For many suppliers, 2019 will be the year they must act seriously to shore up cybersecurity. Their customers increasingly demand it, plus it carries strategic risk for reputation, margins and long-term viability. App providers in the SRM and perhaps quality management spaces will augment their apps to include cybersecurity as an auditable measure. Shoring up those defenses, however, cannot be limited to on-premise solutions run and managed in-house. It extends to cloud providers, cloud apps and third-party service providers.
Evan Quinn is the Principal Director of Marketing at QAD.