The recent ransomware attack on Collins Aerospace’s Muse software, which brought chaos to airports across Europe, serves as a stark reminder of a critical gap in how organisations approach Third Party Risk Management (TPRM). While individual airports may have assessed Collins Aerospace as a vendor, the widespread disruption affecting Heathrow, Berlin, Brussels, and other major hubs reveals the dangerous inadequacy of siloed risk assessments in our interconnected digital ecosystem.
When ransomware crippled check-in and boarding systems across Europe’s busiest airports last week, it was not just an IT failure. It was a failure in how we think about Third Party risk.
Impact of Siloed Risk Assessment
We can assume that each airport conducted its own due diligence on Collins Aerospace, yet none were prepared for the systemic failure that would cascade across the entire aviation ecosystem. The attack on Collins’ Muse check-in software did not just affect one organisation; it simultaneously crippled operations across multiple airports and airlines, affecting thousands of passengers. This interconnectedness and cascading risk demand a fundamentally different approach to TPRM - one that recognises shared vulnerabilities and promotes collective defence strategies.
Traditional TPRM works in isolation. Organisations assess vendors based on their own requirements, conduct individual security reviews, and make procurement decisions within organisational silos. This approach may create blind spots:
- Intelligence gaps: While one organisation may discover concerning security practices or incidents involving a Third Party, this intelligence rarely reaches other organisations using the same vendor. The Collins Aerospace attack shows how quickly a single point of failure can cascade across multiple organisations simultaneously.
- Inefficiencies: Multiple organisations conduct similar risk assessments on the same Third Parties, creating inefficiencies while failing to leverage collective intelligence that could strengthen everyone’s security posture.
- Power imbalances: Individual organisations often lack the negotiating power to demand robust security measures from major Third Parties, particularly when dealing with dominant market players.
Pivoting to Community-Driven Risk Management
- Enhance sector-specific risk-sharing communities: Aviation, healthcare, financial services, and other critical sectors should formalise information-sharing networks specifically focused on Third Party risk intelligence.
- Develop standardised risk assessment frameworks: Communities should create common methodologies for assessing Third Party risks, ensuring consistency and enabling meaningful comparison of risk profiles across organisations.
- Facilitate “Collective Cyber Security Bargaining” (CCSB): Particularly where there is a disparity in individual organisational bargaining power, communities should establish mechanisms to collectively demand stronger security standards from vendors.
- Create joint incident response protocols: When Third Party failures occur, communities need pre-established procedures for sharing resources, coordinating response efforts, and communicating with stakeholders.
Paradigm Shift
It is too early for all the details of the incident to be known, but what is apparent is that the conditions that led to the disruption could occur again if the current understanding and appreciation of supply chain cyber risk does not evolve.
This incident presents an opportunity to fundamentally reimagine how we approach TPRM. The digital ecosystem's interconnectedness means that your Third Party’s security failure could become an operational crisis. Across the supply chain, there is mutual benefit in a deeper examination of how risk is managed and resilience ensured. Through community-driven, holistic approaches to TPRM, organisations can build the resilience necessary to thrive in an increasingly complex threat landscape.
The question should not be whether to invest in community-driven TPRM. The question should be: is it affordable not to?