
The news coming out across the globe on Friday, 19 July 2024 highlighted several key factors that may sit uncomfortably with those in the corridors of business and power. Healthcare services, flights, television broadcasts, postal services, financial transactions – the list goes on – all were disrupted by a cloud services provider’s software update, which caused significant IT disruptions for Microsoft systems users worldwide. 

Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

It is concerning that a single organisation can have such an impact on the global economy – and the everyday lives of individuals. From people being unable to pay for a coffee to core financial services being unable to function, we have only just started to understand what the fallout of these events will be.

In cyber security, we speak of the “Black Swan event”. It’s the event that no one sees coming or understands until it happens. This severe outage, caused by a world-renowned security provider and its interoperability with one of the world’s most common operating systems, brings to the forefront the extent of the interconnected nature of our technology landscape.    

Multiple considerations, learnings and takeaways from today are possible, and should be embraced by businesses, regulators, and the wider community. Let’s start by considering what they are, both at an industry level and at a business level.   

Firstly, was this really a Black Swan? Surely an event such as this could have been predicted. We have seen a convergence towards key technology providers. Statista now estimates that only three cloud platform providers account for around two thirds of the global market.  

Regulators have identified this as a concern – including the Bank of England, which has also highlighted the need for operational resilience and the incorporation of technology providers into the scope of its oversight powers.   

Within Europe, whole initiatives have been introduced to encourage the growth and security of the digital economy through a series of regulations and legislation. One of the most recent has been the introduction of the Digital Operational Resilience Act (DORA) for the express purpose of increasing resilience across the financial services sector and supporting ICT providers.

As part of this regulation, a list of critical ICT third-party service providers (CTPPs) will be drawn up by European Supervisory Authorities (ESAs) for the purpose of (hopefully) identifying and helping to reduce the impact of similar incidents.  

Beyond DORA, today’s events have highlighted that there is presently significant concentration risk spanning industries and businesses well beyond the financial services sector, and thus directives such as NIS2 (which covers essential entities) will improve the level of cyber security across the board. A focus on supply chain risk, including third-party risk and fourth-party risk, must also be a top priority for organisations.   

So, what next for businesses?  

Identify supply chain risk by using this incident to assess concentration risk within third parties and your supply chain. Do not automatically dismiss large providers on the assumption that, ‘the bigger they are, the harder they fall’. A careful analysis of all providers, whether large, small or in the middle, will ensure your organisation retains the providers that best suit its needs. 

  1. Embark on a programme of third-party risk management.  

  2. Assess and continue to monitor the performance of these third parties.

Internal business continuity planning should be front and centre. Consideration of what the business-critical services are and the resources, people, processes, and technologies that support them should be a priority and mechanisms should be put in place to ensure continuity of operations.   

Response plans that include scenarios such as non-malicious cyber incidents should be reviewed, refined, tested, and updated as required. We spoke about resilience testing, but even the most basic assumptions built into plans should be tested, e.g. where are the documented plans stored? Without email, how do you communicate with the team first thing on a Friday morning? 

Aftermath  

The dust is yet to settle, and the full impact of Friday’s events may not be understood for months. 

There will be numerous stories of people who lost data because they couldn’t use the recovery keys for their work devices, support teams working around the clock trying to restore systems, and of many disgruntled clients, customers, and patients.  

One thing does give me confidence and hope – the speed with which the tech community sought to communicate and help each other in this time of need. Status updates, potential workarounds and solutions were all shared in real time. Long may this attitude continue, and we will learn from what we experienced during this global disruption.
