The latest trends in supply chain cyber risk management at overseas financial institutions


In recent years, regulatory authorities have increasingly called upon financial institutions to strengthen cyber risk management for their supply chains, resulting in a need for both Japanese financial institutions and their subcontractors to update their risk management measures. A failure to sufficiently address supply chain cyber risk management could lead not only to impacts like information leaks and system outages, but also to medium- to long-term business impacts including damage to an institution’s reputation and customer loyalty.

However, many security officers of financial institutions have concerns regarding issues such as the extent to which they can require subcontractors with whom their institution has no capital relationship to implement management measures and what kind of measures they need to take to implement efficient and effective management. To help those responsible for security at Japanese financial institutions obtain hints on how to address such issues, PwC Consulting LLC conducted interviews with experts at overseas financial institutions regarding their own past successes.

This report is intended for those responsible for cybersecurity at Japanese financial institutions. It presents examples of advanced initiatives taken overseas with regard to supply chain cyber risk management and compiles recommendations for actions to be taken by Japanese financial institutions in the near future.

Recommendations based on our discussions with experts

We conducted interviews with experts at overseas financial institutions that are pursuing advanced initiatives in supply chain cybersecurity, and arrived at the following recommendations for each phase of the process, which can also be adopted by Japanese corporations.

Phase

Recommendations

Security risk assessment: Contractor/service selection phase

  • Conduct security risk assessment for target companies and services by gathering and analysing publicly available information. Utilising third-party risk evaluation services might help to streamline the process.

Security risk assessment: Contracting phase

  • Assign personnel who are familiar with technical security to the assessment team and conduct assessment based on trending threat scenarios.
  • Anticipate the occurrence of incidents and suspected incidents, and stipulate the scope of responsibilities and reporting time limits in a service level agreement (SLA).

Security risk management at subcontractors

  • Conduct on-site visits to subcontractors that handle high-risk systems to review their risk management processes.
  • If work is sub-outsourced, require the original subcontractor to manage the security of the parties to which it sub-outsources work (third parties). Where work is further sub-outsourced, require every subsequent party to implement security at the same level as that which your own company requires.

Software management

  • Software configuration management should be conducted thoroughly when new products are implemented, and should be linked with vulnerability management. Also consider the use of software bills of materials (SBOMs).
  • Utilise management tools for open source software (OSS) to streamline the selection of such software and identify dependencies.
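The two bullets above ask for software configuration records to be linked with vulnerability management and for dependencies to be identified. As an added illustration (not code from the PwC report or from any of the interviewed institutions), the following script cross-references a CycloneDX-layout SBOM against an advisory feed. Both the SBOM contents (product and component names, versions, purls) and the advisory entries (placeholder identifiers, not real CVEs) are constructed for this example; the CycloneDX field names (`components`, `dependencies`, `dependsOn`, `purl`) are the real ones. Version ranges are treated as half-open, introduced <= version < fixed, so a component already at the fixed version is correctly reported as clean.

```python
"""Cross-reference a CycloneDX-style SBOM against a vulnerability feed.

Added example, not part of the PwC report. All SBOM and advisory data below
is constructed; advisory identifiers are placeholders, not real CVEs.
"""
import json

# Constructed SBOM in CycloneDX JSON layout (names/versions are invented).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "payments-gateway", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-json-parser", "version": "2.4.1",
         "purl": "pkg:maven/org.example/example-json-parser@2.4.1"},
        {"type": "library", "name": "example-tls", "version": "1.0.9",
         "purl": "pkg:generic/example-tls@1.0.9"},
        {"type": "library", "name": "example-logging", "version": "5.1.0",
         "purl": "pkg:maven/org.example/example-logging@5.1.0"},
    ],
    # Dependency graph: example-logging pulls in example-json-parser.
    "dependencies": [
        {"ref": "pkg:maven/org.example/example-logging@5.1.0",
         "dependsOn": ["pkg:maven/org.example/example-json-parser@2.4.1"]},
    ],
})

# Constructed advisory feed with placeholder identifiers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "package": "example-json-parser",
     "introduced": "2.0.0", "fixed": "2.4.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-0002", "package": "example-tls",
     "introduced": "1.0.0", "fixed": "1.0.9", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-0003", "package": "example-logging",
     "introduced": "5.2.0", "fixed": None, "severity": "medium"},
]


def parse_version(text):
    """Turn a dotted numeric version ('2.4.1') into a comparable tuple.
    Pre-release/build suffixes ('-rc1', '+build') are dropped; adequate for
    the constructed data here, but real feeds need a full version parser."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (half-open range, as in OSV).
    A component already at the fixed version is therefore not affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def dependents_of(sbom, ref):
    """Return the refs that declare `ref` in their dependsOn list, so the
    report can say which component pulls a vulnerable library in."""
    return [d["ref"] for d in sbom.get("dependencies", [])
            if ref in d.get("dependsOn", [])]


def find_vulnerable_components(sbom_json, advisories):
    """Match every SBOM component against the advisory feed by package name
    and version range; return one finding per (component, advisory) hit."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv.get("fixed")):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv.get("fixed"),
                    "dependents": dependents_of(sbom, comp.get("purl", "")),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{f['severity'].upper():8} {f['component']}@{f['version']} "
              f"-> {f['advisory']} (fixed in {f['fixed_in']}); "
              f"pulled in by: {', '.join(f['dependents']) or 'direct'}")
```

Run against the constructed data, only `example-json-parser` 2.4.1 is reported: `example-tls` sits exactly at its fixed version and `example-logging` is below the introduced version. The `dependents` field is what makes the output actionable for a subcontractor conversation, since it names the component whose owner must ship the update.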

Hardware management

  • Be thorough in asset management, and develop a system to enable firmware to be updated promptly.
  • Conduct threat scenario-based security tests.

Reporting to senior management

  • In reports regarding security costs, avoid overuse of technical terms, prepare documents using business language and make reports based on the impacts on profits, customer satisfaction, reputation and customer loyalty.
  • The optimal solutions regarding the routes for reporting cybersecurity risks to senior management vary from one organisation to another. Therefore, consider risk-based, monetary cost-based, IT-based and other approaches to determine the route best suited to your organisation. When doing so, take measures to ensure there is no conflict of interest between the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).

What are supply chain cyber risks?

In recent years, both the damage caused by cyberattacks that exploit supply chains and concern about such attacks have been on the rise. Rather than targeting an institution directly, these attacks compromise affiliated organisations whose security is comparatively weak and use those systems as a springboard for attacks on the suppliers and users of widely used hardware, software and services.

In ‘10 Major Security Threats’, a document compiled by the Information-Technology Promotion Agency (IPA), Japan, the category ‘Attacks Exploiting Supply Chain Weaknesses’ is rising in rank, from third in 2022 to second in 2023. Potential cyber risks and their anticipated entry points are shown below.

Entry point

Examples of anticipated cyber risks

Subcontractor

  • Information leakage caused deliberately or due to negligence on the part of subcontractor employees
  • Theft or leakage of source code or intellectual property due to inappropriate access control for online services
  • Knock-on effects of cyber incidents occurring at the subcontractor
  • Unauthorised access via subcontractor

Supplier (of hardware or software)

  • Unauthorised access through backdoors embedded at the pre-delivery stage
  • Malware infection through contaminated software updates
  • Unauthorised access through the exploitation of vulnerabilities

Service provider

  • Malware infection through contaminated software updates
  • Unauthorised access through the exploitation of vulnerabilities

Open source software

  • Unauthorised access through the exploitation of vulnerabilities
  • Embedding of malicious code at the time of development

Scope of this study

In this study, we examined initiatives aimed at countering cybersecurity risks at primary entry points (third parties) as well as at fourth and subsequent parties, based on the anticipated supply chain patterns shown in the following figure. The targets of this study were experts engaged in cybersecurity initiatives at financial institutions.

Supply chain risk management

Please download the PDF from the following download form to view the latest trends in supply chain cybersecurity risk management in overseas financial institutions.

Contents

1. Introduction
  1.1. What are supply chain cyber risks?
  1.2. Scope of this study
2. Trends in supply chain risk management regulations and guidelines at overseas financial institutions
  2.1. G7
  2.2. Europe
  2.3. US
  2.4. UK
  2.5. Singapore
3. Examples of advanced initiatives and recommendations
  3.1. Security risk assessment: Selection phase
  3.2. Security risk assessment: Contracting phase
  3.3. Risk management at subcontractors
  3.4. Software management
  3.5. Hardware management
  3.6. Reporting to senior management
  3.7. Matters to note when entering into agreements
4. Conclusion


Our team

Mitsuhiko Maruyama

Partner, PwC Consulting LLC


Kenji Uesugi

Director, PwC Consulting LLC


Yoshimasa Kobayashi

Partner, PricewaterhouseCoopers Japan LLC


Anjali Mahalle

Senior Associate, PwC Consulting LLC


Masako Someya

Senior Associate, PwC Consulting LLC


Yudai Kitano

Associate, PwC Consulting LLC
