The explosive supply chain disruption that wreaked havoc in the early weeks of the pandemic has settled down to a gentle roar: companies now are looking at how to turn their short-term coping strategies into long-term, proactive resilience. Many organizations along the supply chain are looking to expand their sourcing options; while doing so can reduce business risk, bringing on new suppliers creates new cyber risk. Fortunately, there are innovative approaches and tools to address the challenge.
I recently spoke with Chris Wallace, Director of Cyber Risk at T-Mobile, on how his team of professionals is managing the additional risk that fourth parties — companies that T-Mobile’s 30,000 existing third-party vendor partners may subcontract to — can introduce.
Identifying Critical Third-Party Connections
“The biggest issue with fourth parties is that they have no contractual obligation to us directly,” Chris said. “Here, the critical factor is if the [third-party] supplier has data access. With a general influx of fourth-party suppliers during the pandemic, it’s increasingly important to focus on third parties that have direct access to data, as compared to those with no access at all.”
T-Mobile uses a risk framework to categorize vendors, so the company knows whether a specific third-party supplier has data access. “Within our framework for vendor categorization, we have developed a workflow to address the intersection of risk and criticality, differentiating the way we address those suppliers,” Chris said. “We monitor high-impact suppliers and can adjust our cyber insurance coverage to ensure appropriate risk transfer.”
How T-Mobile Measures and Monitors Supply Chain Risk
To monitor supply chain risk, T-Mobile uses tools such as the U.S. Chamber of Commerce Assessment of Business Cyber Risk (ABC), which provides an overall assessment of cyber health. T-Mobile additionally uses the FICO® Cyber Risk Score to monitor suppliers individually.
“With the Cyber Risk Score we can check on a particular supplier’s cyber risk posture,” Chris explained. “That company may or may not know who their fourth-party subcontractors are, but we can use the Cyber Risk Score to do a quick check and say, ‘From what we can see externally, this company is meeting our requirements, or not,’ and have further discussions with them as necessary.”
Chris emphasized the importance of ongoing cyber risk management in today’s pandemic environment, which the Cyber Risk Score’s point-in-time and trend assessments make straightforward. “Our third-party risk management process is constantly evolving as we reach deeper into fourth- and fifth-party suppliers and the broader supply chain,” he said. “It’s definitely not a ‘one and done’ process.”
To learn more about how T-Mobile is applying innovative cyber risk strategies and tools across its expanding supply chain, download my new FICO Executive Brief, “Beyond Third-Party Cyber Risk: Proactive Management Strategies to Move Forward.” Follow me on Twitter @dougoclare to keep up with my cyber views and the latest FICO news.