Contracting for Supply Chain Cybersecurity: Recent Report Provides Insight on Best Practices
Enterprises are increasingly reliant on complex and interconnected ecosystems of technology solutions. Companies are reducing their dependence on legacy, monolithic, highly customized solutions, instead opting to power their business through what many refer to as a component approach: using numerous suppliers, custom developers, system integrators, and related service professionals. Restructuring a technology ecosystem with the component approach has clear benefits for the buyer. It often results in operational and financial efficiencies while also enabling a company to stay competitive in the marketplace by facilitating interoperability and rapid innovation.

However, unless a company adopts a clear risk management framework and minimum security standards, this type of transformation increases its exposure to supply chain-related cybersecurity risk, and it leaves the management of that risk overly dependent on cooperation among marketplace competitors with misaligned incentives.

The Cost of Breach

IBM Security recently released its annual Cost of a Data Breach Report. The document, commonly referred to as the “Ponemon Report,” summarizes findings based on information collected by Ponemon Institute, an independent organization performing research related to enterprise information and privacy management practices. This year, the cost of a data breach to an enterprise averaged $4.24 million per breach.

The Prevalence of Risk

In addition to providing insight into the average cost of a data breach, for the first time in its 17-year history, the Ponemon Report isolated the breaches attributable to supply chain vendors to provide data on their effect on an organization. The results were shocking. First, about 20% of all data breaches are the result of a breached third-party vendor. Second, in addition to being one of the more likely scenarios, supply chain data breaches tend to take longer than other types of breaches to discover and remediate. Finally, although the average cost across all data breaches was $4.24 million per breach, when the calculation is limited to supply chain data breaches, that average increased to $4.46 million.

Covering Attack Vectors

Another important takeaway from the Ponemon Report is that it is insufficient to limit security requirements to the actual products or services provided. The report categorized the breaches and their associated costs by attack vector. When the data was segregated in that manner, the two costliest attack vectors were business email compromise and phishing, neither of which is tied to a specific product. It is imperative that companies evaluate and address this type of risk by including security requirements at both the enterprise and the product level.

The need for a proactive security posture continues to increase as reliance on technology grows and the regulatory landscape continues to evolve. Having standardized, vendor-facing security requirements is a critical component of a proactive security posture. Crafting a vendor-facing security stance that is appropriate to a business unit or organization requires collaboration among IT, business stakeholders, and legal professionals. AGG has a team of seasoned professionals available to advise on practical and market-aligned risk mitigation strategies and contractual controls appropriate for your organization to increase its cyber resilience.