How to strengthen your supply chain security to comply with new PRA regulation

Banks are on high alert for cyber attacks. The European Central Bank recently told them to prepare for possible Russian-sponsored cyber attacks as tensions with Ukraine increase. This follows a surge in ransomware attacks on banks, which rose 1,318% year on year in the first half of 2021, according to a report by Trend Micro. Further research by IBM indicates that 23% of all cyber attacks are aimed at financial organisations, with a single data breach costing on average USD 5.72 million, the second-largest among all sectors. 

But as banks boost their security posture in response to rising threats, managing risk across the supply chain has never been more important. 

Risk of supply chain attacks

With banks increasingly outsourcing their IT infrastructure and data management to cloud-based suppliers, the average attack surface has expanded exponentially. Last year the European Union Cybersecurity Agency (ENISA) predicted that supply chain attacks would increase fourfold, meaning data breaches and ransomware attacks, caused by weaknesses in the supply chain, are becoming far more prevalent.

The SolarWinds attack in 2020 is a prime example of the devastating and widespread impact of a supply chain attack. It affected 18,000 organisations across several sectors, including Denmark’s Central Bank, causing downtime of systems, monetary loss and reputation damage. To achieve this, hackers inserted malicious code into SolarWinds’ Orion network management product software. This meant that when customers installed the software update, they unknowingly gave the hackers access to their network, enabling them to steal sensitive data and launch further attacks.

New PRA regulation

The Prudential Regulation Authority (PRA) recognises the significant risks of supply chain attacks and now requires PRA regulated international banks active in the UK to enhance their security controls to manage the increasing risk of cyber threats from suppliers. This part of the regulation aims to ensure greater resilience and safer adoption of new technological services via third-party suppliers and puts the onus on banks to manage risk across the supply chain.

But time is running out. Banks only have until 31 March this year to start testing their outsourced operations for cyber security resilience to meet the new PRA regulation requirements.

Four steps to safeguarding your supply chain 

While safeguarding your supply chain may sound overwhelming, as banks have hundreds if not thousands of suppliers worldwide who pose varying degrees of risk, there’s a four-step approach you can take in partnership with a vendor risk management company:

  1. Identify the risk level of each supplier. To prioritise your supplier segments by risk, adopt a tiered approach to assessment and monitoring using open-source intelligence (OSINT). OSINT is the analysis of publicly available information about your suppliers, such as company records, news and social media accounts. The risk level of your supplier also depends on their access to your sensitive customer data. Focus your efforts on analysing and monitoring the suppliers that pose the most risk to your organisation.

  2. Taking the high-risk segment, evaluate each supplier’s policies and data security certifications to check they’re still valid. Provide them with an online questionnaire to fill in, which will enable you to collate the relevant security information. Analyse the data to assess and identify any areas of potential risk impact. Then assign each supplier a risk score and outline the key risk areas that require action, providing recommendations on how to address them. These actions will be critical to safeguard your organisation from attacks.

  3. Ask your supplier to perform some remediation actions to improve their security. These can be as basic as activating two-factor authentication across their accounts or ensuring segregation of duties for Admins. As the cost is usually on them to make any required security updates, it’s advisable to run these checks before you start working with them.

  4. Once the supplier has made any required security improvements, use a vendor risk management (VRM) dashboard for ongoing monitoring. This includes both OSINT monitoring and immediate visibility of any critical risks, allowing you to identify changes and trends. You can then reassess your suppliers as required, to ensure ongoing compliance. 
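As an added illustration of the four steps above (this is example code written for this page, not the author's or any vendor risk management product's), the following Python script tiers suppliers by their data access and open-source findings, scores the questionnaire answers and certification validity, and flags suppliers whose tier has risen between two monitoring runs. All supplier records, weights, thresholds and the assessment date are constructed assumptions chosen for illustration; a real programme would calibrate them to its own risk appetite.

```python
"""Supplier risk tiering, scoring and re-assessment (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date

# Assumed weights: how much data a supplier can reach dominates the score,
# then each missing control from the questionnaire and each OSINT finding adds to it.
DATA_ACCESS_WEIGHT = {"none": 0, "internal": 20, "customer_pii": 45}
CONTROL_WEIGHT = {
    "mfa": 15,                      # two-factor authentication across supplier accounts
    "segregation_of_duties": 10,    # separate admin roles
    "patching_sla": 10,             # documented patch timelines
    "incident_response_plan": 10,   # tested IR plan
}
EXPIRED_CERT_WEIGHT = 10
OSINT_FINDING_WEIGHT = 10
TIER_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Supplier:
    name: str
    data_access: str                         # "none" | "internal" | "customer_pii"
    certifications: dict                     # certification name -> expiry date
    controls: dict                           # questionnaire answers: control -> bool
    osint_findings: list = field(default_factory=list)  # public findings, e.g. breach reports


def score_supplier(supplier: Supplier, today: date):
    """Return (score 0-100, list of findings) for one supplier."""
    score = DATA_ACCESS_WEIGHT[supplier.data_access]
    findings = []
    for cert, expiry in supplier.certifications.items():
        if expiry < today:
            score += EXPIRED_CERT_WEIGHT
            findings.append(f"certification expired: {cert}")
    for control, weight in CONTROL_WEIGHT.items():
        if not supplier.controls.get(control, False):
            score += weight
            findings.append(f"control missing: {control}")
    for item in supplier.osint_findings:
        score += OSINT_FINDING_WEIGHT
        findings.append(f"OSINT: {item}")
    return min(score, 100), findings


def tier(score: int) -> str:
    """Map a score to a monitoring tier (thresholds are assumptions)."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def assess_all(suppliers, today):
    """Step 1-2: score every supplier; returns name -> (score, tier, findings)."""
    return {s.name: (*((lambda r: (r[0], tier(r[0]), r[1]))(score_supplier(s, today))),)
            for s in suppliers}


def prioritise(assessment):
    """Supplier names ordered by score, highest risk first."""
    return sorted(assessment, key=lambda n: assessment[n][0], reverse=True)


def escalations(previous, current):
    """Step 4: names whose tier rose between two monitoring runs, or that are new."""
    return sorted(
        name for name, (_, t, _) in current.items()
        if name not in previous or TIER_ORDER[t] > TIER_ORDER[previous[name][1]]
    )


# Constructed sample data; the date matches the article's 31 March deadline window.
TODAY = date(2022, 3, 1)
SUPPLIERS = [
    Supplier("CloudHost Ltd", "customer_pii",
             {"ISO 27001": date(2021, 11, 30)},
             {"mfa": False, "segregation_of_duties": True,
              "patching_sla": True, "incident_response_plan": True},
             ["credential leak reported on public paste site"]),
    Supplier("PayrollSaaS", "internal",
             {"SOC 2 Type II": date(2022, 9, 1)},
             {"mfa": True, "segregation_of_duties": True,
              "patching_sla": True, "incident_response_plan": True}),
    Supplier("Office Supplies Co", "none", {},
             {"mfa": True, "segregation_of_duties": False,
              "patching_sla": False, "incident_response_plan": True}),
]

if __name__ == "__main__":
    current = assess_all(SUPPLIERS, TODAY)
    for name in prioritise(current):
        score, t, findings = current[name]
        print(f"{name}: {score} ({t})", *findings, sep="\n  ")
```

Running the script lists CloudHost Ltd first as a high-tier supplier (customer data access, an expired certification, no MFA and a public finding), while the other two fall into the low tier; feeding a later run's results to `escalations()` together with the earlier ones gives the list of suppliers that need re-assessment.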

Ensuring security and compliance 

The new PRA regulation is testament to the increasing risk that banks face from supply chain attacks. As banks increasingly outsource their IT services and the threat landscape becomes more severe, ensuring your supply chain is cyber resilient should be your number one priority this year. 

By identifying high-risk suppliers, analysing their security maturity and then taking the required action to reduce risk, you can avoid severe consequences from having your customer data breached, critical damage to your IT systems, loss of revenue from downtime and hefty fines from the PRA.  


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
