By Jerrod Montoya
April 14, 2021

Recent events related to the cybersecurity of the supply chain have raised our awareness of the many shortcomings we face. Yet, there is another dark storm brewing in the distance, and the supply chain still has a blind spot – The buyer.

Supply Chain Cybersecurity became a hot topic following the Target breach in 2013 and is once again front page news with the recent SolarWinds breach. Securing the supply chain is about ensuring that those providing products or services to a buyer implement reasonable cybersecurity measures as prescribed by the buyer. Note: there’s potential controversy regarding the proper usage of the term “supplier” or “vendor” in the supply chain world. For simplicity’s sake, this article just uses the term supplier.

Various measures are being put in place to mitigate Supply Chain Cybersecurity risk. One example is the use of standard cybersecurity related contract language that requires suppliers to adhere to certain best practices. With all the emphasis on Supply Chain Cybersecurity, the buyer (demand) side of the equation is missing.

This short article introduces the concept of Demand Side Security, describes its importance, and offers three steps to help mitigate the risk.

“Demand Chain Cybersecurity” can be defined as the concept that those providing products or services to a buyer ensure that the buyer implements reasonable cybersecurity measures. To help understand this concept, consider the following hypothetical: 

Imagine Company A contracts with a supplier for a product. The contract between Company A and supplier mandates cybersecurity best practices and includes indemnification language. Company A has good security and it ensures that supplier meets its standards using the contract. All is good in the world.

Now Company B contracts with the same supplier, but there is no cybersecurity best practices language in the contract between Company B and supplier. Company B has terrible security, but supplier likes money and didn’t see a need to ask a whole lot of questions. The plot thickens.

Next, someone at Company B gets a well-crafted phishing email and ends up compromised. A sophisticated attacker then uses Company B as a conduit to compromise the supplier. Then, the sophisticated actor uses the supplier as a conduit to successfully attack Company A. Headline news.

Far fetched? Digital data connections are commonplace and growing today. There are bi-directional data exchanges over countless APIs with questionable security. If there is a digital connection, it can be compromised. Also, there are two known examples mentioned above relevant to the evaluation of this risk. The HVAC supplier that led to the compromise of Target demonstrates the concept of using a third party as a conduit to its victim. The SolarWinds attack shows how compromising a single supplier can impact thousands of other companies. It is only a matter of time before 2 and 2 come together. This is the next variant in the evolution of sophisticated hacks to which there is no inoculation available, yet.

Consider these three steps to help mitigate Demand Chain risk:

First, establish a baseline using existing best practices and require buyers to adhere to that standard at a minimum. The buyer may have more stringent requirements, but at least buyers with no requirements adhere to a baseline. The NIST Cybersecurity Framework (CSF) is a great starting point for a baseline.

Second, reciprocate cybersecurity contract obligations back to those requiring them. For example, suppliers are often required to communicate cybersecurity incidents the buyer within some specified time period. Suppliers should require the same type of report from the buyer. Security is a two-way street and customers should be held to the same standard they are requiring.

Third, make the indemnification clause in the contract apply to security breaches by the buyer. If SolarWinds were compromised as a result of one of its customers, such an indemnification clause would become an important aspect in subsequent litigation.

It might seem strange now for the supply chain to push cybersecurity requirements back up the Demand Chain. There is no major breach or some other example to point to that is obvious. That is exactly the reason why everyone should be considering this concept today. Suppliers should get with their legal teams and start implementing this strategy before it becomes yesterday’s news.

Jerrod Montoya is a leading cybersecurity attorney in Minnesota with corporate cybersecurity leadership experience in the energy sector. Among other things, he has been involved in the development of energy industry cybersecurity supply chain security standards and assisting in drafting related guidance materials alongside electric utilities and the North American Electric Reliablity Corporation (NERC). In his law practice, Jerrod helps companies take strategic and decisive action to mitigate legal risk regarding all aspects of cybersecurity. He is the past-President for InfraGard Minnesota Members Alliance and has been affiliated with the Cybersecurity Summit since its creation. He can be reached at jerrod@montoyalaw.net.