Moody's: Mitigating Third-Party Supply Chain Cyber Risk

Andrei Quinn-Barabanov, Supply Chain Industry Practice Lead at Moody's Analytics
Moody's expert Andrei Quinn-Barabanov explains how to mitigate third-party cyber risk using a data-driven framework for greater supply chain resilience

Cyber attacks are increasingly targeting the sprawling and often complex network of third-party suppliers, turning trusted partners into unwitting entry points for malicious actors.

A cyber incident that disrupted production at Jaguar Land Rover (JLR) has brought this vulnerability into sharp focus.

This event was more than a minor inconvenience: it halted manufacturing lines, caused significant financial repercussions and highlighted how a single breach in the supply chain can have cascading effects across an entire enterprise.

The expanding attack surface

The digital transformation that has optimised modern supply chains has also massively expanded the potential attack surface for cybercriminals.

Every vendor, partner and contractor with digital access to your systems represents a potential doorway into your core infrastructure.

This includes everything from shared cloud platforms and integrated payment systems to the software used for logistics and inventory management. Each connection, while boosting efficiency, is a new vector that must be secured.

Vulnerabilities within this intricate network are a clear and present danger.

Attackers often view smaller suppliers as the path of least resistance, knowing they may lack the sophisticated defence budgets and dedicated security teams that their larger clients possess.

These smaller suppliers may not have 24/7 security monitoring or a formal incident response plan, making them attractive and softer targets. This disparity in security maturity creates dangerous gaps that are ripe for exploitation.

In this article, Cyber Magazine speaks to Andrei Quinn-Barabanov, Supply Chain Industry Practice Lead at Moody's, about how organisations can reduce their exposure to supply chain cyber threats.

JLR recently fell victim to a devastating cyber attack. Picture: Getty Images

Why do businesses continue to underestimate the risk/impact of cyber attacks on their supply chains?

Businesses have historically underestimated supply chain cyber risk for a number of reasons. Many organisations lack specialised expertise in cyber risk management and there is also a tendency to focus on more traditional risks, such as operational, financial and compliance issues. However, recent surveys, including the Moody’s Ratings 2025 Cyber Survey, highlight that supply chain cyber attacks are on the rise, with vendors increasingly targeted as entry points. The growing prominence of these attacks is prompting organisations to pay closer attention to cyber risk in their supply chains. For example, a recent Hiscox survey found that one third of business leaders now admit their organisations lack the expertise to manage cyber risks effectively – with the shortfall being particularly acute among small businesses. While the vulnerability is harder for small businesses to address, larger enterprises are better placed to fortify their defences and they will likely spend more time looking at supply chain cyber risk going forward.

What are the main types of supply chain cyber attacks companies face?

Not all cyber attacks result in catastrophic damage; some are limited to financial loss through ransom payments. Yet others carry material consequences. And many of these originate within supply chains. Larger businesses face three primary sources of supply chain cyber threats:

  1. Supplier systems vulnerabilities: A breach of a supplier’s infrastructure can expose sensitive assets shared during collaboration, such as product designs.
  2. Third-party IT service providers: Cyber criminals may exploit weaknesses in IT vendors to infiltrate a company’s internal systems, leading to severe operational disruptions and data compromise.
  3. Compromised products and equipment: Components or equipment sourced through the supply chain – particularly servers and computers – may be embedded with undetectable malware or even, in extreme cases, spy chips. Consequences range from intellectual property theft to complete operational paralysis.

How can organisations balance operational efficiency with tighter access controls for third-party service providers?

Balancing operational efficiency with robust access controls requires a strategic approach. The first step is to tighten processes around access to internal systems, ensuring only a limited number of service providers have access to sensitive information. These vendors should be carefully selected and subject to significant vetting. In many companies, HR or IT may manage these service providers, which can lead to gaps in supplier due diligence and monitoring if not coordinated with the supply chain team. To address this, whoever manages these vendors should monitor them closely, ideally using the supply chain team’s vetting and monitoring processes. This approach allows organisations to maintain operational efficiency by working with trusted partners, while minimising risk by ensuring that only essential service providers have access to critical systems and data. Importantly, regular reviews and updates (e.g. once a year) to access policies help maintain this balance as business needs evolve.

What common mistakes do companies make when sharing information with suppliers?

A frequent mistake is sharing too much information with suppliers without evaluating the necessity to do so or the sensitivity of the information. One effective approach is to share documents exclusively in secure environments, such as secure cloud platforms or company-issued laptops for suppliers who must receive information. Inconsistent application of these protocols leaves organisations vulnerable, especially when they are dealing with a diverse range of suppliers across different geographies. Companies risk exposing sensitive product, design, or contractual information by not tailoring information sharing policies to the supplier’s cyber risk level. Regularly reviewing and tightening information sharing practices is essential to minimise these risks.

Production was suspended at JLR's vehicle manufacturing plant in Castle Bromwich, UK, following a cyber attack. Picture: Getty Images

How important is it to integrate supplier cyber risk profiles into broader enterprise risk management processes?

Considering supply chain cyber risks in a broader context of enterprise threats is not only prudent – it is strategic, as it creates an opportunity for cross-functional consistency, learning and efficiency. However, it is important to recognise that inclusion alone does not equate to integration – many enterprise risk management programs nominally encompass supply chain risks without embedding them meaningfully into decision-making frameworks. Effective integration is most critical at the level of supplier risk profiling. A unified risk dashboard that consolidates operational, financial, compliance and cyber scores empowers leaders to identify and prioritise the issues that require immediate attention and resource allocation. The absence of an integrated scorecard leads to mitigation decisions often relying on intuition rather than insights, perpetuating a cycle of reactive rather than proactive risk management.

What practical, data-driven steps can organisations take to build more cyber-resilient supply chains?

As I’ve mentioned, supply chain cyber risks often stem from vulnerabilities in supplier systems, outsourced infrastructure maintenance and procured products or services. Building a cyber-resilient supply chain requires taking steps to address these sources of risk. A practical starting point is identifying all suppliers who currently have access to sensitive information and limiting it to only those who truly need access. For these suppliers, it is important to consider setting restrictive policies regarding what information can be shared. Next, organisations should review suppliers’ cyber risk exposure using external assessments, such as Moody’s integrated cyber risk ratings, to understand their likelihood of experiencing a cyber incident. Then, they can assign information sharing limits and due diligence requirements according to suppliers’ risk levels. Preparedness for problems is also critical: companies should plan for scenarios where key suppliers are disrupted, including stockpiling extra inventory and implementing basic risk mitigation measures. These risk mitigation steps are driven by the organisation’s defined risk appetite and available resources.
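The two answers above describe a unified supplier scorecard (operational, financial, compliance and cyber scores consolidated into one view) and a tiering step that sets information-sharing limits and due-diligence cadence by risk level. The following Python is an added illustration of that workflow written for this article; it is not Moody's code, methodology or rating scale. The weights, tier thresholds, per-tier policies and the four sample suppliers are all constructed assumptions, and the only inputs it needs are scores the organisation already holds for each supplier.

```python
"""Supplier risk scorecard and tiering (constructed example, not Moody's methodology).

Each supplier carries four risk scores (0 = best, 100 = worst) plus facts about
its access. The composite score feeds a tier, the tier fixes a sharing policy and
review cadence, and least-privilege checks produce an action list for the dashboard.
"""
from dataclasses import dataclass

# Scorecard weights (assumed); cyber carries the most weight for supplier risk.
WEIGHTS = {"operational": 0.2, "financial": 0.2, "compliance": 0.2, "cyber": 0.4}

# Composite-score floors for each tier, checked highest first (assumed thresholds).
TIER_THRESHOLDS = (("high", 65.0), ("medium", 40.0), ("low", 0.0))

# Sharing channel, review interval and most sensitive data class allowed per tier
# (assumed example policy: riskier suppliers receive less and are reviewed more often).
TIER_POLICY = {
    "low":    {"sharing": "standard channels",      "review_months": 12, "max_data": "restricted"},
    "medium": {"sharing": "secure cloud workspace", "review_months": 6,  "max_data": "confidential"},
    "high":   {"sharing": "company-issued device",  "review_months": 3,  "max_data": "internal"},
}

# Ordinal ranking of data classification labels (assumed).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Supplier:
    name: str
    scores: dict            # risk score per WEIGHTS dimension, 0..100
    has_system_access: bool  # holds credentials into the buyer's internal systems
    data_shared: str        # most sensitive data class currently shared with it
    access_justified: bool  # a documented business need for the access exists


def composite_score(s: Supplier) -> float:
    """Weighted composite; suppliers wired into internal systems are entry points,
    so their cyber score is counted again at a quarter weight, capped at 100."""
    base = sum(WEIGHTS[k] * s.scores[k] for k in WEIGHTS)
    if s.has_system_access:
        base = min(100.0, base + 0.25 * s.scores["cyber"])
    return round(base, 1)


def tier_for(score: float) -> str:
    for tier, floor in TIER_THRESHOLDS:
        if score >= floor:
            return tier
    return "low"


def assess(s: Supplier) -> dict:
    """Tier one supplier and list the least-privilege and over-sharing findings."""
    score = composite_score(s)
    tier = tier_for(score)
    policy = TIER_POLICY[tier]
    findings = []
    if s.has_system_access and not s.access_justified:
        findings.append("system access has no documented need: remove it")
    if DATA_SENSITIVITY[s.data_shared] > DATA_SENSITIVITY[policy["max_data"]]:
        findings.append(f"shares {s.data_shared} data, tier allows up to {policy['max_data']}")
    if tier == "high" and s.has_system_access:
        findings.append("high-risk supplier with system access: review first")
    return {"name": s.name, "score": score, "tier": tier, "policy": policy, "findings": findings}


def prioritise(suppliers) -> list:
    """Dashboard order: suppliers with open findings first, then by composite score."""
    return sorted((assess(s) for s in suppliers),
                  key=lambda r: (-len(r["findings"]), -r["score"]))


# Constructed sample suppliers (names and scores are illustrative only).
SAMPLE_SUPPLIERS = [
    Supplier("Acme Logistics", {"operational": 30, "financial": 20, "compliance": 25, "cyber": 80},
             has_system_access=True, data_shared="confidential", access_justified=True),
    Supplier("Beta Components", {"operational": 20, "financial": 40, "compliance": 30, "cyber": 35},
             has_system_access=False, data_shared="internal", access_justified=False),
    Supplier("Gamma IT Services", {"operational": 50, "financial": 30, "compliance": 60, "cyber": 56},
             has_system_access=True, data_shared="restricted", access_justified=False),
    Supplier("Delta Cloud", {"operational": 10, "financial": 10, "compliance": 10, "cyber": 16},
             has_system_access=True, data_shared="internal", access_justified=True),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_SUPPLIERS):
        print(f"{r['name']:<18} {r['score']:>5} {r['tier']:<6} "
              f"review every {r['policy']['review_months']:>2} months  "
              f"via {r['policy']['sharing']}")
        for f in r["findings"]:
            print(f"    - {f}")
```

Run as a script it prints the action list with the two suppliers that need attention at the top: the high-risk logistics supplier that holds system access and receives more data than its tier allows, and the IT provider whose access has no documented owner. Changing the weights or thresholds is how an organisation expresses the risk appetite the answer mentions; the structure of the decision stays the same.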