Governments should better safeguard their supply chains against cyber risks

Governments should better safeguard their supply...

Related content

Businessman and businesswoman talking

As governments embrace technology – and innovative partners and suppliers – to deliver public services more efficiently, their exposure to cyber security risk is escalating. Just as corporations have suffered damaging online security breaches – too often through third-party vendors – governments must fortify their own complex and often global supply chains.

Fortunately, smarter third-party risk management strategies and new technologies are helping governments engage safely with a wide world of innovative suppliers, while preventing state secrets and citizens’ data from falling into the wrong hands.

Government suppliers build risky supply chains

While governments have long dealt with legions of suppliers to source everything from stationery to submarines, the complexity of these relationships has multiplied. Globalization, innovation and a demand for cost-savings have led governments to seek routine goods and services from distant vendors. And, as governments seek to procure innovative, specialized technology solutions – potentially from small niche firms or even start-ups – they find themselves contracting services from new business partners with unfamiliar reputations or unproven security practices.

Adding further complexity to the supply chain, these third-party suppliers may outsource or partner with others, creating the inherent risks found in a cascading relationship chain, making it more difficult for governments to know precisely who the root supplier of goods and supplies are. This issue is compounded when these companies are acquired by conglomerates, offshore entities and holding companies, or foreign governments and investors. This means that even a company in your own backyard could have hidden overseas ties.

It’s little wonder that as governments spend heavily to safeguard internal systems, hackers are turning to softer targets including vulnerable connections between government networks and suppliers. 

Growing government cyber security risks

Cyber security risk is only expected to increase in the years ahead, as governments use more business-changing technologies like the cloud, mobile devices, Internet of Things and social media channels. The threats will be continuously evolving, since ever-newer technologies create an endless duel between government security teams and hackers to protect, attack, repair and repeat. Software patching alone will never be an adequate mitigation strategy.

And, as governments strive to be more responsive to public needs, while working faster and leaner, it’s possible that traditional due diligence and manual compliance processes will fail under the strain.

Third-party risk solutions for cyber security gaps

As the links in their supply chains become attractive targets, many governments are incorporating sophisticated, third-party risk management strategies to ensure they and their vendors are ready to prevent, detect and respond to cyber attacks.

At first, purchasing officers might worry that new practices will slow down the procurement process and prevent them from contracting cutting-edge suppliers. However, today’s third-party risk management programs are not designed to find risk and dictate who not to do business with. Instead, they focus on understanding the risks associated with a third party, making informed decisions, and introducing the right level of controls to do business safely.

Know who you are dealing with

There are many elements to a third-party risk management framework, but it ultimately comes down to government understanding who it is doing business with at each stage of the relationship lifecycle.

  1. In the onboarding stage, you must decide if you want to do business with the third party. This includes identifying them, gathering information and due diligence for a solid risk assessment and risk segmentation, and then accepting or rejecting them based on the risk, or performing risk mitigation actions.
  2. If you decide to proceed with the contract, you must monitor the relationship, to ensure you are getting what you paid for and know whether it is safe to continue doing business. This involves contract management to ensure vendor compliance, ongoing performance evaluation and risk re-evaluation if events occur, for example if their ownership or financial state changes.
  3. Finally – and often overlooked – you must follow a careful off-boarding process when the relationship terminates. This encompasses verifying that the third party has fulfilled its obligations and that it doesn’t continue to represent a risk, relating to data ownership and physical or virtual access to government property or systems.

Technology to simplify third-party risk tracking

It is a sizable undertaking to introduce and manage third-party risk controls in a government agency with hundreds or thousands of suppliers, but new technologies can simplify the task and target the organization’s points of weakness, whether they are cyber security, business, financial, integrity or reputational risks.

Astrus, KPMG’s due diligence solution, includes an automated integrity monitoring tool that can perform cost-effective risk-based tracking and reporting of an organization’s global third-party relationships. Additionally, KPMG’s Third Party Intelligence tool can efficiently monitor the financial health of numerous suppliers and partners. Using sophisticated algorithms that turn data into insights, this automated intelligence engine captures and analyzes financial statements from thousands of third parties in 82 countries to continuously track risk factors and flags possible issues.

These business intelligence tools were inspired by past advisory and audit engagements by KPMG member firms to address clients’ particular needs, from M&A due diligence and regulatory compliance reviews to supply chain management and forensic investigations. 

Taking a holistic approach to third-party risk

Although governments and corporations may initiate a third-party risk management review to address a single, urgent risk, they frequently realize the value of taking a bigger, holistic approach.

For example, a major technology company enlisted KPMG to examine its security controls following a major cyber security breach. They soon recognized the need to take a more proactive, integrated approach to their other risks and brought together stakeholders from across their organization and a team of KPMG professionals from numerous practices. They performed an inventory of current risk exposures, segmented third-party risks, and scrutinized the existing end-to-end third-party management process.

A change management component proved essential, since success hinged on driving culture and behavior change across the client’s operations and procurement staff. Communication and training was needed to bring new procedures to life, so that everyone understood and prioritized cyber security issues and learned to think like compliance officers.

This solution, proven effective in the private sector, offers a good model for government administrators who feel the pressure to plug cyber gaps, but also desire an integrated, wider-view strategy to prevent, detect and defend against a gamut of yet-unknown future threats.

By taking a strategic, risk-based approach to continuously guard their supply chains – without putting up an impenetrable, innovation-stunting wall – governments can create the right controls and internal culture, so they can do business with next-generation suppliers and deliver public services that benefit from an unfolding technology revolution.

@gov: Inspiring innovative government

A new digital magazine for governments.

Read more

Connect with us


Request for proposal



KPMG's new digital platform

KPMG's new digital platform