Supply-Chain Risks Prompt Deeper Vendor Scrutiny

Security chiefs say simple questionnaires are no longer adequate

Omar Khawaja, chief information security officer at Highmark Health, and Alissa Abdullah, deputy chief security officer at Mastercard, speaking at this week's WSJ Pro Cybersecurity Executive Forum in New York.

Photo: Andy Davis/ProductionManager for The Wall Street Journal

Cybersecurity risks are prompting companies to come up with new ways of assessing the security of their suppliers, security chiefs say, but deep examinations can prove prohibitively expensive.

While vendor surveys have long been a favored due-diligence tool for large companies to examine the security posture of supply chains, these provide a limited view, said Omar Khawaja, chief information security officer at Pittsburgh-based nonprofit Highmark Health. Furthermore, it is easy for a supplier to overstate their security provisions on such forms, he added.

“We found that there’s almost no ability to really rely on the efficacy of the responses coming through,” he said, speaking Tuesday at the WSJ Pro Cybersecurity Executive Forum in New York.

Levels of scrutiny should vary, said Alla Valente, an analyst at Forrester Research Inc. Create a catalog of all suppliers and the data they have access to, she said. Suppliers that process customer data or provide digital components in devices require a higher level of scrutiny, she added.

The effectiveness of due-diligence surveys has been questioned in other industries, including financial services.

At Highmark, Mr. Khawaja knew he wanted to examine suppliers closely, but said assessing thousands of companies isn’t feasible.

“If we want to review and assess and evaluate evidence for every single control, that in and of itself could be a $30 million program, because it would probably take us about a month to validate every control for each of those vendors. We can’t do that,” he said.

The solution was to move to a common framework from the Health Information Trust Alliance, known as Hitrust. The standards body, based in Frisco, Texas, was created in 2007 by a consortium of health-care organizations including Highmark.

Using Hitrust lets Highmark delegate basic security checkups, Mr. Khawaja said. The company’s contracts require that a supplier be Hitrust-certified. This also ensures that suppliers keep up-to-date on threats.

“Three years ago, four years ago, we probably weren’t thinking about controls to protect against ransomware, but we should now. So the Hitrust framework, every year, gets updated a couple of times. Control requirements go up and they change based on the risk associated with the specific context of the organization,” he said.

The health-care sector is highly regulated, meaning that regulators are scrutinizing whether companies are making sure their suppliers protect data.

Medical providers make basic mistakes such as failing to have proper business associate agreements, violating the Health Insurance Portability and Accountability Act, said Roger Severino, director of the office of civil rights at the Department of Health and Human Services. HHS collected a record $28.7 million in fines in 2018. The department has issued more than $12 million in enforcement actions so far in 2019, he said.

“They must spell out every condition as to how that entity can use that data, what analytics will be done, what protections are going to be put in place to make sure the data is safe and complies with Hipaa,” Mr. Severino said Tuesday during another session at the Pro Cybersecurity event.

Before signing new business agreements, corporate cybersecurity teams should ask potential suppliers which standard frameworks they comply with, said Alan Brill, senior managing director in the cyber risk practice at Kroll, a unit of consulting firm Duff & Phelps Corp.

Questionnaires give companies a written record of their suppliers’ statements, which can be helpful in case of legal disputes, Mr. Brill said. But it can take a long time for corporate cybersecurity teams to analyze responses from all of their suppliers. Instead, Mr. Brill recommends that businesses ask for certification from a third party, such as an accounting firm, attesting that the supplier complies with a widely used security standard.

Other security executives cautioned against ditching questionnaires entirely. Alissa Abdullah, deputy chief security officer at Mastercard Inc., said these are still useful, as long as they aren’t the only source of information.

“I don’t necessarily agree that questionnaires and assessments aren’t the way to go. We have a vast network of suppliers and so we rely on that as our first point of data collection,” said Ms. Abdullah, a former deputy chief information officer at the White House under the Obama administration, speaking on the same panel as Mr. Khawaja.

Ms. Abdullah said her approach is to start with vendor surveys, then follow up with on-site visits. Every supplier for Mastercard, she said, has a relationship with someone in the company who can continuously discuss security arrangements.

Write to James Rundle at james.rundle@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com