DAVOS 25 Three key ways to make supply chains more resilient to cyber risks

  • In a technologically dependent and interconnected society, managing cyber risk within global supply chains is critical.
  • Misaligned market incentives, risk inequality and limited visibility across supply chains require new principles to boost ecosystem resilience.
  • These three new principles should foster embeddedness, leverage advanced technology and be adaptive and proactive.

Organizations worldwide are increasingly impacted by cyber incidents occurring at partner organizations. The number of supply-chain cyber incidents is growing, as is the magnitude of their impact.

Large organizations face a 25% probability of experiencing a cyberattack with an average remediation cost of $4.9 million. According to Verizon’s 2024 Data Breach Investigations Report, the number of cyber incidents involving software vulnerabilities increased in 2023 by 180% year-on-year; 15% of these involved a third-party supplier.

The unintended upstream and downstream consequences affecting society are of even greater concern. Such a risk pool may eventually hit the boundaries of what cyber risks can be insured. Unfortunately, only 27% of supply chains are regularly monitored and evaluated by their customers.

Image: World Economic Forum Global Cybersecurity Outlook 2025

Existing approaches for addressing these challenges fall short. Confronted with limited visibility in supply chains, security risk inequality between organizations and misaligned market incentives, gaps in managing cyber risks in supply chains are inevitable. This causes inadequate supply chain cyber risk assessment and poor communication and cooperation among organizations, resulting in severe consequences.

A global IT outage in July 2024 was an inadvertent supply-chain cyber incident by CrowdStrike that caused 8.5 million systems to crash in thousands of organizations worldwide. This was due to a single faulty database content update, resulting in overall societal losses exceeding $10 billion. A deliberately engineered version of such an incident could have been much worse.

Yet, in the aftermath of this global IT outage, the market discourse contains little about managing cyber risks in supply chains. The focus is mostly on tactical discussions on the technical aspects of this particular incident, as well as on speculative accusations among organizations on who should be held accountable for the losses.

As another example, Change Healthcare processes nearly 40% of the 15 billion medical claims made in the US. An attack on Change Healthcare in February 2024 caused a backlog of unpaid claims, putting doctors’ offices and hospitals in an urgent cash flow situation and constraining patients’ access to healthcare. Furthermore, sensitive healthcare data of millions of people was leaked to the dark web, costing UnitedHealth Group $2.5 billion in recovery, all from a single point of failure.

Society has already been subjected to many significant, impactful global supply chain breaches, including the NotPetya attack on Maersk, the Sunburst attack on SolarWinds, the cyberattack on MOVEit and the Okta supply chain campaign. Yet, the worst is possibly to come: many executives expect a catastrophic cyber event within the forthcoming years.

Given the societal impact, better management of supply chain cyber risk is required. Through legislation (e.g., NIS2 in the EU and the SEC cybersecurity rules in the US), boards of organizations have been assigned the task of managing these risks. Limited capabilities exist, however, to assess the overall global digital dependencies among organizations and thus the risk and resiliency implications of such dependencies. Increasing supply chain breaches may cause an erosion of trust and confidence and ultimately impede digitalization efforts.

Establishing a robust framework

In May 2024, MIT CAMS, in collaboration with the German government’s Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur), convened a pivotal workshop at MIT aimed at establishing a more robust framework for managing cyber risk and enhancing cyber resiliency within supply chains. This workshop brought together a diverse group of thought leaders, including chief information security officers, cyber insurance experts, tech company executives, regulators, market analysts and academics.

The discussions were categorized into these three focus areas:

1. Strengthening governance, oversight and collaboration

Emphasizing the importance of cohesive governance structures and collaborative efforts among stakeholders to ensure comprehensive oversight and effective management of cyber risks.

2. Encouraging systemic cyber resiliency

Promoting strategies and practices that enhance the overall resilience of supply chains against cyber threats, ensuring they can withstand and recover from disruptions.

3. Advancing risk assessments and mitigations

Developing sophisticated risk assessment methodologies and mitigation strategies to proactively identify and address potential vulnerabilities within supply chains.

3 principles for navigating global supply chain risks

From these discussions, three key principles emerged, which are seen as essential for organizations to navigate supply chain cyber risk and resilience effectively:

1. Foster embeddedness

Integrate resilience within the supply chain and deeply within organizational processes and culture across the different collaborative organizations, ensuring that it becomes a fundamental aspect of operational and strategic decision-making.

2. Leverage advanced technologies

Utilize cutting-edge technologies to enhance cyber defences, streamline risk assessment and improve overall resiliency.

3. Become adaptive and proactive

Cultivate an organizational mindset that is flexible and forward-thinking, enabling rapid adaptation to evolving cyber threats and proactive measures to mitigate risks.

These principles are crucial across all three focus areas, providing a comprehensive approach to managing cyber risk and enhancing resiliency in supply chains.

3 ways to limit global supply chain risk

To lessen cyber risk and strengthen cyber resilience in supply chains, companies should:

1. Foster embeddedness for collaboration

As organizations are embedded in a supply chain, the collective resources, knowledge and experience of the total supply chain goes beyond the capabilities of each individual organization, enabling coopetition. Coopetition allows competitors to collaborate in specific areas, like cyber resilience. They might, for example, share relevant threat information and best practices, perform joint cyber exercises within a value chain or sector, help each other with cyber risk mitigation and foster collaboration to strengthen business continuity and disaster recovery.

Also, large companies can have a key role in minimizing security inequality. Such a role can go far beyond the common gestures of providing implementation advice or awareness training. Small and medium businesses often lack the resources and funds to acquire certain essential security capabilities. Considering the deployment and resourcing of certain security capabilities at a supply chain level, rather than at the level of individual organizations, fosters accessibility, increases economies of scale and strengthens supply chain resilience. This collaboration affects the operational, tactical and strategic levels of the cooperating organizations.

2. Leverage advanced technologies to strengthen cyber risk measurement and management

Emerging technology solutions with high levels of computing power, cloud technology and artificial intelligence allow us to capture the systemic structure and complex context of supply chains and distribute these effectively amongst participants. For instance, enterprise and industrial environments with multiple independent components can now be quantified and optimized from a resilience perspective.

Recent cyber risk analysis work at MIT based on data from over 40,000 companies empirically established that supply-chain features are important drivers of cyber risk, significantly enhancing indicators such as outside-in security scores. Supply chain data-backed algorithms following Graph Theory can pinpoint critical supply chain elements that threaten resilience to prioritize resources and efforts for strengthening resilience.
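One way to apply such graph reasoning, shown here as an added illustration that is not code from the article or from the MIT work it cites: a constructed supplier dependency graph is walked to rank suppliers by how many organizations their outage would transitively take down, surfacing the shared single points of failure that warrant redundancy or diversity investment. All organization names and edges are constructed for the example.

```python
from collections import defaultdict

# Constructed supplier dependency graph (illustrative, not data from the article):
# each edge reads "customer depends on supplier".
DEPENDS_ON = [
    ("Hospital_A", "Claims_Processor"),
    ("Hospital_B", "Claims_Processor"),
    ("Clinic_C", "Claims_Processor"),
    ("Claims_Processor", "Cloud_Host"),
    ("Hospital_A", "EDR_Vendor"),
    ("Hospital_B", "EDR_Vendor"),
    ("Clinic_C", "EDR_Vendor"),
    ("Clinic_C", "Billing_SaaS"),
]


def build_dependents(edges):
    """Reverse the edges: supplier -> set of direct customers."""
    dependents = defaultdict(set)
    for customer, supplier in edges:
        dependents[supplier].add(customer)
    return dependents


def blast_radius(edges, supplier):
    """All organizations transitively impacted if `supplier` fails.
    Depth-first walk over the reversed graph; the `seen` set also
    guards against cycles in mutual dependencies."""
    dependents = build_dependents(edges)
    seen, stack = set(), [supplier]
    while stack:
        node = stack.pop()
        for customer in dependents.get(node, ()):
            if customer not in seen:
                seen.add(customer)
                stack.append(customer)
    return seen


def rank_single_points_of_failure(edges, min_dependents=2):
    """Suppliers whose outage would hit at least `min_dependents` organizations,
    ordered by impact (largest first, then by name) so that scarce resilience
    budget goes to the most critical shared nodes first."""
    suppliers = {supplier for _, supplier in edges}
    scored = [(s, len(blast_radius(edges, s))) for s in suppliers]
    ranked = sorted(scored, key=lambda item: (-item[1], item[0]))
    return [(s, n) for s, n in ranked if n >= min_dependents]


if __name__ == "__main__":
    for supplier, impacted in rank_single_points_of_failure(DEPENDS_ON):
        print(f"{supplier}: outage would impact {impacted} organizations")
```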

Asvin Labs demonstrated in its research that federated learning can significantly augment an organization’s individual cybersecurity insights and simultaneously strengthen overall ecosystem insights. Data aggregation in collectively shared and trained AI models is key here. Widely accepted cyber risk quantification approaches can be easily adapted to complex environments where information technology and operational technology coexist. Clearly, advances in AI will be essential for changing the cybersecurity arms race and allowing for better decision-making and defensive opportunities.

3. Become adaptive and proactive with respect to cyber threats

Adaptiveness and proactiveness affect the architectural design and oversight of supply chains. Resilience requires embedded endurance and system-of-systems thinking in an adaptive architectural design of the supply chain to absorb the impact of a cyberattack. Such a design embraces redundancy, created by duplicate capacity and buffers that compensate for shortfalls, as well as diversity, since heterogeneity in people, processes and systems limits the spread of particular cyberattacks. It must also encompass modularity so that compromised systems can be isolated, limiting their impact on the overall supply chain.

Oversight that contributes to resilience requires strong managerial foresight. Managerial foresight is the capability to foresee the future or explore possible future states of performance indicators relevant to the business environment to pre-empt and act accordingly. Managerial foresight can be improved through simulation-aided techniques. Simulation-aided techniques make a virtual strategic replica that captures the multi-dimensional complex environment, such as cybersecurity and supply chains. Such simulations can provide an interactive and exploratory environment that allows executives to find the best strategic options that strengthen supply chain performance and foster resilience, and enhance management dashboards and reporting to forecast the behavioural future trend of essential performance indicators.

In addition, supply chain-focused attacker-defender simulation games can raise managerial awareness and build managerial heuristics that strengthen resilience-fostering decision-making. In this way, simulations help to close the gap between attackers and defenders, as they provide executive board members with more time to strategically anticipate possible future critical events.

The road ahead

Navigating cyber risk and resilience goes beyond the scope of individual organizations. Strengthening cyber resilience in global supply chains requires us to embrace these three key principles focused on strengthening collaboration, using advanced methods to strengthen measurement and assessment and becoming more adaptive and proactive towards emerging cyber threats.

The author would like to thank Sander Zeijlemaker (CAMS), Raphael Yahalom (CAMS), Ranjan Pal (CAMS) and Mirco Ross (Asvin.io) for their invaluable guidance, effort, leadership and support throughout this project.

https://www.weforum.org/stories/2025/04/three-key-directions-for-the-cyber-resiliency-crisis-in-global-supply-chains/