
In June 2024, a ransomware attack on the pathology provider Synnovis disrupted clinical services across several major London hospitals. Operations were cancelled, pathology services were severely disrupted, and blood transfusions were delayed. The attack revealed a fundamental flaw in how organisations currently manage third-party risk: assessing suppliers on a strictly individual, organisation-to-organisation basis obscures the true scale of the systemic risk that a single supplier can pose, risk that can threaten entire industries and, in this instance, even lives. Individual organisations working in isolation are unable to identify such systemic risks. Only collaboration with peers provides an effective solution.
Standard third-party risk management involves a single organisation auditing its direct suppliers. A hospital trust checks a supplier’s security controls, ensures compliance with regulatory frameworks, and approves the contract.
The inherent problem with this method is its limited scope. If ten different hospitals independently vet and approve the same pathology lab, each hospital’s internal risk register will likely show a manageable level of risk. However, none of their individual assessments will capture the fact that an entire region’s diagnostic capability might hinge on that one provider. Individual audits cannot detect such market concentration. The situation is further complicated within individual Trusts, where different divisions and services may each rely on different, highly specialised third-party tools that are procured and managed in isolation. You simply cannot see a potential sector-wide “choke” point by looking only at your own supply chain.
Discovering these critical bottlenecks requires a broader perspective. The only mechanism capable of mapping systemic risk is cross-industry collaboration. When organisations share their supplier data and engage in collaborative supply chain mapping, the industry can actually see its shared dependencies and uncover the specialised third- or fourth-party suppliers that serve the majority of the market.
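As an added illustration of the collaborative mapping described above (not code from the article or from Risk Ledger), the script below pools constructed, hypothetical supplier lists from four organisations, follows each supplier's own suppliers to surface fourth-party dependencies, and reports which suppliers a majority of the pooled organisations depend on. The organisation and supplier names are invented; a single organisation running this on its own list alone would see no concentration at all.

```python
from collections import defaultdict

# Constructed sample data (all names hypothetical): each organisation's
# direct third-party suppliers, and each supplier's own upstream suppliers.
DIRECT_SUPPLIERS = {
    "Hospital A": {"PathLabX", "ImagingCo"},
    "Hospital B": {"PathLabX", "PharmacySys"},
    "Hospital C": {"PathLabX", "ImagingCo"},
    "Hospital D": {"RegionalLab", "PharmacySys"},
}
SUPPLIER_SUPPLIERS = {
    "PathLabX": {"LabInfoSys"},     # both labs run the same lab information system
    "RegionalLab": {"LabInfoSys"},
}


def transitive_dependencies(org, direct, upstream):
    """Every supplier `org` depends on, directly or through fourth parties."""
    seen, stack = set(), list(direct.get(org, ()))
    while stack:
        supplier = stack.pop()
        if supplier in seen:
            continue
        seen.add(supplier)
        stack.extend(upstream.get(supplier, ()))
    return seen


def affected_organisations(supplier, direct, upstream):
    """Organisations in the pooled dataset that would lose `supplier` if it failed."""
    return {org for org in direct
            if supplier in transitive_dependencies(org, direct, upstream)}


def concentration(direct, upstream, threshold=0.5):
    """Share of pooled organisations depending on each supplier (direct or
    transitive); returns only suppliers at or above `threshold`, i.e. the
    sector-wide choke points that no single organisation's audit can reveal."""
    counts = defaultdict(int)
    for org in direct:
        for supplier in transitive_dependencies(org, direct, upstream):
            counts[supplier] += 1
    total = len(direct)
    return {s: c / total for s, c in counts.items() if c / total >= threshold}


if __name__ == "__main__":
    for supplier, share in sorted(concentration(DIRECT_SUPPLIERS, SUPPLIER_SUPPLIERS).items()):
        print(f"{supplier}: {share:.0%} of organisations depend on it")
```

In the sample data the fourth-party LabInfoSys never appears in any hospital's own supplier list, yet all four depend on it.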
There is another benefit: instead of overwhelming shared suppliers with redundant, baseline compliance questionnaires, a consortium of peers can share the burden of reviewing by having multiple eyes on the same supplier. Together, they can demand higher standards, prepare for failovers, and coordinate mitigation efforts.
The fallout from the Synnovis incident demonstrates that modern cyber threats do not respect organisational boundaries. Threat actors recognise that attacking a shared supplier is an efficient way to compromise an entire sector’s operational capacity.
Because attackers are increasingly targeting these shared dependencies, defending against them requires a collective approach. Organisations need to move past the traditional reluctance to share supply chain information or security postures with competitors. Establishing industry working groups, pooling supplier risk profiles, and sharing threat intelligence are necessary steps to build functional resilience.
An industry’s stability depends heavily on the security of its common suppliers. Continuing to treat supply chain risk as an exclusively individual matter leaves sectors vulnerable to the next bottleneck failure. Identifying these critical third parties is a task that no single organisation can achieve in isolation; it requires active, ongoing coordination among peers.
Justin Kuruvilla is Chief Cyber Security Strategist at Risk Ledger
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543