With nearly 40 billion devices online globally, almost everyone and everything is connected. This new digital ecosystem empowers us to be more productive and efficient.
But how can we trust it?
The ongoing Digital Transformation has opened a whole new way of living and working. In the business world, because of the deeper performance insights, reduced costs from better asset reliability and other benefits new levels of connectivity provide, the world is becoming faster, more flexible and more efficient.
As we have seen over the last few years, more digital also means a broader range of services can be delivered through various channels and capabilities (cloud computing, edge devices through IoT), most of them involving third-party suppliers. It also means we have all become members of a global digital ecosystem, where the choices we make both affect and are influenced by the choices of others.
However, that ecosystem is only effective if we have trust in it. That trust is built on the digital technology that allows us to share ideas, collaborate on projects, manage production, monitor and control supply chains and otherwise be more productive with peace of mind.
Extended third-party relationships have introduced new cybersecurity risks that threaten the stability of the supply chain, and the manufacturing industry in particular continues to be a frequent target of cyber-attacks.
A study by Gartner finds that, in 2019, 60% of organizations work with more than 1,000 third parties, and those networks are only expected to grow. Other research by Deloitte shows that 40% of manufacturers had their operations affected by a cyber incident during 2019. And in 2018, the average financial impact of a data breach in the manufacturing industry was $7.5 million.
Against this backdrop, no one can be safe and secure on their own. On one hand, a company must manage its own supply chain with a host of suppliers; on the other, the same company is part of the supply chain of its customers. Thus, the digital ecosystem must collaborate to raise the bar when it comes to cyber defense.
Because taking on these new cyber threats can’t be limited to a single entity, Schneider Electric is committed to being as collaborative as possible, especially with our third-party suppliers. In our view, driving deeper collaboration with our suppliers is a critical step in raising the bar and to safeguarding global supply, as well as industry at large.
Managing third-party risk is integral to mutual success
In some ways, Schneider Electric is very similar to other multinational companies of our size and complexity. With approximately 140,000 employees in more than 100 countries, we source goods and services from five continents. In fact, in 2020, we manage more than 50,000 unique suppliers across multiple procurement and ERP systems.
As a leader of digital transformation in energy management and industrial automation, we are heavily focused on developing and delivering connected products and associated services through our EcoStruxure™ IoT-activated architecture and platform and Schneider Electric Exchange, our online community that allows our customers and partners to create, collaborate and scale by exchanging ideas, solutions, skills and business opportunities.
This means we are driving deeper interactions with existing partners, who are also becoming even more digital themselves, while simultaneously widening our ecosystem by bringing into our supply chain new hardware, software, technology and services providers from multiple industries and regions.
To help manage this complexity and the incumbent cybersecurity risks it presents to our assets, operations and customer environments, we continually analyze our expansive ecosystem, which includes customers, partners and suppliers, as well as digital channel and platforms and even wider enterprise OT and IT.
Our analysis reveals that suppliers could potentially introduce cyber risks within our supply chain, creating credible threats to customer assets, our business continuity, our ability to meet regulatory and other compliance and our intellectual property.
To mitigate these risks, Schneider Electric collaborates with suppliers who share our values and vision. As essential members of our digital ecosystem, we hold them to the highest possible standard when it comes to ensuring the security of our supply chain. This is consistent with our Principles of Responsibility, which resolve us to provide our customers with secure products, systems and services, while protecting the privacy of their and all our stakeholders’ data.
Laying the foundations with a robust program and a central policy
At the end of 2019, Schneider Electric established a cross-functional third-party risk management program under the direction and imperative of C-Level leadership, including the Chief Information Security Officer, Chief Procurement Officer, Chief Information Officer and Chief Product Security Officer.
In 2020, the company introduced a new policy to address and manage third-party cybersecurity risks from a broader scope of suppliers: product component manufacturers, e.g. OEM’s; technology providers, e.g., cloud and infrastructure hosting services; marketing and general services, e.g., facility management; customer-facing activities, e.g., field services subcontractor; and manufacturing and distribution, e.g., circuit board assembly manufacturers.
Our Third-Party Security Management Policy, built on three Core Principles, motivates collaboration with our suppliers, ensuring their compliance with the policy and helping them cascade best practices and guidelines to their own suppliers and providers. These Core Principles are:
- Risk-Based Approach
- Security and Privacy are Essential
- Ensuring Compliance
Not only does this allow our suppliers to better navigate our procurement processes, it helps them better understand improvement areas in their own security posture. Ultimately, collaborating with us will help them demonstrate their cyber resilience to their many other customers and stakeholders, which will contribute to their better business performance.
A risk-based approach: Cornerstone of the policy
First, we apply risk-measurement ratings tools and other trusted methodologies to identify and rank our third-party relationships by risk criticality.
Then, based on that risk profile, we put into place collaborative mitigation plans that help our suppliers mitigate the risks their overall cyber posture can introduce into our ecosystem.
Our suppliers are required to take steps to mitigate cybersecurity-related risks as part of their agreement with Schneider Electric. From there, we launch regular performance monitoring, which not only allows us to remain risk-aware, it also enriches a better collaborative and valuable outcome for our customers. By customizing suppliers’ mitigation plans, we improve our ability to provide our customers the trustworthy, secure, privacy-protective and resilient products, systems and services they need to protect their people, assets and operations.
Security, privacy and trust are essential to the procurement process and lifecycle
Once the mitigation strategy is deployed, as part of the ongoing performance monitoring, control gates are established to ensure critical risks are managed across the supplier’s lifecycle: sourcing, onboarding, execution and off-boarding. (Figure 3).
Control gates can be in the form of due-diligence, periodic or event-triggered assessments/audits (internal and/or performed by designated assessors), penetration testing (if the third party is accessing or administering a “crown-jewel” system) and/or the insertion of cybersecurity and privacy clauses or addendums into primary supply agreements. As always, the mitigations are commensurate with risk levels, i.e., the higher risk a third party introduces, the more stringent the contractual language becomes.
Other forms of control could also be continuous monitoring through security rating systems, which would allow Schneider Electric to better and more quickly understand the health of the portfolio and potential third parties.
Control gates are consistently applied across the supplier lifecycle with defined roles and responsibilities among the business, operations, cybersecurity and procurement teams.
Figure 3. During all five phases of Third-Party Security Management Lifecycle, cybersecurity control gates ensure the enforcement of the Third-Party Security Policy Principles
Schneider Electric supports and champions compliance with applicable laws, executive orders, regulations, directives and standards. Therefore, as a basic principle, we expect our third parties’ continuous compliance with all applicable regulations, as well as with Schneider Electric’s Third-Party Security Policy.
Our business success is tied directly to the confidence our customers and other stakeholders consistently have in the resilience and reliability of our products, systems and services, as well as their confidence in our ability to protect their data.
To ensure and protect that trust, our suppliers must agree to have their compliance to our policy assessed regularly. In fact, each primary supply agreement reserves Schneider Electric’s right to conduct audits and for suppliers to attest to the effectiveness and coverage of their security and privacy controls. Such assessments can take place throughout the lifecycle of the relationship, from early sourcing stages to execution.
Schneider Electric recognizes that the digital era calls for a new approach to performing supplier security assessments. As the digital ecosystem expands, so do supplier interactions, which makes managing the supplier-customer relationship additionally complex. And the complexity is compounded by the ever-growing scarcity of qualified cyber skills in almost every organization.
As a leading provider of technology to customers and markets in every corner of the globe, we face these complexities too. Requiring suppliers to complete hundreds and sometimes thousands of Excel or Word-based manual questionnaires is an outdated and outmoded form of supplier assessment.
Instead, we strive to employ a scalable, less-cumbersome third-party cybersecurity assessment program that will be more enriching than simply sending questionnaires to our suppliers. By working with independent security assessment organizations and with real-time cyber posture monitoring and scoring agencies, we more closely engage, cooperate and learn from our suppliers about how to strengthen our mutual trust.
Recent digital trends have changed the way companies do business. For better, it has brought speed, scale and functionality to all aspects of commerce and communication. For worse, it has brought the risks of data exposure, data breaches and financial losses related to business interruptions. The consequences of a cyber incident mean that managing cyber risk, especially third-party risk, is fast becoming a critical strategic initiative for many leading organizations.
Schneider Electric is confident that by working with us to adopt and meet the high standards established within our Policy.
“Our trusted third-party suppliers will realize countless business benefits.”
But more importantly, by building on the Core Principles established within it, together we can collectively and collaboratively reduce and even eliminate the cyber risks that threaten the global digital ecosystem.
 The link towards the External version of the policy signed by Christophe and Dan.