The most obvious types of fallout from supply chain cyber security threats are the impact on regulatory compliance or the damage to a business’s reputation.
But here’s another major consequence of supply chain security attacks that keep occurring despite dogged efforts to stop them: Losses on the stock market. When businesses are affected by supply chain cyber security threats – even if the threats originate from an external vendor, rather than the business’s own systems – their stock price usually takes a major hit.
Here’s why supply chain cyber security threats can wreak such havoc on stocks, and what to do to protect your business from watching its market value plummet due to supply chain vulnerabilities. Your goals should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.
How supply chain security threats impact stock value
When a supply chain breach occurs, your share price is at risk for a variety of reasons.
Probably the most obvious is the hit you’ll take to your company’s reputation. Again, even if the breach originated in a third-party product, investors may still question your commitment to security, given that you were unable to detect and mitigate the breach quickly enough to prevent it from harming the organization.
Regulatory fines, too, could follow supply chain breaches if the breach leads to loss of regulated data. Those fines will impact quarterly earnings reports, which investors use to decide whether to buy or sell stock in your company.
In more extreme cases, supply chain security threats may become vectors that allow threat actors to take control of your systems. In turn, attackers could take actions like publishing fake news through your media channels or injecting false price quotes into data feeds. Such activity may breed a sense among investors that you’ve totally lost control of your business operations, leading to a dramatic fall in market value.
Types of supply chain cyber security threats against stock markets
As the following image shows, supply chain breaches can target both suppliers and customers.
Either way, the fallout from a stock market perspective is likely to be negative for the companies involved. Any type of supply chain attack – from malware infection, to brute-force attacks, to vulnerability exploits and beyond – can undercut a business’s reputation among investors and lead to a swift sell-off, which brings down stock prices.
Stock losses resulting from supply chain attacks
The risk we’re describing here is not just theoretical. Here are some of the most recent major supply chain cyber threat exploits. You’ll notice that they led to significant loss of company value on the stock market.
Nvidia cyber attack
When Nvidia was attacked by a ransomware group called Lapsus$, Reuters reported that Nvidia’s schematics, drivers, firmware and other sensitive intellectual property may have been compromised. The credentials of 71 000 employees were leaked, after which Lapsus$ made this information available to other hacking communities. The result was an immediate 7% drop in Nvidia’s stock price. Although the drop was modest, and the stock quickly recovered, it was still a clear example of how supply chain cyber security threats can hamper stock value.
Mimecast is an email security and cyber resilience platform. When news was released in January 2021 that it had been hit by supply chain cyber security threats, shareholders’ trust in the stock was shaken.
Mimecast stock lost more than 12 percent of its value following the disclosure of a compromised certificate. Moreover, because about 10 percent of the company’s customers were using the compromised certificate, this supply chain attack likely also impacted other businesses.
Terence Jackson, Chief Information Security Officer at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions, said: “The certificates that were compromised were used by Mimecast email security products. These products access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”
The SolarWinds supply chain breach, in which attackers injected malware into SolarWinds’s source code, was associated with a huge selloff that took place just days before the breach was publicly disclosed.
While it has not yet been proven that the 35 investors who sold their stock right before public disclosure had insider knowledge of the breach, the timing of the selloff doesn’t seem to be coincidental.
Assuming it wasn’t, this is also an example of how a supply chain attack can trigger a major loss of stock value.
Staying on top of supply chain cyber security threats
Once a supply chain attack takes place, the damage to market value is done. The best way to contain supply chain cyber security threats, then, is to be proactive, so you can address risks before they turn into active breaches.
Start by gaining full visibility into your supply chain. This is the only way to know which vulnerabilities may impact you.
Then, take preventative measures – like application controls and network segmentation – that reduce the likelihood or mitigate the impact of cyber security incidents.
You should also educate your employees and partners about cyber security, and make it clear that finding and containing supply chain cyber security threats is a top priority.
Finally, have a crisis management plan for your supply chain security in place so that you can react swiftly if an attack does occur. Although managing your response won’t prevent all financial harm, it can reduce the total damage.
Supply chain cyber security threats aren’t bad just for your users or your IT team. They also pose a serious risk to your business’s market value. To prevent major financial losses, it’s critical to have a supply chain threat detection and mitigation solution in place.