- Author: Michael Connory, CEO | Security In Depth
- Posted: October 30, 2024
Supply Chain Cybersecurity: Safeguarding Financial Integrity in a Global Network
In the trenches of today’s financial landscape, CFOs are no longer just number crunchers or strategists sitting behind spreadsheets. They are the defenders of their company’s financial stability, stewards of its future, and, crucially, the guardians of its supply chain. The world has become a complex battlefield, where supply chains—a network that once seemed sturdy and reliable—have become an exposed flank in the fight against cyber-attacks. Security in Depth’s CEO, Michael Connory, shares more with CFO Magazine A/NZ.
The Unseen Battlefront: Cybersecurity in Supply Chains
Supply chains are no longer just logistical lifelines; they are complex webs of interconnected businesses, each representing a potential point of vulnerability. Cybercriminals know this, and they exploit the weakest links, aiming to disrupt operations, steal sensitive data, and ultimately, shake the financial foundations of companies. For CFOs across Australia, the question is not if their supply chain will be targeted, but when.
A recent example highlights the severity of these risks: the Latitude Financial data breach, one of the most significant in Australian history. In March 2023, Latitude’s systems were compromised, affecting approximately 14 million customers across Australia and New Zealand. Attackers exploited vulnerabilities in third-party service providers to gain access to employee login credentials, which they then used to steal information from two additional vendors. The compromised data included 7.9 million driver license numbers, 53,000 passport numbers, and records dating back as far as 2005. The ripple effects of this breach were felt throughout the financial ecosystem.
The Latitude Financial Breach: A Case Study in Supply Chain Disruption
When Latitude Financial was breached, it wasn’t just a data theft; it was a coordinated assault that disrupted their ability to provide critical financial services. The breach forced Latitude to pause customer-facing services for about six weeks, halting new originations and financial actions. This created a significant impact on businesses that relied on Latitude’s financing solutions, such as retailers offering Latitude-issued Coles credit cards and legacy clients from GE Money.
This disruption extended beyond Latitude’s operations, leading to cascading effects on businesses dependent on their services. Retailers, unable to facilitate consumer purchases that relied on Latitude’s financing options, experienced revenue losses. For CFOs managing such partnerships, this breach serves as a stark reminder of the financial vulnerabilities tied to cybersecurity. It highlighted how a single attack on one link in the supply chain could create a ripple effect across multiple industries, impacting revenue streams and customer trust.
The financial impact on Latitude was substantial. The company reported an estimated $76 million in direct costs related to the breach, including remediation, system restoration, and customer support expenses. These costs contributed to an overall pre-tax loss of $98 million for the first half of 2023. Latitude is working with insurers to recover some of these losses, but the long-term effects on its reputation and regulatory standing are harder to quantify. The Australian government and the Office of the Australian Information Commissioner (OAIC), along with New Zealand authorities, have initiated a joint investigation, placing Latitude under significant regulatory scrutiny.
Assessing Third-Party Risks: Understanding the Financial Stakes
CFOs need to start thinking like battlefield commanders—evaluating every angle, anticipating every threat, and taking proactive measures to defend their territory. The Latitude Financial breach underscored the critical importance of assessing third-party risks. For Latitude, and the many businesses that partnered with them, the breach showed how a single attack could disrupt entire supply chains, leading to both financial and reputational losses.
Latitude’s heavy reliance on third-party vendors for data handling became a point of vulnerability. Hackers accessed these vendors’ systems using stolen employee credentials and exfiltrated data, exposing gaps in Latitude’s vendor management practices. Experts criticised Latitude for not enforcing stringent security controls, such as multi-factor authentication (MFA), on its vendor systems. The breach also revealed how insufficient oversight and weak third-party security measures can create catastrophic consequences for the business ecosystem.
For CFOs, this serves as a call to action: demanding transparency and accountability from every third-party partner is no longer optional. Vendors must be assessed with the same rigor as financial partners, with cybersecurity audits, continuous monitoring, and stringent contractual terms becoming standard practice. A failure to do so may lead to not only direct financial losses but also broader disruptions to business operations and long-term damage to brand reputation.
Implementing Vendor Risk Management Programs: Aligning Financial Controls with Cyber Defences
Effective CFOs understand that financial and cyber risk management should go hand-in-hand. The battlefield analogy applies here—just as a military unit aligns its strategy and resources to ensure all sides are protected, a company must integrate its financial controls with its cyber defences.
Telstra, Australia’s largest telecommunications company, sets a benchmark for vendor management by mandating that critical parts of its partner network comply with the ASD Essential 8 Level 3 requirements. This standard provides a multi-layered approach to cybersecurity, covering areas such as application whitelisting, patch management, and access controls, ensuring that partners meet stringent security requirements. This proactive approach not only strengthens Telstra’s digital supply chain but also provides financial assurance to its CFO by minimising the risk of costly cyber incidents.
Additionally, the Department of Human Services (DHS) sets a high benchmark by requiring its suppliers to either align with or be certified under the ISO 27001 standard—a globally recognised framework for information security management. This mandate ensures that all vendors maintain a consistent level of cybersecurity maturity, reducing the risk of vulnerabilities in the supply chain. By integrating these rigorous standards into their vendor management programs, DHS demonstrates a proactive approach to safeguarding sensitive information and ensuring business continuity.
AMP has also adopted the CARR (Cyber Assurance Risk Rating) program to support its financial services partners. AMP’s program involves comprehensive risk assessments and regular audits, classifying partners based on their financial and operational impact if compromised. This ensures that vendors comply with the highest cybersecurity protocols and undergo frequent evaluations to maintain alignment, giving AMP’s leadership team a clear view of risks across its supply chain.
These examples highlight how Australian companies and agencies are leading the way in aligning financial oversight with cybersecurity best practices, ensuring that their supply chains are secure and resilient against emerging threats.
Lessons Learned: What Latitude Financial Could Have Done Differently
The Latitude Financial breach highlights several critical lessons for CFOs managing supply chains:
- Comprehensive Vendor Assessment: Latitude could have enforced stricter vendor cybersecurity standards. Implementing rigorous, in-depth assessments of their partners’ cyber defences—going beyond compliance checklists—might have identified vulnerabilities before the attack occurred.
- Enhanced Incident Response Planning: A robust incident response plan that includes third-party response coordination could have minimised downtime and service disruption. CFOs must ensure that their response plans account not only for their own operations but also for the broader ecosystem their supply chains depend on. Latitude’s delayed response and inadequate communication added to customer frustrations and compounded the financial impact.
- Data Retention Policies: Latitude’s breach revealed that data dating as far back as 2005 was compromised. CFOs should work closely with IT and compliance teams to review and update data retention policies, ensuring that only necessary data is stored, and that outdated information is securely disposed of to minimise exposure in the event of an attack.
- Diversification of Critical Services: Over-reliance on a single provider or partner is a known risk. Latitude’s disruption underscores the need for diversification strategies, where CFOs develop contingency plans, such as alternative financing solutions or backup providers, to maintain continuity if one partner is compromised.
Building a Culture of Cyber Resilience
The battlefield of business has changed, and CFOs must adapt. Financial integrity is no longer just about managing assets and liabilities—it’s about ensuring every piece of the supply chain puzzle is secure and resilient. It requires a shift in thinking, from viewing cybersecurity as a technical issue to recognising it as a critical element of financial risk management.
Australian CFOs are uniquely positioned to lead this charge, setting a standard for integrating financial oversight with cyber resilience. By taking proactive steps to assess third-party risks, implementing robust vendor risk management programs, and learning from examples like Telstra, DHS, and AMP, CFOs can transform their supply chains into secure and financially stable assets that drive growth and confidence.
In the end, much like a successful military operation, it’s all about preparation, adaptability, and the will to engage in the fight. CFOs who take up this mantle will not only protect their companies’ financial health but also build the resilience needed to thrive in an increasingly hostile and interconnected global network. The supply chain may be vast, but with the right strategy, it can be a fortress.
Author – Michael Connory, Chief Executive Officer | Security In Depth
Michael is an innovator, researcher and commentator recognised as one of Australia’s leading voices in cyber security, advocating for better privacy protection for businesses and individuals. He is the CEO of Security in Depth, a global company founded on cyber security research, providing cyber risk management strategies and support to organisations around the world. In a previous life, Michael led teams at Oracle, Gemalto and Volante, to name a few, implementing global innovative technology changes across both government and private sectors.
To learn more visit – securityindepth.com.au