Report: The tech and tech supply chain risk factors you might be minimizing

Many firms underestimate the risks posed by technology and the tech-risk profiles of their suppliers.

Global law firm Hogan Lovells recently released its latest “Riskonomy” report which draws together intelligence on the most significant risks and challenges in today’s technology landscape, including cybersecurity, data management and generative AI.

The report was compiled following a survey seeking the opinions of 1,500 C-suite executives, general counsel (GCs) and compliance leaders globally, including leaders from the UK, US, China, Germany, and Brazil. Business leaders were surveyed across key sectors including financial services, tech and telecoms, energy, automotive and transportation, life sciences, lifestyle and consumer, and manufacturing. 

Key findings

Key findings include:

  • Most companies are revisiting, improving and urgently investing in their technology risk management practices.
  • 91% of companies are exposed to moderate or high levels of technology-related risk.
  • Two-thirds of business leaders report that their organizations could be taking more proactive approaches to these risks.
  • 43% of leaders who work at organizations that have banned the use of generative AI do not believe any additional policies are required. 
  • 38% of organizations that allow the use of generative AI have created their own bespoke generative AI system, perhaps to be more cautious while still innovative.

Internal vulnerabilities

The report’s data suggests that business leaders should be more attentive to internal risk factors – such as skills shortages and the misuse of technology – than they are right now.

“Running cybersecurity assessments can help build up a strong defense in case of an incident. Suppliers also need to improve any measures they have in place in order to prevent incidents.”

Detlef Hass, Partner at Hogan Lovells

That is not to suggest that the risk of outside cyber attacks and economic disruption is not worthy of significant attention, but internal processes might be leaving organizations vulnerable as well.

The internal risks cited in the report as those that businesses should revisit and consider mitigating include:

  • poor data management;
  • lack of employee training and digital skills; and
  • insufficient policies relating to new technology and outdated technology.

C-suite executives and general counsel admit that, when it comes to their data management capabilities, their organization reviews relevant policies just once a year (41%) or does not carry out regular reviews (8%). And more than half only undertake an internal audit of their data management capabilities once a year (51%) while a further 11% do not perform an audit regularly.

Graphic: Martina Lindberg

Updating and reviewing relevant data management policies to keep up with changing legislation and best practice can be time-consuming and costly, the report authors acknowledge, but the penalties for data privacy violations and reputational damage that attends instances of data mismanagement can be a pricier penalty to pay.

Supply-chain risk

When considering their network, 91% of C-suite and GCs state that they assess the technology risk profile of their relevant suppliers, confirming that they recognize the potential for risk exposure. But just 39% always assess the tech risk profile of relevant suppliers, while 53% only do sometimes.

Only 68% percent believe that their supply chain partners can identify and mitigate potential data management vulnerabilities, and two-thirds (66%) are confident that their supply-chain partners have adequate data management regulatory and compliance practices.

Graphic: Martina Lindberg

Fewer (63%) trust that their supply-chain partners are able to identify and mitigate potential cybersecurity vulnerabilities, and approximately the same proportion (61%) believe that their suppliers/partners apply adequate cybersecurity, regulatory and compliance practices.

Detlef Hass, partner at Hogan Lovells, had the following advice to offer in connection with cybersecurity and resilience: “Running cybersecurity assessments can help build up a strong defense in case of an incident. Suppliers also need to improve any measures they have in place in order to prevent incidents. Solutions can be put in place to create back-up systems in case of crisis.

“For example, in the retail sector, maintaining a back-up e-commerce platform enables businesses to switch to the other one in case of an incident. Another example is – where possible and economically feasible – diversifying your supply chain in order to be able to pivot in a crisis.”

The report also notes: “Not pursuing proper due diligence checks means that businesses can open themselves up to potential liability – especially if they are unable to supply their customers with the services or goods that have been promised. Essentially, you are only as secure as your most vulnerable supplier.”

Recommendations

Despite identifying data management, digital skills gaps and misuse of generative AI as top concerns, C-suite executives and GCs rank internal systems and processes below the macro factors, and their network as the biggest source of risk exposure, the report concludes.

“Just because data, skills and tools are within the remit of the organization doesn’t automatically mean they are being addressed,” the report states. “An important step in cybersecurity and minimizing other technology-associated risks is ensuring your own house is in order.”

That means having appropriate strategies and policies in place, along with taking proactive measures to anticipate and manage problem areas. Expected exposure to second-party risk must be accounted for, requiring policies, processes, communication, testing, auditing, refinement and learning. Employees must have the right skills to support the long-term sustainability of the business as it introduces new technology for its competitive advantage.

As the report states, whether certain technology is being promoted or discouraged in the business – depending on the technology and its use – it always has to be governed.

The report reminds business leaders to stay alert to the associated challenges and consider implementing policies or safeguards even for tech they are not yet adopting. And to remember that expertise is needed to be able to track and follow technology-related laws and regulations across jurisdictions and manage those risks.