How Eramet is driving Cybersecurity in the Supply Chain

Why is cybersecurity an important topic at Eramet, especially in the supply chain?

We’re as weak as our weakest link. Cybersecurity is a subject we don’t take lightly. We have teams dedicated 24/7 to monitor our systems and protect us from any threats. But all those efforts would be in vain if we were not careful about our suppliers too! External technical support connected to our system, providers dealing with our data, etc.: if we are not cautious, they could be the door for cyberpiracy. That’s particularly true since we decided to foster a cloud-first strategy, because now most of our information system is “outside the walls”.

Why does assessing your suppliers keep your network secure?

Our goal is to ensure that the supplier is at a sufficient level of maturity to cover cyber risks. These risks are identified on a case-by-case basis, usually during the project phase. To assess maturity, we have implemented a pragmatic approach:

– If they are ISO 27001 certified, we ensure that the certification is valid and covers the service, and we conduct a quick analysis of the security measures in place.

– If they can provide a recent SOC2 Type 2 report (detailed report based on audits conducted over a 12-month period), and the analysis of the report is satisfactory, we consider them mature enough.

– If the service is neither ISO 27001 certified nor covered by a SOC2 Type 2 audit, we ask the supplier to be evaluated by CyberVadis. The evaluation consists of a cybersecurity questionnaire and delivers a scorecard with a global maturity score between 0 and 1000, and a list of improvement points.

Maturity evaluations are repeated at regular intervals (every 3 years for ISO 27001 certification, every year for SOC2 audit and CyberVadis).

You recently assessed a key supplier, Tilkal, via CyberVadis. Why did you decide to evaluate this specific supplier?

Tilkal is a cutting-edge platform, offering traceability and transparency solutions. By combining a B2B blockchain with advanced analysis and scoring algorithms, Tilkal enables real-time end-to-end representation of the supply chain, providing unprecedented visibility to businesses and to companies’ customers. Eramet has enlisted Tilkal’s services to improve the traceability of manganese alloys from mines to metallurgical plants and final customers. The project aims to increase visibility of ore origin, refining process, quality and CSR indicators to demonstrate due diligence, and to create B2B product passports. Ultimately, the aim is to demonstrate Eramet’s commitment to responsible mining and to differentiate itself from other players in the sector. The service provided by Tilkal is essential to Eramet’s transparency strategy. Ensuring data integrity is crucial. In addition, some of the information used to build the traceability chain is sensitive. These two criteria are enough to justify a cybersecurity maturity assessment. Unfortunately, Tilkal is not yet ISO 27001 certified. This is why we decided to rely on CyberVadis.

How did you help Tilkal to improve its cybersecurity posture, helping Eramet at the same time to be stronger?

Tilkal’s services are pretty unique, so we needed this collaboration to work. Their first score with CyberVadis was 592/1000: definitely not reaching Eramet standards… So, we took the strategic stand of offering our services to help them strengthen their cybersecurity. It is not something our teams usually do, as we have more than enough on our plates, but the stakes were high enough to make an exception and ensure our data were secure with them. In a pragmatic approach, we used Tilkal’s CyberVadis assessment results to identify and prioritize crucial improvements. Our cybersecurity team guided them in understanding these areas and helped tailor implementation strategies to their resources and skills. Regular meetings allowed Eramet to offer security expertise, adaptably reviewing and proposing solutions to ensure success. Tangible enhancements, like improved user account management and drafting a security charter, significantly bolstered Tilkal’s security stance and client responses.

“This constant and benevolent support has allowed for the definition of appropriate, replicable, and sustainable procedures, and the production of associated documents such as charters (data, security). These documented procedures enable Tilkal to ensure compliance with state-of-the-art security rules.”
Sébastien Gaïdé – Tilkal Chief Technology Officer

Following the implementation of the improvement plan with the assistance of Eramet’s cybersecurity team, Tilkal’s CyberVadis score progressed to reach 857/1000 (Silver).

What are the outcomes of this “Cyber partnership” with this supplier?

By assisting Tilkal in improving its cybersecurity, Eramet transformed a supplier into a trusted partner, strengthening the bond between the two organizations. This collaboration not only ensures the security of Eramet’s data but also reinforces confidence in Tilkal’s services.
Our partnership with Tilkal exemplifies our commitment to promoting sustainable and ethical practices in our supply chain while ensuring the security of our operations in an ever-evolving digital world. We are proud of this collaboration and look forward to continuing our work together to achieve new heights in traceability and cybersecurity.

You have been key in driving the development and expansion of third-party cybersecurity management at Eramet. What advice would you give to other cybersecurity leaders who are just starting this process?

Summing up a good VRM process is not a simple task, as it involves many topics and stakeholders. However, a pragmatic approach is key. Start by prioritizing the most critical suppliers and implementing a straightforward risk assessment methodology. Focus on developing a strong security contract appendix as the foundation to ensure suppliers maintain and improve their service’s security standards. Instead of creating custom questionnaires, leverage existing assessments or certifications like CyberVadis for efficiency. Resorting to CyberVadis also benefits vendors by providing them with assessments that are valuable not only for your purposes but also in their broader customer engagements, fostering a win-win scenario. This strategy ensures a streamlined and efficient approach to enhancing the cybersecurity posture of your supply chain.

Eramet is dedicated to transforming the Earth’s mineral resources to provide sustainable and responsible solutions to the challenges of industry growth and energy transition. Across all countries of operation, Eramet’s employees are committed to this mission through their civic and contributory approach. Manganese, nickel, mineral sands, lithium, and cobalt: Eramet recovers and develops metals that are essential to the construction of a more sustainable world. As a privileged partner of its industrial clients, the Group contributes to making robust and resistant infrastructures and constructions, more efficient means of mobility, safer health tools and more efficient telecommunications devices. Fully committed to the era of metals, Eramet’s ambition is to become a reference for the responsible transformation of the Earth’s mineral resources for living well together.

Eric Kawka is a seasoned cybersecurity professional with 17 years of experience in the field. Currently overseeing Cybersecurity Governance, Risk, and Compliance at Eramet, Eric has played a pivotal role in implementing IT vendor risk management and IT project security within the organization. His prior role focused on Industry Cybersecurity, demonstrating his broad expertise across the cybersecurity landscape.