Digital developments in focus

Post Capita and Zellis, how do you manage cyber supply chain risk?

The recent Capita, MOVEit and Zellis cyber attacks are another reminder of the importance of considering supply chain risk as part of your cyber preparedness plans.

Traditionally this has been a blind spot for many organisations. Few were monitoring their suppliers, particularly beyond those they have a direct contractual relationship with (the so-called ‘first tier’). However, recent government research suggests this is starting to change – at least in larger organisations. For the first time the UK Government’s Cyber Breaches Survey found that the majority of large businesses (55%) are reviewing supply chain risk. This is a big jump (up 44% from the previous year’s figures), and we would expect that number to continue to rise in light of the numerous headlines and high street names being hit by these recent supply chain attacks.

But what does ‘managing your supply chain risk’ mean in practice? Having recently helped a number of clients with supply chain breaches, here are a few tips that may help:

  • It’s not just about them passing your security questionnaire: It is important to carry out due diligence on your suppliers, and may be a legal obligation (for example, where personal data is involved). However, in our experience, it is important that for key suppliers this review goes beyond just looking at security checks and probes the supplier’s processes and incident response plans, particularly their contingency and communication plans for when a large breach impacts multiple customers. The people involved in assessing suppliers (your procurement and security teams and any others involved) should also be trained to understand the cyber security risks facing your organisation and how their work fits into your larger preparedness and breach response plans – for example, do your contracts contain robust security, incident reporting, liability, confidentiality and audit obligations around your data (not just personal data)? And when a supply contract is agreed, who in your organisation keeps track of what data (particularly if it’s customer data) is being processed by that supplier?

  • Use the guidance that’s out there: There is a range of guidance and expertise out there – whether it’s from a government body, regulators or even your insurers/brokers. For example, the National Cyber Security Centre (NCSC) has produced general guidance on how to assess and gain confidence in your supply chain cyber security (see also this PDF) and this year produced specific guidance on how to map your supply chain. This is important, as it helps you understand who your suppliers are, what they provide and how they provide it, which allows you to better manage the cyber security risks that can arise. Where managed service providers (such as those providing you with IT outsourcing services) are involved, further guidance may also be in the pipeline as legislative changes are planned to bring them into scope of the UK’s Network and Information Systems regime (see this blog, and this one on the EU's NIS2) and (to some extent) the financial regulatory regime (see this article on cyber risk for insurers).

  • Embed cyber security controls throughout the supplier lifecycle: It is important that cyber security is considered throughout the whole contract lifecycle, not just at the due diligence (DD) and contracting stage. As mentioned above, the contract should contain express provisions relating to what happens in the event of an incident, and these should work with your internal incident response plans. However, it is also important that proper supplier audits are carried out in practice (and not just when something goes wrong), that governance processes ensure that you have an up-to-date awareness of the evolving threats and vulnerabilities facing your supply chain, and that when you terminate a contract, you regain control of your assets (e.g. get confirmation that data has been deleted in line with the contractual provisions) and prevent any unauthorised or unintended access to your information and systems.

  • Incorporate supply chain examples into your cyber simulations: We regularly discuss the importance of practising your cyber incident response plans as part of your preparedness activities, and in much the same way you may simulate a ransomware demand, it is important to practise how you would respond if you were impacted by a data breach at a key supplier, or if threat actors gained access to your systems through your supply chain. While you may never be able to fully anticipate how a breach response being run by a third party will impact your organisation, it is important to understand how your response plans hold up, what information you will need from your suppliers (it may be helpful to have template questions ready to send to suppliers in the event of their breach, to help you gain the information you will need) and that your team know their roles. For key suppliers, you should also consider whether it is possible/practical to involve them in your preparedness work.

The recent headlines suggest that suppliers and service providers continue to be a key target for cyber criminals, and it is not only the smaller suppliers with limited security budgets that should cause concern. Even large suppliers who have met your cyber due diligence requirements can be compromised, and they may struggle when faced with a breach impacting multiple customers. While you may not always be able to avoid a breach of this kind, it is therefore important to ensure, as a customer, that you have appropriate plans and processes in place throughout your whole supply chain lifecycle to help you manage this third-party threat.
