Cyber Liability – The Supplier Risk

A Cyber Security Breaches Survey, undertaken in support of the government's National Cyber Security Programme, reveals that, whilst many businesses have demonstrated more robust protection of customer data, trade secrets and intellectual property since the introduction of GDPR, most are ignoring the cyber security risk presented by their third-party suppliers.

The survey found that only 18% of businesses and 14% of charities require their suppliers to adhere to any cyber security standards. Some had simply not considered their suppliers as a potential source of cyber risk, while others did not consider their suppliers’ cyber security to be their responsibility.

What risk do third-party suppliers pose?

Most organisations work with a wide range of third-party suppliers and partners, many of which have some degree of access to company data and internal systems. Cyber criminals are aware that the weaker security practices of a business’s third-party suppliers can open a backdoor to sensitive systems and information, so if these relationships are not actively risk managed they can expose significant security weaknesses.

The most infamous cyber breach demonstrating this risk was suffered in 2013 by US retailer Target, which had to pay a settlement of $18.5m after cyber attackers gained access to the payment card accounts of 41 million customers using credentials stolen from a third-party supplier.

How can businesses mitigate this vicarious cyber risk?

Reducing the chance of a data breach should form a fundamental part of the procurement process. Asking potential suppliers to confirm their cyber resilience and adherence to GDPR is a good starting point, and appointing suppliers that meet recognised standards, such as ISO 27001 certification for information security management or the government-endorsed Cyber Essentials accreditation, is highly preferable.

Once the procurement process is complete, businesses should map the flow, exchange and storage of critical organisational data by and with third parties, and confirm who has access to that information. This enables the adoption of appropriate risk mitigation measures, ranging from firewalling, malware protection and regular software updates, through to listing all users with admin rights and sharing best practice for staff training and health checks.

Throughout an ongoing relationship, businesses should continue to hold their vendors to account. This might include asking suppliers to complete self-assessments, and carrying out regular audits and penetration testing of a vendor’s systems. The level of scrutiny will depend on the sensitivity of the data and systems shared.

The handling of sensitive data at the end of a commercial relationship is equally important, and businesses should establish what actions will be taken to delete, or safeguard, this data once a partnership has been terminated.


Cyber Incident Response Plan

With the number and size of cyber-attacks and data breaches increasing every year, it is becoming more important that businesses build robust approaches to third-party data security. It is important to formulate a Cyber Incident Response Plan which factors in third-party risks, aiming to minimise the damage and expenses arising from a breach and to minimise disaster recovery time.

Prevention is always better than cure, but it is equally important that businesses consider including Cyber Liability Insurance in their portfolio of insurance coverage.

Speak to your usual Wilby contact to see how Cyber Liability Insurance can provide valuable protection for your business.