The National Cyber Security Centre (“NCSC”) has published guidance for medium and large organisations on how to assess and improve cyber security in their supply chains.  The guidance is a supplement to the NCSC’s supply chain principles.

Preliminary steps

The first step in the NCSC’s five-step plan is to take stock of your organisation’s current approach to cyber security risk management.  This involves understanding the potential threats to and vulnerabilities in your supply chain, identifying the key people in your organisation, and understanding your organisation’s risk appetite.

Develop an approach to assess supply chain cyber security

When developing an approach to assess the resilience of your suppliers’ cyber security measures, the NCSC notes that it is important that the process is repeatable and consistent.  The NCSC recommends creating multiple tiered supplier security profiles, with greater measures put in place for suppliers with access to critical aspects of your business.

Apply the approach to new supplier relationships

Once an approach is adopted, employees working with suppliers need to understand and be trained on your organisation’s new cyber security processes.  They can then begin to implement these controls into your supply chain, starting with new suppliers.

From the outset of the relationship, the NCSC recommends that you consider whether it is necessary to carry out a cyber security risk assessment and/or conduct supplier due diligence. New supplier contracts should include an obligation on the supplier to comply with your organisation’s cyber security controls, and compliance with such provisions should be monitored throughout the contract’s duration.  Once the contract reaches its conclusion, there should be an effective offboarding process which shuts down the supplier’s access to your organisation’s systems.

Integrate the framework into existing contracts

Integrating new controls into your existing relationships can seem like a daunting task.  To make the process easier, the NCSC suggests filtering out the relationships which: (i) require little or no data; (ii) are purely for the supply of goods; (iii) have very limited time left to run; and/or (iv) do not involve the IT elements typically associated with a cyber attack.

The NCSC also recommends carrying out a risk assessment, and ranking the remaining suppliers in accordance with the risk profiles you identified earlier in the process.  This will help you to prioritise and focus on high-risk suppliers. When considering whether a vendor is high risk, the NCSC suggests you consider the following factors:

  • strategic position/scale of the supplier within the UK market;
  • quality and transparency of the supplier’s engineering practices/cyber security controls;
  • past behaviours and considerations relating to the ownership and operating location of the supplier; and
  • whether the supplier may be under investor or state influence and may follow domestic laws which conflict with UK law.

Continuous improvement

New cyber security threats and trends emerge on a regular basis. The NCSC advises keeping up to date with new developments and continuously reviewing your processes in order to reduce the likelihood of new risks being introduced into the business through your organisation’s supply chain. It also recommends taking a collaborative approach with your suppliers, to help them identify and remediate any potential vulnerabilities.

How Reed Smith can help

Reed Smith routinely counsels clients on system security preparedness. From putting in place appropriate policies to establishing relationships with vendors, our lawyers take pro-active steps to put your organisation on the best possible cybersecurity footing. Our approach includes:

  • Executing data-mapping questionnaires to locate critical confidential and personal information;
  • Helping clients nominate appropriate forensic vendors to assess technical exposure;
  • Reviewing and updating current internal company policies, including incident response plans;
  • Evaluating vendor policies and contracts;
  • Evaluating contractual safeguards in third-party relationships that involve data security, including renegotiating agreements to enhance protections; and
  • Determining ongoing training programmes and practice exercises to test breach preparedness.