Managing cybersecurity risk through supplier contracts
Post GDPR, making sure that your suppliers can guarantee that they have technical and organisational measures in place that meet appropriate standards is not just good practice but a legal requirement, and one that the ICO (and the FCA[1]) is taking seriously. Your own cybersecurity may meet the highest industry standards, but any vulnerability in your supply chain can expose you to the risk of cyberattack. A stark example of this is the Equifax data breach, which affected the personal data of 143 million people and was caused by a failure to patch a known vulnerability in a third-party web application component. More recently, British Airways was issued with a notice of intention to fine from the ICO of £183 million (equivalent to 1.5% of its global annual turnover) for a data breach resulting from vulnerabilities in third-party JavaScript loaded on its payment pages.[2]
When contracting with a supplier there are a number of provisions that you can include in your contract (and require to be flowed down to any subcontractors that your supplier engages) to help bolster cyber and information security. Including some or all of these provisions will make clear to your supplier how important cyber and information security is to you as customer, and will help to eliminate weak links in the supply chain.
Warranties and security standards
Warranties are a good place in the contract to set out the standard of security that you expect from the supplier. If the supplier pushes back on the inclusion of the warranties or attempts to qualify them, this should trigger a dialogue between the parties about the security standards the supplier actually has in place versus the level of security the customer expects. If you are operating in a regulated industry and the supplier will be processing personal or commercially sensitive data, you may have a higher threshold for what you consider appropriate security or ‘Good Industry Practice’ than where the supplier is providing a commoditised, internally facing, low-risk service.
As customers become savvier about cyber and information security and it moves up the boardroom agenda, it is becoming increasingly common for customers to specify exactly which security standards they expect their suppliers to meet: for example, Cyber Essentials or Cyber Essentials Plus certification, PCI DSS compliance, certification against ISO standards (such as ISO 27001), a SOC 2 audit report, and compliance with the customer’s own IT security policy. Be precise about scope: a certificate or audit report covers only the systems and services within its stated scope, so check that the services you are actually buying fall within it. If this is a new area for you, resources such as the National Cyber Security Centre website can provide useful guidance[3].
Putting it to the test
As a customer it is important to establish not only the level of security within your suppliers, but also how frequently (if at all) they test their own defences and push their security infrastructure to its limits.
It is increasingly common for customers to require their suppliers to undergo regular penetration testing, with some contracts even requiring the supplier to disclose the results and reports of those tests to the customer (or, where the supplier resists sharing a full report, at least a summary of the findings and confirmation that the issues identified have been remediated).
Even where the customer is satisfied that the supplier has robust security measures in place, the customer should ask the supplier to put those measures to the test regularly. Where the services are data heavy or being provided on a large scale, some customers may require the supplier to have its security measures tested by an independent third-party provider rather than relying on the supplier’s own testing.
With 88% of UK data breaches reportedly resulting from human error[4], the customer should impose obligations on the supplier to ensure that its personnel receive adequate and regular training on cyber and information security, with personnel in more sensitive roles being subject to more rigorous training.
Audit and governance
Governance meetings are a good opportunity to make cyber and information security a regular item on the agenda and to check in with stakeholders in the relationship. Through governance provisions you can require people of relevant seniority and decision-making power from both the customer and the supplier to attend and to discuss any concerns on a recurring basis.
Audit allows you as customer to check up on the supplier’s performance of the services and, where cyber and information security is of particular concern, you can include a specific right relating to security audits. As the supplier may be sensitive to this and reluctant to allow the customer to conduct an audit itself, the supplier may be more amenable to the use of a professional third party that is subject to suitable confidentiality requirements.
A customer may require the supplier to undergo a SOC 2 audit to report on the supplier’s security, availability, processing integrity, confidentiality and/or privacy controls. A SOC 2 audit can report on the design of the supplier’s controls at a specified date, acting as a snapshot (a ‘Type I’ report), or on whether those controls operated effectively over a specified period, usually a minimum of 6 months (a ‘Type II’ report). The latter gives the supplier an incentive to maintain the appropriate security levels throughout the period rather than only at the audit date. This kind of audit originated in the US (it is an AICPA attestation standard), but is becoming increasingly popular as an accompaniment to ISO 27001 certification.
Subcontracting
Finally, as an organisation is only ever as secure as the weakest link in its supply chain, you should include obligations in your supply contracts that give you oversight of and control over any subcontractors that your supplier may appoint (for example, requiring the supplier to seek your written consent before appointing a subcontractor). You can also include obligations that the supplier will ‘flow down’ provisions from your contract into the subcontracts, so that any subcontractor is contractually bound by the same cyber and information security provisions as your supplier.
[1] https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/the-ico-and-the-fca-sign-updated-memorandum-of-understanding/
[2] https://www.wired.co.uk/article/british-airways-data-breach-gdpr-fine
[3] https://www.ncsc.gov.uk/
[4] https://www.verdict.co.uk/uk-data-breaches-human-error/
Julia Barry is a commercial technology associate