Author: Risk Ledger – riskledger.com
Managing risks and building cyber resilience in the supply chain has become a priority for organisations in every industry as the delivery of products and services increasingly relies on a growing network of third parties.
The FCA’s Cyber Coordination Group (CCG) has identified third parties and supply chains as one of three areas of particular concern for regulated organisations, and recent high-profile supply chain breaches have pushed this risk to the front of mind for the cyber security, compliance and procurement professionals who are jointly tasked with managing it.
A prominent supply chain risk domain is data protection. The introduction of specific supply chain risk management obligations in regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) means that firms need more visibility of the data protection practices of their third parties than ever before to avoid fines from regulators when breaches occur. The problem for the professionals responsible for managing data protection risks in the supply chain is the scale of the task. A finance organisation can have anywhere from several hundred to tens of thousands of third parties, each with their own data protection practices that must be reviewed to check compliance with the relevant internal policies and the complex regulatory environment.
IA Engine Innovator Risk Ledger has built a third-party risk management platform, used by notable organisations such as BAE Systems, Schroders Personal Wealth and First Sentier Investors, that facilitates the sharing of risk data between suppliers and their clients. This month, they launched the first report in their series of Supply Chain Risk Insight Reports, taking a close-up look at the implementation of risk controls across the supply chain ecosystem.
The report draws on anonymised data from the hundreds of companies currently using the Risk Ledger platform to share supplier risk assessment data with clients. This first edition of the series takes a deep dive into data protection risks in the supply chain. The data analysed for the report was collected from more than 600 suppliers of all sizes, representing a broad range of industries, and is a strong reflection of the supply chain risks facing most enterprises. Key findings include:
- It is clear from the data that there is a small but consistent cohort of suppliers with a dangerously cavalier attitude towards data protection. 5-20% of suppliers have not implemented multiple basic data protection risk controls, increasing the risk of a data incident or breach that affects both them and their clients.
- Suppliers who have Cyber Essentials certification lack basic data protection risk controls at the same rate as suppliers who do not have the certificate. This highlights how the certification is insufficient for building cyber resilience in the supply chain.
- Some firms could already be in breach of the GDPR because of the lack of data protection risk controls in their supply chain, as reported directly by their suppliers. An investigation by the relevant Data Protection Authority tomorrow could result in enforcement action and a fine.
The report also links to two instances where organisations have been fined under Article 28 of the GDPR for inadequately ensuring their third parties implement appropriate data protection risk controls.
To get more insight into data protection risks in the supply chain, read the full report here and subscribe here to receive the full series of reports including the next edition on security governance risks in the supply chain.