Ian Harragan
Director at i-confidential
Many organisations continue to grapple with managing the security risks presented by their supply chain. The significance of this is only increasing, with an ever greater business reliance on outsourced services. This is against a backdrop of increasing cyber attacks resulting from supply-chain vulnerabilities.
There is good news though. The National Cyber Security Centre (NCSC) published guidance on supply-chain cyber security in 2022, and it is still valid today.
It provides useful information for organisations to assess themselves against and gain comfort (or not) on their level of effectiveness.
The Centre for Financial Professionals’ (CeFPro) Third Party Risk Management Report emphasised that effective oversight and understanding of supply chains are critical.
Within the industry, activity in the third-party space is dynamic. This presents an added challenge to organisations trying to keep up with changes in the threat landscape, regulatory expectation, and the potential approaches to deal with the risks posed.
Some of the top considerations in this area are:
Changes to home working and other practices brought about by the pandemic and what they mean for assurance activities. How much assurance and what form this takes are open points for discussion.
Determining the right approach to assessment. How many layers of supplier need to be considered? What level of oversight will be permitted?
Changes in the regulatory environment, including regulation in the UK relating to critical third parties – typically the big cloud computing providers. There is also DORA (Digital Operational Resilience Act) coming from the EU and covering similar ground.
The fact that organisations are keen to better analyse their supply chain to inform concentration risks that could impact key services or expose them to vulnerabilities.
The significant growth in recent years of ‘shared assurance’ style companies providing services to support supply-chain management – which one is right for you?
While third-party practices have matured in this area of risk management, progress across organisations still varies considerably. For example, a fundamental step that many still don’t get right is having a robust inventory of suppliers and then rating them based on what they do for the organisation.
An honest assessment is a key first step as you look to shape a third-party management improvement programme and gain Executive Board support for the investment required.
At i-confidential, we have been active in this area for many years and have a range of insights and experience to share. If you would welcome a chat please contact us.