Whilst recent events have overwhelmed a significant number of organisations, there remain underlying risks that won't go away. Firms are now under acute stress and it is against this backdrop that we urge firms to think carefully about their arrangements with third-party suppliers. Any breach of your supply chain is potentially a breach of your own business. The 2019 eSentire survey found that 44 per cent of firms surveyed had experienced a significant data breach caused by one of their third-party vendors.
The whole outsourcing landscape has changed over the last decade. The growth of "Software as a Service" (SaaS) has led to a proliferation of providers, many of them small and specialist, that can be signed up via a simple online process and credit card payment. We know from our experience that many internal business units are using SaaS providers without going through the company's formal onboarding process.
Many companies' methods for assessing third-party supply chain risk have not kept pace with this change. They may not be able to capture the entire risk but instead are looking at it in silos and as isolated risks. Security does not operate best in this divided fashion.
Some companies still rely on old-style questionnaires completed by the suppliers themselves. What other area of security relies so heavily on the third party's honesty in identifying their own security issues to potential buyers?
Businesses must protect their most critical assets, data, services or systems behind the greatest layers of defence, and that goes for third parties as well. It's worth remembering that not all vulnerabilities are created equal, and it is vital to understand and identify the actual risk and plan accordingly.
Where possible, assess your vendors for this risk before you enter a formal relationship. Sadly, we have seen too many businesses commit to a relationship, sometimes even beginning to share critical data, before considering the security implications.
With higher-risk relationships, consider adopting more intrusive tests and even the continuous monitoring of some of their security controls.
Using these measures, a business can incorporate appropriate risk management clauses into vendor contracts. One suggestion would be to insist that vendors maintain a certain security rating or risk losing the contract, or that they introduce specific new controls within specified time periods to mitigate certain identified risks.
We see real benefit in taking a collaborative approach with vendors. Treat them as your partners, share threat intelligence that they may not be privy to and generally work closely to support them in protecting your data.
Free Webinar: Cyber Security and the Board - Working with third party suppliers: A webinar on this topic will take place on Wednesday 1 April at 11am.
Stephen Head, Senior Partner - Cyber Security, Gadhia Consultants and Huntswood
Cyber criminals have now identified third party suppliers as a key vulnerability and attack vector in order to steal data, hold them to ransom or manipulate customers and steal funds. This webinar will help boards to understand the implications of entrusting another business with your key services and products, your customers and reputation, your finances and how to ensure that you have mitigated third party risk.
28.11.22