Supplier Risk Management

Supplier risk management is a central part of modern cybersecurity strategy. It ensures that suppliers and partners implement required cybersecurity practices and protects the business from external threats. Particularly with critical partners, third-party risk management is essential, as their operations can directly impact the organization’s security and business continuity.

What is supplier risk management and what are its cybersecurity benefits?

Supplier risk management refers to actions through which an organization identifies, assesses, and manages risks posed by suppliers, such as IT partners, cloud services, or other subcontractors. Risks may relate to cybersecurity threats, data protection breaches, delivery disruptions, or issues with regulatory compliance. The goal is to protect the business and ensure supplier cybersecurity and reliability.
Good supplier risk management benefits cybersecurity in the following ways:
Securing business continuity. You ensure that the supplier has appropriate preparedness and recovery plans in case of cyberattacks or other disruptions to the service.
Preventing financial losses. By reducing risks in advance and choosing suppliers wisely, you minimize the likelihood of business interruptions and the cost of post-incident remediation.
Protecting reputation. Supplier cybersecurity problems can also adversely affect the client organization’s reputation.
Protecting information assets. You ensure that the supplier handles and protects confidential information appropriately.
Compliance with requirements, regulations, and standards. You ensure that the supplier meets your organization’s and your customers’ cybersecurity requirements and complies with legal requirements and industry frameworks.
Building trust. By taking care of supplier risk management, you demonstrate to your customers that you take cybersecurity seriously.

What types of organizations should conduct supplier risk management?

Supplier risk management is important for all organizations that have outsourced functions, such as cloud services, IT support, customer service, or logistics. Supply chain risk management is particularly important for organizations handling trade secrets, personal data, financial, or security-related information, as supplier cybersecurity breaches can lead to the leakage of critical data. On the other hand, small firms or growth companies can be highly dependent on their supply chain, where service disruptions or resource shortages from a supplier can halt business operations.
In some industries, sector-specific regulation requires investment in third-party risk management. For example, the Digital Operational Resilience Act (DORA) concerning the financial sector requires ICT risk management related to third parties. Similarly, the NIS2 directive concerning critical sectors sets requirements for understanding and assessing supply chain security. Cybersecurity management in supplier relationships is also part of the ISO/IEC 27001 standard.

Assess the risks posed by suppliers

What information and which premises can our subcontractors access? What if data from the cloud service maintained by our service provider leaks? If our service provider becomes the target of a data breach, can the attackers also reach us through that foothold? What if the supplier goes bankrupt? Questions like these can be used as a starting point for assessing risks posed by the supply chain. Risks should be assessed both when selecting new suppliers and regularly for existing suppliers.
Risk assessment helps determine how to bring risks to an acceptable level. For example, cybersecurity reporting obligations can be set for the supplier, or more frequent cybersecurity audits can be conducted to ensure compliance with cybersecurity requirements. Stricter restriction of data access, automatically expiring user credentials and other technical cybersecurity measures, as well as cybersecurity training for supplier personnel, can also help reduce risks.

Choose suppliers wisely using criteria

When selecting a supplier, price often weighs heavily. In smart supplier selection, one should also consider the supplier’s cybersecurity practices and capacity to deliver the desired services.
Selection criteria should be written down as unambiguously as possible, as requirements for which answers are sought during the procurement process. There can be criteria for both the supplier organization and the service offered by the supplier. For example, regarding the supplier, you may want to ensure that the supplier has the ability to scale their services according to the organization’s needs and that the supplier follows clear and documented processes, for instance, regarding service change management, secure software development, and incident management. Regarding a cloud service, you may want to ensure, for example, that users can log in with the organization’s own single sign-on, that the access control solution enables restricting data visibility, that backup retention time is sufficiently long, that the service can continue uninterrupted regardless of regional disruptions, or that the service’s cybersecurity is regularly assessed through testing conducted by an independent party.
Whether the answers come from the supplier themselves or based on a cybersecurity expert’s assessment, there should be evaluation criteria and acceptance criteria for the requirements. Sometimes a supplier assessment, audit against an appropriate framework, or technical cybersecurity testing of software or an IT system may also be appropriate to make the selection with confidence.

Supplier risk management is an ongoing process

Supply chain risk management is an ongoing process. A one-time risk assessment or cybersecurity audit is not sufficient; rather, the goal is to ensure that suppliers and subcontractors continue to comply with cybersecurity requirements. For example, in regular service monitoring meetings, in addition to service quality levels, possible changes affecting cybersecurity, cybersecurity incidents that have occurred, and cybersecurity risks can be discussed.
Additionally, the supplier’s cybersecurity assessment should be renewed regularly, with the frequency based on the supplier’s criticality. For less important services, a self-assessment or a brief check that the information on record is still current may suffice. For critical services, a more thorough supplier assessment or cybersecurity testing may be warranted.
It is essential to note that supply chain risk management does not rest solely on the shoulders of the cybersecurity team or contract lawyers. Business units have the best understanding of how important a supplier is and what risks a service disruption or cybersecurity problem could cause. Data protection expertise is also required to ensure proper handling of personal data and compliance with data protection legislation. If the service integrates with your other systems, IT team expertise is needed as well.

Smooth supplier collaboration helps in disruption situations

When a service provider is in a business-critical role, cooperation with the supplier should also be examined. How do you proceed if the supplier becomes the target of a data breach or there is a service disruption? Does the critical vulnerability announced by the National Cyber Security Centre also concern our service provider?
It is good to agree and document in advance who will be communicated with, who makes decisions, and which actions are the responsibility of the service provider and which of the client company. In addition to having incident management and continuity plans in order on paper, it is worth testing disaster management capabilities in practice through a joint cyber exercise. Don’t be nervous about including the supplier in the exercise – initially, you can start with a smaller-scale tabletop exercise and a simple scenario, and then progress to more complex cyber exercises.

How to get started with supplier risk management?

Supplier risk management is best started by identifying the supply chain, assessing risks, and understanding supplier criticality to the business. The following steps will get you started:
1. List current suppliers, subcontractors, and other partners. Briefly describe the service provided by the supplier: do they deliver software, run a cloud service, or perhaps rent premises needed by your organization?
2. Consider which suppliers are critical to your business or handle confidential information. Document your assessment of the supplier’s importance.
3. Find out what you already know about suppliers’ cybersecurity levels. Do suppliers have, for example, cybersecurity certifications, or has their service been security tested by an independent party? Ask about cybersecurity from suppliers at the next meeting.
After this, you can start forming assessment criteria for suppliers in the different criticality classes and assessing suppliers’ cybersecurity maturity levels through, for example, self-assessment forms and interviews. Building on that, you can assess the risks, review supplier contracts for completeness from a cybersecurity perspective, and form a supplier risk management program that provides an up-to-date picture of supply chain risks and through which those risks can be reported, for example, to senior management or customers.
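The starter steps above, and the earlier point that reassessment frequency and depth should follow supplier criticality, can be captured in a small supplier risk register. The following Python script is an added example written for this article; it is not 2NS code or a tool the article describes. The supplier names and details are constructed sample data, the "halts / degrades / minor" dependency scale is an assumed simplification, and the reassessment intervals per tier are assumptions, since the article only says the cadence should be based on criticality.

```python
"""Minimal supplier risk register (added example, not 2NS code).

Steps modelled from the article:
  1. inventory suppliers and the service each provides,
  2. classify criticality from data handled and business dependency,
  3. record what is already known about their security posture,
  then derive the required assessment type and whether a review is due,
  so gaps and overdue reviews can be reported to management.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Tier(Enum):
    CRITICAL = "critical"
    IMPORTANT = "important"
    STANDARD = "standard"


# ASSUMPTION: reassessment cadence per tier. The article only says the
# assessment should be renewed regularly based on criticality.
REASSESS_INTERVAL: Dict[Tier, timedelta] = {
    Tier.CRITICAL: timedelta(days=365),
    Tier.IMPORTANT: timedelta(days=730),
    Tier.STANDARD: timedelta(days=1095),
}

TIER_ORDER = {Tier.CRITICAL: 0, Tier.IMPORTANT: 1, Tier.STANDARD: 2}


@dataclass
class Supplier:
    name: str
    service: str                  # software, cloud service, premises, ...
    handles_confidential: bool    # trade secrets, personal, financial or security data
    business_dependency: str      # ASSUMED scale: "halts", "degrades", "minor"
    evidence: List[str] = field(default_factory=list)  # certifications, independent tests
    last_assessed: Optional[date] = None


def classify(s: Supplier) -> Tier:
    """Step 2: critical if a disruption halts operations or confidential data is handled."""
    if s.business_dependency == "halts" or s.handles_confidential:
        return Tier.CRITICAL
    if s.business_dependency == "degrades":
        return Tier.IMPORTANT
    return Tier.STANDARD


def required_assessment(tier: Tier) -> str:
    """Lighter checks for less important services, thorough ones for critical services."""
    if tier is Tier.CRITICAL:
        return "thorough supplier assessment or security testing"
    return "self-assessment or currency check"


def assessment_due(s: Supplier, today: date) -> bool:
    """Never-assessed suppliers are due immediately; others when the tier interval has passed."""
    if s.last_assessed is None:
        return True
    return today - s.last_assessed > REASSESS_INTERVAL[classify(s)]


def report(suppliers: List[Supplier], today: date) -> List[dict]:
    """Management view: one row per supplier, critical suppliers first."""
    rows = []
    for s in suppliers:
        tier = classify(s)
        rows.append({
            "supplier": s.name,
            "tier": tier.value,
            "assessment": required_assessment(tier),
            "due": assessment_due(s, today),
            "evidence_gap": not s.evidence,   # step 3: nothing known yet -> ask at next meeting
        })
    rows.sort(key=lambda r: (TIER_ORDER[Tier(r["tier"])], r["supplier"]))
    return rows


# Constructed sample inventory (step 1); names and dates are made up.
SAMPLE_SUPPLIERS = [
    Supplier("Example Cloud CRM", "SaaS customer database", True, "halts",
             ["ISO/IEC 27001 certificate", "independent penetration test"], date(2024, 3, 1)),
    Supplier("Example Helpdesk", "outsourced IT support", True, "degrades"),
    Supplier("Example Premises", "rents office space", False, "minor", [], date(2022, 1, 10)),
    Supplier("Example Logistics", "freight logistics", False, "degrades",
             ["self-assessment form"], date(2023, 6, 15)),
]

if __name__ == "__main__":
    for row in report(SAMPLE_SUPPLIERS, date(2025, 6, 1)):
        flags = ("DUE " if row["due"] else "") + ("NO-EVIDENCE" if row["evidence_gap"] else "")
        print(f"{row['supplier']:<20} {row['tier']:<10} {row['assessment']:<48} {flags}")
```

The register deliberately flags a supplier that has never been assessed as due regardless of tier, and separates "no evidence on file" from "assessment overdue", because the first is resolved by simply asking the supplier at the next meeting while the second needs a review to be scheduled.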
Does your organization need to develop supplier risk management? 2NS has extensive experience in implementing supplier assessments and supply chain risk management programs as part of information security management system development as well as separate projects. We are happy to tell you more about our services, get in touch!
