Supply chain cyber risk management. Best practice guidelines

29.08.2023 Tulin Sevgin & Natasha Basukoski

This article provides an overview of best practices regarding monitoring and managing your suppliers and service providers, and how following these recommendations can tie in with APRA requirements (CPS 234 and 230).

Key takeouts

  • Almost 60% of all data breaches experienced by organisations are caused by a third party.
  • As organisations are utilising more third parties in their critical business activities, regulators have heightened their expectations regarding fourth party risk management and the risk posed to your organisation by your supplier’s vendors.
  • The third-party data privacy and regulation landscape is ever changing with 75% of the world being covered by at least one set of privacy regulations by the end of 2023.

As supply chains grow in complexity and vendors expand their own use of vendors to provide their services, it can be increasingly difficult to track who has access to your data and where it may be stored/transferred/accessed. As a result, the three biggest risks from your supply chain are:

  • Data breaches: Vendors often have access to sensitive data, such as customer Personal Identifying Information (PII) and financial information. If a third-party vendor's systems are compromised, this data could be exposed to unauthorised individuals.
  • Malware: Vendors can introduce malware into an organisation's systems through infected software or malicious code. This malware could then be used to steal data, disrupt operations, or take control of systems.
  • Unpatched vulnerabilities: Vendors may not have the resources or expertise to keep their systems up to date with the latest security patches. This can leave their systems vulnerable to attack.

In order to address and minimise supply chain risks, your organisation should implement the following best practices:

  • Assess regularly: Conduct annual risk assessments of third-party vendors against an industry standard (NIST CSF, ISO 27001), including reviews of certifications, audit/SOC reports and penetration test reports and seek remediation for any vulnerabilities identified.
  • Require minimum security controls: Require vendors to implement security controls, such as data encryption, antivirus/anti-malware and access controls, that are, at a minimum, equal to your organisation’s own.
  • Create clear contracts: Make sure all agreements with third-party vendors include clear security requirements and obligations, including the requirement of prompt notification of any security incidents relating to your data as part of your MSA.
  • Communicate frequently: Regularly communicate with third-party vendors about security risks and best practices.
  • Monitor closely: Monitor third-party vendors for any signs of security problems, such as data breaches or malware infections.
  • Conduct due diligence: Choose your vendors carefully by evaluating their security practices and making sure they have a strong track record of security compliance before onboarding them and giving them access to your data.

Supply chain cyber risk management – Fourth parties

While third-party vendor risk management can be straightforward to assess with a strong third-party risk management (TPRM) process in place, the same cannot be said for fourth parties. As fourth parties are indirectly linked, a different approach is required.

To effectively manage fourth-party risk, it is best to establish a comprehensive and mature TPRM program, which in turn will ensure your third parties are effectively monitoring your fourth parties. This involves using surveys, performing due diligence, identifying risks, and implementing mitigating controls. By incorporating fourth parties into these TPRM practices and processes, organisations can better manage and minimise the risks posed by these indirect relationships.

In order to address and minimise the risks associated with fourth parties, your organisation should adopt the following best practices:

  • Research vendor relationships: Understand the involvement of key fourth parties in the delivery of contracts with your third parties, including how they may process/transfer/store your data and the locations in which this may take place. Create an inventory to track these details.
  • Perform due diligence: Examine your vendors’ TPRM programs to make sure they’re performing annual due diligence on their own vendor relationships and request evidence that they have done so.
  • Identify critical fourth parties: Identify high-risk, mission-critical fourth parties and insert a clause into your contract giving you the contractual right to assess the subcontractor directly if required.
  • Require prompt notification: Require your vendor to notify you if they materially change any aspect of their fourth-party relationships and if they become aware of any incident from the fourth party.
  • Require robust TPRM practices from your third parties: Consider language that compels your vendors to oversee fourth parties and make sure those parties comply with your vendor contract and any stipulations or requirements.
  • Monitor fourth parties for incidents: Add critical fourth parties to monitoring platforms so you can receive immediate alerts in the event of a breach.

Applicability to APRA CPS 234 & CPS 230

Due to the standards set forth by the Australian Prudential Regulation Authority (APRA), specifically CPS 234 and CPS 230, there is now an increased focus on entities regulated by APRA to evaluate the financial and other risks associated with their reliance on service providers. This includes assessing risks linked to the use of third and fourth-party service providers and implementing suitable measures to minimise these risks.

The Prudential Standard CPS 234, effective from July 1, 2019, mandates that APRA-regulated entities establish information security controls that match the lifecycle stage of their information assets. These controls extend to situations where a third party manages the entity's information assets. Notably, the CPS 234 Prudential Standard also applies to third parties whenever they manage information on behalf of an APRA-regulated organisation.

More recently, on July 17, 2023, APRA unveiled the Prudential Standard CPS 230. This new standard aims to address ineffective controls within APRA-regulated entities, a limited tolerance for disruptions, and the growing reliance of these entities on service providers. CPS 230 introduces additional obligations for overseeing entities in an APRA-regulated entity's supply chain, encompassing organisations engaged by third-party material service providers to offer services to the APRA-regulated entity (referred to as 'fourth-party service providers'). These obligations involve obtaining assurance from service providers regarding their capability to manage significant fourth parties.

As recommended in this article's best practices, APRA suggests that regulated entities should conduct proactive audits of their list of direct and indirect service providers. This audit should identify providers that could be categorised as 'material service providers'. Subsequently, these regulated entities should review their agreements with such 'material service providers' to ensure alignment with the heightened requirements outlined in CPS 230. The standard outlines several factors to consider when evaluating service providers and related agreements, including:

  • The extent of services and associated service levels.
  • The regulated entity's capacity to fulfil its legal and compliance obligations.
  • Notification by the service provider about its reliance on other significant service providers to serve the APRA-regulated entity.
  • Ensuring that the service provider does not hinder APRA in carrying out its responsibilities.

MinterEllison is a leader in cyber security, offering integrated legal, cyber risk, and technology consulting. This integrated capability enables us to advise our clients and navigate them through the challenging and complex environment of their supply chain cyber risks. Should you or your organisation require any assistance with managing your supply chain cyber risks, please do not hesitate to reach out to the MinterEllison National Cyber Security Consulting Practice.