How to create a cyber resilient supply chain

In brief

What do the Australian Department of Defence, Target, Verizon and the Australian Red Cross Blood Service have in common? They all suffered massive data breaches linked to a failure in their supply chain. These breaches are a good reminder that with so much attention directed at securing your organisation, it can be easy to neglect the vulnerabilities that can be introduced by your suppliers and vendors, let alone their suppliers and vendors.

Third-party vendors are often the weakest link in the data management chain. In fact, it is precisely because many vendors have fewer security controls in place than host organisations that they can be easier to target. Once attacked or hacked, attackers can leverage these vendors’ access to penetrate their ultimate target.¹ A recent survey by Soha Systems found that 63 per cent of all data breaches are linked directly or indirectly to access via a third party vendor.²

Not only are the potential business operation and reputational risks significant, but failing to appropriately manage your third party suppliers could also be considered a breach of the obligation under the Privacy Act 1988 (Cth) to take reasonable steps to protect the security of personal information (as required by APP 11).

So, how should companies be thinking about securing vulnerabilities outside their perimeter? What assurances should you be requesting from vendors with respect to their cybersecurity investment, processes, people and systems? And what steps should you be taking to ensure that your compliance and notification obligations are met when your business relies on the products and services of multiple external providers?

Here are ten practical measures that you can take to strengthen the cyber resilience of your supply chain:

1. Implement robust, scalable and repeatable governance processes for IT procurements and embed cyber risk management practices within them. Limit the people who are authorised to enter into contracts with suppliers that hold critical data or access or connect to your infrastructure. Make sure that those people have been trained to understand and manage the cyber risk specific to your environment.
2. Embed supply chain risk management within your overall risk strategy. Ensure that your data breach response plan contemplates attacks or incidents involving (directly or indirectly) your supply chain (eg where the compromised asset belongs to the supplier or where the supplier is the source of the leak). Implement back-up and recovery systems.
3. Know your data. Understanding where your data is stored, and the data flows within and between your organisation and your various supply chain partners, is critical to helping you to identify, understand and manage any breach.
4. Know your third party service providers. Undertake due diligence and perform risk assessments on vendors. This includes reviewing the following vendor documents before engaging or permitting them to access your systems or data:
   • data security policies and incident response plan;
   • employee confidentiality/non-disclosure agreements;
   • information technology security training programs; and
   • template subcontractor agreements (to check for data security provisions).³

   Then, take reasonable steps to verify their security practices and procedures. In most cases, your supply chain vendors should have security policies that have been codified and certified or validated by a third party against reputable standards such as those from the International Standards Organisation or Standards Australia. The Office of the Australian Information Commissioner (OAIC) has repeatedly highlighted undertaking appropriate due diligence on third parties when considering your APP 11 obligations.⁴

5. Screen and educate your people. Conduct background checks and detailed screenings as part of your recruitment process and require your providers to do the same. Once on board, make sure that you equip your people with the right knowledge and conduct induction and regular training on data handling practices and their privacy and security obligations. This is even more important for personnel who may be regularly handling sensitive data.
6. Establish robust contractual protections…and enforce them. The assurances that you obtain from suppliers, and the obligations that you impose, should be relevant and proportionate to the risk faced. Generally speaking, your contract should cover:
   • Maintenance of safeguards and security to protect personal information and/or data from unauthorised use, disclosure, loss etc. – Consider whether it is appropriate to also include an obligation to continuously improve and update those measures.
   • Incident notification – Suppliers should be required to notify you of any data breach in a timely manner. Consider whether to require that the supplier notifies you of any breach suffered by the supplier, or only those affecting your data or infrastructure. You will also need to consider the implications of the incoming notifiable data breaches regime. Note that the OAIC's recent guidance on the incoming notifiable data breaches scheme indicates that where more than one entity holds personal information that was compromised in a data breach, the entity with the most direct relationship with the individuals should notify the affected individuals.⁵
   • Compliance with law, internal policies (including your organisation's privacy policy) and information technology security standards.
   • Audit rights – Audits and testing (including penetration testing) of security systems should be undertaken regularly. Where a supplier does not permit you to access their network for these purposes, you may be able to request a third party report certifying the results of an independent audit and/or testing. If the security audit finds that the systems are not best practice, the supplier should be required to take reasonable steps to improve them.
   • Data governance arrangements – Your agreement should define the acceptable use of any data that it receives or accesses.
   • Subcontractors – Third party vendors and suppliers should be required to ensure that their subcontractors are held to at least the same standard.
   • Cyber insurance – It is becoming increasingly common for customers to require that their suppliers take out cyber insurance policies. For vendors doing business in the US, this shouldn't be a stretch as this is often a non-negotiable requirement for US organisations.
   • Cooperation and mitigation – Suppliers should be required to cooperate in any investigation into the breach, contain and eliminate the cause of the breach, maintain records and evidence of what has happened and preserve and secure your data.
   • Rights to recover data in the case of supplier insolvency.
   • Warranties and indemnities – Consider what warranties and indemnities may be appropriate to protect your data and whether indemnities should be capped or uncapped.
7. Don't set and forget. Conduct regular and continuous monitoring of security mechanisms and ensure that anti-virus/malware programs are updated regularly. Your data breach response plan should also be regularly reviewed and updated to ensure that it stays relevant given the rapid pace of change in this space.
8. Ensure that you have a robust information security or cyber insurance policy as your last line of defence. For example, ensure that your coverage extends to situations where hackers obtain access to your systems using legitimate third party provider credentials or through your provider's network, theft of or access to data held by your third party suppliers and rogue or negligent disclosures by a provider's employees.
9. Restrict third party access to your infrastructure to what the third party needs to perform their job. Levels of access are likely to vary, depending on the role of the third party. Any access by supply chain vendors should be tracked, authenticated and audited to ensure the appropriate nature and extent of use.
10. Know your key contacts. In the event of a data breach, you'll undoubtedly need to act quickly and that might also mean that your third party providers need to do the same. Make sure you know who at your suppliers has the knowledge and authority to shut down systems and, if they are based overseas, who you can contact after hours.