Third parties, such as vendors, suppliers, and business partners, can introduce significant business risk to an organization simply due to the type and amount of sensitive information they receive and how they process174 and potentially share it amongst themselves.

  • Data breaches are increasingly being attributed to security failures in an organization’s supply chain.175
  • The ‘flow down’ of contractual requirements to downstream organizations in the supply chain is a necessary but often insufficient approach to ensuring adequate due care or diligence.176
  • The provision of satisfactory assurances through audit or assessment can often be a legal or regulatory requirement, depending on the type and nature of the data, resulting in additional liability.177
  • An organization’s brand and reputation may still be affected by a breach in its supply chain.178
  • Organizations may still be held accountable by customers and upstream partners for the failure of downstream third parties to protect the data they receive.179

174 See definitions for data and information processing in Appendix C.

175 For example, see New Jersey Cybersecurity & Communications Integration Cell, NJCCIC (2017, 20 Jul). Supply Chain: Compromise of Third-Parties Poses Increasing Risk (NJCCIC Threat Analysis Report) or Kohen, I. (2018, 8 Mar). Data Security Best Practices for Mitigating Supply Chain Risk (Blog), Supply & Demand Chain Executive.

176 For example, see Reed Smith (2017, 13 Sep). Mitigating Third Party Data Breach Risks (Reed Smith Client Alert) for a discussion around information risk in the supply chain, or Trowbridge, M. (2017, 2 Nov). Five Techniques to Manage Supply Chain Risk (Blog). Supply Chain Risk Management Review for a broader discussion around managing supply chain risk.

177 For example, see De Groot, J. (2020, 1 Dec). What is the NYDFS Cybersecurity Regulation? A Cybersecurity Compliance Requirement for Financial Institutions (Blog). Digital Guardian for a discussion of third-party assessment requirements in Cybersecurity Requirements for Financial Services, 23 NYCRR 500 (2017).

178 See Petersen, H. and Lemke, F. (2015, Aug). Mitigating Reputational Risks in Supply Chains. In Supply Chain Management 20(5), pp. 495-510.

179 For example, see Guta, M. (2019, 2 Jul). Small Business Supply Chain Partners Aren’t Always to Blame for Cybersecurity Breaches (Blog). Small Business Trends or Samandari, H., Walsh, J., and Yueh, E. (2013, 1 Jul). Managing when vendor and supplier risk becomes your own. McKinsey & Company.