UK and global cyber threats require robust supply chain risk management

High-profile cyber attacks – and particularly those that affect large processors – continue to underscore the ongoing threat that supply chain vulnerabilities pose to UK and international business and are a further reminder that organisations need to properly assess supply chain security.

Last year, the MOVEit cyber security attack compromised the personal data of millions of individuals at client organisations of the payroll support services provider. Cyber criminals successfully exploited a zero-day vulnerability in the MOVEit file transfer tool, affecting thousands of organisations internationally, including many in the UK.

Despite the growing trend in cyber criminals exploiting supply chain weaknesses, many businesses continue to rely heavily on suppliers' cyber security. The 2023 Cyber Security Breaches Survey revealed that only about one in 10 businesses assessed the cyber risks posted by their immediate suppliers.

Regulatory catch-up

In the EU, the revised Network and Information Systems Directive (NIS2), which came into force on 16 January 2023, has represented a significant step towards implementing high-level cyber security standards. It has significantly extended the list of sectors within the scope of the regulation and obliges business to adopt appropriate technical, organisational and operational measures to ensure supply chain security. The directive places an increased emphasis on technical standards and the convergence between the standards and legal compliance.

International standards such as ISO 270001:2022, for example, also increasingly focus on the management of supplier and third party security controls to ensure the security of an organisation's supply chain.

For organisations in the financial services sector, the Digital Operational Resilience Act (DORA) introduces similar obligations to ensure supply chain resilience. DORA, which will apply from 17 January 2025, requires financial institutions and their ICT third-party service providers to monitor and manage risk within their ICT risk management frameworks. 

In the UK, the government published plans to improve the country's overall cyber resilience through the NIS Regulations 2018, following a 2022 public consultation launched by the Department for Digital, Culture, Media and Sport. The consultation expressed concerns over the potential for cyber criminals to leverage managed services to gain access to their clients, which include companies across multiple sectors and even critical national infrastructure.

By proposing to bring managed services within scope of the regulations, the government seeks to protect these digital supply chains and minimise the potential disruption to wider society and national security. In March 2024, the UK government indicated in its response to the Joint Committee on the National Security Strategy consultation on ransomware and UK national security that is still committed to delivering these changes as soon as parliamentary time allows.

It is therefore crucial for businesses to ensure that they assess where cyber risk is in supply chains to ensure compliance with regulatory requirements.

Action points

Comprehensive incident response planning can help mitigate the impact of a potential cyber incidents. A well-structured plan and crisis simulation or "war-game" exercises can help organisations minimise legal, operational and reputational exposure and financial costs of a cyber attack.

Regulated sectors should also take note of guidance from respective regulators. The Pensions Regulator, for example, has published guidance on the steps that trustees and scheme managers are expected to take to protect their members against cyber risk and additional reporting obligations following a significant cyber incident.

Board members should also be involved in discussions with suppliers and partners within an organisation's supply chain. Boards can encourage collaboration between organisations and use their influence to introduce minimum cyber security requirements which providers and suppliers need to demonstrate in order to bid on contracts.

Osborne Clarke comment

It is crucial to seek out expert advice to establish an effective incident response plan, implement a crisis communication strategy, manage any potential regulatory investigations and mitigate legal risk from follow-on claims brought by data subjects affected "further down the line".

We have a team of Osborne Clarke experts who can advise clients on how to manage cyber risk in supply chains from a contractual perspective, so please get in touch should you need assistance.

Sign up for our cyber risk and supply chains webinar on 30 April, where global risk consultancy S-RM's head of proactive cyber services, Katherine Kearns, will join Philip Tansley to discuss managing technical, legal and regulatory exposures.

Our horizon scanning Regulatory Outlook also takes a look at the regulatory developments in the UK and EU surrounding cyber resilience. Keep track of major digital regulation covering cybersecurity that is on the horizon, in the legislative process, or is coming into force soon with our Digital Regulatory Timeline.

This Insight was written with the assistance of Michelle Tong, paralegal at Osborne Clarke.