Mitigating third-party cyber risks in a new regulatory environment

GDPR and the NIS Directive increase the focus on managing cyber security throughout the supply chain. Organisations need to check their suppliers are compliant

The headlines are full of data breaches. A report in October from the UK National Cyber Security Centre revealed that the GCHQ offshoot had stopped almost 1,200 attacks in the past two years and is fighting off around 10 attacks every week. These numbers don’t account for the many more cyber attacks targeting private companies and their digital infrastructure.

Despite spending millions on cyber security enhancements and compliance around the General Data Protection Regulation (GDPR), organisations remain reluctant to address the weakest link in their IT security environment – their supply chain and associated third-party relationships.

Addressing third-party cyber risk is challenging and significant. For larger organisations, procurement decisions are usually made without input from those responsible for cyber security, and such agreements can provide access to critical systems via open application programming interfaces (APIs) and other interaction mechanisms.

Supplier relationships can also become unmanageable without a standard process for handling cyber risk when the relationship rests on an arm's-length contractual arrangement. Many organisations are still struggling to address their internal network security issues and have not sufficiently considered the risks beyond their own network. But third-party cyber security risk is too significant and too dangerous an issue for board members to continue to overlook.

NIS Directive

Current regulatory initiatives including the Networks and Information Systems (NIS) Directive and GDPR require organisations to take responsibility for ensuring that external suppliers have implemented adequate cyber security measures.

Both NIS and GDPR require notification to the Information Commissioner’s Office (ICO) no later than 72 hours after an organisation is aware of a data breach or a cyber incident having a substantial impact on its services.

Many data breaches affecting large organisations occur within a third-party service provider. Organisations that do not have the contractual provisions and processes in place with these suppliers to secure the necessary information surrounding the data breach are unlikely to meet the 72-hour deadline.

Missed deadlines and poor or inaccurate information reveal due diligence and contractual failures. These failures increase the risk of a regulatory investigation and significant financial penalties.

But regulatory fines are just the beginning. There are also civil liabilities, as well as loss of consumer trust and investor confidence that result from a cyber breach. Under GDPR, individuals can claim compensation for material and non-material damage.

A data controller is jointly and severally liable for the damage if it was in some way also responsible for a breach due to unlawful processing by a data processor.

To mitigate these risks, organisations that outsource cyber security functions should comprehensively review their third-party contractual arrangements and revise their internal procurement processes and procedures to include cyber security assessments. These reviews should, at a minimum, assess, document and monitor these agreements.

Assess

  • Develop a complete inventory of cyber security providers including details about their level of access to your network and their security provisions and communication obligations in case of a breach – who are you doing business with?
  • Review the risks associated with current contractual liability provisions with third-party providers – will they protect you if they are breached?
  • Review cyber insurance policies for third-party risk – what are the exemptions? How good is your coverage?
  • Review internal procurement procedures – are you performing cyber security due diligence on all new suppliers?

Document

  • Ensure the necessary contractual provisions exist to allow the supplier to meet its regulatory requirements, including incident notification within tight timelines.
  • Consider contractual clauses focused on security, stipulating responsibility for any compromise or data breach, and contractually mandate that the security clauses also apply to the sub-contractor(s) in the supply chain.
  • Insist on incident response plans and procedures in the contractual agreement and include (if appropriate) the supplier in these plans and procedures.

Monitor

  • Formalise a process to regularly monitor and manage all third-party cyber security relationships. Consider auditing mission-critical providers.
  • Revisit and revise your processes and procedures in the light of regular cyber breach exercises or actual breach situations.

Cyber threats are on the rise in both number and complexity, and attackers are deliberately targeting the supply chain. Recent regulatory approaches under NIS and GDPR require organisations to take an active role in overseeing their third-party providers.

Failure to do so can result in regulatory fines, civil liabilities and reputational loss. Investing human and financial capital now to assess and mitigate risk can help significantly reduce these liabilities, protect an organisation’s reputation and strengthen consumer trust.

Cavan Fabris is senior manager in data and cyber law at EY.
