This informal CPD article, ‘Cyber Attacks and Third-Party Risks‘, was provided by Jess Pembroke, Head of Data Protection at Naomi Korn Associates, a UK-based leader specialising in copyright, data protection and licensing.
The risk of cyber-attacks through third parties
Several cyber-attacks have recently been reported in the news, highlighting the disruptive impact such attacks can have on organisations. Beyond the immediate disruption, these incidents show the longer-term consequences: reputational damage and the inability to access essential data needed for core operations. They may also lead to legal action by those affected, and to regulatory action from the Information Commissioner’s Office (ICO), which has the power to issue fines.
Suppliers pose a significant risk, particularly smaller businesses. Smaller suppliers may lack the knowledge and resources needed for robust data protection and information security practices. Limited budgets often mean they cannot afford in-house staff dedicated to these areas, and security may not be the priority for them that it should be. Note that a supplier’s weakness becomes your organisation’s weakness: if a supplier processing personal data on your behalf is breached, it is your data, your data subjects and your regulatory exposure that are affected.
Key checks during the procurement process
When considering your procurement process, it is essential that your organisation evaluates the data protection and cyber security maturity of its suppliers. Your organisation should consider whether any current or potential supplier demonstrates a good understanding of both data protection and cyber security. For instance, check whether their privacy policy is up to date and compliant with current legislation, and ask whether they have appointed a Data Protection Officer or a similar role to oversee their data protection practices. Bear in mind that a compliant privacy policy shows the supplier understands its legal obligations; it says little about how well its systems are actually secured, so it should be treated as one check among several rather than as evidence of technical security.
It is also a requirement under the UK General Data Protection Regulation (UK GDPR) that any supplier processing personal data on your behalf is bound by a written contract containing specific data protection terms. It is crucial to understand the terms set out in your contracts, especially concerning data protection responsibilities and the actions to be taken in the event of a data breach, including how quickly the supplier must notify you. Your organisation can potentially protect itself from some of the financial impact of a data breach when the contract includes clauses covering liability for legal or regulatory consequences where the supplier is responsible for the breach.
Organisations also need to consider compliance with the UK GDPR’s rules on international data transfers by asking the supplier where personal data will be stored and processed: within the UK, in a country covered by UK adequacy regulations (which include the EEA states), or elsewhere subject to appropriate safeguards such as the ICO’s International Data Transfer Agreement. This is particularly relevant for suppliers of software as a service (SaaS) or cloud hosting platforms, and the question should extend to any sub-processors the supplier itself relies on, since data is often hosted or supported from a different country than the supplier’s own.
Due diligence should be carried out on long-term suppliers and contracts periodically, not just when a new contract is signed. This could involve asking suppliers about any recent data security incidents, even minor breaches, to stay informed about the supplier’s current data protection status. Regular checks can help identify changes that might affect the security of the data they handle on your behalf, such as a change of hosting provider, a new sub-processor, or the loss of a security certification.
Importance of Continuing Professional Development
Ensuring your data protection personnel continue their professional development and keep their knowledge up to date is an important aspect of maintaining robust data security, and therefore of reducing security and reputational risk. To further strengthen your organisation’s data protection capabilities, it would be beneficial to explore specialised training in contracts and data protection for your senior finance and procurement personnel, since they are often the people who select suppliers and sign the contracts that govern how your data is protected.
We hope this article was helpful. For more information from Naomi Korn Associates, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.