We welcome this call for views as a means to secure further guidance and support where firms have limited knowledge or expertise to assess cyber risk from their suppliers, including outsourced IT providers (Managed Service Providers).
BIBA shared information on the barriers that brokers and their customers face when trying to assess cyber risks from their suppliers. How many firms ask their suppliers how they identify cyber exposures in their business and mitigate those risks, or even whether they have purchased standalone cyber insurance, which would be another indication of best practice?
Some firms will ask their suppliers cyber security questions, but this depends on the resource and knowledge available in that firm, and how do they evaluate whether a response to those questions is good or poor?
Here, there is good information from the NCSC (National Cyber Security Centre), but it can be extensive and technical.
BIBA has asked whether the 12 principles of the Supply Chain Security Guidance could be condensed into a standard template suitable for firms of all sizes and all types of contract.
Consider an SME contracting with a digital agency to give its product or service an online presence. The agency may sub-contract to web developers and design freelancers, not all of whom may be UK based. How does the SME assess the cyber resilience of this supply chain? How does the SME reassure its larger retail client that it has done this successfully?
There is help for firms in the NCSC’s Supplier Assurance Questions, but BIBA wondered whether there could be a benchmark guidance score, or even a red/amber/green scale, to give confidence in suppliers’ responses.
Brokers and their customers may be aware of commercial offerings that can be effective in supporting organisations with supplier risk management. BIBA suggests that if these were accredited by Government, more firms might be incentivised to use them. Of course, some cyber insurance policyholders already have access to app-based products that deliver targeted cyber security alerts for their own businesses, access to critical security tools, and free expert advice; e.g. the BIBA cyber insurance scheme provider CFC Underwriting.
BIBA could not support regulation that makes procuring organisations more responsible for their suppliers’ cyber security risk management. Forms of statutory compulsion can have unintended consequences, especially when the costs and access to resources for smaller businesses are factored in. Would this mean that smaller firms are competitively disadvantaged? And would insurers provide the additional professional indemnity insurance, given the hard market?
There is a perception among some firms that an outsourced IT provider (managed service provider) “takes care of” cyber security, but is the extent of the IT provider’s liability clear? How much responsibility falls to the procuring firm in the event of a cyber incident? For this reason, BIBA has suggested that contracts should be clear on this point. BIBA supports the view that establishing certification or an assurance mark for managed service providers would be very effective in managing cyber security and resilience.
It may help firms to compare managed service providers if providers were required to supply, pre-contract, a table scoring themselves against the NCSC Cyber Assessment Framework principles.
BIBA trusts that its contribution will help inform and support the aim of the consultation to find “policy solutions (and) additional support or direction required from the government to enable organisations of all sizes and sectors to become increasingly secure online.”