Don't worry if you missed 'Cybersecurity and digital transformation - the supply chain challenge' during Tech Week 2020. We've provided below a summary of the key points and a link to the full recording. Any questions do get in touch.

Summary

While third party risk is not new it will become more of a challenge as businesses grow and adapt in response to increased digital transformation and digitalisation.

We are seeing digital transformation being undertaken with less risk assessment and due diligence than we would usually expect.  At the same time, integration and implementation are being done faster than normal.

Market update - Shared by Piyush Jain (Accenture)

  • New technologies and business models have increased the amount of third parties (and beyond) involved within value and supply chains.
  • These third parties may not as secure as they could be where security has not caught up with the pace of expansion. This leads to a higher risk of data breaches, malware attacks, ransomware and similar issues.
  • Third party risk assessments are made more difficult and less efficient by minimal standardisation, a reliance on manual processes and the expectation that the service can be performed well under tight timeframes.
  • A very significant proportion of supply chain cyber risk often comes from a limited number of third parties.  Correctly identifying and focusing on those third parties makes the process more manageable.
  • One possible solution is Managed TPRaaS (Third Party Risk as a Service), which allows for a fully managed service, scalability at speed, integration with security rating and threat intelligence, built in analytics with automated reporting and centralised remediation management.

Legal and commercial update - Shared by David Halliday and Paul Glass (Baker McKenzie)

  • "Soft law" and guidance comes from many sources, including CSIRT, ENISA, NCSC, national CERTs and industry standards such as NIST.  Understanding and applying that guidance is key.
  • Article 25 GDPR requires controllers to focus on security and privacy when implementing new services and technologies which necessitates some level of risk assessment. Article 28 GDPR mandates due diligence and understanding of the third party you are dealing with; this may go beyond their credibility for security to establishing how they are implementing their solutions. Article 28 also needs to be incorporated into contracts to show specific consideration of the different security outcomes you are looking for as a buyer.
  • ICO guidance shows it is essential to document the thought process around third party selection and risk due diligence, along with testing and assurance.
  • NCSC principles make clear that good security within the supply chain is the result of dialogue and a shared responsibility model.
  •  Where payments are involved, regulators are placing more focus on PCI-DSS compliance, and this is often not dealt with well in contracts.

BA (£20m fine reduced from proposed £183m)

  • Access to around 400,000 individuals' data was obtained through a third party provider that used a Citrix gateway to access BA data; through this gateway hackers were able to obtain much wider access to IT infrastructure.
  • The ICO criticised BA for not enabling multifactorial authentication on the Citrix gateway, which could have stopped the data breach and was common practice for BA's internal security standards.
  • The ICO highlighted that risk assessments need to be completed regularly. Significantly, they are citing all of the regulatory positions that are set out above, and quoted extensively from third party guidance and standards.
  • The ICO also highlighted that contractual security and compliance obligations are not, on their own, enough for a data controller to comply with its security obligations under GDPR, and should not be relied on as an effective security measure.

Ticketmaster (£1.25m fine)

  • The data of around 1.4m UK nationals was compromised, including a much smaller subset of credit card data. 
  • Ticketmaster used a third party chat bot on its website.  That chat bot  was compromised with malware which skimmed personal data and credit card information. 
  • The ICO  determined that Ticketmaster's assessment of the risk of integrating the third party software with its own infrastructure and ongoing verification of security measures was inadequate, particularly as the chat bot was active on Ticketmaster's payment page.
  • The ICO considered that Ticketmaster had failed to discharge its own PCI-DSS obligations, as it used a vendor that was not PCI-DSS certified.
  • The ICO decided that there was clear market knowledge of the risks of using chat bots on payment pages that Ticketmaster should have put in place additional defences rather than relying on contractual obligations that the chat bot was free from malware.