
Risk Ledger publishes supply chain and data protection security report //05.03.21


Managing risks in increasingly connected supply chains and facilitating trust between businesses has become a priority for organisations in every industry. And high-profile supply chain breaches have made cybersecurity, compliance and procurement professionals sit up and pay more attention.

LORCA member Risk Ledger has built a third-party risk management platform that facilitates the sharing of risk data between suppliers and their clients. The startup has just launched a report that takes a deep dive into data protection and supply chain security.

The introduction of specific supply chain risk management obligations in regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) means that firms need more visibility of their third parties' data protection practices than ever before, in order to avoid fines from regulators if breaches occur.

The report looks at two instances where firms have been fined under the GDPR for inadequately ensuring their third parties implement data protection risk controls.

Key insights from Risk Ledger

  1. There is a small but consistent cohort of suppliers who have a dangerously cavalier attitude towards data protection. 5-20% of suppliers have not implemented multiple, basic data protection risk controls. This increases the risk of a data incident or breach that affects them and their clients.
  2. Suppliers who have Cyber Essentials certification lack basic data protection risk controls at the same rate as suppliers who don’t have the certificate. This highlights how the certification is insufficient for building cyber resilience in the supply chain.
  3. Some firms could already be in breach of GDPR for the lack of data protection risk controls in their supply chain as reported directly by their suppliers. An investigation by the relevant data protection authority could land them with enforcement actions and a fine.

Risk Ledger’s latest report is the first in a series. To make sure you get all future reports (including the next edition on security governance risks in the supply chain), subscribe here.