Why supply chain cyber risk matters
A breach at a supplier can expose your data, disrupt your operations, and create regulatory and reputational risk. Regulators and insurers increasingly ask about third-party risk—who you share data with, how you assess those parties, and how you document your due diligence. A short checklist helps procurement and IT work from the same criteria and gives you evidence to show auditors and insurers.
What to ask key suppliers
Security posture — Do they hold Cyber Essentials, ISO 27001, or equivalent? When was it last reviewed? Ask for evidence (certificates, assessment summary); don't rely on "we're compliant."
Data handling — Where is our data processed and stored? What are their breach notification obligations? How quickly would they tell us?
Access — Who has access to our systems or data? How is access reviewed and revoked? What happens when a contract ends?
Incidents — Have they had a material security incident? How was it handled and communicated? (Past incidents are not necessarily a disqualifier—how they responded matters.)
How to document due diligence
Keep a register of key suppliers recording: name; scope (what they do for you); security posture (certification, last assessment date); contract terms (expiry, liability cap, breach notification, right to audit); and next review date. Update it at least annually, and more often for critical or high-risk suppliers.
Red flags
No certification or "we're working on it" with no timeline; vague or absent breach notification terms; data stored in jurisdictions you cannot accept; refusal to provide evidence or answer security questions.
Strengthen your third-party risk approach—we help organisations assess and manage cyber risk in their supply chain. Or run a Vendor Security Check on a supplier's domain.