Government regulation could be on the way to force improvements in supply chain security after industry feedback and new research pointed to gaps in protection.
Feedback from the government’s call for views in May 2021 confirmed several key barriers for organizations: low recognition of supplier risk; limited visibility into supply chains; insufficient tools to evaluate supplier risk; and “limitations to taking action due to structural imbalances.”
The government trailed several possible “interventions” to improve the situation, including providing more advice and guidance, improved access to a skilled workforce and the right products, and regulation, which was reportedly described as “very effective” by more respondents than any other option.
IT service providers could in the future be required to follow cybersecurity rules such as the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework as part of possible regulation.
The NCSC offers specific Supply Chain Security and Supplier Assurance guidance at present, which could also be built into future requirements.
In addition, the government mooted the prospect of new procurement rules to ensure the public sector buys services from firms with good cybersecurity standards.
The news comes on the day that the government released a new study of chairs, CEOs and directors of Britain’s top companies. It revealed that nearly a third (31%) do not actively manage cyber risks in their supply chain.
A similar number (35%) don’t keep the board informed of such risks or include supply chain risks in written documentation (32%).
A third (34%) of respondents also called for greater awareness-raising, education and training for board members to enhance decision-making on cyber resilience issues.
A quarter (24%) suggested more engagement with third-party experts, while a fifth (21%) claimed regular updates and reports would help.
Supply chain security has become a headline risk in 2021 following significant ransomware attacks, including those on IT software company Kaseya, and state-backed operations such as the SolarWinds compromise.