NIS2 is Coming – How Should You Handle the New Supply Chain Cyber Security Requirements?

June 20, 2024 | 7 min read

Alisdair McLaughlin

Technical Solutions Architect

Al Mc Laughlin Square Calcite Duotone

The new NIS2 directive for cyber security is set to start becoming law in October and brings with it new cyber security requirements. Our first blog on NIS2 coming shared how to get ready for new incident response reporting incidents and this one will delve into another important topic, supply chain risk, or third-party risk management.

Supply chain risk is a hot topic with many enterprises getting breached through a weakness in a third party. Regulators are paying new attention to these attacks. 

As mentioned in my first blog, I’ve been involved in a number of NIS2 webinars with Microsoft, and reoccurring themes and questions have emerged during these different sessions. Let’s dive into the most asked topics. 

Supply chain risk, or third-party risk management (TPRM), is a key requirement emanating from the latest NIS directive. For heavily regulated industries, some organisations will be in a sound place, but there will be many who are not. Third-party risk is relatively new territory for many organisations, and some are completely lost as to where to start.  

There has been a plethora of media activity over the past couple of years relating to supply chain attacks. Supply chain breaches are occurring more frequently and there are new zero days announced nearly every week. Couple that with new legislation and adjustments to old regulations and it is no wonder this is a widely discussed issue. However, as this has largely been considered a procurement or Governance, risk management, and compliance (GRC) issue, it seems to have only recently, more widely, landed with security teams and the CISO office. 

BlueVoyant recently held a round table with several CISOs and supply chain risk soon became the main topic, with particular questions being raised: 

  • Is third-party risk management still primarily a GRC challenge or does the need for real-time insights particularly around data breaches and zero days, push it towards operations teams?  
  • How regulated industries might work together to gain better insights into the largest (and most opaque) suppliers?  
  • Where and when should coverage extend to fourth parties and beyond?  
  • As suppliers mature and supplier ecosystems develop, is the challenge of third-party cyber risk management getting harder or easier? 

Why Now? 

Every week it seems there is a new supply chain incident / breach that hits the news. According to a cost of data breach report done last year - supply chain compromises cost 11.8% more and take 12.8% longer to identify and contain than other breach types. BlueVoyant’s survey of c-level executives found the number of cyber breaches targeting organisations’ supply chains continues to rise, with an average 4.16 breaches reported to be negatively impacting operations this year — a 26% increase from the mean number of 3.29 breaches in 2022. Gartner anticipates, by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, corresponding to a threefold increase since 2021.  

Organisations have for a long time been assessing their own internal risk posture and assets with internal security assessments, implementing policies, teams and technology to prevent, detect, respond and recover from cyber attacks and deal with cyber security risk in general. A comparable level of effort does not typically exist to address supply chain risk, despite many critical suppliers being part of an organisation’s core attack surface. There is now some momentum both from a regulation point of view and from a board level, to focus on how to address the problem and organisations are implementing or elevating their current practices.    

Reflecting on Other Regulations and Frameworks 

Recently, we’ve seen many of the more prominent compliance and maturity frameworks bolster requirements around supply chain. With new legislations on the near horizon, such as DORA and NIS2, some organisations will not be able to avoid putting things in place. 

Within the latest ISO27001 (the international standard for information security management) we see requirements to ensure that organisations have the right policies in place including some form of third-party security assessment program. It stipulates that security requirements are agreed and documented within contracts, that satisfactory due diligence is untaken, and that more focus on monitoring and review the service is given (which includes that cyber security requirements are being met). How organisations do this is mostly left open to the organisations themselves.  

NIST CSF 2.0 covers these requirements in a similar fashion, and further stipulates some technical areas, GV.SC-04: Suppliers are known and prioritised by criticality is implemented to address tiering of vendors by criticality. Requirement GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are identified, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship is seen to look at risks associated with fourth parties. 

For financial organisations operating in the EU that are subject to both DORA and NIS2, DORA will supersede NIS2. Whilst, this will feel more specific to requirements around incident handling and the reporting obligations, the supply chain risk management requirements in the two legislations will be complimentary. 

What Was Once Best Practice is Now Standard Practice 

A programme’s maturity was once considered excellent if they were just doing basic third-party risk management — now, to score highly across standards, or achieve baseline certifications or compliance, third-party risk management is a basic principle. 

Periodic assessments of suppliers have value when executed properly as part of a risk programme, and they provide an insight into the organisation’s approach and appetite to security. But to meet new obligations, there is clear need to move towards continuous monitoring and a real-time approach to assessment validation.  

Taking what the above referenced frameworks are looking for, we can build on some best practices. Understanding risk pre-procurement enables organisations to understand the risk they are taking on, not just so the risk is known, but can managed or avoided if necessary before the vendor is onboarded. Tiering vendors enables organisations to know where the inerrant risk is and what controls need to be understood and tested. Periodically assessing vendors will help to determine that that the right controls are in place aligned to the inherent risk from the vendors and continuously monitoring vendors will help to not just determine exposure to critical vulnerabilities and security gaps but help to mitigate them and ultimately reduce risk in the ecosystem. A robust off-boarding plan will ensure technology connections are appropriately severed and data is removed or conclusively managed where necessary. 

Incidents and Zero Days 

A common challenge for organisations when looking at supply chain risk, is reacting to cyber incidents and data breaches within the supply chain or dealing with zero-day vulnerabilities. Understanding where the true impact lies is often difficult determine and can be a very time-consuming activity for operational teams.  

For cyber incidents, context is key. A lot of buzz hits the mainstream media and can cause quite a stir. Take the recent reported Snowflake incident. When initial incident accounts circulated, which were then later retracted, organisations were left wondering what had actually happened, and what mitigation action was required. Time is of the essence and accurate intelligence reporting enables organisations to take appropriate responses where required. 

Whilst with something like the string of Progress MOVEit vulnerability disclosures that started last summer, organisations must be, under new directives, able to determine who might be impacted within their critical supply chain, communicate observations, and proactively track remediation activities through continuous monitoring. 

Conclusion 

Wherever you are on your third-party risk management journey, there is an abundance of guidance and support tooling that will ensure you not only meet obligations set out within the approaching legislation, but will provide you the platform and coverage required for to comprehensively manage risk associated with your extended attack surface.  

As we evolve and better understand this problem space, and adapt to the ever-changing technological ecosystem, whatever controls are put into place will no doubt have to evolve and mature with them. 

Are you ready to explore how NIS2 will impact your cyber security strategy? We’re partnering with Microsoft security solutions to bring you best in class recommendations to get ready for October. BlueVoyant’s Cyber Defense Platform has a comprehensive solutions portfolio to help you turn on and operationalize Azure, Microsoft 365, and hybrid cloud for risk reduction and cost takeout. Find out if your organisation is ready by leveraging our automated NIS2 assessment today.  

Related Reading