Adidas, The North Face, Cartier and Victoria's Secret are the most recent names to join the ranks of retailers – Marks & Spencer, Harrods and the Co-op – hit by cyber attacks in recent months. Rich in customer data, with significant resources and a strong reputation to protect, a large retailer is an attractive target for cyber criminals. Complex digital supply chains also multiply the potential entry points for attackers: the attacks on Adidas and Marks & Spencer originated in supply chain vulnerabilities. For businesses in the retail sector (and beyond) that are sensibly reviewing and reinforcing their cyber readiness plans, these recent attacks demonstrate the importance of managing cyber risk across the whole supply chain – cloud service providers, POS system providers, app suppliers, and IT and customer service helpdesks. Here are 5 tips to help.
Cyber risks in your supply chain – where is your weakest link?
Map your supply chain
According to the UK Government's cyber security breaches survey 2025 ("2025 Survey"), 45% of large businesses reviewed the cyber security risks posed by their immediate suppliers (in comparison to 21% of small businesses). This is a drop from 55% in 2023. Only 25% reviewed the risks of their wider supply chain.
Cyber threats that enter via a third party are harder to detect and control than those inside your own estate. Knowing who your direct and indirect suppliers are, what they provide, how they provide it, and what data and systems they hold or can access will help you to identify your critical providers and manage the resulting threats to your business. Mapping your supply chain also shows which measures can readily be enforced through contracts, and puts you in a position to respond more rapidly to supply chain related cyber incidents and to regulatory requirements. The National Cyber Security Centre (NCSC) has published guidance on mapping your supply chain.
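A supply chain map is only useful if it can answer questions such as "which tier 2 or tier 3 suppliers can see our customers' personal data, and have we ever assessed them?". The following is an added illustration, not code from the article or from NCSC: it models a retailer's suppliers as a graph of onward subcontracting, derives each supplier's tier, and flags critical but unassessed suppliers at any depth. The supplier names, services, access categories and the "critical" rule are constructed assumptions for the example.

```python
"""Supplier map as a graph: tiers, downstream reach and review gaps.

Added example (not from the original article). All supplier data and the
sensitivity / privilege categories are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    service: str
    data_held: frozenset = frozenset()      # data categories the supplier holds, e.g. {"personal"}
    system_access: frozenset = frozenset()  # our systems it can reach, e.g. {"pos", "ad-admin"}
    subcontractors: tuple = ()              # names of the suppliers it subcontracts to
    assessed: bool = False                  # have we reviewed its security posture?


# Constructed sample data: four direct suppliers, some of which subcontract onward.
SAMPLE = [
    Supplier("cloudco", "hosting", frozenset({"personal"}), frozenset({"prod"}), ("dc-ops",), True),
    Supplier("pos-vendor", "POS terminals", frozenset({"payment"}), frozenset({"pos"}), ("pos-maint",), True),
    Supplier("appdev", "mobile app development", frozenset(), frozenset({"api"}), ("analytics-sdk",), True),
    Supplier("helpdesk", "outsourced IT service desk", frozenset(), frozenset({"ad-admin"}), (), False),
    Supplier("dc-ops", "datacentre operations", frozenset({"personal"}), frozenset({"prod"}), ()),
    Supplier("pos-maint", "field maintenance", frozenset(), frozenset({"pos"}), ()),
    Supplier("analytics-sdk", "usage analytics", frozenset({"personal"}), frozenset(), ("ad-network",)),
    Supplier("ad-network", "advertising", frozenset({"personal"}), frozenset(), ()),
]
DIRECT = ("cloudco", "pos-vendor", "appdev", "helpdesk")

# Assumed classification rule: a supplier is critical if it holds sensitive data
# or has privileged access to our systems.
SENSITIVE = {"personal", "payment"}
PRIVILEGED = {"prod", "pos", "ad-admin"}


def build_graph(suppliers):
    return {s.name: s for s in suppliers}


def tiers(graph, direct):
    """Breadth-first walk from the direct suppliers: tier 1 = direct,
    tier n = reached through n-1 subcontracting hops."""
    tier = {name: 1 for name in direct}
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for sub in graph[current].subcontractors:
            if sub not in tier:
                tier[sub] = tier[current] + 1
                queue.append(sub)
    return tier


def reach(graph, name):
    """Every supplier downstream of `name` (its wider supply chain)."""
    seen, queue = set(), deque([name])
    while queue:
        current = queue.popleft()
        for sub in graph[current].subcontractors:
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return seen


def is_critical(supplier):
    return bool(supplier.data_held & SENSITIVE) or bool(supplier.system_access & PRIVILEGED)


def review_gaps(graph, direct):
    """(name, tier) of every critical supplier, at any depth, that has not been assessed."""
    tier = tiers(graph, direct)
    return sorted((n, t) for n, t in tier.items()
                  if is_critical(graph[n]) and not graph[n].assessed)


def exposure_via(graph, name):
    """Data categories that leave the organisation through `name` or any of its subcontractors."""
    exposed = set(graph[name].data_held)
    for sub in reach(graph, name):
        exposed |= graph[sub].data_held
    return exposed


if __name__ == "__main__":
    g = build_graph(SAMPLE)
    for name, tier in sorted(tiers(g, DIRECT).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {tier}: {name:14s} exposure via this route: {sorted(exposure_via(g, name))}")
    print("critical but unassessed:", review_gaps(g, DIRECT))
```

Two things fall out of the walk that a flat supplier list does not show: the app developer holds no customer data itself, yet personal data leaves via its tier 2 analytics SDK and a tier 3 ad network; and the helpdesk, a tier 1 supplier with administrative access, was never assessed at all. Those are exactly the suppliers whose contracts need flow-down terms and whose onboarding needs a security review.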
Carry out supply chain due diligence
You will need to assess whether your suppliers have an appropriate level of cyber resilience and data hygiene – where a supplier processes personal data on your behalf, due diligence is a legal requirement under UK GDPR (Article 28 permits controllers to use only processors that provide sufficient guarantees of appropriate technical and organisational measures). Your suppliers should complete a security questionnaire, and your security and procurement personnel need to be trained to assess the answers properly so that weaknesses can be addressed. If your systems are to be integrated with a supplier's, how easily can a compromise be contained? How regularly are their systems checked for vulnerabilities, and what is the back-up plan if those systems are compromised?
Human error
Human error is cited time and again as the primary cause of cyber security breaches, with phishing remaining the most prevalent type of attack. Marks & Spencer confirmed that the attack on their systems was a consequence of human error within their supply chain. Just as you train your staff on the range of cyber incidents that can arise and include steps to limit human error and technological issues, check whether your suppliers do the same.
It may be appropriate for suppliers to provide independent third-party assessments, audits, or certifications depending on your requirements and the level of risk.
Ensure your contract (and subcontracting) terms protect your data and systems
In addition to compliance with law and data protection provisions, contracts with your suppliers should include (according to the risk profile):
- commitments to minimum security measures, security SLAs and maintenance of security accreditations
- obligations to maintain disaster recovery and business continuity plans
- rights to carry out audits on businesses in the supply chain to test resilience, including, where appropriate, penetration testing (there are alternative oversight options, e.g. for cloud services providers)
- cyber incident reporting, cooperation and response requirements, including timeframes
- exit strategies with obligations to delete and return data on termination
- provisions to allocate risk and cost for cyber incidents and data breaches and set requirements for cyber insurance.
To help manage your wider supply chain, there must be appropriate controls over subcontracting, including, where necessary, mandatory flow-down of contractual requirements.
…but don't stop there
Due diligence is not a one-off, pre-contract exercise: contracts should be actively managed and, where necessary, enforced throughout the relationship. Audit, governance and reporting rights must actually be exercised, and business continuity and disaster recovery plans tested, on a regular cycle rather than only when things go wrong. Measures to prevent unauthorised or unintended access to your information and systems, and any unnecessary sharing of data, must be policed, and changes to systems and data flows should be tracked and recorded. At the end of the relationship, the supplier should confirm that your data has been deleted in line with the contract.
Make supply chain risks part of your cyber readiness planning
Having in place and testing a Cyber Incident Response Plan is crucial, but do you have a clear understanding of how your suppliers' processes and incident response plans, particularly their contingency and communication plans for when a critical incident impacts multiple customers, fit with your organisation's plans?
In our Mitigating a Data Breach: Insider Threats podcast series, we discussed the importance of "war-gaming" your cyber incident response plans. As part of that exercise, it is important to practise how you would respond if a data breach originated at a key supplier, or if cyber criminals gained access to your systems through your supply chain. This will help you establish how your response plans hold up, what information you will need from your suppliers and that your response team understand their roles and steps they should be taking. For key suppliers, consider involving them in your planning and training.
Look to available guidance and regulatory requirements
New cyber legislation and legislative proposals, both in the UK and the EU, and existing international standards such as ISO 27001:2022, focus on management of supply chain cyber risk. New cyber legislation generally targets financial services, critical national infrastructure or essential services rather than the retail sector (apart from the EU's NIS2 Directive, which applies directly to EU-based online marketplaces and to retailers involved in food production, processing and distribution above a certain size threshold). However, new cyber resilience obligations either already apply (under NIS2) or will soon apply (under the UK's forthcoming Cyber Security and Resilience Bill) to IT managed service providers. These legislation-backed minimum standards should help protect against cyber criminals leveraging managed services to gain access to retail sector clients.
What are other sectors doing?
It is helpful to understand what lessons have been learned, and measures taken, in other sectors which are popular targets for cyber criminals, like financial services, which treat cyber security as a higher priority than businesses overall. In the 2025 Survey, 97% of respondents from the finance and insurance sectors said cyber security was a "high priority", contrasted with businesses in the retail or wholesale sector, 44% of which said it was a "low priority" (compared with 27% of businesses overall).
According to the 2025 Survey, there has been a drop in large businesses seeking external information or guidance on cyber security (51%, down from 67% in 2024). There is a broad range of guidance and codes of practice out there, e.g., DSIT's new Cyber Governance Code of Practice (April 2025) designed to support boards and directors with governing cyber security risks, as well as NCSC's 12-principle-based Supply chain security guidance, Cyber Essentials and its blog setting out technical recommendations following the most recent attacks on the retail sector. The Government's diagram below shows how the various cyber codes of practice (or similar) apply:
From a data protection perspective, in addition to general data breach guidance, the ICO in its blog, "Learning from the mistakes of others", comments specifically on supply chain attacks.
The ICO has also recently demonstrated that it will take direct enforcement action in relation to supply chain vulnerabilities, fining Advanced Computer Software Group £3.07m following a ransomware attack for security failings, including gaps in multi-factor authentication – the first data processor to be fined by the ICO.
As at the time of writing (June 2025), Marks & Spencer continues to count the cost of the recent attack – it estimates that it will hit this year's profits by around £300m. For all sectors, especially retail, it is a stark reminder that even large, security-conscious companies are susceptible to vulnerabilities arising from compromised external partners. Supply chain attack preparedness and incident response integration should be treated as board level priorities to limit the significant business disruption, cost and impact on customer confidence which these incidents can entail.
Contact: Louisa Chambers, Head of Technology & Commercial Transactions, +44 20 7295 3344