Effective cyber risk management should include the cyber risks that arise from an organization’s supply chain: suppliers of products and services that the organization uses internally or integrates into its own products or services, and business partners that have access to the organization’s systems or that might otherwise affect the organization’s cyber security posture.
Guidance for supply chain cyber risk management may be found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework Draft Version 1.1 (“CSF Update”), which was published for comment in January 2017 as a proposed update to the NIST Framework for Improving Critical Infrastructure Cybersecurity. The NIST Cybersecurity Framework was first published in 2014 to help manage cybersecurity risks to U.S. critical infrastructure, but it has since been widely adopted or endorsed as a foundational resource by many kinds of organizations around the world, including in Canada. For example, see Canadian Securities Administrators Staff Notice 11-332 Cyber Security, the Investment Industry Regulatory Organization of Canada Cybersecurity Best Practices Guide, the Mutual Fund Dealers Association of Canada Compliance Bulletin – Cybersecurity, and Public Safety Canada’s Fundamentals of Cyber Security for Canada’s CI Community.
The CSF Update emphasizes and explains the importance of managing cyber risks arising from an organization’s suppliers and business partners. It provides details to help organizations manage those risks in balance with other enterprise risks, and it lists a number of recommended activities and outcomes for effective supply chain cyber risk management, including identifying and prioritizing suppliers and partners, determining cybersecurity requirements for them, requiring them to contractually agree to comply with those requirements, and verifying their compliance with those requirements (for example, through audits, test results or other forms of evaluation) rather than relying on the contractual commitment alone. The CSF Update also recommends cyber incident response and recovery planning and testing with critical suppliers and partners.
The CSF Update is consistent with supply chain cyber risk management guidance issued by Canadian regulators and self-regulatory organizations. For example, see Getting Accountability Right with a Privacy Management Program (Privacy Commissioners of Canada, Alberta and British Columbia), the Cyber Security Self-Assessment Guidance (Office of the Superintendent of Financial Institutions) and the Cybersecurity Best Practices Guide (Investment Industry Regulatory Organization of Canada).