Tech & Sourcing @ Morgan Lewis


The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) is requesting views on supply chain cybersecurity, which it will look to incorporate into its new National Cyber Security Strategy.

This follows a trend in increased focus on national cybersecurity (in particular in relation to supply chains), including President Joseph Biden’s executive order to improve the United States’ cybersecurity, which we covered in our earlier posts of June 1 and June 4.

Research by DCMS indicates that only 12% of organizations and 36% of large firms formally review cybersecurity risks coming from their immediate suppliers, and that only 5% address vulnerabilities in their wider supply chains.

UK Digital Infrastructure Minister Matt Warman claims that “[i]t’s essential organisations protect themselves and secure their mission critical supply chains” as they “cannot outsource risk.”

Due to the increasing movement of operations online, especially in light of COVID-19, cyber supply chains and third-party IT service providers are becoming even more essential to the continuation of numerous businesses. Cybercriminals may leverage vulnerabilities in a supplier’s systems to gain access to businesses throughout the supply chain, potentially affecting hundreds of businesses through a single compromise. The UK government has recognized this and wants to ensure that supply chain cybersecurity is a key part of its new National Cyber Security Strategy.

The National Cyber Security Centre (NCSC) already offers various support to organizations in order to help assess their suppliers’ security risks. This includes advising on how to identify cybersecurity risks and vulnerabilities that impact the whole business, such as through the Cyber Assessment Framework, as well as supply chain specific guidance. However, the UK government wants to understand what more it can do to support UK firms with their supply chain cybersecurity.

The call for views comprises 19 key questions, which are split across two parts:

  • Part 1 is focused on supply chain risk management and how the UK government can intervene to help manage risks in the future.
  • Part 2 concerns the suitability of a proposed cybersecurity framework for managed service providers.

The proposed framework could require managed service providers to meet the current Cyber Assessment Framework principles, 14 cybersecurity principles designed for organizations that play a key role in the day-to-day functioning of the United Kingdom. The framework also sets out measures that organizations ought to take, including ensuring that data is protected at rest and in transit, training staff, and fostering a positive cybersecurity culture.

The call for views is open until July 11, 2021.