Governance

GOV035

Provide support for security incidents

It’s reasonable to expect your suppliers to manage security risks according to their contracts. But be prepared to provide support and assistance if necessary, for example when a security incident could affect your business or the wider supply chain.

Make requirements clear in supplier contracts

In your contracts with suppliers, clearly set out requirements for managing and reporting security incidents or breaches.

Clarify their responsibilities for advising you about incidents. For example, make it clear how soon after an incident they need to report to you, who the report should go to, and what the report should contain. It’s particularly important to ensure your service providers report incidents or suspected incidents that affect:

  • their ability to deliver their contracted services
  • your organisation’s information (when they’re holding or transporting it).

You should also clearly state what support your suppliers can expect from you following an incident, for example support with clean-up and handling losses.

Consider clarifying how your supplier will manage security incidents or breaches.

Consider including contract conditions that require providers to report to you about breaches of ICT security that involve other clients’ information.

Communicate lessons learnt

When you’ve learnt lessons from security incidents, communicate them to all your suppliers. This helps stop them becoming victims of ‘known and manageable’ attacks.

Page last modified: 4/05/2022