In today’s bulletin, Charlie discusses how to manage a cyber attack involving a supplier and explains the importance of planning for a potential issue.

This week I was on site with a client. On Monday we conducted a half-day training session for their Silver Team and then their Gold Team, while on Tuesday, led by our consultant Stuart, we conducted a tabletop exercise. The scenario for the exercise was an attack on one of their key suppliers which would have a major impact on the delivery of service to their customers. So, I thought I would share some of my research and the issues involved in managing an attack on one of your key suppliers.

Statistics

One of the statistics which caught my eye was that in Verizon’s 2025 Data Breach Investigations Report, “the percentage of breaches where a third party was involved doubled, going from 15% to 30%”. [1] This shows that the risk is increasing, both as the volume of cyber attacks rises and as the reliance of many – perhaps most – organisations on suppliers to deliver their goods and services continues to grow.

Example Attacks

I have written a bulletin about several attacks on suppliers that have significantly affected their customers’ service delivery. Synnovis, a major provider of pathology services, experienced a cyber attack in June 2024 which disrupted services to multiple hospitals in London. In November 2023, CTS, which offers IT management and case management services to legal firms, suffered a cyber attack that impacted around 80 of their 200 customers. Some of those customers lost access to IT systems and telephony, while others lost access to their case management systems, greatly affecting lawyers’ ability to deliver services. The SolarWinds attack and the Kaseya incident also involved cyber attacks on IT management software providers, whose products then acted as the entry point through which attackers gained access to the systems of the organisations they served.

With suppliers, we must also remember that not all incidents are cyber-related. The failure of KFC’s new logistics supplier led to the chain running out of chicken. The insolvency of the construction firm ISG in September 2024 left organisations with unfinished building projects, and the OVH data centre fire in Strasbourg in 2021 took approximately 3.6 million websites offline. Therefore, when assessing supplier risk, we must consider the impact of both ‘conventional incidents’ and cyber attacks.

The Nature of Suppliers

Suppliers can provide a variety of goods and services to your organisation. They might supply an item, raw material, or product that is a crucial component in delivering your products to customers. They could be a service provider, processing information or offering services such as an outsourced call centre, which is essential to your service delivery. They may also be a Managed Service Provider (MSP), managing parts of your organisation like all your IT or specific areas such as development, helpdesk, or providing backups as a service. SaaS and cloud service providers may also deliver vital services to your organisation, the failure of which could have significant impacts.

Four Supplier Impacts

There are four major ways that the loss of a supplier can impact your organisation. First, the operational dependency risk, where losing a supplier can lead to failure in delivery to your customers or severe disruption to your internal systems. Second, suppliers may hold or process sensitive data on your behalf, so if this data is compromised, either accidentally or through a cyber incident, it remains your organisation’s responsibility to manage the incident. Third, a supplier might have privileged access to your systems in order to perform their role, and an attacker who compromises the supplier could exploit that access to infiltrate your organisation. Lastly, there is the business and ecosystem risk, where a supplier serving multiple clients in the sector could, if lost, destabilise the entire sector.

Planning Issues

What are some of the issues when managing a supplier cyber attack?

  1. Have you discussed and planned with the supplier how you will jointly manage a cyber attack so that both parties understand their role and the incident is coordinated? Managing an incident can be very challenging if it is caused by the supplier and they are at fault, but the two organisations need to present a united front.
  2. If the supplier is a large organisation, it may be difficult to know how to escalate an issue to them, especially outside of working hours. You may have an account manager, but they might not be the right person to speak to. Having documented protocols within the contract for emergency and out-of-hours incidents is advisable. The situation you want to avoid is having a major cyber attack that you believe may have originated from the supplier, and the only contact number available is the IT help desk, who, when you call, say that they ‘have logged the incident and someone will get back to you within the next 2-3 days.’
  3. Top management in your organisation might have limited contact with the senior management of the supplier organisation, so they may not know each other. If, at the start of an incident, this is the first time they meet, it can be difficult during a very stressful and potentially catastrophic situation for both teams to become familiar with each other and to build rapport and trust.
  4. Have you exercised with the third party, so that some of the issues both organisations may have can be played out and resolved before there is the pressure of a real incident?
  5. Building trust is crucial, as there is often some element of secrecy involved, whether it concerns declaring the incident to stakeholders or sharing the technical details of what occurred. Frequently, the supplier controls the technical account of what happened and the extent of the compromise, and they may be limited by their own legal advisors, insurers, and investigators. Building trust, in advance of an incident, can help the supplier feel more comfortable sharing technical information, impacts, and incident details that they might otherwise hesitate to disclose if they believe there is a risk of leaks.
  6. Has there been discussion on how external communications will be coordinated and written, including the sign-off of statements? Conflicting statements, or the customer blaming the supplier, do not present good optics externally and are likely to damage the reputation of both organisations.
  7. Have communications between both organisations been discussed? If one party experiences a cyber incident, it is likely that the APIs and data flows between them will be cut off, along with shared communications channels such as video conferencing and email domains, which could prevent the two organisations from communicating at all. This should be discussed, and fallback protocols agreed, in advance.
  8. I feel it is unlikely that the crisis teams from both organisations will meet at the same location to manage an incident, but this could happen if agreed in advance. There should be a discussion with key suppliers on how the incident will be handled and which teams will communicate with each other, including how communications will be coordinated. In the army, when we worked with a headquarters, each subordinate unit provided a liaison officer who could contact their unit and connect the headquarters with the right person to resolve an issue or answer questions on their behalf. I think the same idea applies here: a liaison officer from the supplier should join the customer at the location from which they are managing the incident, so they can relay information or answer questions. They could be virtual, as long as they have been designated and are available when needed.
  9. Sometimes the supplier may be more powerful than your organisation, especially if they are as big as Salesforce, AWS, or Microsoft. A major incident for you could be a minor issue for them, or they might have multiple incidents occurring simultaneously, in which case other affected customers might matter more to them than your organisation does. Therefore, having discussions with the supplier beforehand is crucial to understand your position and how you will coordinate with them.
  10. The technical response and forensic procedures could be agreed upon in advance. You might have the same third-party organisation responsible for responding to the incident as well as conducting the forensics, or you could employ different companies for each service. This introduces an extra layer of complexity, especially if the attacker has used a supplier as the route into your organisation, since the supplier will have its own responders and investigators. Technical standards, joint working, and coordination of the technical efforts can all be discussed beforehand, allowing relationships to be established.

Loss of a supplier always poses a risk, and organisations should identify their key suppliers as part of their risk management process and implement mitigation measures for their failure. It is also crucial to consider how both the supplier and customer would manage a joint incident if a cyber attack affects either or both parties. Like all business continuity actions, now is the time to explore these issues, build trust, and establish protocols, before an incident occurs.

References

[1] Verizon (2025), 2025 Data Breach Investigations Report.
