Post by Susanne Alfs
Bridging the Business - Technology gap as a NED, a Cyber Governance expert, and when delivering Digital Transformation
Supplier cyber risk is too important to sit in procurement alone. The governance question is not simply whether suppliers have been assessed. It is whether the organisation knows which suppliers matter most, and how those dependencies align with strategy and risk appetite.

In the first of a two-part series on cyber third-party risk management, Joanna HARDING and I look at how to strengthen the governance foundations of Cyber Third-Party Risk Management.

The article provides practical board-level prompts on:
• classifying suppliers by business criticality, data access, connectivity, regulatory exposure and exit difficulty
• integration with enterprise risk management and procurement processes
• aligning contracts, security requirements and incident obligations with risk

Part 2 will look at the assurance evidence and board metrics.

Do you know which supplier failure could cause the greatest disruption?

Cyber4Directors #CyberResilience