Understanding the impact of industry and government regulations on your supply chain is essential for reducing risk to your business and providing assurance to your customers. This article unpacks several compliance requirements to consider addressing as part of your broader supplier risk management program.
While companies have been subject to information security and data privacy regulations for years, several mandates have recently evolved to increase their focus on supplier relationships. At the same time, we’re seeing the introduction of ESG compliance requirements with significant implications for supply chains. In this post, we will cover the categories of supplier compliance requirements, review key regulations that directly address supplier risk, and discuss how they factor into your SRM program.
Three principal types of compliance requirements apply to third-party suppliers:
It’s no secret that information security compliance is a core consideration when working with software companies, SaaS service providers, and other IT vendors. However, it’s critical to ensure that your non-IT suppliers also incorporate information security standards into their business practices.
Any supplier can pose data breach risks if they have access to your organization’s sensitive information, systems, or facilities. Consider the following examples:
Environmental, social, and governance (ESG) practices in the supply chain are increasingly crucial to many organizations. Several countries are establishing regulations requiring organizations to conduct ESG due diligence throughout their supply chains proactively. Examples of ESG issues impacting supply chains include:
Data privacy is also a significant concern when working with suppliers. Regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York SHIELD Act set standards for how consumer data can be acquired, processed, and shared. Supplier data privacy concerns can arise from situations like:
Discover Best Practices for Supply Chain Resilience
Expand your knowledge of supplier risks and get prescriptive guidance for maturing your supplier risk management program.
Even suppliers outside the IT industry may have access to PII, PHI, intellectual property, or other sensitive information that could pose compliance risks for your organization. Here are a few major information security requirements to consider when working with suppliers:
The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement information security controls that secure patients' protected health information (PHI). HIPAA requirements govern several types of organizations, including healthcare providers, health plan providers, and healthcare clearinghouses.
Under the HIPAA Business Associate Rule, third-party vendors and suppliers that store or process PHI also fall under HIPAA oversight. While HIPAA business associates tend to be IT vendors, this isn't always the case. Business associates can also include suppliers such as:
HIPAA's Business Associate Rule applies to any third party that stores or processes PHI. According to the Department of Health and Human Services, a business associate is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."
The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense (DoD) to improve the security of its supply chain, known as the Defense Industrial Base (DIB).
Under CMMC 2.0, organizations seeking to work with the Department of Defense will be required to meet specific information security standards and be certified against one of three CMMC levels, depending on the type of data they handle and the scope of their access to classified information:
The CMMC will apply to all DoD prime contractors, subcontractors, and suppliers in the DoD supply chain. The DoD anticipates that over 300,000 organizations will be impacted by CMMC regulations. Organizations that fail to comply with CMMC can lose the ability to bid on contracts with the U.S. Department of Defense. The final rulemaking on CMMC 2.0 is in progress, with phased implementation set for later this year and into 2025.
The National Institute of Standards and Technology (NIST) publishes cybersecurity frameworks containing best practices for building effective information security programs. All U.S. federal agencies, contractors, and subcontractors working with federal agencies must comply with NIST security mandates.
NIST documents are not legally binding, but several regulations are based on NIST controls and standards. Many public and private organizations require third-party certifications based on NIST guidance. Several NIST special publications outline controls that require organizations to establish and implement processes to identify, assess, and manage supply chain risk. These include:
NIST requirements related to third-party suppliers include:
NIST is not a regulatory body, so there are no direct legal penalties for non-compliance unless required by regulations like HIPAA, which uses NIST SP 800-66. However, if your organization works with U.S. government agencies, compliance with NIST standards is necessary. Non-compliance with NIST standards for third-party suppliers can still pose risks and harm customer relationships.
Align Your TPRM Program with ISO, NIST, SOC 2 and More
Download this guide to review specific requirements from 11 different cybersecurity authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
Regulations designed to address environmental, social, and governance (ESG) concerns are increasingly requiring organizations to proactively identify and address ESG issues in their extended supply chains.
Early ESG regulations, such as the UK Modern Slavery Act and the California Transparency in Supply Chains Act (CTSCA), primarily require organizations to report on their efforts to mitigate unethical practices in their supply chains. However, newer and more stringent ESG regulations demand actions such as conducting routine audits of supplier ESG practices, terminating contracts with unethical suppliers, and proactively monitoring supply chains for potential ESG risks.
ESG compliance requirements fall into two main categories:
Existing and upcoming ESG regulations for your supplier risk management program include the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act, the UK Modern Slavery Act, the German Supply Chain Due Diligence Act, and the EU Corporate Sustainability Diligence Directive.
The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to "report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains." The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, Australia Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labor, child labor, and other forms of modern slavery.
All Canadian government organizations that produce, purchase, or distribute goods in Canada must comply with the Act. In addition, commercial entities must comply if they are either a) listed on a stock exchange in Canada or b) do business in and have assets in Canada that are at least $20 million, generate at least $40 million in revenue, and employ an average of at least 250 employees.
The Modern Slavery Act of 2015 is a UK law that requires organizations to publicly communicate their practices to ensure that forced labor, human trafficking, and other forms of involuntary servitude are not taking place in their businesses or supply chains.
The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations must disclose, including:
The UK Modern Slavery Act applies to organizations operating in the UK with annual sales of £36 million or more.
The German Supply Chain Due Diligence Act mandates organizations to implement human rights due diligence in their supply chains. This law requires businesses to take all necessary steps to prevent human rights risks, report on their efforts, remediate risks, and retain documentation for seven years.
Covered companies must update their processes for supply chain due diligence and align their activities with the Act's provisions, which cover the following areas:
As of 2023, all companies operating in Germany with at least 3,000 employees are subject to the German Supply Chain Due Diligence Act. In 2024, the law will extend to companies with over 1,000 employees.
The Corporate Sustainability Due Diligence Directive, or CSDDD, outlines specific obligations for companies to perform due diligence on their operations and supply chains to identify, prevent, mitigate, and account for adverse environmental, labor, and human rights impacts. The European Parliament released the final draft in January 2024. If adopted, the law will go into effect in phases starting in 2027.
If the law is enacted, it will require organizations to:
If adopted, Corporate Sustainability Due Diligence Directive rules will apply to EU companies and parent companies with over 500 employees and a worldwide turnover higher than 150 million euros. The obligations will apply to companies with more than 250 workers and a turnover exceeding 40 million euros if they generate at least 20 million euros in one of the following sectors:
Data privacy requirements are another central concern for organizations that work with third-party suppliers. Regulations such as GDPR and CCPA limit how personal data can be shared, stored, and processed between companies, and significant fines are imposed for compliance violations.
The General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR applies to any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of its location.
Because third parties are often responsible for managing personal data on behalf of their customers, organizations must ensure that their suppliers and vendors have data protection controls and governance in place. This process involves conducting data privacy control assessments, analyzing the results for potential risks, and requiring third parties to remediate risks to avoid regulatory, financial, and reputational exposures.
In fact, the GDPR requires organizations to conduct risk assessments to identify privacy risks—both internally and at third parties that handle, process, or store personal data on behalf of the organization. Recital 76—Risk Assessment states that “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
The GDPR applies to any organization that stores or processes data belonging to residents of the European Union.
The California Consumer Privacy Act regulates businesses’ collection and sale of consumer data to protect California residents’ sensitive personal information and provide consumers with control over how companies use that information.
The CCPA applies to consumer data collected from any resident of California, whether by a company headquartered there or just doing business there. Organizations need to monitor suppliers with access to data belonging to California residents and implement proactive measures to ensure that data subject to the CCPA is handled properly.
The CCPA was expanded in 2023 with the California Privacy Rights Act (CPRA), adding new compliance obligations that mandate strict third-party agreements to ensure the secure collection, use, and disposal of consumer information.
The CCPA applies to businesses that collect personal information from California residents, service providers, and third parties to which businesses transfer that information. While the CCPA is a state law, it applies to any for-profit entity – anywhere – that does business with California consumers and:
Build a More Proactive Supplier Risk Management Program
Our best practices guide delivers a prescriptive outline for staying on top of supplier risk from onboarding to offboarding.
Today’s third-party risk environment is complex and constantly evolving. Your supplier risk management program should, therefore, be able to meet regulatory compliance requirements and ensure business resilience throughout your supply chain.
With Prevalent’s supplier risk management solution, you can automate your supplier risk assessment, monitoring, analytics, and reporting activities with a single, unified platform. At the same time, you get built-in coverage for dozens of compliance regulations and best-practice frameworks. See how you can streamline your supplier risk compliance, schedule a demo today.
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024