Supplier Compliance: Key Regulations to Consider for Your SRM Program

Information Security Requirements for Suppliers

Even suppliers outside of the IT industry may have access to PII, PHI, intellectual property, or other sensitive information that could pose compliance risks for your organization. Here are a few major information security requirements to consider when working with suppliers:

HIPAA for Suppliers

The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to implement information security controls that secure patients’ protected health information (PHI). HIPAA requirements govern several types of organizations including healthcare providers, health plan providers, and healthcare clearinghouses.

Under the HIPAA Business Associate Rule, third-party vendors and suppliers that store or process PHI also fall under HIPAA oversight. While HIPAA business associates tend to be IT vendors, this isn't always the case. Business associates can also include suppliers such as:

• Consultants that process healthcare claims
• Suppliers that perform utilization and efficiency reviews for a hospital
• Medical transcriptionists

Which suppliers must comply with HIPAA?

HIPAA’s Business Associate Rule applies to any third party that stores or processes PHI. According to the Department of Health and Human Services, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

What are the penalties for non-compliance?

HIPAA penalties vary depending on the severity of the violation, and there are four tiers to the financial penalty structure: No Knowledge, Reasonable Cause, Willful Neglect (corrective action taken), and Willful Neglect (no corrective action taken). Fines are adjusted for inflation and currently max out at close to $2 million per violation. In the case of PHI theft, there are also criminal penalties of up to 10 years in jail.

CMMC for Suppliers

The Cybersecurity Maturity Model Certification (CMMC) is a framework created by the U.S. Department of Defense (DoD) that is designed to improve the security of its supply chain, known as the Defense Industrial Base (DIB).

Under CMMC 2.0, organizations seeking to work with the Department of Defense will be required to meet certain information security standards and be certified against one of three CMMC levels, depending on the type of data they handle and the scope of their access to classified information:

• Level 1: This level is for suppliers managing Federal Contract Information (FCI) that is not critical to national security and requires self-assessments against 17 controls.
• Level 2: Suppliers handling controlled unclassified information (CUI) fall under Level 2 and will require certification against an additional 110 controls from NIST SP 800-171. Though some suppliers will be able to conduct self-assessments at this level, most will require assessments by certified third-party audit organizations (C3PAOs).
• Level 3: An expert level for the highest-priority DoD suppliers, this level requires a subset of NIST SP 800-172 controls in addition to the controls required for Level 2. The federal government will conduct the audits for Level 3 suppliers.

Which suppliers must comply with the CMMC?

The CMMC will apply to all DoD prime contractors, subcontractors, and any supplier in the DoD supply chain. The DoD anticipates that over 300,000 organization will be impacted by CMMC regulations.

When does the CMMC go into effect?

The CMMC is scheduled to be enacted in May 2023, when the DoD is set to release its Interim Rule on the framework. CMMC requirements will then be incorporated into DoD contracts starting in July 2023, or 60 days after the Interim Rule is published.

What are the penalties for non-compliance?

Organizations that fail to comply with CMMC can lose the ability to bid on contracts with the U.S. Department of Defense.

NIST for Suppliers

The National Institute of Standards and Technology (NIST) publishes cybersecurity frameworks containing best practices for building effective information security programs. All U.S. federal agencies, as well as contractors and subcontractors that work with federal agencies, are required to comply with NIST security mandates.

NIST documents are not legally binding requirements, but several regulations are based on NIST controls and standards – and many public and private organizations require third-party certifications based on NIST guidance. Several NIST special publications outline controls that require organizations to establish and implement the processes to identify, assess and manage supply chain risk. These include:

• SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
• SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• Cybersecurity Framework v2.0: Framework for Improving Critical Infrastructure Cybersecurity

Which NIST requirements apply to supplier relationships?

Broadly speaking, NIST requirements related to third-party suppliers include:

• Assess if security controls are implemented correctly, operating as intended, and meeting requirements
• Monitor security controls to determine their effectiveness on an ongoing basis
• Determine cybersecurity requirements for suppliers
• Enact cybersecurity requirements through formal agreements (e.g., contracts)
• Communicate to suppliers how cybersecurity requirements will be verified and validated
• Verify that cybersecurity requirements are met through assessment methodologies

What are the penalties for non-compliance?

NIST is not a regulatory body and there are no direct legal penalties for failing to comply with NIST standards, unless they are incorporated into a regulatory requirement that applies directly to your organization. For instance, HIPAA-regulated organizations use NIST SP 800-66 to enable compliance with the HIPAA Security Rule.

With that said, keep in mind that your organization will need to comply with NIST standards if it does business with U.S. government agencies. Whether or not your company is directly subject to NIST, failing to meet NIST standards regarding third-party suppliers can expose your organization to unnecessary risk and jeopardize your customer relationships.

ESG Compliance Requirements for Suppliers

Regulations designed to address environmental, social and governance (ESG) concerns are increasingly requiring organizations to proactively identify and address ESG issues in their extended supply chains.

Early ESG regulations such as the UK Modern Slavery Act and the California Transparency in Supply Chains Act (CTSCA) largely required organizations to report on their efforts to mitigate unethical practices in their supply chains. However, newer, more stringent ESG regulations require actions such as conducting routine audits of supplier ESG practices, ending contracts with unethical suppliers, and proactively monitoring supply chains for potential ESG risks.

ESG compliance requirements fall into two main categories:

1. Disclosure Requirements, which dictate that organizations report on efforts to address ESG concerns in their supply chains
2. Due Diligence & Control Requirements, which require organizations to evaluate supplier ESG practices and ensure that suppliers implement ESG-related controls

Existing and upcoming ESG regulations to consider for your supplier risk management program include the Canadian Fighting Against Forced Labour and Child Labour in Supply Chains Act, the UK Modern Slavery Act, the German Supply Chain Due Diligence Act, and the EU Corporate Sustainability Diligence Directive.

Fighting Against Forced Labour and Child Labour in Supply Chains Act (S-211)

The Fighting Against Forced Labour and Child Labour in Supply Chains Act, also known as S-211, is a law that requires Canadian government institutions and select private sector entities to, “report on the measures taken to prevent and reduce the risk that forced labour or child labour is used by them or in their supply chains.” The Act also provides for an inspection regime to enforce its provisions. As with the UK Modern Slavery Act, Australia Slavery Act, and similar laws, the Act aims to contribute to the global fight against forced labour, child labour and other forms of modern slavery.

Who must comply with the Fighting Against Forced Labor Act?

All Canadian government organizations that produce, purchase or distribute goods in Canada must comply with the Act. In addition, commercial entities must comply if they are either a) listed on a stock exchange in Canada, or b) do business in and have assets in Canada that are at least $20 million, generate at least $40 million in revenue, and employ an average of at least 250 employees.

What are the penalties for non-compliance?

If an organization fails to comply with the Act’s provisions, it could be liable for a fine of not more than $250,000.

The UK Modern Slavery Act

The Modern Slavery Act of 2015 is a UK law that requires organizations to publicly communicate their practices to ensure that forced labor, human trafficking, and other forms of involuntary servitude are not taking place in their businesses or supply chains.

The "Transparency in Supply Chains" section of the Act (Part 6, Section 54) defines what information organizations are required to disclose, including:

• organizational structure, including information about its business and its supply chains
• corporate policies that address slavery and human trafficking
• due diligence processes for revealing potential slavery and human trafficking in its business and supply chains
• specific business areas where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk
• performance in ensuring that slavery and human trafficking does not occur in its business or supply chains
• information about staff training on slavery and human trafficking topics

Who must comply with the UK Modern Slavery Act?

The UK Modern Slavery Act applies to organizations operating in the UK that have annual sales of £36 million+.

What are the penalties for non-compliance?

The current version of the UK Modern Slavery Act does not impose penalties for non-compliance. In fact, you can satisfy the current reporting requirement by simply publishing a statement indicating that your organization has not taken any steps to address human trafficking in its supply chain. Given that, the Queen’s Speech 2022 announced a new Modern Slavery Bill, which would impose civil penalties on organizations for non-compliance.

The German Supply Chain Due Diligence Act

The German Supply Chain Due Diligence Act requires organizations to proactively detect and eliminate forced labor and modern slavery, employee exposure to hazardous waste, and environmental contamination in supply chains.

Covered companies must update their processes for supply chain due diligence and align their activities with the Act's provisions, which cover the following areas:

• Environmental damage
• Minimum wages
• Child labor and forced labor
• Unlawful seizure of land and waters
• Torture
• Discrimination
• Freedom of association
• Problematic employment and working conditions
• Occupational health and safety

Who must comply with the German Supply Chain Due Diligence Act?

Companies that operate in Germany and have more than 3,000 employees will be subject to the German Supply Chain Due Diligence Act starting on January 1, 2023.

What are the penalties for non-compliance?

Penalties for violating the German Supply Chain Due Diligence Act include fines of up to €8 million for organizations with under €400 million in annual revenue and up to 2% of annual revenue for organizations with over €400 million in revenues.

The EU Corporate Sustainability Due Diligence Directive

A proposal for a Directive on corporate sustainability due diligence is currently working its way through the EU parliament. The Directive would enforce a “due diligence duty” whereby organizations would be responsible for “identifying, bringing to an end, preventing, mitigating and accounting for negative human rights and environmental impacts in the company’s own operations, their subsidiaries and their value chains.”

If the law is enacted, organizations will be required to:

• Integrate ESG due diligence into corporate policies
• Identify actual or potential adverse human rights and environmental impacts
• Prevent or mitigate potential impacts
• End or minimize actual impacts
• Establish and maintain a complaints procedure
• Monitor the effectiveness of the due diligence policy and measures
• Publicly report on due diligence activities

Who must comply with the Corporate Sustainability Due Diligence Directive?

If enacted, Corporate Sustainability Due Diligence Directive rules would apply to any company that falls into one of the following categories:

• EU-based, any sector, 500+ employees, and net €150 million+ turnover worldwide
• EU-based, high-impact sectors (e.g., textiles, agriculture, mining), 250+ employees, and net €40 million+ turnover worldwide
• Non-EU based, any sector, 500+ employees, and net €150 million+ turnover generated in the EU
• Non-EU based, high-impact sectors, 250+ employees, and net €40 million+ turnover generated in the EU

Note that the Directive is still in draft, so the final legislation will likely include changes in application and/or scope.

What would the penalties be for non-compliance?

As currently written, the Directive indicates that EU member states would set their own fines and penalties for non-compliance. It also allows civil lawsuits to be brought against companies that violate the rules of the Directive.

Privacy Requirements for Suppliers

Data privacy requirements are another major area of concern for organizations that work with third-party suppliers. Regulations such as GDPR and CCPA place strict limitations on how personal data can be shared, stored and processed between companies and impose significant fines for compliance violations.

GDPR for Suppliers

The General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR applies to any organization that collects, stores, processes or transfers personal data on individuals in Europe, regardless of the organization’s location.

Because third parties are often responsible for managing personal data on behalf of their customers, organizations must ensure that their suppliers and vendors have data protection controls and governance in place. This involves conducting data privacy controls assessments; analyzing the results for potential risks; and requiring third parties to remediate risks to avoid regulatory, financial and reputational exposures.

In fact, organizations are required by the GDPR to conduct risk assessments to identify privacy risks – both internally and at third parties that handle, process or store personal data on behalf of the organization. Recital 76 – Risk Assessment states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”

Who must comply with the GDPR?

The GDPR applies to any organization that stores or processes data belonging to residents of the European Union.

What are the penalties for non-compliance?

GDPR penalties can reach up to €20 million or 4% of the violating organization’s annual turnover from the previous year, whichever is higher. The top 3 largest GDPR fines to date are Amazon (€746 million), WhatsApp (€225 million) and Google Ireland (€90 million).

CCPA for Suppliers

The California Consumer Privacy Act regulates business’ collection and sale of consumer data to protect California residents’ sensitive personal information and provide consumers with control over how that information is used.

The CCPA applies to consumer data collected from any resident of California - whether by a company headquartered there or just doing business there. Organizations need to monitor suppliers with access to data belonging to residents of California and implement proactive measures to ensure that data subject to the CCPA is handled properly.

Who must comply with the CCPA?

The CCPA applies to any for-profit business that does business in California and meets one of the following criteria:

• Have a gross annual revenue of over $25 million
• Buy, receive or sell the personal information of 50,000 or more California residents, households or devices
• Derive 50% or more of their annual revenue from selling California residents’ personal information

What are the penalties for non-compliance?

Currently, companies can be fined up to $2,500 for each unintended violation of CCPA provisions or $7,500 for each willful violation. The CCPA will be updated in 2023 with greater enforcement penalties through the California Privacy Rights Act.

Supplier Compliance KPIs and KRIs

Measuring key performance indicators (KPIs) and key risk indicators (KRIs) is essential to effective supplier compliance reporting and your broader third-party monitoring approach. Here are four supplier compliance KPIs and KRIs to get you started:

Supplier Compliance KPIs

• Number of suppliers that are categorized as in scope for each compliance program: A high number of suppliers requiring specific compliance assessments will show how much scrutiny should be paid to the regulation at hand, for example, data privacy.
• Quality of compliance returns from suppliers by Tier (1,2,3,4): A high percentage of unanswered or mis-answered questions (e.g., low quality) can extend assessment timelines and remediation. May require supplementary assessments requiring specific evidence or controls validation performed by an outside auditor.

Supplier Compliance KRIs

• Number of suppliers outside of Tier 1 with compliance obligations: A greater level of scrutiny is typically applied to Tier 1 suppliers, but a large number of non-Tier 1 suppliers with compliance obligations may require supplementary regulatory-specific assessments to measure adherence to requirements.
• Number of suppliers within all tiers that have outstanding threat intelligence or control deficiencies not under effective management: A large number indicates a high level of risk. Outstanding control deficiencies and threat intelligence findings should be addressed according to priorities and risk tolerance thresholds.

Automate Supplier Compliance Management with Prevalent

Today’s third-party risk environment is complex and constantly evolving. Your supplier risk management program should therefore be able to not only meet regulatory compliance requirements, but also ensure business resilience throughout your supply chain.

With Prevalent’s supplier risk management solution, you can automate your supplier risk assessment, monitoring, analytics and reporting activities with a single, unified platform. At the same time, you get built-in coverage for dozens of compliance regulations and best-practice frameworks. See if Prevalent is a fit for you by requesting a demo now.