Cyber Essentials Supply Chain Commitment: joint statement
Published 23 October 2024
Joint statement
The Department for Science, Innovation and Technology and the National Cyber Security Centre (NCSC) are supporting Barclays, Lloyds Banking Group, Nationwide, NatWest, Santander UK and TSB to expand the role that Cyber Essentials plays in their supply chain risk management processes. The group aims to raise the level of cyber security in critical national supply chains, spanning all sectors, by promoting and incorporating the scheme in supplier requirements. This builds upon robust third-party risk management processes already in place across the banks and building societies.
High-profile, damaging cyber attacks have demonstrated attackers’ intent and ability to exploit security vulnerabilities in supply chains across the UK. Without basic cyber hygiene, through a programme like Cyber Essentials, suppliers will continue to be vulnerable as threat actors hone their focus on unprotected businesses.
Despite this threat, just 6% of UK businesses reviewed the cyber risk of their wider supply chain in the last 12 months. There are a number of reasons for this, including a lack of capacity, capability and tools within businesses. Encouraging organisations to manage their supply chain cyber security risk more effectively is a government priority. Wider adoption of the Cyber Essentials certification scheme as a supply chain assurance tool can play a significant role in addressing barriers that organisations face in managing their supply chain risk effectively.
What is Cyber Essentials?
Cyber Essentials is a government-backed cyber security certification scheme that helps organisations, regardless of size, improve their cyber resilience through the effective implementation of five key technical controls. These controls provide protection from the majority of common cyber attacks. Cyber Essentials certified organisations are 92% less likely to make a claim on their cyber insurance than those without it. Through Cyber Essentials, organisations gain confidence that they meet the minimum cyber security baseline and can demonstrate this to customers and other third parties.
Cyber Essentials in the supply chain
A requirement for suppliers to be Cyber Essentials certified provides a tangible way for businesses to manage their supplier cyber risk. It provides them with confidence that fundamental cyber security controls have been implemented effectively, which in turn increases the overall resilience of supply chains across the wider UK economy.
By expanding the role of Cyber Essentials in their supply chains, these leading UK banks and building societies intend to:
- Increase efficiency for their procurement teams who can more easily see that suppliers meet a minimum level of cyber security, streamlining the due diligence process;
- Increase efficiency for suppliers who will be able to provide evidence that they meet certain standards to multiple customers, thus improving existing, time-consuming assurance processes;
- Raise minimum cyber security standards across the wider economy, increasing the overall resilience of UK plc;
- Ensure consistency across suppliers that minimum standards have been met;
- Spread greater cyber insurance coverage across supply chains through the provision of free cyber insurance, and incident response services, included with Cyber Essentials certification to qualifying organisations.
The government and participating banks encourage other businesses to follow this example and incorporate Cyber Essentials into supplier requirements. This will raise cyber security expectations across the UK, enhance the security posture of the economy and make it a safer place to do business.