6 November 2013 | Will Green
More than two thirds of buyers are yet to make changes to contracts to address the threat of cyber crime, according to an SM poll.
Just 32 per cent of purchasers have amended contracts in light of the risk, compared with 68 per cent who have not, according to the latest SM100 survey.
The finding comes despite warnings that firms are vulnerable to attacks, which are on the rise and increasingly involve hackers targeting companies through their supply chain.
Police commissioner for the City of London Adrian Leppard, national lead for economic crime, has urged buyers to beef up contracts with suppliers to tackle the risk, while the Kroll Global Fraud Report 2013/14 said hacking attacks had doubled and, of firms affected by information theft, almost a fifth had suffered an attack on a supplier.
John Milne, procurement consultant at Hampco, said: “Beyond taking the normal steps to safeguard IT systems, nothing has been done. That is down to relatively low involvement in e-trading. This will be an area of desperate concern for FMCG buyers, but is less so for SME engineering contractors.”
Mike Flanagan, CEO at Clothesource, said: “This is an IT function and we in procurement are normally not involved in it by policy.”
Natalie Henfrey, principal consultant at Crimson and Co, said amending contracts was not enough. “Many procurement organisations ask for suppliers’ policies on contractual areas such as CSR and these policies go largely unread, unaudited and unanalysed,” she said. “Unless procurement is prepared to up the understanding and resource behind managing such clauses, their inclusion does not add protection or value.”
Shaun Evans, head of procurement at Lifestyle Services Group, said risk assessments of each supplier were conducted. “We are also looking at the introduction of an information security schedule to relevant contracts as they are renewed or reviewed, which commits the supplier to an agreed approach to information security in compliance with our own and client requirements,” he said.
“This would make a material failure both reportable and ultimately a breach of contract enabling us to look at termination of the agreement as a solution of last resort if necessary.”