Expert Insight: Alan Calder on Supply Chain Security

A DORA Regulation overview – part 3

Alan Calder is the Group CEO of GRC International Group PLC, the parent company of IT Governance, and is an acknowledged international security guru. He’s also a leading author on information security and IT governance issues – his recent book Cyber Resilience – Defence-in-depth principles won the Best Cyber Book of the Year award.

Alan has also been involved in developing a wide range of information security management training courses, has consulted for clients across the globe, and is a regular media commentator and speaker.

Recently, he has been focused on developing a range of products and services to support organisations with their DORA (Digital Operational Resilience Act) compliance. So, we sat down with him to talk about the third core requirement – supply chain security – and get his general views on DORA.

For more details on the first and second core requirements, risk management and incident management, see our interviews with Andrew Pattison, head of GRC (governance, risk and compliance) consultancy Europe, and Cliff Martin, head of incident response within GRCI Law, respectively.


What do you make of DORA?

DORA is really interesting. It effectively makes ISO 27001, ISO 22301, the GDPR [General Data Protection Regulation], supply chain management and possibly the PCI DSS [Payment Card Industry Data Security Standard] a legal requirement for financial entities. And not just financial entities, but their suppliers too, particularly MSPs [managed service providers].

More interestingly still, DORA mandates board and senior management involvement in creating and maintaining a GRC framework that explicitly covers cyber and privacy threats, both today and in the future.

And, as we’ve seen with the GDPR, where the EU goes, the rest of the world follows!

Let’s dive straight into supply chain security. Why is it so important?

Quite simply, if one ICT service provider suffers a disruption – regardless of whether it’s caused by a cyber attack – that can have a knock-on effect on all its clients.

To give an example, suppose that you had a piece of software that an attacker successfully exploited a vulnerability in. Maybe even a zero-day vulnerability, like with MOVEit, so that no patch is available yet. Then any organisation – or individual – using that software could be hacked too. As we’ve seen with MOVEit, that can amount to thousands of organisations.

It can be challenging to secure your supply chain – organisations tend to simply trust that the products and services they use are safe. But where they aren’t, every organisation that uses them can be at risk, with potentially far-reaching consequences.

Those consequences aren’t just hypothetical, are they? IT Governance’s research found that nearly half [48%] of all incidents in November 2023 originated from the supply chain – 227 incidents in total.

Correct, and most of those 227 incidents had nothing to do with MOVEit, showing that it wasn’t a black swan event.

As for the financial sector specifically, as a recent Trustwave report pointed out, the businesses in this sector are extremely interconnected, even by the modern world’s standards. That interconnectedness makes the sector even more susceptible to supply chain attacks.

So how can organisations secure their supply chain?

Financial entities must review ICT security across their supply chains, deploying audit and compliance teams to ensure that third-party ICT service providers are secure and compliant. That means looking for certifications like ISO 27001, ISO 22301 and Europrivacy.

Where critical suppliers are concerned, you should look at their resilience, including:

If they fall short of your standards or requirements, you need to find alternative suppliers.

Will taking these actions be enough to meet DORA’s ICT third-party risk management requirements?

These steps should be thought of as the minimum necessary to achieve DORA compliance across the supply chain, yes.

However, in reality, financial entities will need to work ever more closely with their key suppliers to ensure they are genuinely resilient. That will include, for instance, running large-scale cyber attack simulations that involve significant elements of the supply chain, to test and improve the depth of their resilience.


We hope you enjoyed this week’s edition of our ‘Expert Insight’ series – the third (and last) of a multi-part interview with our experts about the three core DORA Regulation requirements.

If you missed it, check out part 1 on the general cyber landscape and the risk management requirements, and part 2, on the DORA incident management requirements.

Also, if you missed it, check out last week’s blog, where Louise Brooks, the head of consultancy at DQM GRC, gave us her expert insights into the ICO’s (Information Commissioner’s Office) recent ultimatum on cookies.

We’ll be back next week, chatting to another expert within the Group.
