On average, UK water companies rely on over 300 third parties to deliver their water and sewage services. Even the esteemed readers of the Water Industry Journal who work in the industry or the supply chain would find it difficult to identify all the different third parties involved. Telecommunications providers, credit ratings agencies, billing and payment service providers, payroll management software and HR systems are just a few examples of the third parties who are essential to the delivery of this crucial service. They all have one thing in common – privileged access to their clients’ networks, systems, and the personal data of customers and staff.
Using innovation to secure the water industry supply chain
The Risk Ledger platform gives organisations all the tools to run a cyber security-led, third-party risk management programme at speed and at scale for a low, per-supplier cost. It has been adopted by Northumbrian Water, Welsh Water, Affinity Water, South East Water and many others in the past year to address this challenge. Both Information Security and Procurement teams at these water companies are getting value from the platform.
Our innovative approach to the supply chain risk management challenge has consistently been recognised with awards and competition wins including recently being a finalist in the ‘Most Innovative New Technology of the Year’ category at the 2021 Water Industry Awards.
Over 60% of organisations have experienced a breach caused by a third party. Supply chain cybersecurity and data protection risks are such a big issue for authorities that active management of these risks is a requirement in two major pieces of regulation applicable in the water industry: the GDPR and, for water companies as operators of an essential service, the NIS Directive. The Risk Ledger platform enables clients to comprehensively comply with both pieces of regulation and provides an auditable trail to show regulators in the case of an incident.
UK water companies face a double challenge of limited internal security resources because of price regulation and hundreds of third parties to review – both legacy suppliers and those onboarding every week. Our clients are reducing the time and cost spent assessing the cyber security maturity of their suppliers by up to 80% compared to traditional spreadsheet and email-based programmes. More importantly, we have redefined the process by moving away from point-in-time assessments to a continuous monitoring model, allowing organisations to quickly identify, measure and mitigate risks once and then reap compounded benefits year after year as the platform eliminates the need for repeat reviews.
We put clients and their suppliers at the centre of what we do
Traditional methods for managing supply chain security risks are slow and costly for all parties involved, including third parties, so they are not scalable beyond a small percentage of the supply chain or easy to implement for many organisations beyond those with large security budgets. To combat this scale issue, the Risk Ledger platform operates like a network, providing the data pipe for clients and suppliers to share risk data securely. Clients can connect with all their suppliers in one place, while suppliers are able to share a single risk control profile with multiple clients to reduce their burden of work – in a ‘do once, use many’ model. Every time a supplier connects with a new client, their risk control profile is reviewed again, creating a continuous, commercial incentive for suppliers to maintain and improve their risk management regime over time.
Third parties who complete the Risk Ledger supplier assessment do so for free and get access to a range of support options to help them easily and efficiently respond to all future client due diligence requests.
The real innovation of the platform is that every organisation can be both a supplier, responding to due diligence requests, and a client, running a third-party risk management programme, at the same time. This allows our clients to gain visibility of their supply chain risks beyond third parties to fourth, fifth and sixth parties. In practice, this means a supplier to one of our water clients, like a payment services provider, can run their own third-party risk management programme on the Risk Ledger platform, providing visibility of supply chain risks beyond third parties to their clients, and pushing good cyber hygiene down the supply chain – making the entire water industry more resilient to cyber breaches.
The Risk Ledger platform is industry agnostic so whether you work for one of the few water companies who aren’t already considering the platform, or you work in the water industry supply chain and recognise the need to better manage third-party risks, visit riskledger.com to find out more about what we do or contact Alex Lyma-Young on 020 3488 5800 or firstname.lastname@example.org to organise a short demonstration of the Risk Ledger platform in action.