Critical National Infrastructure Case Study - Affinity Water & Risk Ledger
Third-party risk management for Critical National Infrastructure
About Affinity Water
Affinity Water is the largest water-only supplier in the UK - providing nearly 1 billion litres of water every day to approximately 3.6 million customers in and around London, UK.
As an Operator of Essential Services, Affinity Water have to comply with the EU's Network and Information Systems (NIS) Directive which requires them to scrutinise the security controls of their third parties. They also have to comply with the GDPR as the data controller for millions of customers' Personally Identifiable Information.
Affinity Water have hundreds of third parties ranging from long-term legacy suppliers to those onboarded recently for fixed-term projects.
How Risk Ledger works for Affinity Water
The Risk Ledger platform allows Affinity Water to identify, measure and manage supply chain risks by running a semiautomated, security-led, third-party risk management programme at scale for a low per supplier cost.
Using the platform and the Risk Ledger supplier framework, Affinity Water are able to collect data about how their suppliers implement over 200 risk controls, supported by verifiable evidence of implementation. The controls cover 12 risk domains, and suppliers only need to provide information about the controls relevant to them.
Affinity Water's suppliers are continuously monitored by the Risk Ledger platform and each supplier must re-attest to the accuracy of the data at least every 6 months. Additionally, Affinity Water are informed if a supplier's risk controls fall below the approved level of implementation.
What do Affinity Water say?
"What I love about using Risk Ledger to manage our third-party security risk management programme is that it does exactly what it says on the tin. It is so easy for us to engage our suppliers for a security review at the click of a button if they are already on the Risk Ledger platform. Even if a supplier isn't already on the platform, I just need a contact email to get started.
When it comes to reviewing suppliers, I can't overstate how much time Risk Ledger saves us by avoiding spreadsheets and countless emails going back and forth. The workflows are simple and it is really useful to have assessment responses, discussions, contextual notes and compliance scores all in one place so the whole process is smoother and more efficient. Our whole team, including colleagues from other departments like procurement and legal, can be added as users to collaborate on the process which also makes it easier to project manage.
Overall, using Risk Ledger has helped us to run an efficient third-party security risk management process and frees up my time to focus on other security priorities."
- Existing third-party security risk management process conducted via spreadsheets and emails was time consuming.
- It took months for suppliers to fully complete their reviews and be approved.
- Output from existing process was a point-in-time assessment focused on data protection.
- Security team has multiple security obligations and required a more efficient solution.
- Hundreds of suppliers to review and new suppliers being onboarded every week.
- As an Operator of Essential Services the team must comply with the supply chain security element of the NIS Directive and the GDPR.
The Head of Information Security wanted to:
- increase the scope of third-party risk assessments to more risk domains;
- reduce the per-supplier time, financial and human resources required for each review;
- continuously access up-to-date information about supply chain security maturity;
- be prepared to demonstrate comprehensive compliance with the NIS Directive and the GDPR to regulators;
- and improve the security maturity of the supply chain to minimise the risk of an incident.
- Fast, comprehensive security assessments: Affinity Water can now collect and review a comprehensive supplier security risk assessment covering 12 risk domains, within 2 weeks.
- Low, per supplier costs: This allowed Affinity Water to expand their third-party security risk management programme to a broader range of third parties.
- Fully compliant with regulations: The platform creates a full audit log of activity so Affinity Water can demonstrate compliance with the supply chain elements of UK data protection and cyber resilience regulations.
- No more spreadsheets or long email trails: The security team can engage, review, remediate, discuss and approve suppliers in-platform, cutting admin work and procurement cycles.
- Saving time on annual security reviews: Suppliers are regularly updating the data in their supplier assessments, drastically reducing the time taken to complete annual re-assessments.
Questions & Answers
What is Critical National Infrastructure?
Critical national infrastructure (CNI) comprises the assets, systems, and networks that a country's government deems essential to the functioning of the country and its economy, and whose disruption has direct national security implications.
What are the Critical National Infrastructure sectors?
Critical national infrastructure is commonly defined to encompass the following sectors: energy, transportation, telecommunications, water supply, emergency services, government, health services, and financial services.
Why is cyber security important to critical national infrastructure?
Ensuring the cyber security of critical national infrastructure is important because these assets, systems, and networks are often targets of attacks by hackers, which could cause significant disruptions to the functioning of a country and its economy. Attacks can undermine critical services, cause damage to infrastructure, compromise sensitive data or even lead to serious economic and financial crises and worse.