Skip to content

Procurement in a nutshell – Procurement and information security

Cyber security has been headline news in the past few weeks. The global ransomware attack which affected the NHS has served as a reminder for many contracting authorities (CAs) to ensure that they protect themselves from online threats which could potentially costs thousands of pounds

This week’s update provides an overview of the importance of “information security” (which includes but is not limited to cyber security) in the context of public procurement practices.

Information security in procurement

Information security encompasses the strategies for managing the processes, tools and policies to prevent, identify, document, and counter threats to both digital and non-digital information. Procurement practitioners must be aware of the potential risks of information breaches in their day-to-day business. The nature of public procurement demands that measures to protect information security are an integral part of the process throughout the cycle of the procurement, including at the point of service delivery. The handling of sensitive information and the sharing of information with suppliers makes the topic a key concern for procurement officials. Information at risk includes:

  • bid information;
  • financial information;
  • organisation information, such as intellectual property; and
  • service user information.

As well as protecting the information handled within the organisation, a CA must ensure there are safeguards in place to protect the sensitive information shared with organisations by virtue of its supply chain.

Things to consider

Stages of the procurement cycle

Specification

  • By making an assessment of information security risks in the specification, a focus on information security can be built into the invitation to tender and the evaluation documents.

Invitation to tender

  • All security requirements must be effectively communicated at the invitation to tender stage to ensure that these are adequately dealt with in the bid submissions and appropriately assessed in the evaluation stage.

Contract award

  • The information security requirements which have been identified by a CA must be built into the contract with the inclusion of relevant security clauses.

Service performance and review

  • Auditing of processes and practices should be used by CAs to ensure that there is ongoing compliance by suppliers with the security arrangements.

Supply chain

An information attack is likely to target weak links in the supply chain. Therefore, CAs should focus on supply chains in their entirety, rather than just prime contractors. A CA may have safeguarded information shared with prime contractors but it could be their relationships with their own suppliers which could prove to be the dangerous link.

Size doesn’t matter

It would be a mistake to think that there is less risk when dealing with small companies. Suppliers, and indeed contracts, of all sizes carry risks. The riskiest contract may not necessarily be the most obvious. Where CAs have multi-supplier approaches, they must avoid the temptation to focus on those which appear to carry the most risk.

Protection schemes

A CA should have the assurance that a supplier will protect its information as well as it safeguards its own information. While certification schemes are a helpful indicator, for high risk projects, it is sensible to investigate further to ensure that the principles are embedded into all working practices and systems.

Why is this important?

An information security breach comes with unwanted costs such as forensic investigation, fixes, equipment replacement, legal costs and possibly claims for damages. By implementing precautionary measures, CAs can lessen the reputational and financial exposure which comes as a result of an information security attack. This topic is brought squarely into focus when considered in light of the need for CAs to move towards fully electronic procurement by 18 October 2018. Information security should feature prominently in CAs’ plans to progress and implement electronic procurement systems.

At a time of increased cost pressures on CAs, decision makers are faced with the challenge of balancing difficult investment choices. It is important nevertheless that the correct priority level is afforded to mitigating information security risks in order to ensure long-term sustainability of services by safeguarding essential infrastructure required for effective service delivery.

How can I find out more?

If you have any queries on the issues raised or on any aspect of procurement, please contact us via our procurement hotline on 0191 204 4464.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there