Third-Party & Supply Chain Breach Reporting Obligations: The Next Hidden Layer
When organisations think about breach reporting, the focus is usually on direct obligations: regulators (GDPR, NIS2, DORA, SEC, etc.) and, for those with more mature processes, their client contracts as well. But the shift to SaaS and cloud services increasingly means that the third-party supply chain is very much part of the equation: when your suppliers suffer a breach, it can quickly become your reporting problem.
When Your Supplier’s Breach Becomes Your Breach
Modern organisations rely heavily on third parties: cloud providers, managed service partners, SaaS platforms, outsourcers. These relationships extend business capabilities, but they also extend the risk surface.
If a supplier suffers a cyber incident involving your business data, client data or impacting services critical to your operations:
You may be required to notify regulators (e.g., GDPR personal data breach, DORA major incident).
You may be required to notify your clients, even though the breach originated in your supply chain.
You may face reputational fallout if the incident isn’t disclosed transparently.
The problem? Suppliers are not always motivated to tell you quickly, but for the most part you will be on the clock with a 24-72 hour (or faster) deadline from the moment the supplier notifies your organisation of the potential breach, whenever that notification arrives, which could well be outside normal business hours.
Shared vs. Delegated Responsibility
Regulators increasingly make it clear: outsourcing services doesn’t outsource accountability.
Under GDPR, a data controller must still notify even if the data processor suffered the breach.
Under DORA, financial institutions remain responsible for ICT third-party risks and incident reporting.
Under NIS2, critical entities must ensure that essential service providers report significant incidents promptly.
This means you can’t simply point at your supplier and say “not our problem.”
Building the Reporting Chain
The challenge is timing. If your supplier takes days to confirm a breach, you could already be in violation of your own obligations. Even if the reporting clock only starts once they notify you, the method of notification can delay escalation of the incident, especially if the notification arrives as an email late on a Friday evening! To better manage this, consider the following actions:
Contract Clauses: Ensure supplier agreements include clear, time-bound breach notification obligations (e.g., “notify within 12 hours of detection”).
Notification Methods: Make sure the supplier is aware of your own reporting obligations and that appropriate direct communication methods (e.g. phone calls to a pre-agreed call tree), selected according to breach type, are in place.
Due Diligence: During vendor onboarding, assess not only their security but also their incident response and reporting processes.
Monitoring: Use contractual rights to audit or request incident statistics to confirm obligations are being met.
Playbooks: Include third-party scenarios in your incident response plans, with escalation paths for supplier-driven breaches.
Practical Steps for CISOs and Risk Leaders
Maintain a register of supplier breach reporting obligations (mapped against your own).
Test reporting chains during tabletop exercises that simulate a third-party breach, and see how quickly information flows.
Engage procurement and legal early to avoid obligations being “hidden” in supplier contracts negotiated without security input.
Tier suppliers by criticality and focus effort on those that hold sensitive data or deliver core services.
Supply Chain Transparency is Non-Negotiable
Third-party and supply chain breaches are no longer rare occurrences; they are at the centre of many of today’s most high-profile incidents. Organisations that fail to anticipate the reporting dimension risk not just fines, but erosion of client and regulator trust.
The reality is simple: if your suppliers fail, you will almost always still be accountable. The best approach therefore is to be prepared by embedding supplier breach reporting obligations into contracts, monitoring compliance, and integrating supplier scenarios into your playbooks.
👉 This article continues my series on breach reporting obligations. In earlier posts, I explored regulatory requirements and client contractual obligations. In the next instalment, I’ll tackle the cross-border complexities of breach reporting.