
Due Diligence with Third Parties

In this topic, you’ll learn how CBA’s suppliers also need to be operating within the same guardrails. You’ll also hear about some case studies where information security was compromised.

Doug’s dilemma

Doug’s starting to get across his service and is working on a project that will require the engagement of an external supplier. He’s very experienced in working with third-party providers, and is adhering to CBA’s sourcing and supplier governance frameworks as he commences the project. However, as Doug knows that his supplier will be required to handle our Group and customer information, he wants to know how he can better understand their security controls.

We’re a large organisation. We engage many suppliers as part of our regular business operations to assist with the provision of:

  • Infrastructure
  • Telecommunications
  • Applications
  • Other services

In December 2013, hackers were able to get access to US company Target’s network through a third-party supplier, resulting in the breach of the personal details of over 70 million customers.

This led to enormous reparations, loss of jobs, loss of reputation and 140 lawsuits against Target alone.

Doug understands that it’s essential that our Group and customer information is protected. Any supplier accessing our information must have robust controls for protecting it.

It is essential that everyone at CBA conducts due diligence on suppliers, both before and during onboarding, and then on an ongoing basis.

As a result, there are many suppliers in our ecosystem that are required to handle our Group and customer information.

Suppliers are attractive targets for malicious cyber attacks: their security defences are often perceived to be weaker, and they are therefore seen as a potential gateway to valuable information.
