
Supply Chain Third-Party Risk and Security Management | CloseProtectionHire
Third-party suppliers introduce security, legal, and reputational risks that go beyond physical cargo. James Whitfield explains the SCRM framework that commercial operations need.
Written by James Whitfield — Senior Security Consultant
Supply chain security is often understood as physical cargo protection: preventing theft in transit, screening containers, securing warehouses. That physical dimension is real and significant, but the regulatory and legal risk in supply chain management has grown to a scale that makes it a board-level concern in its own right.
James Whitfield, Senior Security Consultant, approaches supply chain third-party risk as a convergence problem: the physical security of the supply chain, the legal compliance obligations connected to it, and the cyber security of supplier relationships all require a coordinated response.
The insider threat in supply chain security
The most effective cargo theft methodology does not involve breaking into a warehouse or intercepting a vehicle at random. It involves insider intelligence: someone within the supply chain, a warehouse operative, a dispatch coordinator, a driver, or an IT system administrator, who provides information about shipment timing, route, cargo value, and vehicle details to criminal networks.
BSI Supply Chain Intelligence estimated global cargo theft costs at USD 22 billion annually in its 2024 report. The TAPA (Transported Asset Protection Association) annual crime report consistently identifies insider facilitation as a factor in high-value theft events. In Brazil, Mexico, Nigeria, and South Africa, organised theft networks have demonstrated sustained ability to acquire shipment intelligence faster than cargo theft prevention measures can respond.
The supplier vetting framework that addresses insider threat is the same framework that addresses competitive intelligence leakage, corruption, and cyber intrusion: background screening of staff with access to sensitive information, access control proportionate to information sensitivity, and regular audit of data access logs.
Bribery Act Section 7: the adequate procedures requirement
Section 7 of the Bribery Act 2010 creates a strict liability offence: a commercial organisation fails to prevent bribery if an associated person bribes another person to obtain or retain business or an advantage for the organisation. Associated persons include third-party agents, distributors, and supply chain partners acting for the organisation.
The only defence is demonstrating that the organisation had adequate procedures in place. The Ministry of Justice guidance on adequate procedures sets out six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication, and monitoring and review. Due diligence on third-party supply chain partners in high-risk markets is a specific requirement of the adequate procedures framework.
In practice, this means: conducting a corruption risk assessment for each significant third-party relationship, with enhanced due diligence for relationships in markets identified as high-risk (Transparency International CPI scores are the standard reference), obtaining anti-bribery representations and warranties in supplier contracts, and monitoring supplier behaviour through audit and reference checks.
The Serious Fraud Office has brought successful prosecutions under Section 7 against companies whose agents in P1 city markets paid bribes that the company either knew about or failed to prevent through adequate procedures. The personal liability for directors involved in or aware of the conduct extends beyond the corporate penalty.
Modern Slavery Act: supply chain transparency requirements
The Modern Slavery Act 2015 (section 54) requires commercial organisations with annual turnover of GBP 36m or more that carry on business in the UK to publish an annual slavery and human trafficking statement. The statement must set out the steps the organisation has taken during the financial year to ensure that slavery and human trafficking are not taking place in its supply chains or its own business, or state that it has taken no such steps.
The UK Government’s Modern Slavery Statement Registry allows public scrutiny of statements. Civil society organisations, journalists, and investors review statements and publicly identify inadequate disclosures. Several major listed companies have faced significant media coverage for statements assessed as boilerplate or insufficiently substantive.
The US Uyghur Forced Labor Prevention Act 2021 (UFLPA) creates a rebuttable presumption that any goods with a nexus to Xinjiang or produced by entities on the UFLPA Entity List were made with forced labour and are therefore prohibited from entry into the United States. This extraterritorial effect requires UK and EU companies supplying the US market to audit their supply chains for Xinjiang nexus, particularly in cotton, polysilicon, aluminium, and tomato products.
The EU Corporate Sustainability Due Diligence Directive (CS3D), adopted in 2024, goes further: it requires in-scope companies to conduct due diligence on adverse human rights and environmental impacts across their entire value chains, including Tier 2 and beyond. UK companies with EU subsidiaries or significant EU customer relationships need to monitor the extraterritorial application of CS3D to their supply chain requirements.
Cyber supply chain risk: the SolarWinds lesson
The SolarWinds attack, disclosed in December 2020 and attributed to the Russian SVR by the US government, compromised the build environment of SolarWinds’ Orion software product and inserted a backdoor into signed software updates distributed to as many as 18,000 customers, including US federal agencies and major financial institutions. The attack vector was the supply chain: not the end organisation’s systems, but the software it trusted from a supplier.
CISA Advisory AA20-352A and subsequent NCSC guidance identified software supply chain integrity as a primary risk area. The practical implications for commercial organisations extend beyond the software dimension: any supplier with a direct connection to the buyer’s IT network, access to the buyer’s systems, or the ability to deploy software or updates into the buyer’s environment is a potential intrusion path, both for initial access and for lateral movement once inside.
Supplier IT access should be governed by a third-party access policy: named, role-specific accounts rather than shared credentials, access limited to the systems in contract scope, time-limited credentials, VPN and multi-factor authentication requirements, audit logging of every supplier session, periodic reconciliation of live accounts against the supplier register, and revocation procedures when the supplier relationship changes or ends. This is not a theoretical risk: NCSC’s 2024 guidance on managed service providers and third-party access specifically identifies this as a high-frequency intrusion vector.
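A policy of this kind only pays off if someone actually runs the checks against the logs. The script below is an added example, not code from this article or from CloseProtectionHire, showing how the data-access audit in the supplier vetting framework above and the third-party access policy just described can be mechanised together. It reads a constructed third-party access register (account, vendor, systems in contract scope, contract end date, MFA requirement) and a handful of constructed key=value log lines, and flags supplier accounts that are missing from the register, used after the contract end date, used on systems outside scope, used without MFA, or used to bulk-export shipment data. The log format, the svc- naming convention for supplier accounts, and every vendor and account name are assumptions for illustration.

```python
"""Audit supplier access-log lines against a third-party access register.

Added example: not code from the original article or from CloseProtectionHire.
The register layout, the key=value log format, the 'svc-' prefix for supplier
accounts and every vendor/account name are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class SupplierAccess:
    account: str
    vendor: str
    allowed_systems: frozenset  # systems the contract scope permits
    contract_end: datetime      # credentials must be revoked by this date
    mfa_required: bool = True


# Constructed third-party access register (one row per supplier account).
REGISTER = {
    "svc-acmelogistics": SupplierAccess(
        "svc-acmelogistics", "Acme Logistics", frozenset({"tms"}),
        datetime(2025, 6, 30, tzinfo=timezone.utc)),
    "svc-northfreight": SupplierAccess(
        "svc-northfreight", "North Freight", frozenset({"tms", "wms"}),
        datetime(2025, 3, 31, tzinfo=timezone.utc)),
}

# Constructed log lines (tms = transport management, wms = warehouse management).
SAMPLE_LOG = """\
ts=2025-05-02T09:15:00Z user=svc-acmelogistics system=tms action=read object=shipment/44812 mfa=true src=10.40.1.7
ts=2025-05-02T09:16:30Z user=svc-acmelogistics system=wms action=read object=inventory/bay-12 mfa=true src=10.40.1.7
ts=2025-05-02T23:48:10Z user=svc-northfreight system=tms action=export object=shipments/next-7-days mfa=false src=10.40.1.9
ts=2025-05-03T10:02:00Z user=j.smith system=tms action=read object=shipment/44813 mfa=true src=10.10.5.21
ts=2025-05-03T10:05:00Z user=svc-unknownvendor system=tms action=read object=shipment/44814 mfa=true src=10.40.1.11
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict, typing the timestamp and the MFA flag."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    fields["mfa"] = fields["mfa"] == "true"
    return fields


def audit(log_text, register, third_party_prefix="svc-"):
    """Return (account, finding) tuples for every supplier-account event that
    breaches the third-party access policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        if not user.startswith(third_party_prefix):
            continue  # staff accounts are reviewed in a separate pass
        entry = register.get(user)
        if entry is None:
            # An account using the supplier convention with no contract behind it.
            findings.append((user, "ACCOUNT_NOT_IN_REGISTER"))
            continue
        if ev["ts"] > entry.contract_end:
            # Revocation was not completed when the relationship ended.
            findings.append((user, "ACCESS_AFTER_CONTRACT_END"))
        if ev["system"] not in entry.allowed_systems:
            findings.append((user, f"OUT_OF_SCOPE_SYSTEM:{ev['system']}"))
        if entry.mfa_required and not ev["mfa"]:
            findings.append((user, "MFA_NOT_USED"))
        if ev["action"] == "export" and "shipment" in ev["object"]:
            # Bulk shipment data is exactly what insider-facilitated theft needs.
            findings.append((user, "BULK_SHIPMENT_EXPORT"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_LOG, REGISTER):
        print(f"{account:<20} {finding}")
```

Run against a real export by replacing SAMPLE_LOG with the log text and REGISTER with the entries from the contract management system. ACCESS_AFTER_CONTRACT_END and ACCOUNT_NOT_IN_REGISTER map directly to the revocation procedure: a hit on either means offboarding was not completed, and the finding belongs with the supplier relationship owner, not only with IT.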
Tier 2 and Tier 3 supplier visibility
The regulatory direction of travel across multiple jurisdictions is clear: companies are increasingly expected to have visibility of their supply chains beyond Tier 1. The challenge is practical: a manufacturer may have fifty direct suppliers, each of whom has their own supply base of fifty, creating a potential map of thousands of entities.
Risk-based prioritisation is the practical response: focus deep supply chain assessment on the categories and markets where the risk is highest. For Modern Slavery Act purposes, the highest-risk categories are those with documented forced labour prevalence in specific geographies: garment manufacturing in Southeast Asia, electronics assembly in specific Chinese provinces, agricultural products from P1 city markets. For Bribery Act purposes, the highest-risk relationships are those where the supplier is acting as an agent in markets with low CPI scores.
SEDEX (Supplier Ethical Data Exchange) and similar third-party audit databases allow buyers to leverage existing audit data rather than commissioning fresh assessments for every supplier. SMETA (Sedex Members Ethical Trade Audit) is a widely accepted audit methodology. These tools provide a scalable layer of Tier 1 and Tier 2 assessment that is not achievable through bespoke audit for every supplier.
Due diligence in P1 city markets
Supplier relationships in P1 city markets carry elevated Bribery Act, sanctions, and supply chain security risks that require enhanced due diligence beyond what is proportionate for low-risk markets.
Beneficial ownership verification is the starting point. In Nigeria, Colombia, Mexico, and several other P1 city markets, corporate ownership structures are frequently opaque and may not reflect the true beneficial owners who control the entity. A supplier that appears independent may be connected to a government official, a criminal network, or a sanctioned individual through layers of corporate ownership that are not visible in company registry filings.
PEP and sanctions screening of the supplier entity and its principals uses commercial screening tools (LSEG World-Check, formerly Refinitiv World-Check; LexisNexis Bridger Insight) against the OFAC SDN list, the OFSI consolidated list, and the UN consolidated list. Screening is not a one-off onboarding step: it should be repeated when the relationship or its ownership changes and whenever the lists are updated. In markets where business-government relationships are close and often undisclosed, PEP screening captures a broader risk than pure sanctions compliance.
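The beneficial ownership point and the screening step are easier to see in code. The script below is an added example, not the article's own method and not the output of any commercial screening product. It walks a constructed ownership graph, multiplying shareholdings along each path so that a 50% stake in a holding company that owns 60% of the supplier becomes a 30% effective stake in the supplier; identifies every natural person above a 25% effective-ownership threshold as a UBO; and then screens each person and each intermediate entity against a constructed watchlist using name normalisation and a similarity score, so that a surname-first listing or a spelling variant still matches. All entity names, shareholdings and watchlist records are constructed assumptions; the 25% threshold is the usual UBO reporting threshold in AML regimes, and the 0.88 similarity cut-off is an assumption to be tuned against real false-positive rates.

```python
"""Resolve ultimate beneficial owners (UBOs) through layered corporate
ownership and screen every person and entity in the chain against a
sanctions/PEP watchlist.

Added example: not code from the original article or from any screening
vendor. The ownership graph, entity names and watchlist records below are
constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed ownership graph: entity -> {owner: fraction of shares held}.
# Natural persons never appear as keys, so they are the leaves of the walk.
OWNERSHIP = {
    "Delta Agro Supplies Ltd": {"Sunrise Holdings SA": 0.60, "Delta Founders LLC": 0.40},
    "Sunrise Holdings SA": {"Okafor Family Trust": 0.50, "Marina Investments BV": 0.50},
    "Marina Investments BV": {"Lukas Meier": 1.0},
    "Delta Founders LLC": {"Amaka Eze": 0.70, "Chidi Nwosu": 0.30},
    "Okafor Family Trust": {"Emeka Okafor": 1.0},
}

# Constructed watchlist; a real programme screens the OFAC, OFSI and UN lists.
WATCHLIST = [
    {"name": "OKAFOR, Emeka", "list": "PEP", "note": "constructed: regional official"},
    {"name": "Lukas Maier", "list": "SANCTIONS", "note": "constructed: spelling variant"},
]

UBO_THRESHOLD = 0.25    # usual beneficial-ownership reporting threshold in AML regimes
MATCH_THRESHOLD = 0.88  # assumption: tune against real false-positive rates


def normalise(name):
    """Strip accents, punctuation and case, and sort tokens so that
    'OKAFOR, Emeka' and 'Emeka Okafor' normalise to the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters = "".join(c if c.isalnum() or c.isspace() else " " for c in no_accents)
    return " ".join(sorted(letters.lower().split()))


def effective_owners(entity, graph, share=1.0, acc=None):
    """Walk the graph multiplying fractions along each path; accumulate each
    natural person's effective stake in `entity` (a person reachable by two
    paths gets the sum of both)."""
    if acc is None:
        acc = {}
    owners = graph.get(entity)
    if not owners:  # leaf: natural person, or an entity with no ownership data
        acc[entity] = acc.get(entity, 0.0) + share
        return acc
    for owner, fraction in owners.items():
        effective_owners(owner, graph, share * fraction, acc)
    return acc


def chain_entities(entity, graph):
    """Every company/trust between the supplier and its natural-person owners."""
    seen, stack = [], [entity]
    while stack:
        node = stack.pop()
        if node in seen or node not in graph:
            continue
        seen.append(node)
        stack.extend(graph[node])
    return seen


def screen(name, watchlist=WATCHLIST, threshold=MATCH_THRESHOLD):
    """Return (list, listed_name, score) for each watchlist record whose
    normalised name is similar enough to `name`."""
    target = normalise(name)
    hits = []
    for rec in watchlist:
        score = SequenceMatcher(None, target, normalise(rec["name"])).ratio()
        if score >= threshold:
            hits.append((rec["list"], rec["name"], round(score, 2)))
    return hits


def assess_supplier(entity, graph=OWNERSHIP, watchlist=WATCHLIST):
    """UBO determination plus screening of persons and intermediate entities."""
    stakes = effective_owners(entity, graph)
    persons = [
        {"person": p, "stake": round(s, 3), "ubo": s >= UBO_THRESHOLD,
         "hits": screen(p, watchlist)}
        for p, s in sorted(stakes.items(), key=lambda kv: -kv[1])
    ]
    entity_hits = {e: screen(e, watchlist) for e in chain_entities(entity, graph)}
    return {"persons": persons, "entity_hits": entity_hits}


if __name__ == "__main__":
    for row in assess_supplier("Delta Agro Supplies Ltd")["persons"]:
        flag = "UBO" if row["ubo"] else "   "
        print(f"{flag} {row['person']:<14} {row['stake']:.3f} {row['hits']}")
```

In production the ownership data comes from registry filings and corporate-intelligence sources, which is where the opacity described above bites: an entity with no ownership data is treated here as a leaf and is itself a finding, because the walk cannot reach the people behind it. The fuzzy match deliberately over-alerts; a hit is a review trigger for an analyst, not a conclusion, and the threshold that is right for Latin-script names will need re-tuning for transliterated ones.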
On-the-ground assessment, conducted by a qualified third-party assessor, provides verification that the supplier operates as represented. In P1 city markets, this assessment also covers the security infrastructure the supplier has in place for cargo handling, which is relevant both to cargo security and to the quality of the supplier as a partner.
See the related guidance on security for supply chain and logistics operations for the physical cargo security framework, and security due diligence for business partnerships for the counterparty due diligence process that applies when establishing new supplier relationships.
Sources: BSI Supply Chain Intelligence Report 2024; TAPA Annual Cargo Crime Report 2024; Bribery Act 2010; Ministry of Justice Guidance on Adequate Procedures 2011; Serious Fraud Office Enforcement Action 2023; Modern Slavery Act 2015; UK Government Modern Slavery Statement Registry 2024; Uyghur Forced Labor Prevention Act 2021; EU Corporate Sustainability Due Diligence Directive (CS3D) 2024; CISA Advisory AA20-352A (SolarWinds); NCSC Managed Service Providers Guidance 2024; SEDEX and SMETA Audit Methodology 2024; Transparency International CPI 2024.
Key takeaways
Physical and cyber supply chain risk share the same root cause
Insider intelligence from a supplier enables both cargo theft and network intrusion. The supplier vetting framework that addresses one addresses both.
Bribery Act Section 7 liability requires proactive due diligence
Adequate procedures under the Bribery Act require supplier due diligence before the relationship begins, not after a problem emerges. The defence is built before the incident, not in response to it.
Modern Slavery Act statements must reflect genuine assessment
Boilerplate transparency statements are publicly criticised and create reputational risk. Substantive statements require actual supply chain mapping and assessment beyond Tier 1.
Tier 2 and Tier 3 supplier visibility is a regulatory direction of travel
EU Corporate Sustainability Due Diligence Directive (CS3D) requires large companies to conduct due diligence on adverse human rights and environmental impacts across their value chain. UK-listed and UK-operational companies need to monitor the extraterritorial effect of CS3D on their EU subsidiaries and customers.
Contract rights to audit must be exercised to have value
An audit clause that is never exercised provides no assurance. Audit programmes should be risk-based: higher-risk suppliers in higher-risk markets audited more frequently, with unannounced elements where contractually permitted.
