Supplier security incident management
Babcock is committed to maintaining a robust security posture and as part of this, we rely heavily on a strong partnership with our supply chain. This is particularly prevalent in the context of actual or suspected security incidents.
Babcock expects any supplier that experiences a security incident (including near misses) to notify them:
- Within 24 hours, for any incidents affecting or with potential to affect Babcock data.
- Immediately, where the incident poses a risk to Babcock systems or infrastructure.
Incidents should be reported via the Supplier Incident Phone Number – (+44) 20 8963 7030
Frequently asked questions
A security incident is any event that could compromise the confidentiality, integrity, or availability of systems, data, or services.
Examples of incidents that should be reported include (but are not limited to):
- Unauthorised access to systems or data
- Data loss, leakage, or corruption
- Ransomware or malware infections
- Compromise of user accounts or credentials
- Disruption to services supporting Babcock
- Physical incidents, such as a premise break in
- Personnel incidents, such as a disgruntled employee attempting to bypass security controls
If in doubt, report it.
When reporting an incident, the Babcock team will gather key details to understand the situation and take appropriate action. You should be prepared to provide:
- Your name and contact details
- Organisation name
- Relevant contract(s) or services provided to Babcock
- Description of the incident
- Date and time the incident was identified
- Systems or data potentially affected
- Actions already taken
Providing accurate and timely information will help Babcock assess risk and respond effectively.
Following notification, Babcock will:
- Assess the potential impact to Babcock and customer data
- Take any necessary internal actions to contain risk
- Maintain communication with you throughout the process
- Where appropriate, provide guidance or support to assist with incident recovery
Our aim is to work collaboratively with suppliers to minimise impact and restore normal operations as quickly as possible.
Once the incident has been stabilised, Babcock may carry out a follow-up review or audit. This is intended to:
- Understand the root cause of the incident
- Confirm appropriate remediation actions have been implemented
- Gain assurance adequate controls are in place to prevent recurrence
Suppliers are expected to cooperate fully with any post-incident activities.
Following identification of an incident, suppliers are expected to take prompt and effective internal action to contain, eradicate, and recover from the issue. Dependant on the type and severity of the incident, this could include:
- Following agreed Incident Management/Business Continuity/Disaster Recovery Plans
- Isolating affected systems to prevent further impact.
- Preserving evidence to support investigation.
- Identifying the root cause of the incident.
- Implementing appropriate remediation measures, such as patching vulnerabilities, resetting compromised credentials, restoring systems from known clean backups, and enhancing monitoring controls.
- Maintaining a clear record of timelines, actions taken and decisions made.
- Reporting to other regulatory bodies, such as NCSC and the ICO.
- Please note that for all suppliers working on MOD contracts, Babcock expects suppliers to report the incident to WARP in line with MOD issued guidance. This should be conducted in addition to reporting the incident to Babcock.
Following an incident, suppliers are expected to:
- Review existing security controls and processes to identify any gaps, implementing improvements where necessary to reduce the likelihood of recurrence.
- Identify lessons learnt and use these to drive continual improvement, such as updating policies and processes and improving technical controls.
Additional resources
If you would like to learn more about strengthening your security posture, please check out the below links:
