Elevate


About the author


Elevate makes seamless, secure, intelligent networks as effortless as they should be from one ground to cloud technology partner.


As a UK-based technology partner, Elevate provides hyperfast dedicated internet up to 10 Gbps, resilient AlwaysOn backup, managed WiFi / LAN networks, cyber security, and unified communications - all through their own fibre infrastructure across Cardiff.

16 April 2026

Cyber Credentials Have Become a Procurement Threshold


GUEST COLUMN:

Clive Mangan
Head of Digital Transformation
Taff Housing

As a relatively small housing association operating in the centre of Cardiff, we sit in an interesting position when it comes to procurement and cyber resilience. Taff Housing manages around 1,500 homes and runs a number of projects including hostels and specialist support schemes. We provide services, we commission services, and we work with multiple public bodies. That means we are both a supplier and a customer. Increasingly, cybersecurity sits at the centre of those relationships.

We handle sensitive information every day. From tenancy data to support services for vulnerable individuals, the information we manage is not something we can afford to lose or have exposed. Over the past few years, we have moved much of our infrastructure to the cloud, relying more heavily on suppliers and external platforms. That has improved flexibility, but it has also shifted the risk profile. Phishing attempts and social engineering are now as much a concern as perimeter attacks.

There has been a clear change in how cyber is viewed within organisations like ours. A few years ago, it would largely have been seen as an IT responsibility. That is no longer the case. Our board now takes a direct interest, prompted in part by high-profile cyber incidents elsewhere in the housing sector. It is not just about whether the technology team feels confident; it is about whether the business as a whole understands what would happen in the event of an attack and whether we could continue delivering services.

We now vet all incumbent and new suppliers from a supply chain perspective, and the shift has been even more pronounced. When I first arrived, we did not have a clear register of IT suppliers. We thought we had a dozen. The reality was closer to 60. As we became more digital, we realised how dependent we were on third parties, not only for data but for critical services.

Cybersecurity, data protection and business continuity are treated together because they are interlinked. For many suppliers, the starting point is whether they hold Cyber Essentials or Cyber Essentials Plus, depending on the level of service they provide. Beyond that, we ask about cyber hygiene, patching, multi-factor authentication and resilience. We send out questionnaires and, depending on the risk profile, go into more depth.

What has changed most significantly is that cyber is now a pre-qualification question. In procurement exercises, alongside financial standing and insurance, we ask about cyber resilience. If a supplier cannot demonstrate an appropriate level of maturity, we may not proceed to the next stage. That is not because we want to exclude businesses; it is because we are either sharing data with them or relying on them to deliver a critical service. We cannot take unnecessary risks.

We are seeing the same from our own partners. As we work with multi-agency frameworks and government bodies, they are asking us those questions. We need to show not just that we have policies, but that we are maintaining them. There was a time when organisations might obtain certification and then revisit it 11 months later. That is no longer sufficient. We have moved to a more regular “drumbeat” approach to ensure that controls are being maintained, not simply documented.

There is a positive side to this shift. For SMEs willing to invest in their cyber posture, there is a clear opportunity. Procurement frameworks increasingly include cyber resilience as a threshold requirement. If you can demonstrate compliance and provide evidence quickly, you shorten the sales cycle and remove friction from due diligence. If you cannot, you may not even be considered.

Smaller organisations often assume that this level of rigour is beyond them. In practice, their size can be an advantage. They can move quickly. Turning on multi-factor authentication, improving patching routines or formalising incident response processes is often less complex than it appears. The key is to be honest about where you are and to find the right partner. We have learned that it is not enough to be told that vulnerabilities exist; you need support in prioritising and addressing them.

Cyber readiness is no longer about avoiding threats alone. It is about being able to answer questions confidently when they arise. When a procurement document asks about resilience, data protection or continuity, you need to be able to respond without hesitation. That builds trust and allows conversations to move forward.

For organisations like ours, serving communities and handling sensitive information, this is about protecting people and services. But it is also about ensuring that we can work with the right partners. The bar has risen. Those who prepare for it will find that it opens doors rather than closing them.



Business News Wales //