
The hidden cyber threat lurking in your supply chain

More than half of large UK financial services firms experienced at least one third-party supply chain attack in 2024, with nearly a quarter facing three or more incidents, according to new research from Orange Cyberdefense. The findings underscore the increasing vulnerability of financial institutions to cyber threats stemming from their vendor ecosystems.

A survey of 200 UK CISOs and senior security decision-makers revealed that many firms still rely on outdated risk assessment models. Nearly half (44%) assess third-party risks only during initial onboarding, while 41% conduct periodic reviews. Just 14% take the most proactive approach—continuous monitoring supported by dedicated risk management tools.

The impact of these different strategies is stark. Among firms that assessed risk only at onboarding, 68% suffered an attack. That figure dropped to 57% for those conducting periodic reviews and 32% for those with continuous monitoring. The survey data suggests a clear correlation: the more frequently firms evaluate their suppliers, the fewer supply chain attacks they report.

Calls for Regulatory Alignment

Cybersecurity professionals argue that regulatory frameworks can drive better risk management. Across the European Union, financial services firms face an increasingly stringent set of rules: NIS2, the Digital Operational Resilience Act (DORA), which applies directly to financial entities and the ICT third-party providers they depend on, and the Cyber Resilience Act, which sets security requirements for the products with digital elements those firms procure. In contrast, UK regulations remain fragmented following Brexit, leading to concerns that the country is falling behind.

A majority of UK cybersecurity leaders (92%) believe that the UK should implement its own version of DORA to strengthen digital resilience. Nearly three-quarters (74%) say the EU’s security policies are more robust than those of other economic regions.

There is also unease about regulatory gaps emerging between the UK and EU:

  • 77% believe UK regulatory deterrents are weaker than those in the EU.
  • 74% worry that confidence in UK regulations is eroding.
  • 72% say UK cybersecurity policies are becoming less comprehensive.
  • 76% feel UK authorities are not providing enough guidance or support.

Despite these concerns, sentiment toward UK cybersecurity regulation remains mixed. More than half (55%) of respondents describe their outlook as optimistic, confident, or excited about the country’s evolving regulatory landscape.

A Question of Cyber Resilience

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, notes that while regulatory compliance is often seen as a burden, it can also enhance digital resilience.

“Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK’s cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk,” Lindsay said.

He added that, given the growing frequency of supply chain attacks, financial institutions may benefit from aligning UK cybersecurity policies more closely with EU standards.

“Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience,” he said.

As financial institutions look to strengthen their defenses, the debate over regulation continues. For now, firms that fail to assess their third-party risks frequently and comprehensively may find themselves at the highest risk of attack.
