A recent study conducted by Orange Cyberdefense reveals that over half (58%) of large UK financial services firms experienced at least one third-party supply chain attack in 2024. Furthermore, nearly a quarter (23%) of these firms were targeted three or more times by such attacks.
The research pointed to notable gaps in the third-party risk management strategies employed by financial services institutions. Approximately 44% of firms admitted that they only assess third-party risk at the initial supplier onboarding stage. A similar percentage (41%) conduct periodic risk assessments, while just 14% continuously evaluate risk using dedicated third-party risk management tools.
The study found a clear correlation between the extent of risk management practices and the likelihood of experiencing a supply chain attack. Among firms that only assessed risk during the onboarding phase, over two-thirds (68%) suffered a supply chain attack in 2024. This figure decreased to 57% for firms that conducted periodic assessments and dropped further to 32% for those that assessed risks continuously and employed risk management technologies.
Concerns Over Brexit and Regulatory Alignment
The report also highlighted concerns among Chief Information Security Officers (CISOs) and security decision-makers regarding the alignment of UK cybersecurity regulations with those of the EU. This concern follows the recent introduction of major EU regulations affecting the financial services sector, including the Network and Information Systems Directive 2 (NIS2), the Cyber Resilience Act (CRA), and the Digital Operational Resilience Act (DORA).
Approximately 74% of respondents rated the EU’s security posture and policies more favorably than those of other economic regions. Furthermore, 77% of respondents felt that there is a gap in the regulatory deterrent between the UK and the EU, with 74% expressing concerns about diminishing confidence in UK regulations. Additionally, 72% were concerned about the growing comprehensiveness gap in UK regulations, and 76% felt that UK authorities were not providing sufficient regulatory support and guidance.
As a result, 92% of respondents expressed support for the UK adopting a country-wide regulation similar to DORA to strengthen digital resilience in the financial sector.
Cybersecurity Bill and Industry Outlook
In response to these concerns, the UK government introduced the Cyber Security and Resilience Bill in July 2024, which seeks to align UK rules more closely with the NIS2 provisions. Despite the challenges, over half (55%) of cybersecurity professionals surveyed in the report expressed optimism about the current state of UK cybersecurity regulation.
Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, commented, “As our research shows, the threat landscape remains volatile, with supply chain attacks posing a growing challenge for many businesses, including UK financial services. It is clear that cybersecurity professionals in the UK would benefit from closer alignment with EU policy to enhance digital resilience across borders.”