Over half of UK financial institutions suffer third-party supply chain attacks

New research from Orange Cyberdefense shows that 58 percent of large UK financial services firms suffered at least one third-party supply chain attack in 2024, with 23 percent being targeted three or more times.

The research suggests that firms must re-evaluate how they assess third-party risk. 44 percent of FS institutions only assess third-party risk during the initial supplier onboarding stage, while a similar proportion (41 percent) perform periodic risk assessments. Crucially, just 14 percent follow the gold standard of continuously assessing risk and using dedicated third-party risk management tools.

These different approaches have a measurable effect on resilience: 68 percent of those who only assessed risk during the onboarding phase had suffered a supply chain attack, dropping to 57 percent for those who periodically assessed and 32 percent for those who assessed continuously and employed risk management technologies.

In the past few years, the EU has introduced a raft of new cybersecurity regulations, including the Cyber Resilience Act, EU AI Act, Network and Information Systems Directive 2 (NIS2), and, most recently, the Digital Operational Resilience Act (DORA). Although these can often pose challenges for businesses, most UK FS cybersecurity professionals (74 percent) say the EU’s security posture and policies rank better than many other economic regions. 92 percent of respondents to the survey would like the UK to adopt a country-wide regulation similar to DORA to ensure digital resilience in the financial sector.

Richard Lindsay, principal advisory consultant at Orange Cyberdefense, says:

Despite the confusing tangle of regulations and laws currently in -- or being brought into -- effect across the EU, the UK's cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk.

As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included. Against this backdrop, it's clear that, despite the UK's relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU's in the near term. Only by keeping pace with our closest neighbors and trading partners can we all benefit from improved digital resilience.

You can find out more on the Orange Cyberdefense site.

Image credit: Acnalesky/Dreamstime.com

© 1998-2025 BetaNews, Inc. All Rights Reserved.