Over Half of UK Financial Services Institutions Have Suffered at Least One Third-Party Supply Chain Attack in 2024
New research from Orange Cyberdefense, Orange’s specialist cybersecurity business unit and a leader in cybersecurity services in Europe, reveals that nearly six in 10 (58%) large UK financial services (FS) firms suffered at least one third-party supply chain attack in 2024, with 23% being targeted three or more times.
Supply chain attacks continue to be one of the most critical and challenging areas in cybersecurity today. A Censuswide survey of 200 UK CISOs and senior security decision-makers, commissioned by Orange Cyberdefense, reveals that most FS firms must reevaluate how they assess third-party risk.
Just under half (44%) of FS institutions only assess third-party risk during the initial supplier onboarding stage, while a similar proportion (41%) perform periodic risk assessments. Crucially, just 14% follow the gold standard of continuously assessing risk and using dedicated third-party risk management tools.
The impact of these different approaches on digital resilience is clear. In 2024, 68% of those who only assessed risk during the onboarding phase suffered a supply chain attack, dropping to 57% for those who periodically assessed and 32% for those who assessed continuously and employed risk management technologies. These data points indicate a clear cause-and-effect relationship: the more frequently FS organisations assess risk, the less frequently they suffer supply chain attacks. What then needs to change to encourage more FS organisations to employ more robust risk assessment practices?
Regulation for resilience
In the last few years, the EU has introduced a host of new cybersecurity regulations, including the Cyber Resilience Act, EU AI Act, Network and Information Systems Directive 2 (NIS2), and, most recently, the Digital Operational Resilience Act (DORA).
Despite the compliance difficulties that new regulations often pose for businesses, most UK FS cybersecurity professionals (74%) say the EU’s security posture and policies rank better than many other economic regions. Consequently, 92% of respondents to our survey would like the UK to adopt a country-wide regulation similar to DORA to ensure digital resilience in the financial sector.
In fact, many UK cybersecurity professionals are concerned that, following Brexit, gaps are emerging between the UK and the European Union on cybersecurity regulation:
- Over three-quarters (77%) perceive a gap between the effectiveness of regulatory deterrents
- Similarly, 74% are concerned that confidence in UK regulation is dropping
- 72% worry that UK regulation is becoming less comprehensive
- And 76% are concerned that UK authorities (e.g. government and regulatory bodies) aren’t providing enough support and guidance
Despite concerns that the UK could struggle to keep pace with the EU on regulation, senior cybersecurity professionals are currently taking an optimistic stance. Over half (55%) are encouraged, excited, confident or optimistic about the current state of UK cybersecurity regulation.
Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, said: “Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK’s cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk.
“As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included. Against this backdrop, it’s clear that, despite the UK’s relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU’s in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience.”