Almost six in 10 (58 per cent) large UK financial services firms fell victim to at least one third-party supply chain attack in 2024, according to new research from Orange Cyberdefense, Orange’s European cybersecurity business unit.
Supply chain attacks remain a significant cybersecurity challenge: 23 per cent of UK financial services firms were targeted by them three or more times, Orange Cyberdefense reveals. Based on a Censuswide survey of 200 UK CISOs and senior security decision-makers, the company concludes that most financial service providers need to reassess how they evaluate third-party risk.
Just under half (44 per cent) of financial institutions only assess third-party risk during the initial supplier onboarding stage, while 41 per cent perform periodic risk assessments. Just 14 per cent follow the gold standard of continuously assessing risk and using dedicated third-party risk management tools.
These varying approaches to digital resilience appear to have significantly different impacts. In 2024, 68 per cent of those who only assessed risk during the onboarding phase suffered a supply chain attack, dropping to 57 per cent for those who periodically assessed and 32 per cent for those who assessed continuously and employed risk management technologies.
Unsurprisingly, these data points suggest that the more frequently financial firms assess third-party risk, the less frequently they suffer supply chain attacks. Yet even with these seemingly obvious findings, a significant share of firms have yet to adopt more robust risk assessment practices.
Are UK regulations falling behind?
In the last few years, the European Union has introduced a host of new cybersecurity regulations, including the Cyber Resilience Act, EU AI Act, Network and Information Systems Directive 2 (NIS2), and, most recently, the Digital Operational Resilience Act (DORA).
In light of these, most UK financial services cybersecurity professionals (74 per cent) say the EU’s security posture and policies rank better than those of many other economic regions. Ninety-two per cent of respondents to the survey want the UK to adopt a country-wide regulation similar to DORA to ensure digital resilience in the financial sector.
Many UK cybersecurity professionals are concerned that, following Brexit, gaps are emerging between the UK and the EU on cybersecurity regulation:
- Seventy-seven per cent perceive a gap between the UK and the EU in the effectiveness of regulatory deterrents
- Seventy-two per cent worry that UK regulation is becoming less comprehensive
- Seventy-six per cent are concerned that UK authorities aren’t providing enough support and guidance
Richard Lindsay, principal advisory consultant at Orange Cyberdefense, said: “Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK’s cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk.
“As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included. Against this backdrop, it’s clear that, despite the UK’s relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU’s in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience.”