

- 58% of large UK financial firms suffered a supply chain cyberattack in 2024.
- 23% of affected firms were targeted three or more times.
- Surveyed CISOs and security leaders indicate firms lack strong third-party risk management.
- 44% assess third-party risk only during onboarding, 41% do periodic checks, but only 14% conduct continuous monitoring.
- Firms assessing risk continuously had fewer attacks (32%) than those reviewing risk periodically (57%) or only at onboarding (68%).

New research from Orange Cyberdefense reveals that nearly six in ten large UK financial services firms suffered at least one third-party supply chain cyberattack in 2024, highlighting a growing threat to the sector. Of those affected, nearly a quarter experienced three or more attacks, raising serious concerns about digital resilience and third-party risk management.

A survey conducted by Censuswide on behalf of Orange Cyberdefense questioned 200 UK CISOs and senior security decision-makers. The findings indicate that many financial institutions are failing to implement robust third-party risk management strategies, leaving them exposed to attacks that arrive through their suppliers.

44% of financial firms assess third-party risk only during the initial onboarding phase, while 41% conduct periodic assessments. Only 14% continuously monitor risk using dedicated third-party risk management tools. The research found a direct correlation between the frequency of risk assessments and the likelihood of experiencing a cyberattack.

Among firms that only assessed risk at onboarding, 68% fell victim to supply chain attacks. This dropped to 57% for those conducting periodic reviews and to 32% for firms employing continuous risk monitoring and dedicated management tools. The findings suggest that more frequent assessments could significantly reduce the likelihood of cyber incidents.

Regulatory frameworks play a crucial role in strengthening cybersecurity defences. In recent years, the European Union has introduced regulations such as the Cyber Resilience Act, the EU AI Act, and the Digital Operational Resilience Act (DORA) to enhance digital security. Despite Brexit, a majority of UK cybersecurity professionals believe the country should adopt a similar regulatory framework to protect financial institutions.

The study found that 92% of UK financial sector cybersecurity professionals support the introduction of a DORA-style national regulation to bolster digital resilience. Additionally, 74% of respondents believe EU security policies are more effective than those in other economic regions.

There are growing concerns that the UK's regulatory approach is falling behind that of the EU. More than three-quarters of cybersecurity professionals believe UK regulatory deterrents are weaker than those in the EU. Similarly, 74% expressed concern that confidence in UK cybersecurity regulations is declining, while 72% worry that UK regulations are becoming less comprehensive.

A further 76% believe UK authorities, including government and regulatory bodies, are not providing sufficient guidance and support to financial firms. Despite these concerns, over half of industry professionals remain optimistic about the future of UK cybersecurity regulation.

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, acknowledged the challenges of navigating complex regulatory frameworks. He emphasised that while UK firms are no longer bound by EU regulations, many cybersecurity professionals recognise the benefits of aligning UK policy with European standards.

“Despite the confusing tangle of regulations across the EU, the UK’s cybersecurity professionals see the value in maintaining strong cyber risk management,” Lindsay said. “As our research shows, supply chain attacks are an increasing threat, particularly in financial services. Given this landscape, it’s clear that many professionals would prefer UK policy to closely follow EU regulations to strengthen digital resilience.”
