![Story image](https://itbrief.co.uk/uploads/story/2025/02/06/techday_f_f6fc72b6968ce3c8263e.webp)
UK financial firms hit by rising supply chain cyber attacks
New research from Orange Cyberdefense indicates that a significant proportion of large financial services firms in the UK experienced third-party supply chain attacks in 2024, with nearly a quarter facing multiple incidents.
The study, commissioned by Orange Cyberdefense, surveyed 200 Chief Information Security Officers and senior security decision-makers. It revealed that 58% of large UK financial services firms reported at least one third-party supply chain attack during the year, with 23% being targeted three times or more.
According to the findings, the current assessment of third-party risk within these institutions is predominantly carried out during the initial supplier onboarding stage. Specifically, 44% of the institutions limit their risk assessment to this phase. Continuous assessment, which is considered a gold standard, is performed by only 14% of the surveyed institutions.
The data also showed a correlation between how often third-party risk is assessed and whether a supply chain attack was reported. Among firms that assessed risk only at onboarding, 68% reported suffering an attack. That share fell to 57% among firms with periodic assessments and to 32% among firms performing continuous assessment with risk management technologies. The survey establishes correlation rather than cause, but the pattern is consistent with the view that a point-in-time onboarding check cannot detect a supplier whose security posture degrades after the contract is signed.
The findings have prompted a call for increased regulatory measures to enhance digital resilience in the financial sector. An overwhelming 92% of cybersecurity professionals expressed support for the UK to implement regulation akin to the EU's Digital Operational Resilience Act (DORA).
The survey also pointed to concerns among UK cybersecurity professionals about the gap forming between the UK and the EU regarding cybersecurity regulation post-Brexit. A significant 77% perceived a difference in the effectiveness of regulatory deterrents, and 74% were worried about the declining confidence in UK regulation. Furthermore, 72% were concerned that UK regulations are becoming less comprehensive, and 76% felt that UK authorities were not providing sufficient support and guidance.
Despite these challenges, there remains a sense of optimism among many professionals. More than half expressed positive sentiments about the current state of UK cybersecurity regulation.
Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, commented on the situation: "Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK's cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk."
He continued: "As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included. Against this backdrop, it's clear that, despite the UK's relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU's in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience."