Securing Your Software Supply Chain: A Critical Leadership Responsibility Against Growing Cyber Threats

Nikita Shekhawat - Feb 17 - Dev Community


More than half of large UK financial services firms experienced at least one third-party supply chain attack in 2024, with nearly a quarter facing three or more incidents, according to research from Orange Cyberdefense. The findings emphasize the increasing vulnerability of financial institutions to cyber threats stemming from their vendor ecosystems. A survey of 200 UK CISOs and senior security decision-makers revealed that many firms still rely on outdated risk assessment models. Nearly half (44%) assess third-party risks only during initial onboarding, while 41% conduct periodic reviews. Only 14% employ continuous monitoring supported by dedicated risk management tools.

The Hidden Cyber Threat Lurking in Your Supply Chain

The impact of these strategies is significant. Among firms that assessed risk only at onboarding, 68% suffered an attack. That figure dropped to 57% for those conducting periodic reviews and 32% for those with continuous monitoring. This data suggests a clear correlation: the more frequently firms evaluate their suppliers, the lower their risk exposure.

Calls for Regulatory Alignment

Cybersecurity professionals argue that regulatory frameworks can drive better risk management. Across the European Union, financial services firms must comply with increasingly stringent rules, including the Cyber Resilience Act, NIS2, and the Digital Operational Resilience Act (DORA). In contrast, UK regulations remain fragmented following Brexit, leading to concerns that the country is falling behind. A majority of UK cybersecurity leaders (92%) believe that the UK should implement its own version of DORA to strengthen digital resilience. Nearly three-quarters (74%) say the EU’s security policies are more robust than those of other economic regions.

There is unease about regulatory gaps emerging between the UK and EU:

  • 77% believe UK regulatory deterrents are weaker than those in the EU.
  • 74% worry that confidence in UK regulations is eroding.
  • 72% say UK cybersecurity policies are becoming less comprehensive.
  • 76% feel UK authorities are not providing enough guidance or support.

Despite these concerns, sentiment toward UK cybersecurity regulation remains mixed. More than half (55%) of respondents describe their outlook as optimistic, confident, or excited about the country’s evolving regulatory landscape.

A Question of Cyber Resilience

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, notes that while regulatory compliance is often seen as a burden, it can enhance digital resilience. “Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK’s cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk,” Lindsay stated. He added that, given the growing frequency of supply chain attacks, financial institutions may benefit from aligning UK cybersecurity policies more closely with EU standards.

“Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience,” he said.

Cyberattacks: A Growing Threat for Accountancy Firms

Professional services firms are becoming increasingly reliant on technology for both internal and external functions. However, cyberattacks are a growing reality, making it a question of ‘not if, but when’ firms suffer a business-critical event. Addressing this exposure is a challenge that all professional services firms must meet.

Accounting firms are particularly attractive targets for cybercriminals due to the volume of confidential and sensitive client information they store. The release of client information could lead to devastating financial loss for individuals and significant damage to a firm’s reputation.

For instance, a malware attack on a global provider of accounting software forced the firm to take cloud-based applications offline, causing major interruptions for clients. When firms are found to have been negligent in their data handling and cybersecurity measures, they may face lawsuits from clients.

Preventing Business-Critical Cyberattacks

Given the potential impact of a cybersecurity breach, firms must take effective steps to prevent occurrences. Attention and investment should be directed toward cybersecurity, including privileged access management, patch management, and Security Information and Event Management (SIEM) systems, as well as multi-factor authentication (MFA).

Controls against cyberattacks fall into three categories:

  1. Preventative controls – Improve weaknesses in information systems to prevent cyberattacks.
  2. Detective controls – Alert businesses to attempts to infiltrate networks and warn them when a cyberattack occurs.
  3. Corrective controls – Minimize impact after an incident and help restore functionality.

The preparedness of firms is often dependent on size. Smaller firms typically lack the resources to implement strong defenses, making them attractive targets. In contrast, larger firms may have robust cybersecurity measures, but the scale of damage from their breaches can be significantly greater.

Cyber Insurance – A Worthwhile Investment

Establishing financial and operational resilience is essential. Cyber insurance can mitigate the risks posed by cyberattacks, although it comes at a cost. Premiums and self-insured retentions have increased, while limits have decreased. Many firms find cyber protection too expensive compared to other forms of cover, such as professional indemnity insurance.

However, many traditional policies may not respond to cyber incidents, so standalone cyber policies provide vital coverage. Such policies include protection for IT infrastructure and activities, reimbursement for the costs of responding to cyber events, and access to expert breach response teams.

Why Securing Your Software Supply Chain is Now a Critical Leadership Responsibility

Cyber threats to the software supply chain are rising, making it a critical concern for business leaders. Vulnerabilities within the supply chain can have devastating impacts on operational integrity and reputation. Organizations must implement robust security measures, such as thorough risk assessments, continuous monitoring, secure development practices, and strong vendor management.

The Real Threats to Software Supply Chains

Dependency Exploits: Software relies heavily on third-party libraries. Each dependency must be scrutinized for potential weaknesses.

Compromised Code Repositories: Cybercriminals target open-source repositories. Regular audits of open-source code integrity are essential.

Insecure Software Updates: Compromised update mechanisms pose significant risks. Implement cryptographic signing and automated integrity checks to secure updates.

Insider Threats: Malicious insiders can introduce vulnerabilities. Comprehensive vetting and ongoing training are necessary to reduce risk.

Vendor Risks: Every vendor represents a potential vulnerability. Establish rigorous criteria for vendor selection and ongoing monitoring.
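The signing and integrity checks called for under Insecure Software Updates, as an added example that is not code from the original post: the publisher signs a manifest of per-file SHA-256 digests with Ed25519, and the client verifies that signature against a pinned public key before it trusts any digest in the manifest. The manifest layout, file paths and file contents are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest lists every file in a release with its expected SHA-256 digest.
// Constructed format for this example, not any vendor's real update format.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex SHA-256
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest runs on the publisher's build system: serialize the manifest
// and sign exactly the bytes that ship next to the update package.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	if body, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// VerifyUpdate runs on the client before anything is installed. The signature is
// checked with the pinned key first; only then are the manifest's digests trusted
// and compared with the delivered files. Listed-but-missing and delivered-but-
// unlisted files both fail closed.
func VerifyUpdate(pub ed25519.PublicKey, body, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, body, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	for path, want := range m.Files {
		data, ok := files[path]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but missing from package", path)
		}
		if digestHex(data) != want {
			return fmt.Errorf("%s: digest mismatch", path)
		}
	}
	for path := range files {
		if _, ok := m.Files[path]; !ok {
			return fmt.Errorf("%s: delivered but absent from signed manifest", path)
		}
	}
	return nil
}

// Scenario publishes a constructed release and verifies it three times: honest
// package, one file swapped in transit, and a manifest rewritten to match the
// swapped file but still carrying the original signature.
func Scenario() (honestErr, swappedFileErr, forgedManifestErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	files := map[string][]byte{ // constructed release contents
		"bin/agent":     []byte("constructed agent binary v2.1.0"),
		"etc/agent.cfg": []byte("log_level=info\n"),
	}
	m := Manifest{Version: "2.1.0", Files: map[string]string{}}
	for p, d := range files {
		m.Files[p] = digestHex(d)
	}
	body, sig, err := SignManifest(priv, m)
	if err != nil {
		return err, err, err
	}
	honestErr = VerifyUpdate(pub, body, sig, files)

	swapped := map[string][]byte{"etc/agent.cfg": files["etc/agent.cfg"]}
	swapped["bin/agent"] = []byte("constructed agent binary, modified in transit")
	swappedFileErr = VerifyUpdate(pub, body, sig, swapped)

	// Without the publisher's private key the old signature does not cover new bytes.
	forged := Manifest{Version: m.Version, Files: map[string]string{}}
	for p, h := range m.Files {
		forged.Files[p] = h
	}
	forged.Files["bin/agent"] = digestHex(swapped["bin/agent"])
	forgedBody, _ := json.Marshal(forged)
	forgedManifestErr = VerifyUpdate(pub, forgedBody, sig, swapped)
	return honestErr, swappedFileErr, forgedManifestErr
}

func main() {
	honest, swapped, forged := Scenario()
	fmt.Println("honest:", honest, "| swapped file:", swapped, "| forged manifest:", forged)
}
```

The order inside VerifyUpdate is the point: a digest table is only as trustworthy as the signature over it, so the signature check must come before any digest is read, and the pinned public key must ship with the client rather than alongside the update.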

Building a Resilient Software Supply Chain: Key Security Measures

Conduct Thorough Risk Assessments: Identify critical assets and potential risks through comprehensive assessments. Regular vulnerability scans and leveraging threat intelligence services are crucial.

Strengthen Vendor and Third-Party Management: Establish stringent standards for vendor selection and monitoring. Insist on transparency through Software Bills of Materials (SBOMs).

Implement Secure Development Practices: Integrate security into the software development lifecycle (SDLC) with secure coding practices and regular code reviews.

Continuous Monitoring and Incident Response: Real-time monitoring tools are essential. Implement robust incident response plans and conduct regular preparedness drills.

Employee Training and Awareness: Regular training programs focusing on supply chain risks reduce the likelihood of breaches.
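One way to act on the SBOM transparency requirement above, as an added example that is not code from the original post: read the component list of a CycloneDX-style JSON SBOM and compare each declared version against an internal advisory list, flagging components that are below a fixed version, that declare no version at all, or whose version string cannot be compared. The SBOM contents, component names and advisory identifiers (ADV-EXAMPLE-...) are constructed; only the CycloneDX field names (bomFormat, components, name, version, purl) are real.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is the subset of a CycloneDX JSON component that this check reads.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type SBOM struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Advisory is a constructed internal record: the first version no longer affected.
type Advisory struct {
	ID, Name, FixedIn string
}

type Finding struct {
	Component, Version, Issue string
}

// parseVersion accepts "major.minor.patch" (optional leading "v"); anything else
// is reported as unparsable rather than silently treated as safe.
func parseVersion(v string) ([3]int, bool) {
	var out [3]int
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return out, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, false
		}
		out[i] = n
	}
	return out, true
}

func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// ReviewSBOM returns one finding per problem, in component order.
func ReviewSBOM(raw []byte, advisories []Advisory) ([]Finding, error) {
	var bom SBOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", bom.BOMFormat)
	}
	byName := map[string][]Advisory{}
	for _, a := range advisories {
		byName[a.Name] = append(byName[a.Name], a)
	}
	var findings []Finding
	for _, c := range bom.Components {
		if c.Version == "" {
			findings = append(findings, Finding{c.Name, "", "no version declared; cannot match against advisories"})
			continue
		}
		have, ok := parseVersion(c.Version)
		if !ok {
			findings = append(findings, Finding{c.Name, c.Version, "unparsable version; manual review required"})
			continue
		}
		for _, a := range byName[c.Name] {
			if fixed, ok := parseVersion(a.FixedIn); ok && lessThan(have, fixed) {
				findings = append(findings, Finding{c.Name, c.Version,
					fmt.Sprintf("affected by %s (fixed in %s)", a.ID, a.FixedIn)})
			}
		}
	}
	return findings, nil
}

// Constructed sample SBOM: one patched, one affected, one unversioned, one odd version.
const sampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.9", "purl": "pkg:generic/example-json-parser@2.3.9"},
    {"type": "library", "name": "example-http-client", "version": "5.1.0", "purl": "pkg:generic/example-http-client@5.1.0"},
    {"type": "library", "name": "example-logger", "purl": "pkg:generic/example-logger"},
    {"type": "library", "name": "example-crypto-shim", "version": "latest", "purl": "pkg:generic/example-crypto-shim"}
  ]
}`

// Constructed advisory list; identifiers are placeholders, not real CVEs.
var sampleAdvisories = []Advisory{
	{ID: "ADV-EXAMPLE-001", Name: "example-json-parser", FixedIn: "2.4.0"},
	{ID: "ADV-EXAMPLE-002", Name: "example-http-client", FixedIn: "5.0.2"},
}

func main() {
	findings, err := ReviewSBOM([]byte(sampleSBOM), sampleAdvisories)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-8s %s\n", f.Component, f.Version, f.Issue)
	}
}
```

Treating a missing or non-comparable version as a finding rather than as "not affected" is deliberate: an SBOM that omits versions gives no transparency, and a vendor review process should send it back rather than pass it.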

Securing your software supply chain is a board-level priority that determines the future of your organization’s security and success. By embedding security practices into every phase of software development, business leaders can protect critical assets and maintain customer trust.

For organizations looking to enhance their cybersecurity posture and leverage emerging trends in the industry, GrackerAI offers AI-powered solutions tailored for cybersecurity marketing. By transforming security news into strategic content opportunities, GrackerAI enables marketing teams to monitor threats, identify trends, and produce relevant content that resonates with cybersecurity professionals.

Explore GrackerAI's services at GrackerAI for comprehensive cybersecurity marketing solutions.
