Leigh Glasper at BlueVoyant explains why optimising supply chain cyber-security in financial services is more critical than ever
Every day, the financial services industry faces a multitude of risks, including geopolitics, compliance, and social and environmental responsibility. Given how complex financial services supply chains are, with thousands of suppliers, cyber-risks, especially those introduced by third parties, have become more and more of an issue. On top of that, penalties for financial institutions that fail to adequately manage cyber-risk are on the rise.
New regulations are coming
The EU’s Digital Operational Resilience Act (DORA) applied from 17 January 2025. DORA is designed to firm up the cyber-defences of EU financial services firms against digital threats via a range of rigorous risk management standards, with fines for non-compliance on a scale similar to GDPR. The exact penalties are set by national competent authorities, but companies found to be in breach face fines of up to 2% of annual global turnover, and individuals can incur fines of up to €1,000,000.
Non-compliance with DORA is also costly for third-party providers to EU financial services firms, with fines of up to €5,000,000 for companies and €500,000 for individuals. Given these potential fines, as well as additional consequences including suspension of service, mandatory remedial measures, reputational damage and public reprimands, the breadth and scope of the DORA framework will only further keep CISOs, CIOs, and risk management professionals awake at night.
Prioritising third-party risk management
BlueVoyant’s recent State of Supply Chain Defence report looked at the pain points of UK financial services businesses in dealing with cyber-security issues originating within third-party ecosystems. The survey included 300 UK C-level respondents responsible for supply chain and cyber-risk management, representing organisations with more than 1,000 employees across a range of industries.
More so than in any other sector surveyed, decision makers within UK financial services organisations cite regulatory compliance as their biggest pain point, with 30% saying so.
Overall, 74% of financial services organisations in the UK admitted to being negatively impacted by one or more supply chain cyber-security breaches in the past 12 months in the same survey. Clearly, there is a pressing need to make supply chain defence a strategic priority.
The top pain points facing firms attempting to improve their supply chain cyber-risk management are:
The sheer number of suppliers within UK organisations’ third-party ecosystems, according to the survey, is concerning. More than eight in ten (84%) UK financial services businesses have between 501 and 50,000 partners. Furthermore, 98% of those UK businesses with between 1,001 and 50,000 suppliers in their third-party ecosystem reported having been negatively impacted by cyber-security incidents within the last 12 months.
Supply chain visibility remains low
Not even a quarter (22%) of UK financial services firms currently monitor all their suppliers for cyber-security risk, with just 24% monitoring for third-party/supplier risk on either a weekly or monthly basis, according to the survey. A staggering 32% of UK financial services organisations don’t monitor the cyber-security of third-party suppliers at all.
An astonishing 30% “have no way of knowing” about cyber-security issues arising in their supply chains. Furthermore, 34% rely on their third parties to “ensure adequate security,” whilst 30% inform third parties about any issues and hope they fix them.
More so than in any other sector, 44% of UK financial services respondents say that monitoring their supply chain for cyber-risk is not a priority at all for their company, according to the survey. For an industry where the crown jewels of financial data are at the mercy of attackers who need to find just a single entry point within huge supply chains, UK organisations have a long way to go as new regulations come into effect.
Regulation as a revenue driver
The survey results raise the question of how UK financial services organisations can avoid falling foul of DORA, and avoid significant financial, reputational, and legal issues should they suffer a cyber-attack. First, they must fully familiarise themselves with the legislation: its specific implications for their businesses and everything they’ll need to do to become and stay compliant.
Furthermore, UK financial services organisations shouldn’t assume they are exempt from DORA. Although the UK is not an EU member state, companies within the UK need to be abreast of how DORA affects them, particularly if they do business with EU entities and customers. Also, given its wide-ranging implications for how firms will operate moving forward, DORA should be viewed as an opportunity to drive revenues through reassurance and differentiation.
What’s more, the UK is expected to soon bring to Parliament the Cyber Security and Resilience Bill, which will aim to be compatible with DORA and other new EU regulations. By being compliant with DORA, purely UK-based organisations will likely have an advantage when new local regulations come into force.
Complexity necessitates a holistic view
UK financial services organisations should thoroughly assess their existing resilience capabilities and identify areas for immediate improvement aligned with DORA’s stipulations. This will help them to pinpoint any gaps and how best to fill them. They should also consider additional frameworks such as ISO27001, NIST 2, and CIS18 when enhancing the security posture of their own business and of their third-party vendors. These provide a structure for security assessment, management, and compliance.
The strength, breadth, depth, frequency, and thoroughness of third-party cyber-risk assessment and monitoring is critical for the financial services industry. Therefore, making supply chain cyber-defence a strategic priority will be crucial, not only for regulatory compliance, but the overall security, standing, sustainability, and profitability of the UK financial services sector in the long term.
Leigh Glasper is Director, Cyber Advisory at BlueVoyant
Main image courtesy of iStockPhoto.com and solarseven
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543