Ever changing third-party cyber risk: A UK Perspective

Introduction

Most of us work with vendors and suppliers in our businesses, and it is becoming increasingly evident quite how much we rely on these entities.
In recent months, the UK has witnessed a series of third-party cyber breaches: organisations have suffered breaches or outages not because of a failure of their own, but because one of their suppliers was compromised.


Here are some examples:

Evolve Bank & Trust – A US financial institution that suffered a breach which in turn affected several other financial institutions, including Affirm and Wise.

Digital ID – The provider of ID cards to many entities, including Greater Manchester Police, suffered a ransomware attack that could have exposed the identities of thousands of police officers.

MOVEit – Hackers exploited flaws in the MOVEit software to attack multiple organisations, including the BBC, Boots and many others.

There are many more examples that illustrate how much we rely on third parties to deliver our day-to-day services. 


How organisations are responding

The recent breaches are part of a broader trend of cyber threats increasingly targeting service organisations. Regulators, too, are beginning to focus here: the Digital Operational Resilience Act is due to come into force in the EU in early 2025, the Swiss regulator FINMA has issued recent guidance on the subject, and the UK promised a Cyber Resilience Act in the recent King’s Speech.

Both the threat landscape and the regulatory landscape point to the need for organisations to improve and formalise supplier risk management. This can be time consuming and bureaucratic, but more and more it is proving necessary. In our view, measures include:

  • Pragmatic review of suppliers: You need to understand who your vendors and suppliers are. It seems simple, but often it is not.
  • Base it around communication, not challenge: Clearly communicate your security expectations wherever you can.
  • Put your expectations in writing: Ideally in the agreement you have with your supplier. Be sure to outline who is responsible for what, as sometimes responsibilities will be shared.
  • Leverage existing assurance: Check whether they have SOC 2 reports or third-party accreditations (such as Cyber Essentials or ISO 27001).
  • Check fourth parties (and beyond): Make sure you understand which suppliers your supplier is using, and that your supplier applies the same vendor due diligence as you do.
  • Challenge if you need to: Sometimes you need to send a questionnaire or ask for more information than they have given you.
  • Support remediation: Help your suppliers to improve if you can, and make sure you give them feedback.


Conclusion

The recent spate of third-party breaches in the UK underscores a critical weakness in modern supply chains. As cyber threats continue to evolve, you must adopt robust risk management practices and maintain oversight of your third-party partners. By doing so, you can better protect sensitive data and meet regulatory requirements in an increasingly interconnected digital landscape.
