Third-Party Risk Management Failures Expose UK Finance Sector
Over half (58%) of large UK financial services firms suffered at least one third-party supply chain attack in 2024, according to a study by Orange Cyberdefense.
Nearly a quarter (23%) of these companies were hit three or more times by third-party attacks.
The research identified significant gaps in financial services third-party risk management strategies. Close to half (44%) of these institutions admitted that they only assess third-party risk during the initial supplier onboarding stage.
A similar proportion (41%) perform periodic risk assessments. Just 14% said they continuously assess risk and use dedicated third-party risk management tools.
A clear link was highlighted between the extent of risk management performed and the chances of suffering a supply chain attack. Over two-thirds (68%) of those who only assessed risk during the onboarding phase suffered a supply chain attack in 2024.
This dropped to 57% for those who periodically assessed risk and 32% for those who assessed continuously and employed risk management technologies.
Concerns Over Brexit Impact on Regulatory Alignment
CISOs and security decision makers surveyed expressed concerns about a lack of cybersecurity regulatory alignment between the UK and EU.
This follows the EU recently introducing major new legislation impacting financial services, including the Network and Information Systems Directive 2 (NIS2), the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).
Around three-quarters (74%) of respondents said that the EU’s security posture and policies rank better than many other economic regions.
A similar proportion (77%) perceived a gap between the effectiveness of regulatory deterrent in the UK versus the EU. Similarly, 74% are concerned that confidence in UK regulation is dropping, while 72% worry that UK regulation is becoming less comprehensive.
Additionally, 76% stated that UK authorities are not providing enough regulatory support and guidance.
As a result, 92% would like the UK to adopt a country-wide regulation similar to DORA to ensure digital resilience in the financial sector.
Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, commented: “As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included.”
“Against this backdrop, it’s clear that, despite the UK’s relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU’s in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience.”
In July 2024, the new Labour government in the UK introduced the Cyber Security and Resilience Bill, which appears to be an attempt to align UK rules closer with the NIS2 provisions.
Over half (55%) of cybersecurity professionals surveyed in the new report are encouraged, excited, confident or optimistic about the current state of UK cybersecurity regulation.
Image credit: Kauka Jarvi / Shutterstock.com