Over half of UK financial services institutions have suffered at least one third-party supply chain attack in 2024

LONDON, United Kingdom - February 6th, 2025 - New research from Orange Cyberdefense, Orange's specialist cybersecurity business unit and a leader in cybersecurity services in Europe, reveals that nearly six in 10 (58%) large UK financial services (FS) firms suffered at least one third-party supply chain attack in 2024, with 23% being targeted three or more times.

Supply chain attacks continue to be one of the most critical and challenging areas in cybersecurity today. A Censuswide survey of 200 UK CISOs and senior security decision-makers, commissioned by Orange Cyberdefense, reveals that most FS firms must reevaluate how they assess third-party risk.

Just under half (44%) of FS institutions only assess third-party risk during the initial supplier onboarding stage, while a similar proportion (41%) perform periodic risk assessments. Crucially, just 14% follow the gold standard of continuously assessing risk and using dedicated third-party risk management tools.

The impact of these different approaches on digital resilience is clear. In 2024, 68% of those who only assessed risk during the onboarding phase suffered a supply chain attack, dropping to 57% for those who assessed periodically and to 32% for those who assessed continuously and employed third-party risk management technologies. Survey data of this kind shows correlation rather than proven cause and effect, but the pattern is consistent: the more frequently FS organisations assess third-party risk, the less frequently they report supply chain attacks. What then needs to change to encourage more FS organisations to adopt more robust risk assessment practices?

Regulation for resilience

In the last few years, the EU has introduced a host of new cybersecurity regulations, including the Cyber Resilience Act, the EU AI Act, the Network and Information Systems Directive 2 (NIS2) and, most recently, the Digital Operational Resilience Act (DORA), which has applied to in-scope financial entities since 17 January 2025.

Despite the compliance difficulties that new regulations often pose for businesses, most UK FS cybersecurity professionals (74%) say the EU's security posture and policies rank better than those of many other economic regions. Consistent with this, 92% of respondents to our survey would like the UK to adopt a country-wide regulation similar to DORA to ensure digital resilience in the financial sector.

In fact, many UK cybersecurity professionals are concerned that, following Brexit, gaps are emerging between the UK and the European Union on cybersecurity regulation:

  • Over three-quarters (77%) perceive a gap in the effectiveness of regulatory deterrents
  • Similarly, 74% are concerned that confidence in UK regulation is dropping
  • 72% worry that UK regulation is becoming less comprehensive
  • And 76% are concerned that UK authorities (e.g. government and regulatory bodies) aren’t providing enough support and guidance

Despite concerns that the UK could struggle to keep pace with the EU on regulation, senior cybersecurity professionals are currently taking an optimistic stance. Over half (55%) are encouraged, excited, confident or optimistic about the current state of UK cybersecurity regulation.

 

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense, said: “Despite the confusing tangle of regulations and laws currently in – or being brought into – effect across the EU, the UK’s cybersecurity professionals seem to recognise that the juice is worth the squeeze, and are buoyed by the opportunity to make a positive impact on UK management of cyber risk.

“As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included. Against this backdrop, it’s clear that, despite the UK’s relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU’s in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience.”

About the Digital Operational Resilience Act (DORA)

DORA (Regulation (EU) 2022/2554) requires in-scope financial entities to implement protection, detection, containment, recovery and repair measures, and sets out clear rules for ICT risk management, ICT-related incident reporting, digital operational resilience testing, and oversight of ICT third-party risk.

About the study

Censuswide conducted this research on behalf of Orange Cyberdefense between December 18th and 31st, 2024. The survey included 200 CISOs and senior security decision-makers from financial services companies with more than 1,000 employees in the UK—a non-EU member state significantly impacted by DORA due to its business ties with EU countries. The study was nationally representative.

About Orange Cyberdefense

Orange Cyberdefense is the Orange Group entity dedicated to cybersecurity. It protects 9,000 large companies across the entire threat lifecycle. As Europe's leading cybersecurity services provider, we aim to be the trusted cyber partner committed to creating value for all by delivering the safest digital space. Our service capabilities draw their strength from research and intelligence, which allows us to offer our clients unparalleled knowledge of current and emerging threats. With more than 30 years of experience in the field of information security, 3,000 multi-disciplinary experts and 36 detection centres spread around the world, we know how to address the global and local issues of our customers. Cybersecurity is a human journey, so we build a safer digital society by placing people at the core of our actions.

Press contact

Edward Cooper

Babel PR for Orange Cyberdefense

orangecyberdefense@babelpr.com

+44 (0)20 7434 5550