Third-party supply chain attacks have emerged as a significant cybersecurity challenge for the UK’s financial services sector, according to new research by Orange Cyberdefense. The study reveals that 58% of large financial institutions experienced at least one such attack in the past year. Nearly a quarter, or 23%, of these organisations faced three or more incidents, highlighting the growing exposure to third-party risks within the industry.

The findings come from a survey conducted by Censuswide on behalf of Orange Cyberdefense between 18 and 31 December 2024. The survey involved 200 chief information security officers (CISOs) and senior security decision-makers from financial services companies in the UK, each employing more than 1,000 people.

Despite the increasing frequency of attacks, many financial institutions continue to rely on limited risk assessment practices. The study found that 44% of firms assess third-party risks only during the initial onboarding of suppliers, while 41% conduct periodic assessments after onboarding. Only 14% of organisations continuously monitor third-party risks using dedicated risk management tools.

Among firms that evaluated third-party risks solely during the onboarding phase, 68% reported suffering a supply chain breach in 2024. This figure dropped to 57% among companies that conducted periodic reviews and to 32% for organisations implementing continuous risk assessment practices supported by specialised risk management technologies. These figures suggest a strong correlation between proactive, ongoing risk management and reduced exposure to cyber incidents, although as self-reported survey data they show association rather than cause: firms with mature monitoring may also be better at detecting and attributing incidents, or may differ in size and supplier base.

The survey found that 92% of respondents support the introduction of a UK-specific regulatory framework similar to the European Union (EU)’s Digital Operational Resilience Act (DORA). This strong level of support comes amid concerns about potential gaps in the UK’s current regulatory landscape. For example, 77% of respondents believe there is a growing gap between the effectiveness of cybersecurity regulations in the UK and those in the EU.

Additionally, 74% expressed concerns that confidence in the UK’s cybersecurity regulatory framework is declining, while 72% worry that UK regulations are becoming less comprehensive over time. Another 76%, meanwhile, felt that government authorities and regulatory bodies are not providing adequate support and guidance to help organisations address emerging cybersecurity threats effectively.

“As our research shows, the threat landscape is especially volatile, with supply chain attacks a growing issue for many businesses, UK financial services included,” said Orange Cyberdefense’s principal advisory consultant Richard Lindsay. “Against this backdrop, it’s clear that, despite the UK’s relative freedom from EU regulation, cybersecurity professionals here would rather see UK policy hew closer to the EU’s in the near term. Only by keeping pace with our closest neighbours and trading partners can we all benefit from improved digital resilience.”

Despite these concerns, more than half of the surveyed cybersecurity professionals, or 55%, reported feeling encouraged, confident, or optimistic about the current state of the UK’s cybersecurity regulations. This optimism reflects a belief that, while gaps exist, there are opportunities to strengthen the UK’s regulatory framework to better address evolving cybersecurity challenges and align more closely with international standards.

Major cyberattacks targeting financial institutions in 2024

In 2024, several major cyberattacks targeted financial institutions globally, exposing sensitive data and disrupting operations. Fidelity Investments, which administers over $14 trillion in assets, suffered a data breach in August that compromised the personal information of over 77,000 customers. Attackers created fraudulent customer accounts and used them to access internal data, with allegations pointing to inadequate employee security training as a possible contributing factor.

In February, US-based Financial Business and Consumer Solutions (FBCS) experienced a breach affecting 4.2 million individuals, exposing social security numbers, account details, and driver’s license information. The breach impacted companies like Truist Bank and Comcast, with warnings issued about potential phishing attacks.

Patelco Credit Union faced a ransomware attack in June, believed to have originated from a phishing email, causing a two-week operational shutdown and exposing data of over one million customers and employees.

In August, US-based United Services Automobile Association (USAA) disclosed a breach affecting 32,000 customers due to a system update error, compromising sensitive data such as social security numbers, passport details, and insurance information.

Lastly, in October, Transak, a cryptocurrency payment processor, reported a breach affecting 92,554 users after a phishing attack compromised employee credentials, leading to the theft of sensitive personal and biometric data.
