January 5, 2026
Beyond the questionnaire: Why Third-Party Risk is now a boardroom number
Elizabeth Huthman
CRQ Advisory Director

The UK Cyber Security and Resilience Bill is moving supply chain security from compliance to calculus.

The days of managing third-party risks with just questionnaires are over. It's time for a new approach.

Many organisations invest heavily in their own security, but third parties remain a significant vulnerability. Verizon’s latest data shows third-party breaches doubled between 2024 and 2025, and now cause 30% of all incidents. These aren't just technical issues; recent incidents have led to patient deaths and supplier bankruptcies.

The increase in regulatory powers and transparency

The UK Cyber Security and Resilience Bill marks a fundamental shift in accountability. By designating "Critical Third Parties" (CTPs), such as managed service providers, for direct regulatory oversight, the government makes clear that the potential impact of system-wide third-party vulnerabilities must be tackled. Over the next year, as third-party responsibilities grow and incident reporting becomes more transparent, expect organisations to face public censure and substantial fines.

We've seen this before with GDPR. Initially dismissed in 2018, GDPR fines now reach hundreds of millions across Europe. The lesson is clear: don't ignore this.

From "high risk" to "high cost"

Current industry practices are inadequate. Questionnaires and ratings offer a superficial view of risk, often based on proxies like unpatched vulnerabilities. They don't answer the crucial question: does "high" risk mean a £10,000 impact or £10 million? Without this clarity, effective risk management is impossible.

To navigate this, we need to move beyond surface-level assurance. Cyber Risk Quantification (CRQ) is the solution. CRQ translates technical threats into financial terms, enabling data-driven decisions. It calculates the financial impact of potential threats, such as third-party outages, recovery costs, and fines – up to £17 million or 4% of global annual revenue under the UK Cyber Security and Resilience Bill (for the most serious incidents).

Imagine this in a board report: "There's a 10% chance of a cyber breach through a third party. The most likely financial impact is £50 million. Worst case: £200 million."

These numbers transform the conversation. Risk moves from technical jargon to financial reality. When boards see quantified exposure, they prioritise action. A £200 million problem isn't just IT – it's a business problem.
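To show how the board-report figures above can be produced rather than asserted, here is an added example (not from the article or Cyber Risk Insights) that turns the stated 10% likelihood, £50M most-likely and £200M worst-case impact into an expected annual loss, a 95th-percentile loss and a loss exceedance probability. The triangular impact distribution and the £5M lower bound are my assumptions; the fine ceiling is the one the article quotes.

```python
import random
import statistics

# Figures from the article's example board report (GBP)
P_BREACH = 0.10              # annual probability of a breach via a third party
LOSS_MODE = 50_000_000       # "most likely" impact
LOSS_MAX = 200_000_000       # "worst case" impact
LOSS_MIN = 5_000_000         # assumed lower bound: the article gives none

# Fine ceiling quoted in the article: £17M or 4% of global annual revenue
FINE_CAP_FIXED = 17_000_000
FINE_CAP_RATE = 0.04


def fine_cap(global_annual_revenue):
    """Maximum fine exposure for the most serious incidents."""
    return max(FINE_CAP_FIXED, FINE_CAP_RATE * global_annual_revenue)


def expected_annual_loss():
    """Analytic expected loss: P(breach) x mean of the impact distribution.
    A triangular (min, mode, max) impact is an assumed modelling choice."""
    return P_BREACH * (LOSS_MIN + LOSS_MODE + LOSS_MAX) / 3


def simulate_annual_losses(trials=20_000, seed=1):
    """Monte Carlo: each trial is one year. A breach occurs with P_BREACH;
    if it does, the loss is drawn from the triangular impact distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        if rng.random() < P_BREACH:
            losses.append(rng.triangular(LOSS_MIN, LOSS_MAX, LOSS_MODE))
        else:
            losses.append(0.0)
    return losses


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds `threshold`
    (one point on a loss exceedance curve)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarise(losses):
    """The numbers a board slide needs: expected, 95th percentile, worst seen."""
    cuts = statistics.quantiles(losses, n=100)   # cuts[94] is the 95th percentile
    return {"expected": statistics.mean(losses), "p95": cuts[94], "max": max(losses)}


if __name__ == "__main__":
    annual = simulate_annual_losses()
    print(f"Analytic expected annual loss: £{expected_annual_loss():,.0f}")
    for label, value in summarise(annual).items():
        print(f"{label:>8}: £{value:,.0f}")
    cap = fine_cap(500_000_000)   # constructed revenue figure
    print(f"P(loss > £{cap:,.0f} fine cap): {exceedance_probability(annual, cap):.1%}")
```

Because the simulation is seeded, two people running it get the same figures, which is what makes a quantified number defensible in front of a board.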

Building a resilient supply chain

True resilience requires looking past the immediate horizon. It involves mapping the supply chain beyond the first tier to understand fourth and fifth parties and replacing basic proofs with data-driven evidence.

Here are key actions to build a more resilient supply chain:

  1. Demand proof, not promises. Stop relying on basic verifications. Demand concrete evidence of control effectiveness, such as penetration test results and live incident response plans. For CTPs, implement continuous monitoring where possible to gain real-time risk visibility.
  2. Stress-test dependencies. Don't wait for a crisis. Conduct rigorous simulations and tabletop exercises to test third-party outages. Know exactly how your business recovers if a critical partner goes down.
  3. Translate risk into revenue. Retire "High/Medium/Low" risk labels. Use Cyber Risk Quantification to assign monetary values to third-party threats. This empowers the Board to compare cyber exposure against other business risks and make financially sound investment decisions.
  4. Illuminate the full ecosystem. Resilience requires depth. Look beyond immediate vendors to map all parties with access to your sensitive data. You can't secure what you can't see.
  5. Collaborate to stay ahead. Cyber resilience is a team sport. Engage in industry peer forums and working groups. Sharing intelligence on emerging trends and best practices is crucial for collective defence.

The Cyber Security and Resilience Bill encourages organisations to close gaps in their supply chains and shift from reacting to crises to building resilience. It demands a clear view of the financial stakes in an interconnected world. Businesses that take a strategic approach to third-party risk will not only protect their interests – they will secure their future.
