
Why third-party risk is now a boardroom number

Published on January 5, 2026

The UK Cyber Security and Resilience Bill is moving supply chain security from compliance to calculus.

The days of managing third-party risks with just questionnaires are over. It's time for a new approach.

Many organisations invest heavily in their own security, but third parties remain a significant vulnerability. Verizon’s latest data shows that third-party breaches doubled between 2024 and 2025 and now cause 30% of all incidents. These aren't just technical issues; recent incidents have led to patient deaths and supplier bankruptcies.

The increase in regulatory powers and transparency

The UK Cyber Security and Resilience Bill marks a fundamental shift in accountability. By designating "Critical Third Parties" (CTPs), such as managed service providers, for direct regulatory oversight, the government makes clear that the potential impact of system-wide third-party vulnerabilities must be tackled. Over the next year, as third-party responsibilities expand and incident-reporting transparency increases, expect organisations to face public censure and substantial fines.

We've seen this before with GDPR. Initially dismissed in 2018, GDPR fines now reach hundreds of millions across Europe. The lesson is clear: don't ignore this.

From "high risk" to "high cost"

Current industry practices are inadequate. Questionnaires and ratings offer a superficial view of risk, often based on proxies like unpatched vulnerabilities. They don't answer the crucial question: does "high" risk mean a £10,000 impact or £10 million? Without this clarity, effective risk management is impossible.

To navigate this, we need to move beyond surface-level assurance. Cyber Risk Quantification (CRQ) is the solution. CRQ translates technical threats into financial terms, enabling data-driven decisions. It calculates the financial impact of potential threats, such as third-party outages, recovery costs, and fines – up to £17 million or 4% of global annual revenue under the UK Cyber Security and Resilience Bill (for the most serious incidents).

Imagine this in a board report: "There's a 10% chance of a cyber breach through a third party. The most likely financial impact is £50 million. Worst case: £200 million."

These numbers transform the conversation. Risk moves from technical jargon to financial reality. When boards see quantified exposure, they prioritise action. A £200 million problem isn't just IT – it's a business problem.
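As an added illustration of how a board-report figure like the one above is produced (example code, not part of the original post or any CRI tooling): it assumes the loss from a third-party breach is lognormal, with the "most likely" £50 million read as the distribution's mode and the "worst case" £200 million as its 95th percentile (both readings are assumptions), and a 10% annual chance that such a breach occurs. It then simulates annual losses to derive the exceedance figures a board actually compares against other risks.

```python
import math
import random

# "Worst case" is interpreted as the 95th percentile (an assumption).
Z95 = 1.6449  # standard-normal 95th percentile

def fit_lognormal(most_likely, worst_case, z=Z95):
    """Fit (mu, sigma) of a lognormal loss whose mode is `most_likely`
    and whose z-percentile is `worst_case` (figures in GBP millions).
    mode = exp(mu - sigma^2) and percentile = exp(mu + z*sigma), so
    sigma solves sigma^2 + z*sigma - ln(worst_case/most_likely) = 0."""
    if not 0 < most_likely < worst_case:
        raise ValueError("need 0 < most_likely < worst_case")
    gap = math.log(worst_case / most_likely)
    sigma = (-z + math.sqrt(z * z + 4 * gap)) / 2
    mu = math.log(most_likely) + sigma * sigma
    return mu, sigma

def lognormal_mode(mu, sigma):
    return math.exp(mu - sigma * sigma)

def lognormal_percentile(mu, sigma, z=Z95):
    return math.exp(mu + z * sigma)

def simulate_annual_loss(p_event, mu, sigma, years=100_000, seed=1):
    """Monte Carlo over simulated years: with probability p_event the year
    contains one third-party breach whose loss is lognormal(mu, sigma),
    otherwise the loss is zero. Returns loss-exceedance style figures."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = [rng.lognormvariate(mu, sigma) if rng.random() < p_event else 0.0
              for _ in range(years)]
    losses.sort()
    return {
        "expected_annual_loss": sum(losses) / years,
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
        "loss_1_in_20_years": losses[int(0.95 * years)],   # 95th percentile
        "loss_1_in_100_years": losses[int(0.99 * years)],  # 99th percentile
    }

def board_summary(p_event=0.10, most_likely=50.0, worst_case=200.0):
    """The board-report figures from the post (10%, GBP 50m, GBP 200m),
    turned into an annualised loss picture. Inputs are constructed values."""
    mu, sigma = fit_lognormal(most_likely, worst_case)
    summary = simulate_annual_loss(p_event, mu, sigma)
    summary["fitted_mode"] = lognormal_mode(mu, sigma)              # ~50
    summary["fitted_worst_case"] = lognormal_percentile(mu, sigma)  # ~200
    return summary

if __name__ == "__main__":
    for name, value in board_summary().items():
        print(f"{name:>22}: {value:,.2f}")
```

With these assumptions the 1-in-20-year annual loss lands near the median breach loss (roughly £73m from the fitted distribution), not the £50m "most likely" figure, because only one year in ten contains a breach at all; that gap is exactly what a "High" label hides.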

Building a resilient supply chain

True resilience requires looking past the immediate horizon. It involves mapping the supply chain beyond the first tier to understand fourth and fifth parties and replacing basic proofs with data-driven evidence.

Here are key actions to build a more resilient supply chain:

  1. Demand proof, not promises. Stop relying on basic verifications. Demand concrete evidence of control effectiveness, such as penetration test results and live incident response plans. For CTPs, implement continuous monitoring where possible, for real-time risk visibility.
  2. Stress-test dependencies. Don't wait for a crisis. Conduct rigorous simulations and tabletop exercises to test third-party outages. Know exactly how your business recovers if a critical partner goes down.
  3. Translate risk into revenue. Retire "High/Medium/Low" risk labels. Use Cyber Risk Quantification to assign monetary values to third-party threats. This empowers the Board to compare cyber exposure against other business risks and make financially sound investment decisions.
  4. Illuminate the full ecosystem. Resilience requires depth. Look beyond immediate vendors to map all parties with access to your sensitive data. You can't secure what you can't see.
  5. Collaborate to stay ahead. Cyber resilience is a team sport. Engage in industry peer forums and working groups. Sharing intelligence on emerging trends and best practices is crucial for collective defence.

The Cyber Security and Resilience Bill encourages organisations to close gaps in their supply chains and shift from reacting to crises to building resilience. It demands a clear view of the financial stakes in an interconnected world. Businesses that take a strategic approach to third-party risk will not only protect their interests – they will secure their future.

Author
Elizabeth Huthman
CRQ Advisory Director
Liz is the CRQ Advisory Director at CRI. With over 16 years of experience working with clients across industries such as private equity, retail, and legal services, Liz is dedicated to managing cybersecurity. Based in London, Liz is passionate about helping clients prioritise their cybersecurity investments based on their specific risk profile.