January 5, 2026
Beyond the questionnaire: Why Third-Party Risk is now a boardroom number
Elizabeth Huthman
CRQ Advisory Director

The UK Cyber Security and Resilience Bill is moving supply chain security from compliance to calculus.

The days of managing third-party risks with just questionnaires are over. It's time for a new approach.

Many organisations invest heavily in their own security, but third parties remain a significant vulnerability. Verizon's latest data shows third-party breaches doubled between 2024 and 2025, now causing 30% of all incidents. These aren't just technical issues; recent incidents have led to patient deaths and supplier bankruptcies.

The increase in regulatory powers and transparency

The UK Cyber Security and Resilience Bill marks a fundamental shift in accountability. By designating "Critical Third Parties" (CTPs), such as managed service providers, for direct regulatory oversight, the government makes clear that the potential impact of system-wide third-party vulnerabilities must be tackled. Over the next year, as third-party responsibilities grow and incident-reporting transparency improves, expect organisations to face public censure and substantial fines.

We've seen this before with GDPR. Initially dismissed in 2018, GDPR fines now reach hundreds of millions across Europe. The lesson is clear: don't ignore this.

From "high risk" to "high cost"

Current industry practices are inadequate. Questionnaires and ratings offer a superficial view of risk, often based on proxies like unpatched vulnerabilities. They don't answer the crucial question: does "high" risk mean a £10,000 impact or £10 million? Without this clarity, effective risk management is impossible.

To navigate this, we need to move beyond surface-level assurance. Cyber Risk Quantification (CRQ) is the solution. CRQ translates technical threats into financial terms, enabling data-driven decisions. It calculates the financial impact of potential threats, such as third-party outages, recovery costs, and fines – up to £17 million or 4% of global annual revenue under the UK Cyber Security and Resilience Bill (for the most serious incidents).

Imagine this in a board report: "There's a 10% chance of a cyber breach through a third party. The most likely financial impact is £50 million. Worst case: £200 million."

These numbers transform the conversation. Risk moves from technical jargon to financial reality. When boards see quantified exposure, they prioritise action. A £200 million problem isn't just IT – it's a business problem.
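As an added illustration (not code from the original post or from Cyber Risk Insights), the board-report statement above can be produced from a simple Monte Carlo model: the 10% annual likelihood, the £50 million "most likely" impact and the £200 million "worst case" come from the post; the £5 million floor, the PERT-style (scaled beta) impact distribution and the exceedance thresholds are assumptions made here for the example.

```python
import random
import statistics

# Constructed scenario for a single third-party breach event.
# p_event, loss_mode and loss_max mirror the blog's board-report example;
# loss_min is an assumption needed to bound the distribution.
SCENARIO = {
    "p_event": 0.10,             # 10% chance per year of a breach via a third party
    "loss_min": 5_000_000,       # assumed floor (not from the post)
    "loss_mode": 50_000_000,     # "most likely" impact
    "loss_max": 200_000_000,     # "worst case" impact
}


def pert_sample(rng, lo, mode, hi, lam=4.0):
    """Draw one impact from a modified-PERT distribution.

    PERT is a beta distribution stretched over [lo, hi] whose peak sits at
    `mode`; it is a common choice in CRQ because analysts can elicit
    min / most-likely / max from subject-matter experts. Its mean is
    (lo + lam*mode + hi) / (lam + 2).
    """
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def simulate_annual_loss(scenario=SCENARIO, trials=100_000, seed=1):
    """Return one simulated annual loss per trial (0 when no breach occurs)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < scenario["p_event"]:
            losses.append(pert_sample(rng, scenario["loss_min"],
                                      scenario["loss_mode"],
                                      scenario["loss_max"]))
        else:
            losses.append(0.0)
    return losses


def exceedance_probability(losses, threshold):
    """Fraction of simulated years in which the loss exceeds `threshold`."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarise(losses):
    """Headline numbers a board report would carry."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "ale": statistics.fmean(ordered),          # annualised loss expectancy
        "p_any_loss": exceedance_probability(ordered, 0.0),
        "p95": percentile(0.95),                   # 1-in-20-year loss
        "p99": percentile(0.99),                   # 1-in-100-year loss
        "max": ordered[-1],
    }


def loss_exceedance_curve(losses, thresholds=(10e6, 50e6, 100e6, 150e6)):
    """Points on a loss-exceedance curve: P(annual loss > threshold)."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


if __name__ == "__main__":
    annual = simulate_annual_loss()
    summary = summarise(annual)
    print(f"Annualised loss expectancy: £{summary['ale'] / 1e6:.1f}m")
    print(f"P(any third-party loss this year): {summary['p_any_loss']:.1%}")
    print(f"1-in-20-year loss: £{summary['p95'] / 1e6:.1f}m")
    print(f"1-in-100-year loss: £{summary['p99'] / 1e6:.1f}m")
    for threshold, prob in loss_exceedance_curve(annual):
        print(f"P(loss > £{threshold / 1e6:.0f}m) = {prob:.2%}")
```

The annualised loss expectancy here is roughly £6.75 million (the PERT mean of £67.5 million multiplied by the 10% likelihood), which is the single figure a board can set against the cost of a control or an insurance premium; the exceedance curve answers the "worst case" question with a probability attached rather than a label.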

Building a resilient supply chain

True resilience requires looking past the immediate horizon. It involves mapping the supply chain beyond the first tier to understand fourth and fifth parties and replacing basic proofs with data-driven evidence.

Here are key actions to build a more resilient supply chain:

  1. Demand proof, not promises. Stop relying on basic verifications. Demand concrete evidence of control effectiveness, such as penetration test results and live incident response plans. For CTPs, implement continuous monitoring where possible to give real-time risk visibility.
  2. Stress-test dependencies. Don't wait for a crisis. Conduct rigorous simulations and tabletop exercises to test third-party outages. Know exactly how your business recovers if a critical partner goes down.
  3. Translate risk into revenue. Retire "High/Medium/Low" risk labels. Use Cyber Risk Quantification to assign monetary values to third-party threats. This empowers the Board to compare cyber exposure against other business risks and make financially sound investment decisions.
  4. Illuminate the full ecosystem. Resilience requires depth. Look beyond immediate vendors to map all parties with access to your sensitive data. You can't secure what you can't see.
  5. Collaborate to stay ahead. Cyber resilience is a team sport. Engage in industry peer forums and working groups. Sharing intelligence on emerging trends and best practices is crucial for collective defence.

The Cyber Security and Resilience Bill encourages organisations to close gaps in their supply chains and shift from reacting to crises to building resilience. It demands a clear view of the financial stakes in an interconnected world. Businesses that take a strategic approach to third-party risk will not only protect their interests – they will secure their future.
