Breaking the Chain: Can TPRM Prevent the Rising Menace of Supply Chain Cyber Attacks?

Explore why supply chain attacks are the #1 cyber threat in 2026. Discover the systemic impact of state-sponsored threats and why traditional TPRM is failing.

In our highly interconnected and digitally transformed global economy, outsourcing has become simpler and more cost-effective than ever. Today’s organisations increasingly depend on extensive networks of third-party entities, including vendors, service providers, and strategic partners, to support and enhance their core business operations. But these same connections are putting your organisation - and the entire ecosystem - at risk.

Interconnected corporate supply chains form a huge and highly complex digital landscape that threat actors increasingly exploit. With supply chain attacks fast becoming the leading cyber security threat, and given a rapidly worsening geopolitical environment, where state-sponsored attacks and cyber warfare operations against our critical national infrastructure are on the rise, securing our complex supply chain ecosystems has become an urgent priority. But does traditional third-party risk management (TPRM) have the tools to counter these new threats?

The Scale of the Problem

Attacks on our corporate and software supply chains have fast become one of the leading cyber threats facing organisations, and can be among the most devastating, as prominent examples such as the SolarWinds (2020), Log4j (2021) and MOVEit Transfer (2023) supply chain attacks attest. According to recent data, 30% of all breaches now involve a third party, a 100% increase from previous years, while the European Union Agency for Cybersecurity (ENISA) predicts that by 2030 ‘Supply Chain Compromise of Software Dependencies’ will become the leading cyber threat facing organisations.

In the 2023 MOVEit Transfer attack alone, the Russian state-linked threat actor Cl0p exploited a set of vulnerabilities in Progress Software’s MOVEit file sharing application to impact over 2,500 organisations and 80 million individuals worldwide, including numerous US government agencies, UK institutions and companies such as British Airways, Boots, the BBC and Ofcom.

Or let’s consider the SolarWinds attack of 2020 when threat actors, believed to be associated with Russian intelligence, managed to add a malicious software update to SolarWinds’ Orion, a popular network management system. The attack is said to have affected up to 18,000 clients of SolarWinds worldwide – again including federal US government departments such as Homeland Security, State, Commerce and Treasury, as well as major vendors, such as Microsoft, Intel, and Cisco. 

Supply chain attacks can also have sector-wide or even systemic implications. Consider two examples: ION Trading Technologies and Maersk. ION Trading Technologies provides digital solutions for electronic trading, pricing and order management, including facilitating the settlement of exchange-traded derivatives, to some of the world’s largest banks, hedge funds and brokerage firms, and counts more than 100 financial services companies among its clients. When ION was hit by a ransomware attack in 2023, its systems were forced offline, and financial institutions suddenly had to confirm trades manually, causing ripple effects and reporting delays across the sector.

But whereas the fallout and impact of the ION Trading Technologies attack was fairly limited, the same cannot be said of the 2017 NotPetya attack that hit the global shipping giant Maersk. The attack, conducted by a group of Russian hackers known as Sandworm and principally directed against Ukraine, exploited a vulnerability in the M.E.Doc tax accounting software used by most businesses in Ukraine. The malware, which behaved very differently from the original Petya ransomware and was designed to destroy the systems it infected, soon spread beyond Ukraine.

The malware was so aggressive that after infecting an initial Maersk system, it quickly spread across all Maersk locations and systems around the world, forcing the company to effectively shut down all its operations. The attack almost meant the end of Maersk, which at the time controlled 76 ports and over 800 vessels around the world and was involved in one-fifth of global trade. Only by a stroke of luck was Maersk able to rebuild its entire IT infrastructure, using a single unaffected backup retrieved from Ghana in a cloak-and-dagger-style operation.

The financial and operational fallout has reached record levels in recent years as well:

  • Jaguar Land Rover (2025): A cyber attack on the automotive supply chain brought vehicle production to a standstill across the UK, Slovakia, India, and Brazil, resulting in an estimated £120 million in lost profit and £1.7 billion in lost revenue.
  • Asahi (2025): The global brewer was forced to halt production at 30 domestic plants due to a cyber attack, leading to national product shortages and forcing staff to process orders with pen and paper for weeks.
  • Marks & Spencer (2025): A targeted attack via a third-party contractor disrupted logistics and in-store availability, leading to an estimated £300 million loss in operating profit for the 2025/2026 period.

Why Threat Actors Target Our Corporate Supply Chains

Having established the scale and severity of the problem, and the possible fallout from such attacks, let us now look at why supply chain attacks are increasingly becoming the tool of choice for attackers. Despite the rising complexity of cyber attacks, there are in essence only five ways our organisations can be targeted by threat actors: through our networks, applications, physical premises, people, and suppliers.

As an industry, we dedicate a lot of time, effort, and resources to mitigating the first four risks, but we continue to neglect our suppliers. Yet effectively mitigating cyber security breaches today also requires us to consider the networks, applications, physical premises, and people of most of our suppliers.

As the cyber security postures of large global corporations, sensitive government bodies and operators of critical national infrastructure in particular grow stronger and harder to penetrate directly, threat actors are increasingly looking for the weakest links in their targets’ security postures. These are often found in smaller and less secure third parties, or even in fourth or fifth parties further down the supply chain. Smaller suppliers, which often lack internal resources and expertise and are easier to penetrate, therefore become the targets of choice. Even the most prestigious organisations with stringent cyber security measures in place can be blindsided by incidents that originate somewhere in their supply chains.

Attacks on our corporate supply chains can affect our own organisations in several critical ways: 

  1. Service Disruption: Impacting a supplier's ability to provide essential services.
  2. Data Exfiltration: Resulting in the loss of confidential proprietary or customer data.
  3. Onward Attacks: Using the supplier as a staging ground to infiltrate the primary target's IT systems.

Escalating geopolitical crises have changed the threat landscape

The risk emanating from our supply chains has become further accentuated in recent years because of a significantly worsening global geopolitical environment, leading to an increase in sophisticated state-sponsored attacks and cyber warfare operations.

The risk of being targeted by hostile state actors and their armies of hackers and advanced persistent threat (APT) groups is particularly pronounced for the UK. After the United States and Ukraine, the UK is the third most targeted country in the world for cyber attacks, and UK operators of Critical National Infrastructure (CNI) in sectors such as transport, healthcare, energy, water and other utilities, as well as financial services and public sector organisations, are prominent targets of such attacks. This year alone, we have already seen supply chain attacks against the MoD, the NHS, and our democratic institutions, all purportedly conducted by state-linked threat actors.

This proliferation of state-sponsored attacks has prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue a joint advisory with the Federal Bureau of Investigation (FBI) warning that “PRC state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive cyberattacks against the U.S. critical infrastructure in the event of a major crisis or conflict with the United States.” This was followed by a threat alert from the UK National Cyber Security Centre (NCSC), also highlighting the escalated threat emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure. 

In 2026, the UK government highlighted a "critically high" cyber threat level, leading to the publication of a new Cyber Action Plan to defend CNI. State-sponsored actors are no longer just seeking data; they are increasingly conducting stealth operations to infiltrate and "lay dormant" within critical systems, ready to be triggered for disruption in the event of a major conflict.

Tightening regulations amidst growing risks

Regulators have responded to these systemic risks with a wave of mandatory standards and legislation:

The European Union: DORA in Force

The Digital Operational Resilience Act (DORA) has now been in full effect since January 2025. It provides a harmonised framework for 21 different types of financial entities and their critical third-party ICT providers. As of early 2026, the focus has shifted to active supervisory reviews, with regulators auditing "Third-Party Registers" to ensure every vendor relationship is mapped and secured.

The United Kingdom: The Cyber Security and Resilience Bill

The UK government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, which underwent its second reading in January 2026. This bill significantly updates the 2018 NIS Regulations by:

  • Expanding scope to include Managed Service Providers (MSPs) and Data Centres.
  • Mandating faster incident reporting (notifying regulators within 24 hours).
  • Introducing higher fines—up to £17 million or 4% of global turnover—to ensure compliance.

Operational Resilience in Financial Services

In tandem with these laws, the Bank of England (BoE), FCA, and PRA have formalised operational resilience rules.

  • Impact Tolerances: Firms must now identify "important business services" and set tolerances for how much disruption they can withstand.
  • Material Non-Outsourcing: Regulators have proposed expanding reporting to include "non-outsourcing" arrangements, such as the purchase of software and hardware, ensuring no "shadow" supply chain risk exists.
  • Cross-Border Cooperation: In January 2026, UK and EU regulators signed a Memorandum of Understanding to coordinate the oversight of critical third parties that operate across both jurisdictions.

TPRM is out of its depth

With supply chains more interconnected than ever before, threat actors are seeking out the weakest links in our extended supply chains to attack us. But traditional Third-Party Risk Management (TPRM) has not evolved to deal with this kind of threat. 

TPRM was created for a simpler world where suppliers were isolated entities and compliance was the primary objective. Yet, today’s interconnected supply chains require proactive, continuous defence - not point-in-time, tick-box assessments. 

From its limited visibility of nth-party vulnerabilities to its lack of continuous monitoring of real-time threats, traditional TPRM is simply ill-equipped for today’s cascading supply chain risks. Unfortunately, TPRM’s flaws are fundamental architectural failings, not shortcomings that incremental improvements can fix.

For more insights into the TPRM problem, check out the next article in this series: “The TPRM Crisis: Why the Traditional Model is Broken by Design.”
