Analysis

Can Trust Centres Solve the TPRM Puzzle? Why Effective Risk Management Needs More Than a Repository

As supply chain security risks intensify and regulations tighten, we ask whether much-vaunted Trust Centres are up to the challenge of enabling effective third-party risk management (TPRM).


Trust Centres are frequently touted as potential third-party risk management (TPRM) solutions in an era when organisations are required to undergo increasingly stringent due diligence and compliance processes. Offered by a growing range of providers, Trust Centres provide centralised, often public-facing platforms where organisations can display their security, privacy, and compliance information to stakeholders such as customers, partners, and regulators. 

But in a world of fast-moving cyber security threats and complex supply chains, can Trust Centres really live up to the challenge of enabling comprehensive and effective third-party risk management (TPRM)? In this article, we assess their benefits and limitations from the vantage point of TPRM’s inherent challenges – and explore alternatives that offer a more dynamic and effective solution.

How do Trust Centres support third-party risk management?

Organisations can use Trust Centres to host a vast range of information that they wish to share with any external party. Typically, this information will include evidence of compliance with industry frameworks or international standards, any certificates they might hold, security and privacy policies, penetration test reports, incident-response procedures, data-protection measures, and much more. 

Trust Centres have recently been growing in popularity, in response to increasing regulation relating to data protection and cyber security as well as an increasing need for stepped-up supplier due diligence in the face of mounting cyber security threats. 

A Trust Centre’s primary role in Third-Party Risk Management (TPRM) is to provide transparent, real-time access to key supplier documents. By centralising this information, Trust Centres aim to reduce friction in the risk review process, build stakeholder confidence, and enable supplier organisations to demonstrate a proactive commitment to data protection and regulatory compliance. 

What are the benefits of Trust Centres? 

The two principal benefits of Trust Centres in the context of TPRM are that they enable suppliers to store critical documentation once, and then provide client organisations or other stakeholders access to this information when needed. This approach, if accepted by clients, significantly reduces the time and friction for suppliers commonly associated with numerous manual information requests. For clients, this approach provides much quicker and more ready-made access to supplier compliance information, compared to taking a more traditional TPRM approach of gathering this information through requesting suppliers to complete often long and painstaking manual questionnaires. 

What are the limitations of Trust Centres?

While Trust Centres can host a vast amount of information about an organisation, all of that data is nonetheless static and point-in-time. They enable client organisations to check the security status of a supplier at a given moment, but do not allow continuous monitoring or real-time updates of the security information. As with traditional questionnaire-based TPRM, the information within the repository can be out of date as soon as it has been entered, and it also tends to lack contextual information on what is actually going on within a supplier’s organisation internally. 

Despite saving time in questionnaire completion, Trust Centres still require a high level of manual effort from the suppliers’ clients, perhaps even more so than with more traditional TPRM processes. Clients must search for, download and review the extracted information and then organise and store it themselves. This creates even more inefficiency for clients, particularly when carried out at scale. In addition, Trust Centres do not give clients direct access to the security or compliance teams at their suppliers when they need to clarify information or to coordinate mitigations and responses to an incident or crisis. 

Crucially, given the complex web of supply chain connections and dependencies every organisation has in today’s digital supply chains, Trust Centres do not provide visibility into the security postures of all the additional organisations that the suppliers themselves are connected to. Clients thus have no way of determining the security status of sub-contractors and sub-suppliers further along the supply chain. However, such insights are vital to help organisations understand broader supply chain risks beyond their immediate suppliers. 

Another shortcoming shared with traditional questionnaire-based TPRM is that different organisations use different assessment criteria. Most organisations use their own supplier assessment frameworks, which makes like-for-like comparisons with assessments from industry peers, for example, difficult and time-consuming, and makes it almost impossible to benefit from burden sharing and a more collaborative approach to TPRM. 

Effective TPRM using advanced collaboration platforms 

To address the need for greater efficiency in TPRM, for both suppliers and clients, and to improve access to real-time security intelligence and risk information, a more dynamic approach to TPRM is required. That’s where dedicated, innovative TPRM platforms, such as Risk Ledger, come in. Unlike Trust Centres, which are effectively digital filing cabinets for supplier security information, TPRM platforms based on the idea of a social network for security teams enable continuous security monitoring, workflow automation, real-time risk analysis and enhanced collaboration. 

By connecting suppliers and their clients on the same platform, and using one standardised security framework mapped against all leading international standards such as NIST, ISO27001 or the NCSC’s Cyber Assessment Framework (CAF), Risk Ledger creates a single source of truth. It also means that at all times, numerous eyes are on the same supplier. This significantly improves the quality of the information provided and ensures that the information is validated not just by one, but by many client organisations.

The platform also enables continuous collaboration between clients and suppliers, allowing security teams to communicate more directly and regularly. Each supplier organisation creates a profile containing information about its business, security controls, compliance status and other relevant risk areas, which it then shares with its connected clients on the platform. As with pure Trust Centres, this makes the lives of suppliers significantly easier, as they avoid having to complete numerous slightly different questionnaires for every individual client.

Another main benefit of this ‘social network’ approach is that many organisations decide to use Risk Ledger in both capacities at the same time: as suppliers, and as clients seeking to review their own suppliers. This creates the crucial middle links in the supply chain that allow the much wider supply chain dependencies and ecosystems to be mapped out, for individual organisations as well as for entire sectors of the economy. It also allows for the identification of potential single points of failure and otherwise hidden concentration risks.
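As an added illustration of the supply chain mapping described above (example code written for this article, not Risk Ledger’s own implementation), the following Python builds a constructed client-to-supplier graph in which some organisations appear as both client and supplier, and then reports which organisations transitively depend on each supplier. The organisation names and relationships are invented for the example.

```python
from collections import defaultdict

# Constructed sample: each pair is (client, supplier), meaning the client
# relies on the supplier. Organisations that appear on both sides are the
# "middle links" that make the wider supply chain visible.
CONNECTIONS = [
    ("BankA", "PayCo"), ("BankA", "CloudHost"),
    ("BankB", "PayCo"), ("BankB", "DataVault"),
    ("InsurerC", "DataVault"),
    ("PayCo", "CloudHost"),       # PayCo is both a supplier and a client
    ("DataVault", "CloudHost"),   # so is DataVault
    ("CloudHost", "DNSProvider"),
]

def build_graph(connections):
    """Return an adjacency map client -> set of direct suppliers."""
    graph = defaultdict(set)
    for client, supplier in connections:
        graph[client].add(supplier)
    return graph

def transitive_suppliers(graph, org):
    """All suppliers reachable from org through any number of tiers."""
    seen, stack = set(), list(graph.get(org, ()))
    while stack:
        supplier = stack.pop()
        if supplier not in seen:
            seen.add(supplier)
            stack.extend(graph.get(supplier, ()))
    return seen

def hidden_dependencies(connections, org):
    """Suppliers org relies on but has no direct relationship with
    (the fourth-party and deeper tiers a Trust Centre cannot show)."""
    graph = build_graph(connections)
    return transitive_suppliers(graph, org) - graph.get(org, set())

def concentration_report(connections):
    """Map each supplier to every organisation that depends on it, directly
    or via intermediaries. A large set marks a concentration risk and a
    potential single point of failure for the whole ecosystem."""
    graph = build_graph(connections)
    dependents = defaultdict(set)
    for org in graph:
        for supplier in transitive_suppliers(graph, org):
            dependents[supplier].add(org)
    return dict(dependents)

if __name__ == "__main__":
    for supplier, orgs in sorted(concentration_report(CONNECTIONS).items(),
                                 key=lambda kv: -len(kv[1])):
        print(f"{supplier}: {len(orgs)} dependent organisations")
```

In the sample, InsurerC has only one direct supplier but transitively depends on CloudHost and DNSProvider, and DNSProvider turns out to underpin every other organisation in the graph.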

The future of TPRM: Moving beyond digital repositories 

Trust Centres can play an important supporting role within the wider TPRM ecosystem, but their limitations mean they are no substitute for a more comprehensive and dynamic supply chain risk management platform. 

As supply chain complexity increases and security threats intensify, organisations need TPRM solutions that go beyond static document collation and enable real-time collaboration, risk monitoring and incident response. Regulatory requirements are also tightening, placing greater data protection demands on organisations. This heightens the need for more comprehensive and effective risk management. 

The next generation of TPRM solutions will evolve alongside ever-changing threats, building on the latest capabilities and increasingly transforming TPRM from a merely reactive, compliance-driven exercise into an active cyber defence discipline. 

It is clear that enhanced collaboration with suppliers and industry peers, enhanced transparency and supply chain mapping will all play a vital role if organisations are to identify hidden supply chain risks and build greater resilience throughout their digital supply ecosystems. 
