The Case for Peer-Led Supply Chain Mapping Among Building Societies

Learn how building societies can proactively manage systemic supply chain risks through peer-led collaboration. Identify Nth-party dependencies and meet 2026 PS7/26 & PS26/2 rules.

The founding principles of the building society movement always emphasised the strength and importance of collective action and shared risk. In 2026, these values also serve as the most effective framework for managing organisations’ digital supply chain cyber security. The widespread adoption of cloud-based services has erased the traditional distinction between a society’s internal operations and its external supplier networks. Moreover, every member-owned institution now functions as a critical node in an interconnected financial grid, deeply linked to its peers through shared suppliers. Consequently, the safety of any individual society depends on the resilience of the wider supply chain ecosystem it is part of.

This hyper-connectivity means that a single breach or technical failure at an external service provider can propagate through the entire sector. The Financial Conduct Authority (FCA), in coordination with the Prudential Regulation Authority (PRA), published its final rules in March 2026 under PS7/26 regarding operational incident and third-party reporting. These rules, coupled with FCA PS21/3, PRA SS1/21 and CP17/24 as well as the Critical Third Parties (CTP) regime, have established a unified framework for identifying systemic vulnerabilities across the UK financial grid. For building societies, this transition requires a shift from isolated risk management to a proactive, collaborative defence model, together with a widened focus that covers not just their own operational resilience but, increasingly, the resilience of the sector as a whole.

This analysis explores how building societies are well positioned to draw on their mutual heritage to address the systemic challenges facing the sector as a whole. Mapping their extended supply chains supports regulatory expectations, but most importantly it allows societies to respond proactively and immediately to the rising challenge of supply chain attacks.

The Evolution of the Register: From Internal Audit to Systemic Mapping

Building societies have been required to maintain registers of their outsourcing arrangements since the introduction of SS2/21 and the initial operational resilience transition period that ended in March 2025. However, the March 2026 framework represents a significant shift in the scope and intent of this data. Previously, these registers served as internal tools for individual firm compliance. The new rules under PS7/26 and PS26/2 transform these documents into a machine-readable, unified "Register of Information" submitted via FCA Connect.

The scope of reporting has also expanded beyond traditional "outsourcing" to include all Material Third-Party (MTP) arrangements. This includes non-outsourcing dependencies such as the purchase of off-the-shelf software, niche APIs, or specific hardware products that support Important Business Services (IBS). The primary objective of this standardised register is to allow regulators to identify potential systemic risks to entire sectors. By collecting aligned data from every regulated firm, the authorities can construct a comprehensive map of the UK’s financial infrastructure. This shift marks the end of isolated record-keeping and the beginning of a system-level view of resilience.

The Risk of the Unknown Niche Supplier

Systemic risk in the building society sector often resides with smaller, specialised shared suppliers rather than large, well-known infrastructure providers. While major cloud service providers are now under the direct oversight of the Critical Third Party (CTP) regime, many niche suppliers remain outside this primary spotlight. These specialised firms often provide critical services such as mortgage application processing, credit scoring, or regulatory reporting tools. Because multiple societies frequently utilise the same specialised software, a single vulnerability at one of these "unknown" shared suppliers can represent a major systemic threat.

These niche suppliers and service providers constitute the biggest problem for sectoral resilience because they are often less transparent and have lower security maturity than global tech giants. Identifying these shared nodes is difficult for any institution working in isolation. A society may be aware of its own reliance on a specific fintech partner, yet remains unaware that ten of its peers rely on the same firm for a different material service. This hidden concentration creates single points of failure that can paralyse a significant portion of the mutual sector simultaneously. Identifying these "hidden" dependencies is the core challenge of the 2026 regulatory environment.

Strategic Collaboration vs Regulatory Lag

Regulators are currently working to map these sectoral dependencies through the new MTP registers, but this process will take significant time to produce actionable insights. Building societies cannot afford to wait for such an official mapping by regulators to identify their shared vulnerabilities. The time lag between data submission and systemic intervention leaves societies exposed to immediate cyber threats. However, organisations have the capability to perform this mapping themselves through proactive collaboration.

Collaboration with peers allows societies to securely and voluntarily overlay their respective supply chain maps to identify shared suppliers immediately. When several mutuals compare their "Register of Information" data, they can see where their digital nervous systems intersect. This peer-led mapping identifies the shared niche providers that the regulator has yet to flag as critical. By doing this work internally, the sector can remediate vulnerabilities and establish collective contingency plans ahead of the regulatory curve. Societies that wait for a central authority to define their systemic risks miss the opportunity to mitigate those risks before an incident occurs.
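To make the overlay concrete, the following is an added example (not Risk Ledger's code or platform) that walks each society's dependency register out to the Nth-party layer and then overlays the walks to surface suppliers shared across societies. The society and supplier names are constructed; a real register would be exported from each firm's Register of Information.

```python
"""Peer-led concentration mapping over Nth-party dependency registers (added example)."""
from collections import deque

def tiers_for(society, register):
    """Breadth-first walk from a society through its register.

    register maps a party to the parties it depends on. Returns the shallowest
    tier at which each supplier is reached: 1 = third party, 2 = fourth party, ...
    Because the walk is breadth-first, the first time a node is dequeued is its
    shallowest tier; later arrivals (and cycles) are skipped.
    """
    tiers = {}
    queue = deque((s, 1) for s in register.get(society, ()))
    while queue:
        node, tier = queue.popleft()
        if node in tiers:
            continue
        tiers[node] = tier
        queue.extend((nxt, tier + 1) for nxt in register.get(node, ()))
    return tiers

def concentration_risks(registers, min_shared=2):
    """Overlay every society's walk and list suppliers used by >= min_shared peers."""
    seen = {}  # supplier -> {society: tier}
    for society, register in registers.items():
        for supplier, tier in tiers_for(society, register).items():
            seen.setdefault(supplier, {})[society] = tier
    risks = []
    for supplier, tiers in seen.items():
        if len(tiers) >= min_shared:
            risks.append({
                "supplier": supplier,
                "tiers": dict(sorted(tiers.items())),
                # Hidden from point-in-time questionnaires if any peer only
                # reaches it at fourth-party level or deeper.
                "beyond_third_party": any(t >= 2 for t in tiers.values()),
            })
    # Most widely shared suppliers first, then alphabetical for stable output.
    return sorted(risks, key=lambda r: (-len(r["tiers"]), r["supplier"]))

def summarise(risks):
    """Return (total concentration risks, how many sit beyond the third party)."""
    return len(risks), sum(1 for r in risks if r["beyond_third_party"])

# Constructed sample registers (fictional societies and suppliers).
REGISTERS = {
    "Society A": {"Society A": ["MortgageApp Ltd", "CloudHost"],
                  "MortgageApp Ltd": ["CreditScore Co"],
                  "CreditScore Co": ["DataBureau"]},
    "Society B": {"Society B": ["LoanFlow", "CloudHost"],
                  "LoanFlow": ["CreditScore Co"],
                  "CreditScore Co": ["DataBureau"]},
    "Society C": {"Society C": ["RegReport Inc"],
                  "RegReport Inc": ["DataBureau"]},
}
```

Running `summarise(concentration_risks(REGISTERS))` on the sample data reports three shared suppliers, two of which no participating society lists as a direct third party.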

TPRM as a Collective Intelligence and Defence Discipline

Third-Party Risk Management (TPRM) teams should come to function more like intelligence-sharing networks, similar to how many Cyber Threat Intelligence (CTI) teams already operate. In many banking organisations, including direct competitors, threat intelligence teams already share Indicators of Compromise (IoCs) and attack patterns to protect the wider grid. TPRM teams must adopt this same mentality by sharing "supplier intelligence" with their peers. This involves moving beyond basic due diligence to exchange insights on supplier security performance and security control gaps.

A network of TPRM professionals across the building society sector can provide real-time assurance that a single firm cannot achieve alone. For example, if one society identifies a vulnerability at a shared specialised supplier, sharing that intelligence allows every other society using that provider to secure their own environment immediately. This collaborative model eliminates the duplication of effort inherent in repetitive, bilateral audits. It creates a "Resilience Dividend" by turning individual risk data into a collective shield for the entire mutual sector.

The Operational Resilience Anchor: SYSC 15A

The regulatory requirements in SYSC 15A of the FCA Handbook remain another crucial anchor for these resilience strategies. Under SYSC 15A.4.1R, building societies are mandated to identify and document the people, processes, technology, facilities, and information necessary to deliver each Important Business Service (IBS). This mapping must be sufficient to allow the firm to identify and remedy vulnerabilities. Crucially, SYSC 15A.5.1R requires firms to test their resilience against "severe but plausible" scenarios, including the total unavailability of a third-party service provider.

The 2026 regulatory observations highlight that successful firms use their mapping data to inform their testing scenarios. These firms do not treat mapping as a static administrative exercise; they use it as a de facto diagnostic tool. By integrating peer-shared intelligence into their SYSC 15A mapping, societies can ensure their scenario testing accounts for the true complexity of the Nth-party layer. This joined-up approach ensures that the "Register of Information" submitted to the FCA is backed by a genuine, operationally validated understanding of the supply chain.

Building the Collective Shield

The only viable response to a concentrated digital ecosystem is the adoption of a network-driven supply chain risk management model like Risk Ledger’s. Individual building societies often lack the commercial leverage to demand transparency from global technology providers or the visibility to find shared niche risks alone. By working together to build a transparent, sector-wide supply chain map, the mutual sector can transform the mandatory cost of compliance into a strategic advantage.

The feasibility of this collaborative approach is already being demonstrated through a pioneering project that involved eight leading UK banks. By utilising Risk Ledger’s network-first platform, these institutions moved beyond individual, bilateral audits to create a shared map of their collective supply chain. This real-world implementation provides a clear blueprint for how building societies can use peer-led data to overcome the "visibility ceiling" and identify systemic vulnerabilities years before the official regulatory mapping will be complete.

The results of this collaboration illustrate the depth of the risks hiding in the Nth-party layer. The pilot programme revealed 92 potential concentration risks across the participants' shared infrastructure. Crucially, 62 of these risks, nearly 70%, were identified at the fourth-party level or beyond. These were dependencies that individual bank TPRM teams had previously been unable to track through traditional, point-in-time questionnaires. By overlaying their data on a single platform, the banks uncovered shared single points of failure at niche providers that supported multiple institutions simultaneously.

This case study proves that the "Resilience Dividend" is not a theoretical concept but a tangible outcome of collective action. By sharing supplier intelligence, these eight banks eliminated the duplication of effort inherent in managing over 5,000 shared suppliers individually. This allowed their security teams to shift their focus from manual data collection to active remediation. For building societies, following this collaborative model ensures that important business services are secured by a genuine, operationally validated understanding of the entire digital grid.

Moving from siloed TPRM to a collaborative effort would fulfil the foundational promise of building societies to protect the financial stability of their members, and would move the sector from a state of reactive compliance to proactive resilience. Ultimately, the transition to a collective shield ensures that the UK’s mutual institutions can withstand the escalating pressures of the modern cyber threat landscape, securing the financial interests of millions of members for years to come.