The Insurance Sector’s Supply Chain Blind Spot Poses Systemic Risk

This article is by Ben Francis, Insurance Lead at Risk Ledger

In recent months, a spate of supply chain–linked cyber incidents impacting the UK retail and transport sectors once again exposed how dependent entire industries have become on a handful of critical third-party service providers. In response to this surge in attacks, a ministerial letter urged company leaders across the country to step up collective efforts to safeguard national security and secure Britain against the rising cyber threat.

Against this backdrop, new research showing that just 14 percent of UK firms assess the security of their immediate suppliers is alarming. The illusion of resilience quickly unravels when even a single trusted vendor becomes a point of failure – a vulnerability the insurance sector in particular, with its sprawling network of intermediaries and third-party providers, can ill afford to ignore. Moreover, the industry’s increased reliance on a few critical, hard-to-substitute providers for essential services represents a clear systemic risk with the potential to bring down entire industries.

To achieve greater resilience, an individual company’s efforts to boost its own security are therefore no longer enough – we need to strengthen sectoral and collective resilience through collaboration, both in insurance and in other industries.

The regulatory spotlight on operational resilience

The UK insurance sector is a cornerstone of the economy, but its stability is increasingly measured by its operational resilience in the face of escalating cyber threats. A driving force behind this resilience imperative has been the introduction of regulatory frameworks like the FCA PS21/3 as well as PRA SS1/221 and SS2/22, which are explicitly requiring firms to map all critical dependencies supporting important business services. The upcoming UK Cyber Security & Resilience Bill will likely add further momentum to this crucial development.

However, whilst compliance is mandatory, the current tools available to insurance firms, and the visibility they can provide, are insufficient to uncover dangerous blind spots such as systemic and other concentration risks. One of the more implicit aims of regulators behind the new operational resilience regime is to gather as much data as possible from the regulated entities (the insurers and designated Critical Third Parties) in order to map out the sector’s wider supply chain and identify systemic risks and potential single points of failure. Yet it’s this gap between the goals of the regulation and the ability of individual regulated entities to implement them that could cause firms some problems.

The great wall of visibility: Why traditional TPRM fails

Third party risk management (TPRM) remains the main tool for insurers to uncover and mitigate supply chain risks, yet its legacy approach is preventing firms from identifying and mitigating risks across their whole supply chains. Traditional TPRM was designed for direct, tier one suppliers, using static and periodic assessments of security risks. Nowadays, company supply chains are more complex, meaning this method is outdated and does not look deeply enough into the extended supply chain – with 64% of UK insurers having incomplete visibility into their supply chain dependencies beyond direct third parties.

Another structural flaw seen with traditional TPRM is the inability to continuously monitor a supplier’s internal controls. This, combined with the lack of visibility into most of their direct suppliers’ own dependencies, means heightened risk from potential blind spots hiding deep within the supply chain.

The systemic threat: Concentration and contagion

Whilst the lack of visibility is an issue for each company and its own supply chain, it’s these blind spots that can also translate directly into systemic risks. This occurs when multiple, seemingly unrelated insurance firms rely on the same shared provider without knowing it. This could be a shared SaaS platform, cloud vendor, claims processing or data analytics platform, or a network and telecommunications provider, to name a few.

With 90% of UK firms having experienced a cyber security incident in their supply chain in the last year alone, and with 62% suffering two or more, this concentration risk is a ticking time bomb. A single compromise deep in the chain can trigger cascading disruptions across an entire market.

From isolated compliance to collective defence

It’s not all doom and gloom – since the risk is shared, the solution can be too. With no single insurance firm or organisation able to map out the entire supply chain ecosystem alone, the main problem to be overcome relates to the continued reliance on siloed defences.

By moving TPRM from a traditional compliance checklist to a collective defence and intelligence-sharing exercise, firms will be better prepared and better protected. Intelligence sharing is already an established reality between the threat intel teams of different companies, through bodies like the Information Sharing and Analysis Centres (ISACs), but this is not yet common practice between the TPRM teams of different firms within the same industry.

By pooling non-sensitive data on supplier relationships, firms can collectively generate an industry-wide dependency map. This collective mapping is the only way to expose the hidden concentration risks that are invisible from the perspective of a single organisation.

Ensuring the future stability of the market

Collaboration is not just a ‘nice to have’ but a strategic imperative that reduces redundant effort, raises the baseline for security standards across the entire insurance ecosystem and is advocated for by the regulators.

The industry stands at an inflection point. Investing in shared visibility and collaborative resilience – mirroring the success of threat intelligence models like FS-ISAC’s – is essential for safeguarding the stability of the entire market. With greater collective and sectoral resilience, individual market participants will see enhanced operational resilience to cyber-attacks.
