Monday 2 March 2026

Written by Arunava Banerjee, CISM, Cyber Risk Consulting Lead, Zurich Resilience Solutions


Only 14% of UK businesses have reviewed the cyber risks associated with their immediate suppliers. This critical gap was revealed in the UK Government’s 2025 Cyber Security Breaches Survey.

At a time when organisations, especially smaller businesses, increasingly rely on cloud hosting, SaaS (Software as a Service) platforms, managed security services, and outsourced IT, that figure is alarming.

Our experience at Zurich Resilience Solutions is that even when supplier assessments are completed, they are often just a tick-box exercise that says, ‘third party assessed’.

Some of the most damaging cyber incidents in recent years entered through trusted suppliers, deeply embedded in operational ecosystems, that are rarely scrutinised with genuine technical rigour.

Modern supply chains are no longer external. They are extensions of the business itself, woven into processes, infrastructure, and identity systems. Until supplier governance reflects this operational reality, attackers will continue to bypass traditional defences simply by targeting the weakest and most accessible link, which is often the vendor ecosystem.

Cyber resilience requires asking better questions

Cyber resilience can no longer be defined as minimising the impact of an attack on your own systems. You must be able to answer ‘how do we operate if this critical supplier or managed service provider is down for a day, a week or a month?’

What happens to operations, service levels, revenue, and customers during that downtime? Preparing for those scenarios is core to resilience, but many organisations still have no clear answer.

Supply chain risk is an enterprise risk

Many decision makers have a psychological barrier between “us” and “them”, treating vendors as external entities. In reality, suppliers’ services sit inside the digital perimeter of your enterprise with all of the rights and privileges that provides: system access, operational dependencies, and sometimes even privileged credentials.

The SolarWinds compromise illustrated this perfectly. Attackers didn’t infiltrate hundreds of organisations individually. They compromised a single supplier and inherited access to every environment using the product. Many of the organisations affected had completed due diligence. Very few had treated SolarWinds as part of their active attack surface.

Annual reviews don’t work for cyber supply chain risk

Supplier risk cannot be governed with annual questionnaires. In a dynamic threat environment, a supplier could be secure today and vulnerable tomorrow. The MOVEit incident proved how quickly a single vulnerability can spread across sectors before organisations even realise how widely the affected tool is used internally.

Modern supplier threats go far beyond the narrow category of ‘third‑party data breach.’ They now include:

  • Poisoned software updates
  • Compromised build pipelines
  • API abuse
  • Stolen or mismanaged credentials
  • Insider threats
  • Nation‑state ‘access now, exploit later’ operations.

The Kaseya VSA breach and the SimpleHelp/DragonForce ransomware attack demonstrated how attackers can compromise one managed service provider (MSP) and use legitimate remote‑management tools to push ransomware to customer environments. This resulted in sector‑wide outages, simultaneous disruptions, and costly recovery efforts.

Identity is the weakest link in the supply chain

Supplier incidents frequently escalate because access is excessive, persistent, and poorly governed. Credentials remain active long after projects end. Privileged access can become permanent, and monitoring is weak or non-existent.

In many investigations, attackers simply logged in with valid credentials harvested from the supplier, allowing them to move laterally without detection. This results in delayed discovery and exponentially higher recovery costs.
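The two failure modes described above, access that outlives the engagement and standing privilege that nobody reviews, are the kind of thing a periodic control can actually catch. The script below is an added example written for this article, not Zurich Resilience Solutions' tooling: it audits a constructed inventory of supplier accounts and flags those whose contract has ended, whose access never expires (worst when privileged), or that have not been used in 60 days. The inventory fields, the 60-day dormancy threshold and the audit date are assumptions for illustration.

```python
"""Supplier access audit (added example, not the article's own tooling).

Flags vendor accounts whose access has outlived its purpose. The inventory
format, thresholds and sample accounts below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

DORMANT_DAYS = 60          # assumed threshold: unused for this long = dormant
TODAY = date(2026, 3, 2)   # fixed audit date so the example is reproducible


@dataclass
class SupplierAccount:
    supplier: str
    username: str
    privileged: bool
    contract_end: Optional[date]   # None = no contract end date on record
    expires: Optional[date]        # access/credential expiry; None = never
    last_login: Optional[date]     # None = never used


# Constructed sample inventory; none of these suppliers are real.
SAMPLE_ACCOUNTS = [
    SupplierAccount("Acme MSP", "acme-svc", True,
                    date(2025, 12, 31), None, date(2026, 2, 28)),
    SupplierAccount("CloudBackup Ltd", "backup-api", False,
                    date(2026, 12, 31), date(2026, 12, 31), date(2025, 11, 1)),
    SupplierAccount("PayrollSaaS", "payroll-int", False,
                    date(2026, 12, 31), date(2026, 6, 30), date(2026, 3, 1)),
    SupplierAccount("OldVendor", "oldvendor-admin", True,
                    None, None, None),
]


def audit_account(acct: SupplierAccount, today: date) -> List[str]:
    """Return the list of findings for one account (empty = nothing to act on)."""
    findings = []
    # 1. Access that should have been removed when the engagement ended.
    if acct.contract_end is None:
        findings.append("no-contract-record")
    elif today > acct.contract_end:
        findings.append("contract-ended")
    # 2. Access with no expiry; permanent privilege is the serious case.
    if acct.expires is None:
        findings.append("standing-privilege" if acct.privileged else "no-expiry")
    # 3. Accounts nobody is using, which nobody would miss if disabled.
    if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
        findings.append("dormant")
    return findings


def audit(accounts: List[SupplierAccount], today: date) -> Dict[str, List[str]]:
    """Map 'supplier/username' to its findings, omitting clean accounts."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[f"{acct.supplier}/{acct.username}"] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{account}: {', '.join(findings)}")
```

Running it lists three of the four accounts: the MSP service account whose contract ended but whose privileged access never expires, a backup integration nobody has used since November, and an admin account with no contract on record that has never logged in. The clean payroll integration is not reported, which is the point: the output is an action list, not a tick-box.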

The critical question: what if a supplier goes down?

Supplier compromise is inevitable. Resilience depends not on preventing every attack, but on isolating risks and recovering quickly.

Recent incidents illustrate the cascading impacts:

  • Asahi Beverages experienced production delays and retail shortages.
  • Ingram Micro suffered an incident that rippled across thousands of downstream businesses.
  • Blackbaud’s ransomware breach affected thousands of nonprofits, universities, hospitals, and charities whose donor and operations data were hosted within its systems.

In today’s hyper‑connected environment, supplier failures quickly become operational, financial, and reputational crises.

Cyber resilience must be contractually explicit

Many contracts prioritise price and service levels while leaving cyber expectations vague or undefined. When incidents occur, organisations often learn too late that:

  • Reporting timelines were unclear,
  • Required controls were never formalised,
  • Resilience and recovery expectations were not documented.

In some cases, customers learned of breaches from the media before being notified by their vendor.

Cyber supply chain isn’t a technology problem

These incidents do not reflect failures of firewalls or antivirus software. They reflect failures in how organisations:

  • Model supplier dependencies,
  • Validate controls and access,
  • Govern and contractually define expectations,
  • Design resilience into their operations.

For Small-Medium Enterprises, the risk is even greater. Smaller organisations often lack the in‑house expertise needed to secure complex digital dependencies, yet rely heavily on third‑party platforms, MSPs, and SaaS providers.

Cyber supply chain resilience requires intelligence, not a tick-box

A modern supply chain security model requires a move from compliance‑driven reassurance to continuous, intelligence‑driven oversight:

  • Continuous monitoring, not annual reviews,
  • Explicit contracts, not implied trust,
  • Least‑privilege access, not inherited risk,
  • Segmentation and isolation, not unrestricted integration,
  • Scenario testing, not blind confidence,
  • Mapping real dependencies, not assuming linear supply chains,
  • Resilience by design, not resilience by hope.
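Two items in the list above, mapping real dependencies and scenario testing, and the earlier question of how the business operates when a critical supplier is down, can be worked through with a small dependency model. The script below is an added example, not part of the article or of Zurich's methodology: it records which business services depend on which suppliers (and which suppliers depend on other suppliers), then answers "which services stop if supplier X goes down?" by following the dependencies in reverse, including fourth parties. The services, suppliers and edges are constructed for illustration.

```python
"""Supplier dependency map (added example, not the article's own model).

Answers 'which business services are affected if this supplier goes down?',
following dependencies transitively so that a supplier's own suppliers count.
All names and edges below are constructed for illustration.
"""
from collections import deque
from typing import Dict, List

# consumer -> the things it directly depends on. Business services and
# suppliers share one graph because suppliers depend on suppliers too.
DEPENDS_ON: Dict[str, List[str]] = {
    "order-processing": ["erp-saas", "payment-gateway"],
    "customer-portal":  ["cloud-host", "identity-provider"],
    "payroll":          ["payroll-saas"],
    "erp-saas":         ["cloud-host"],               # fourth-party dependency
    "payment-gateway":  ["identity-provider"],
    "payroll-saas":     ["cloud-host", "identity-provider"],
    "identity-provider": [],
    "cloud-host":       [],
}
BUSINESS_SERVICES = {"order-processing", "customer-portal", "payroll"}


def dependents(graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert the graph: node -> the consumers that depend on it directly."""
    rev: Dict[str, List[str]] = {node: [] for node in graph}
    for consumer, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, []).append(consumer)
    return rev


def impacted_services(graph: Dict[str, List[str]], failed: str) -> Dict[str, int]:
    """Breadth-first walk up the reversed graph from the failed supplier.

    Returns each affected business service with the number of hops between it
    and the failure (1 = direct supplier, 2+ = reached through another supplier).
    """
    rev = dependents(graph)
    hops = {failed: 0}
    queue = deque([failed])
    while queue:
        node = queue.popleft()
        for consumer in rev.get(node, []):
            if consumer not in hops:          # first visit is the shortest path
                hops[consumer] = hops[node] + 1
                queue.append(consumer)
    return {n: h for n, h in hops.items() if n in BUSINESS_SERVICES}


def blast_radius(graph: Dict[str, List[str]]) -> Dict[str, int]:
    """Number of business services each supplier can take down."""
    suppliers = set(graph) - BUSINESS_SERVICES
    return {s: len(impacted_services(graph, s)) for s in sorted(suppliers)}


def single_points_of_failure(graph: Dict[str, List[str]]) -> List[str]:
    """Suppliers whose outage stops every business service at once."""
    return sorted(s for s, n in blast_radius(graph).items()
                  if n == len(BUSINESS_SERVICES))


if __name__ == "__main__":
    for supplier, count in blast_radius(DEPENDS_ON).items():
        print(f"{supplier}: {count} service(s) affected")
    print("single points of failure:", single_points_of_failure(DEPENDS_ON))
```

A linear view of this chain would list the ERP vendor as the only supplier behind order processing; the transitive walk shows that the hosting provider and the identity provider each sit beneath all three services, so they are the outage scenarios to rehearse first. Feeding the model a real inventory is the "mapping real dependencies" step; running `impacted_services` for each supplier is the scenario test.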

Planning for disruption costs far less than recovering from one. Investing in specialist external support to build strategy, test assumptions, and redesign resilience is far cheaper than paying a ransomware demand or losing critical services for weeks.

Supply chain cyber resilience is no longer optional. It determines whether a supplier incident becomes a minor inconvenience or a major business outage.

Regulators have recognised this shift. DORA, NIS2, and the upcoming UK Cyber Security and Resilience Bill all make supply chain governance a legal expectation, not a best practice. Organisations must understand their dependencies, govern them rigorously, and ensure they can remain operational even when suppliers fail.

In the years ahead, the only digital asset most organisations will truly own is their data. Everything else, including infrastructure, platforms, applications, and even core operations, will increasingly be delivered by third parties. As a result, cyber risk management and supply chain risk management are now the same discipline.


Want to learn more about cybersecurity and resilience? Join our upcoming webinar on 19 March with a keynote address by the National Cyber Security Centre.



Arunava Banerjee, CISM
Cyber Risk Consulting Lead, Zurich Resilience Solutions, Zurich Insurance

Arunava (Arun) Banerjee leads the Cyber Risk and Resilience Consulting Practice for Zurich Resilience Solutions UK at Zurich Insurance, where he delivers specialist advisory services across Cyber, AI, and Digital Risk and Resilience for both insured and non‑insured clients. He also provides underwriting assurance for large and complex cyber risks.

With nearly two decades of professional experience, Arun’s expertise spans cyber risk quantification, cyber strategy, and resilience consulting. He holds a Master’s degree in Business and Management and is certified in CISM, ISO 27001:2013 Lead Implementer, PRINCE2 Practitioner, and ITIL v3.

Prior to joining Zurich, Arun served as Cyber Security Manager for NHS Greater Glasgow and Clyde, leading major cyber initiatives across multiple health boards and contributing to national programmes in collaboration with the Scottish Government.

A recognised industry voice, Arun speaks regularly at leading conferences such as AIRMIC, CIPFA, ALARM, International Cyber Expo, and the e‑Crime & Cybersecurity Congress. His insights frequently appear in respected industry publications, including ISACA.

In 2025, Arun was named a finalist for the Scottish Cyber Awards – Evangelist of the Year, reflecting his commitment to advancing cybersecurity awareness and practice across sectors.
