Why Third and Fourth Party Risks Are Financial Services’ Silent Cyber Threat

If you work in cyber security within the financial services sector, chances are you’ve already invested significantly in protecting your organisation. You’ve built strong teams, implemented leading tools, and rigorously tested your systems against known threats.

But have you considered that your greatest vulnerability might not come through the front door?

Your Risk Perimeter is Bigger Than You Think

Too many FS firms still see themselves as singular entities, but in reality you are not. You are a web of interdependencies - suppliers, vendors, contractors, consultants - and their suppliers too. Research[1] shows that 58% of large UK financial services organisations experienced at least one third-party supply chain cyber attack in 2024, and nearly a quarter suffered three or more incidents in 2025. The same research found that assessment cadence matters: firms that only assessed risk at third-party onboarding had a 68% chance of suffering an attack, which dropped to 57% for those running periodic assessments and to 32% for organisations conducting continuous assessments with risk management and tracking. Cyber security is therefore no longer just a "me" issue; it is a "we" issue, and unless you treat your third and fourth parties as extensions of your own digital infrastructure, you are managing only part of your actual risk.

The Incoming Cyber Resilience Bill 

While the UK's Cyber Resilience Bill has not yet been published, it is widely expected to put Supplier Risk Management in the spotlight. For the financial sector, we at Cyro Cyber predict we will see further alignment with evolving cyber threats:

  • Supply Chain Oversight: Financial institutions will need to ensure that their third-party vendors (e.g., cloud providers, fintech partners) meet new cyber resilience standards.

  • Stronger Regulator Powers: Regulators like the FCA will gain enhanced authority to enforce compliance and issue penalties for non-compliance.

  • Alignment with NIS2: The bill draws on lessons from the EU's NIS2 directive, which lists banking and financial market infrastructure among its sectors of high criticality (with DORA taking precedence for EU financial entities as the sector-specific law). This helps UK firms remain competitive and secure in a global context.

So, what does that mean for you?

  • Boards will be expected to own cyber risk, including third parties.

  • Continuous supply chain monitoring will likely be mandatory.

  • Organisations will need to map their supplier ecosystem and prove operational resilience, end to end.

Who’s in Your Supply Chain?

  • 1st party – You

  • 2nd party – Your internal units or functions

  • 3rd party – Any external provider you pay for services (cloud, SaaS, data, HR, etc.)

  • 4th party – Your suppliers’ vendors (the ones you're probably not tracking or are even aware you’re using)

We have seen a recent example of an insecure supply chain and its ramifications in the M&S attack. They stated that their breach occurred when the hackers gained access to their systems via a "third party" - a company working alongside it - rather than accessing those systems directly. However, it was not the third party's name that was all over the news, it was theirs. It is a compelling case for taking Supplier Risk Management seriously, and for what can happen if you do not.

Why This Risk is Escalating Now

1. The Talent Gap Is Driving Fragile Dependencies

The cyber talent gap has never been wider. According to the World Economic Forum, 67% of organisations report a moderate-to-critical skills gap in cyber security in 2025. The problem is wider than cyber security: the British Chambers of Commerce[2] reports that in 2024, 62% of organisations were experiencing a skills shortage. As a result, many organisations, including FS firms, are having to outsource critical functions, often to offshore or less regulated providers. If not managed correctly, this increases your exposure and shrinks your control.

2. Risk Transferred ≠ Risk Managed

Outsourcing, contrary to popular belief, doesn’t eliminate cyber risk. Rather, it just moves it out of sight. If you don’t know where your customer data is stored, who can access it, or which vendor manages the system, then unfortunately you’re not managing the risk. You’re crossing your fingers and hoping the contract holds.

3. “Big Vendor” Doesn’t Mean “Secure Vendor”

Don't be blinded by shiny logos. The most recognisable providers do not always have mature controls, especially across every service line. Attackers know this, which is why they are increasingly targeting vendors instead of you. A 2025 SecurityScorecard report[3] found that 96% of Europe's largest financial institutions experienced at least one breach via a supplier in the past year, with 97% impacted through fourth-party connections. Globally, 75% of third-party breaches targeted software and technology supply chains, a sure sign that cyber criminals are weaponising trusted software suppliers to scale their attacks. Due diligence has never been more important, and, by extension, neither has making security part of the procurement process.

4. Regulation is Catching Up

Several major frameworks are tightening the screws:

  • DORA (EU), applicable since January 2025, requires financial entities to manage ICT third-party risk across their ICT providers, including maintaining a register of information on all contractual arrangements with them.

  • NIS2 (EU) makes supply chain security an explicit duty, including the security of relationships with direct suppliers and service providers.

  • The UK Cyber Resilience Bill (expected soon) will likely put third-party risk on the board's radar permanently.

The common denominator that’s becoming more apparent is - you own the risk, even if you didn’t cause the breach.

Business Continuity Depends on Supplier Risk Management

This issue goes beyond the concept of cyber security and becomes a question of business continuity. If your trading platform fails because your data provider was compromised, the outage is yours. If payroll data is stolen via your HR contractor, the fine is yours. No one separates “you” from your ecosystem when things go wrong.

Your customers don't care who caused it. Neither do regulators. Therefore, you must treat your suppliers not as vendors, but as shared risk partners. Build trusted, tested, resilient alliances. You must be able to challenge them and ask the hard questions. Demand clarity. Force transparency. If they flinch? That’s your red flag. Trust without transparency is just exposure.

Speak Their Language

Too often, security teams are left out of procurement and legal discussions. They’re seen as the blockers, not the enablers. This cultural gap is dangerous, and with the incoming Cyber Resilience Bill, it’s likely about to become a compliance risk too.

Security needs to own the conversation, because if you're not lucky enough to have a leadership team that gets it, no one else will hand it to you. So, what can you do?

Speak their language:
→ Tell the CFO what it costs to recover.
→ Show procurement how to spot red flags.
→ Highlight legal liability buried in contracts.

Make the consequences real:
“If X happens, we lose Y.” Not “vulnerability exists in Z.”

Build trust:
When you’ve invested in personal relationships, pushing back gets easier and more accepted.

What Should You Do Next?

Answer a simple question: can you name all the third and fourth parties who could engage with your customer data?

If not, that’s your first risk. Your second is believing this won’t happen to you.
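One way to make that question answerable is to keep a supplier register that records who engaged each provider, whether it handles customer data, and when it was last assessed, and then walk the chain to find every third, fourth and deeper party with a path to that data. The following is an added example in Python, not code from the original article or from Cyro Cyber; the supplier names, relationships and assessment dates are constructed, and the one-year review interval is an assumption.

```python
"""Supplier ecosystem mapping: which third and fourth parties can reach customer data?

Added example, not part of the original article. All supplier names,
relationships and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Supplier:
    name: str
    engaged_by: Optional[str]      # None = contracts with us directly (a 3rd party)
    handles_customer_data: bool
    last_assessed: Optional[date]  # None = never assessed by us


# Constructed register (hypothetical suppliers). Fourth parties typically show
# up here with no assessment date, because we never contracted with them.
REGISTER = {
    s.name: s for s in [
        Supplier("CloudHost", None, True, date(2025, 3, 1)),
        Supplier("PayrollCo", None, True, date(2024, 1, 15)),
        Supplier("PrintShop", None, False, date(2025, 6, 1)),
        Supplier("BackupVault", "CloudHost", True, None),     # 4th party
        Supplier("CdnEdge", "CloudHost", False, None),        # 4th party
        Supplier("PayslipMailer", "PayrollCo", True, None),   # 4th party
        Supplier("AuditFirm", "PayslipMailer", False, None),  # 5th party
    ]
}


def chain(register, name):
    """Path from our direct supplier down to `name`, e.g. ['PayrollCo', 'PayslipMailer'].

    A visited set guards against a malformed register where A engages B and B engages A.
    """
    path, seen = [], set()
    node = register[name]
    while node is not None:
        if node.name in seen:
            raise ValueError(f"cycle in supplier register at {node.name}")
        seen.add(node.name)
        path.append(node.name)
        node = register[node.engaged_by] if node.engaged_by else None
    return list(reversed(path))


def tier(register, name):
    """Party tier: 3 for a direct supplier, 4 for a supplier's supplier, and so on."""
    return 2 + len(chain(register, name))


def customer_data_exposure(register):
    """Every supplier, at any tier, that handles customer data, with the chain it sits on."""
    return sorted(
        (chain(register, s.name), tier(register, s.name))
        for s in register.values()
        if s.handles_customer_data
    )


def overdue(register, today, max_age_days=365):
    """Customer-data suppliers never assessed, or assessed more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        s.name
        for s in register.values()
        if s.handles_customer_data
        and (s.last_assessed is None or s.last_assessed < cutoff)
    )


if __name__ == "__main__":
    for path, t in customer_data_exposure(REGISTER):
        print(f"tier {t}: {' -> '.join(path)}")
    print("overdue or never assessed:", overdue(REGISTER, date(2025, 9, 1)))
```

The register is deliberately minimal: the point is that the two questions the article asks (who can touch customer data, and when did you last check) fall out of a simple graph walk once the "engaged by" relationship is recorded. Real registers would also carry contract references and the data categories involved.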

We at Cyro Cyber are here to help you stress test your Supplier Risk Management strategy before attackers or regulators do, and uncover your real exposure, to ensure your cyber resilience is as strong as it can be. Get in touch today.

References

[1] Over half of UK financial services institutions have suffered at least one third-party supply chain attack in 2024 (2025)
[2] British Chambers of Commerce, Business Barometer - An analysis of the UK skills landscape (2024)
[3] SecurityScorecard, The Cybersecurity of Europe's Top 100 Financial Institutions 2025 (2025)
