A recent report by SecurityScorecard analyzed cybersecurity breaches in the third-party ecosystem of the UK FTSE 100 companies, highlighting the prevalence of breaches in their supply chain and the importance of third-party risk management.


The report revealed that almost all organizations within the UK FTSE 100 were affected by breaches in their third and fourth party ecosystems between March 2023 and March 2024. Supply chain attacks [6], particularly from fourth party vendors, pose a significant risk to organizations. Evaluating the security posture of all entities within a company’s digital ecosystem is crucial to prevent widespread compromises [1]. With upcoming regulatory requirements such as the Digital Operational Resilience Act (DORA) and the NIS2 Directive [6], third-party risk management is essential for enhancing overall cybersecurity posture. Companies with higher market capitalization generally have stronger cybersecurity measures, with the energy and basic materials sectors demonstrating the strongest security posture [4]. Conversely, the communications sector received the lowest overall security rating [2]. Large enterprises across Europe also experienced breaches in their third and fourth party ecosystems in 2023, prompting the need for improved supply chain security [3]. UK companies faced breaches in their fourth party ecosystem [3] [4] [5], including a significant incident involving the MOVEit exploit that resulted in at least $65 billion in losses. Enhancing application and network security is essential for all organizations to defend against cyber threats [5].


The findings of the report underscore the importance of addressing supply chain vulnerabilities and implementing robust third-party risk management practices. Organizations must prioritize enhancing their cybersecurity measures to mitigate the risks posed by supply chain attacks. The incidents reported serve as a wake-up call for companies to strengthen their security posture and prepare for future regulatory requirements. Moving forward, a proactive approach to cybersecurity is essential to safeguard against potential breaches and protect sensitive data.


[1] https://insight.scmagazineuk.com/supply-chain-attack-haunt-uks-ftse-100
[2] https://www.infosecurity-magazine.com/news/ftse-100-exposed-third-fourth/
[3] https://www.itpro.com/security/97-of-ftse-100-firms-suffered-supply-chain-breaches-last-year
[4] https://www.intelligentciso.com/2024/06/03/97-of-the-uks-ftse-100-exposed-to-supply-chain-breaches-in-the-last-year/
[5] https://www.techradar.com/pro/security/nearly-all-of-the-ftse-100-exposed-to-possible-supply-chain-security-issues
[6] https://www.computerweekly.com/news/366587593/97-FTSE-100-firms-exposed-to-supply-chain-breaches