CFOtech UK - Technology news for CFOs & financial decision-makers

From security silos to collective resilience: Transforming supply chain security in the UK insurance industry

Wed, 19th Nov 2025

The UK insurance industry, a cornerstone of the national economy, is navigating an increasingly complex landscape of operational and cyber risks. A new report on supply chain security highlights the sector's growing exposure to threats emerging across a vast and interconnected network of partners and vendors. As these dependencies evolve, the continued viability of traditional third-party risk management (TPRM) approaches is being tested: they cannot provide the depth of visibility needed to understand and manage risk across an organisation's extended supply chain ecosystem, far beyond its direct suppliers, which is the foundation of greater resilience.

A new report, "Every Link Matters: The State of Supply Chain Security in Insurance 2025", by the supply chain risk management platform provider Risk Ledger indicates that supply chain cyber incidents have become a near-universal problem. It found that an alarming 90% of UK insurance firms experienced at least one such incident in the past year, with more than half (62%) suffering two or more. This is no longer a peripheral issue either: 94% of cyber security leaders in the sector now rank supply chain incidents among their top three concerns for 2025, reflecting the escalating risk posed by an ever-expanding ecosystem of IT, cloud, and SaaS providers.

This heightened vulnerability comes as organisations' traditional defence mechanisms are proving insufficient. First-generation TPRM processes and solutions, long the standard for vetting direct suppliers, are struggling to keep pace. The report's findings show that nearly half of firms (46%) still rely on periodic security assessments, which leaves significant security gaps in a dynamic threat landscape.

Indeed, when questioned on the shortcomings of their current TPRM programmes, 36% of respondents cited the inability to continuously monitor a supplier's internal security controls, while another 26% pointed to a lack of visibility into their suppliers' own dependencies. This challenge is already a key focus for regulators. The Prudential Regulation Authority and the Financial Conduct Authority's operational resilience framework (PRA SS2/21) explicitly requires firms to map their important business services and the chain of dependencies that support them. However, the data suggests that achieving this level of visibility remains a significant hurdle, with 74% of firms reporting incomplete visibility beyond their immediate suppliers.

The consequence is the unchecked growth of 'systemic risk' - where multiple firms become critically dependent on the same fourth- or nth-party provider, often without realising it. A single breach at a shared technology vendor could trigger cascading disruptions across the entire insurance market. Incidents like the MOVEit and Blue Yonder breaches have already demonstrated how a compromise deep within the supply chain can have far-reaching impacts.

Faced with a problem that outstrips the capabilities of any single organisation, the report argues for a fundamental shift in strategy: from isolated compliance to collective defence. The concept of greater collaboration and intelligence sharing is already established among threat intelligence professionals, with bodies like the Financial Services Information Sharing and Analysis Centre (FS-ISAC) providing a model for the required industry-wide cooperation. Yet no equivalent exists in TPRM.

Adopting this ethos, however, could transform supply chain resilience. By pooling non-sensitive data on supplier relationships, firms can collectively map their shared dependencies and identify hidden concentration risks that are invisible from the vantage point of a single organisation. Rather than thousands of firms individually assessing the same major cloud or software provider, a collaborative approach could reduce the burden on everyone and raise security standards across the insurance ecosystem.

The UK insurance sector is at an inflection point. The scale of supply chain risk has outgrown traditional, siloed defences and approaches. With regulatory pressure mounting and the frequency of attacks showing no sign of abating, investing in a new paradigm of shared visibility and collaborative resilience is not just a strategic advantage - it is essential for safeguarding the stability of the entire industry.
