Report: UK firms struggle to map supply chain cyber threats
Mon, 15th Jun 2026
More than eight in 10 UK cyber security and third-party risk professionals say their organisation experienced at least one supply chain cyber incident in the past year, highlighting continued gaps in supplier oversight and incident response.
Risk Ledger's research Every Link Matters: The State of Supply Chain Security 2026 - UK Edition found 82.4% of respondents recorded at least one supply chain incident in the previous 12 months. Almost half, at 47.2%, reported two or more. The findings suggest supply chain cyber risk remains a persistent issue for organisations across sectors, despite stronger regulatory scrutiny of operational resilience and supplier dependencies.
Risk levels
The survey of 500 UK cyber security and third-party risk management professionals found 86% ranked supply chain cyber incidents among their top three concerns for 2026.
The data also shows a gap between concern and readiness. Only 6% of respondents said they could accurately map exposure across their supplier ecosystem in under four hours after a major supply chain cyber incident. Another 45% said it would take between four and 24 hours.
More than a quarter said it would take one to three business days. A further 23% said it would take more than a week and require manual outreach to suppliers.
Those delays can limit an organisation's ability to respond when a supplier is compromised. Teams need to know which business services, systems and processes may be exposed. They also need to understand whether risk extends deeper into the supply chain.
Slow checks
Supplier due diligence remains slow. Only 38% of respondents said their organisation could complete security due diligence for a new supplier within two weeks.
Another 34.6% said the process took three weeks or more. Within that group, 12% said it took more than one month.
Risk Ledger's analysis points to a structural weakness in many third-party risk management processes. They often remain manual and focused on bilateral assessment between one customer and one supplier. Many still rely on bespoke questionnaires and periodic reviews.
That approach can create duplicated work for suppliers. It can also leave customers relying on information that may not reflect current security controls.
Visibility gap
Visibility beyond direct suppliers remains uneven.
Some 30% of respondents said they had full visibility into the entire chain of subcontractors contributing to important business functions. Just over half, at 50.2%, said they had high visibility into all direct subcontractors of critical third parties.
A further 16% reported only partial visibility into some fourth parties of their critical suppliers. Only 3% said they had no visibility beyond direct critical third parties.
The findings come as regulators in the UK and EU put greater emphasis on operational resilience, concentration risk and the mapping of digital dependencies. This includes closer scrutiny of subcontractors and deeper-tier relationships that support critical or important services.
"Identifying systemic risks is really important. However, in most cases, only industry-level associations have enough combined resources and adequate information sharing guardrails in place to efficiently identify actual systemic risks, agree actions and, with the help of regulators, influence large players in the supply chain," said Yohann Le Grand, Senior Security & Resilience GRC Manager, Lloyds Wealth.
Network mapping
Risk Ledger sets out a model it calls Active Supply Chain Security. It is based on standardised assessments, continuous monitoring, network visibility, collective defence and faster incident response.
The survey suggests organisations are open to more collaborative approaches. Some 42% of respondents said their organisation would be very supportive of an industry-wide model in which supplier intelligence and assurance data are shared with peers. A further 50.2% said they would be somewhat supportive.
Risk Ledger also examined three groups using its platform: 26 government organisations, 25 local authorities and 30 financial institutions.
Across the government group, the platform identified 3,240 direct third parties and 5,886 additional dependencies across shared nth parties. It also identified 1,264 potential concentration risks, including 820 at third-party level.
Of those third-party concentration risks, 224 were rated critical. Risk Ledger said this means an incident at one supplier would be likely to disrupt essential services at multiple public sector organisations.
"Risk Ledger's Network Visualisation Tool has enabled us to efficiently identify critical risks across our supply chain, helping us address potential concentration risks before they escalate," said Chris Phillips, Third-Party Compliance and Assurance Lead, Home Office Cyber Security (HOCS) | Governance, Risk and Compliance (GRC).
Sector exposure
The local authority group had 1,004 direct third parties and 7,659 additional dependencies across shared nth parties. Risk Ledger identified 1,240 potential concentration risks, including 364 at third-party level. Of those, 99 were rated critical.
The financial services group had 2,780 direct third parties and 6,529 additional dependencies. The platform identified 1,322 potential concentration risks, including 727 at third-party level. Of those, 288 were rated critical.
The analysis also found control weaknesses among some critical concentration risks. In the financial services group, 120 suppliers classified as critical third-party concentration risks did not have Cyber Essentials certification. Two were not using Multi-Factor Authentication to secure remote access to their network or cloud environments. Ten did not regularly test or rehearse Business Continuity and Disaster Recovery plans.
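The two analyses the report describes, mapping which organisations are exposed when one supplier is compromised (the question raised under "Risk levels") and finding concentration risks where one supplier sits beneath several organisations at third-party or deeper tiers (the government, local authority and financial services figures above), both reduce to walks over a supplier dependency graph. The following is an added example, not code from the Risk Ledger platform or report: the organisation, supplier and control data are constructed, the supplier names are hypothetical, and the threshold for rating a concentration risk "critical" is an assumption chosen for illustration.

```python
"""Supplier dependency graph: exposure mapping and concentration-risk detection.

Added illustration; not code from the Risk Ledger platform or report.
All organisations, suppliers and control attributes below are constructed.
"""
from collections import defaultdict, deque

# Constructed sample. Each organisation lists its direct third parties; each
# supplier lists its own suppliers (fourth and deeper "nth" parties).
ORGS = {
    "council-a": ["payroll-saas", "hosting-co"],
    "council-b": ["payroll-saas", "case-mgmt-vendor"],
    "council-c": ["case-mgmt-vendor", "print-services"],
}
SUPPLIERS = {
    "payroll-saas": ["hosting-co", "identity-idp"],
    "case-mgmt-vendor": ["hosting-co"],
    "hosting-co": ["dns-provider"],
    "print-services": [],
    "identity-idp": [],
    "dns-provider": [],
}
# Constructed control attributes mirroring the three checks the report cites:
# Cyber Essentials certification, MFA on remote access, rehearsed BC/DR plans.
CONTROLS = {
    "payroll-saas": {"cyber_essentials": True, "mfa_remote": True, "bcdr_tested": False},
    "case-mgmt-vendor": {"cyber_essentials": False, "mfa_remote": True, "bcdr_tested": True},
    "hosting-co": {"cyber_essentials": True, "mfa_remote": False, "bcdr_tested": True},
    "print-services": {"cyber_essentials": False, "mfa_remote": True, "bcdr_tested": True},
    "identity-idp": {"cyber_essentials": True, "mfa_remote": True, "bcdr_tested": True},
    "dns-provider": {"cyber_essentials": True, "mfa_remote": True, "bcdr_tested": True},
}


def dependencies_of(org):
    """Return (direct, nth) supplier sets reachable from one organisation.

    Breadth-first walk from the direct third parties; anything reached beyond
    that first hop that is not itself a direct supplier counts as an nth party.
    """
    direct = set(ORGS[org])
    seen, queue = set(direct), deque(direct)
    while queue:
        supplier = queue.popleft()
        for sub in SUPPLIERS.get(supplier, []):
            if sub not in seen:
                seen.add(sub)
                queue.append(sub)
    return direct, seen - direct


def exposure(compromised):
    """Map which organisations are exposed if `compromised` is breached and
    whether it sits in their direct tier or deeper in the chain."""
    hit = {}
    for org in ORGS:
        direct, nth = dependencies_of(org)
        if compromised in direct:
            hit[org] = "direct"
        elif compromised in nth:
            hit[org] = "nth-party"
    return hit


def concentration_risks(min_orgs=2):
    """Suppliers relied on (at any tier) by at least `min_orgs` organisations.

    Returns {supplier: {"orgs": [...], "tier": "third-party" | "nth-party"}}.
    A risk is third-party level when the supplier is a *direct* supplier of
    at least `min_orgs` organisations; otherwise the shared dependency is deeper.
    """
    any_tier, direct_tier = defaultdict(set), defaultdict(set)
    for org in ORGS:
        direct, nth = dependencies_of(org)
        for supplier in direct:
            direct_tier[supplier].add(org)
        for supplier in direct | nth:
            any_tier[supplier].add(org)
    risks = {}
    for supplier, orgs in any_tier.items():
        if len(orgs) >= min_orgs:
            tier = "third-party" if len(direct_tier[supplier]) >= min_orgs else "nth-party"
            risks[supplier] = {"orgs": sorted(orgs), "tier": tier}
    return risks


def critical_control_gaps(min_orgs=3):
    """For suppliers whose failure would disrupt >= `min_orgs` organisations
    (the assumed "critical" threshold), list controls not in place."""
    gaps = {}
    for supplier in concentration_risks(min_orgs):
        missing = sorted(c for c, ok in CONTROLS[supplier].items() if not ok)
        if missing:
            gaps[supplier] = missing
    return gaps


if __name__ == "__main__":
    for org in ORGS:
        direct, nth = dependencies_of(org)
        print(f"{org}: {len(direct)} direct, {len(nth)} nth-party dependencies")
    print("exposure if hosting-co is compromised:", exposure("hosting-co"))
    print("concentration risks:", concentration_risks())
    print("critical risks with control gaps:", critical_control_gaps())
```

The point the example makes is that a supplier none of the three organisations contracts with directly ("dns-provider") can still be a critical concentration risk, and that the control check is only meaningful once the graph has told you which suppliers matter most.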
"A big challenge with third-party risk management comes down to how corporations and other organisations tackle peer-to-peer communication from within their respective siloes. We (as customers of common suppliers) need to get better at working with each other and trusting what our peers are doing. Using feedback as a form of intelligence about shared interests would allow companies to focus more time on fixing the things we really care about," said Jay Vinda, Global CISO and Cyber Risk Engineering Lead, Mosaic Insurance.