UK firms urged to prepare for new cyber supply chain rules
SecurityScorecard has released a whitepaper intended to help UK firms prepare for the forthcoming UK Cyber Security and Resilience Bill, which would bring supply chain resilience under statutory regulation for the first time.
Bill overview
The Cyber Security and Resilience Bill, announced in the July 2024 King's Speech, proposes significant changes to the existing cyber security obligations of UK businesses. It would bring Managed Service Providers (MSPs), data centres, and "Designated Critical Suppliers" within scope of new regulatory requirements, and would bring UK regulation more closely into line with the European Union's NIS2 directive.
Among the major changes, the bill would require in-scope organisations to notify their regulator of significant cyber security incidents within 24 hours and to submit a full report within 72 hours. Regulatory oversight would also be extended to smaller digital service providers and to high-capacity data centres.
Industry response
"The UK isn't just under attack, it's falling behind threat actors," said Ryan Sherstobitoff, Field CTO at SecurityScorecard. "They exploited trusted partners in the Jaguar Land Rover, M&S, and European airport breaches, demonstrating that legacy compliance models can't keep up with today's threat velocity. The weakest link in your supply chain is now the front door."
SecurityScorecard's whitepaper identifies a marked shift in regulatory focus toward real-time monitoring and accountability across the supply chain. Under the bill, regulators would also be empowered to recover their costs from regulated entities and to introduce sector-specific obligations as part of the government's approach to cyber resilience.
Key data findings
The whitepaper presents an analysis of cyber incidents and security postures among UK companies:
- 97% of the UK's top 100 companies experienced a third-party (direct supplier) data breach, and the same proportion were affected by a fourth-party compromise (a breach at a supplier's supplier).
- 41.4% of ransomware attacks now gain initial access through third-party access routes.
- Companies rated "A" on SecurityScorecard's scale are 138 times less likely to be breached than those rated "F".
- The communications and healthcare sectors showed the weakest cyber security postures in the UK, with up to 70% of companies in those industries rated "C" or lower on SecurityScorecard's assessment scale.
Addressing the need for increased visibility into supply chains, Sherstobitoff added:
"The lesson is simple. If you can't see it, you can't secure it. UK organizations need full visibility into their vendor ecosystem, before regulators or ransomware actors force their hand."
New obligations for businesses
Ahead of the regulations taking effect, the whitepaper sets out several preparatory steps for UK organisations:
- Conduct third-party risk assessments aligned with the National Cyber Security Centre's Cyber Assessment Framework (CAF).
- Identify which suppliers could fall within the Designated Critical Supplier category.
- Map supply chain dependencies, including fourth-party relationships.
- Update incident response playbooks so that the 24-hour notification and 72-hour reporting deadlines can be met.
The UK government's approach reflects international trends in managing digital infrastructure risk. By including additional service providers and imposing stricter timelines for notification and compliance, the legislation is intended to raise the baseline for national cyber resilience in line with current and emerging threats.
SecurityScorecard offers Supply Chain Detection and Response (SCDR) products in support of this, which monitor third-party risk using factor-based ratings and automated assessments to help organisations manage threats across their supply chain ecosystem.