Justin Kuruvilla, Chief Cyber Security Strategist, Risk Ledger
For years, financial institutions approached cyber security as something that could be managed largely within their own organisational perimeter. That assumption no longer holds true. Today, a bank’s resilience is increasingly tied to the resilience of the cloud providers, software vendors and outsourced partners sitting behind its operations.
As supply chains become more interconnected, cyber risk is becoming increasingly systemic in nature. Many organisations now rely on the same cloud providers, software vendors, and outsourced partners, creating hidden dependencies and concentration risks that extend beyond any single organisation. A single disruption within a critical supplier can quickly ripple across multiple organisations, markets and services. At the same time, advances in AI are accelerating the speed and sophistication of attacks, while geopolitical tensions are making supply chains themselves a growing point of vulnerability.
The industry is beginning to recognise the scale of the challenge. The World Economic Forum’s Global Cybersecurity Outlook 2026 found that 65% of large organisations now see third-party risk as their biggest cyber security concern. However, the greatest challenge increasingly lies beyond direct suppliers, where fourth, fifth and nth-party dependencies often remain poorly understood despite their potential to create significant operational disruption. While regulations such as the FCA’s PS26/2 guidance are helping improve transparency, they still only provide a partial view of the complex and deeply interconnected ecosystems financial institutions now rely on.
Compliance is only part of the picture
The FCA’s guidance marks an important evolution in how financial institutions are expected to manage supply chain risk. It strengthens reporting requirements and helps bring greater structure to how critical supplier relationships are identified and monitored. For firms operating across multiple jurisdictions, it also helps reduce fragmentation and aligns more closely with frameworks such as DORA in the EU.
But reporting frameworks are, by design, structured and retrospective. While they support oversight and accountability, they do not provide the real-time intelligence needed to respond to fast-moving threats. As a result, compliance alone cannot deliver a complete picture of risk exposure or improve operational resilience.
The risks beneath the ecosystem
To move beyond a compliance-driven approach, financial institutions need deeper visibility into their supplier ecosystems. This includes understanding not just direct supplier relationships, but also the fourth, fifth and nth-party dependencies that support critical business decisions and often remain invisible until an incident occurs. This is where risk becomes harder to see. A single compromised dependency within the wider supplier ecosystem can quickly cascade across multiple organisations.
Public reporting on disruptions affecting both high-profile manufacturers and retailers as well as lesser-known organisations highlights how issues linked to third-party providers can quickly impact entire sectors at scale, even where the affected organisations themselves have robust internal controls in place. These incidents reinforce how interconnected supply chains create exposure that extends far beyond a single organisation’s direct oversight.
Improved visibility enables organisations to identify such concentration risks, shared dependencies and emerging vulnerabilities before they can be exploited. It also supports more informed decision making around procurement, risk appetite and incident preparedness. Without this broader perspective, institutions remain reactive rather than proactive, addressing issues only once they have already begun to materialise.
Collaboration will define financial resilience
While individual visibility is essential, it is not sufficient in isolation. Many supply chain risks are systemic in nature, affecting multiple organisations simultaneously through shared suppliers or common technology stacks. This makes sector-wide collaboration a critical component of effective risk management.
By sharing supplier intelligence and risk signals across peers, much like organisations already share cyber threat intelligence today, financial institutions can build a collective view of systemic exposure and identify concentration risks that would remain hidden in isolation.
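The two points above, that nth-party dependencies stay invisible until they are traced through the chain, and that concentration risk only becomes visible when the supplier relationships of several institutions are pooled, can be made concrete with a small dependency-graph analysis. The example below is added here and is not code from the article or from Risk Ledger; the supplier graph and organisation names are constructed, and the tier and threshold rules are assumptions. Each institution starts from only its own direct suppliers; walking the graph exposes the fourth parties and deeper, and combining the walks across institutions ranks the suppliers whose failure would hit the sector at once.

```python
from collections import deque

# Constructed sample supplier graph (not from the article). Each key lists the
# suppliers that organisation depends on directly; all names are hypothetical.
SUPPLIER_GRAPH = {
    "BankA": ["PaymentsVendor", "CrmSaaS"],
    "BankB": ["PaymentsVendor", "TradingPlatformCo"],
    "BankC": ["TradingPlatformCo", "CrmSaaS"],
    "PaymentsVendor": ["CloudHostCo", "AuthProviderCo"],
    "CrmSaaS": ["CloudHostCo"],
    "TradingPlatformCo": ["MarketDataCo", "AuthProviderCo"],
    "MarketDataCo": ["CloudHostCo"],
    "CloudHostCo": [],
    "AuthProviderCo": [],
}

INSTITUTIONS = ["BankA", "BankB", "BankC"]


def supplier_tiers(graph, org):
    """Breadth-first walk from org. Returns {supplier: tier}, where tier 1 is a
    direct (third-party) supplier, tier 2 a fourth party, and so on. The
    shortest path sets the tier, i.e. the earliest point at which the supplier
    becomes visible to the organisation. Visited-set check also handles cycles."""
    tiers = {}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in tiers and supplier != org:
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def hidden_dependencies(graph, org):
    """Suppliers the organisation depends on only beyond tier 1 (fourth party
    and deeper): these never appear in its own contracts or supplier list."""
    return {s for s, t in supplier_tiers(graph, org).items() if t >= 2}


def concentration(graph, institutions):
    """Map each supplier to the set of institutions that depend on it at any
    tier. This needs the pooled graph of all institutions, which is the
    collective view that sharing supplier intelligence across peers provides."""
    exposure = {}
    for org in institutions:
        for supplier in supplier_tiers(graph, org):
            exposure.setdefault(supplier, set()).add(org)
    return exposure


def systemic_suppliers(graph, institutions, threshold):
    """Suppliers that at least `threshold` institutions depend on, ranked by
    how many institutions would be disrupted if that supplier failed."""
    exposure = concentration(graph, institutions)
    ranked = [(s, len(orgs)) for s, orgs in exposure.items() if len(orgs) >= threshold]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def blast_radius(graph, institutions, failed_supplier):
    """Institutions disrupted if failed_supplier goes down, with the tier at
    which each is exposed (tier >= 2 means the exposure was hidden from them)."""
    radius = {}
    for org in institutions:
        tiers = supplier_tiers(graph, org)
        if failed_supplier in tiers:
            radius[org] = tiers[failed_supplier]
    return radius


if __name__ == "__main__":
    for org in INSTITUTIONS:
        tiers = supplier_tiers(SUPPLIER_GRAPH, org)
        direct = sorted(s for s, t in tiers.items() if t == 1)
        print(org, "direct:", direct, "hidden:", sorted(hidden_dependencies(SUPPLIER_GRAPH, org)))
    print("systemic suppliers (>=2 institutions):", systemic_suppliers(SUPPLIER_GRAPH, INSTITUTIONS, 2))
    print("if CloudHostCo fails:", blast_radius(SUPPLIER_GRAPH, INSTITUTIONS, "CloudHostCo"))
```

In the constructed graph no institution contracts with CloudHostCo or AuthProviderCo directly, yet all three depend on both at tier 2. Each bank's own supplier list shows at most two names and a sector-wide failure point shows up only when the walks are combined; that is the gap between per-firm supplier assurance and shared supply chain intelligence that the article describes.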
Advancing cyber risk accountability
As supply chains become more complex and digitally integrated, the most significant cyber risks are increasingly emerging from hidden dependencies across the supply chain ecosystem. Developing a collective understanding of shared suppliers, hidden dependencies and concentration risks will be essential to improving resilience against systemic threats. This requires organisations to move beyond traditional supplier assurance and towards shared supply chain intelligence. By giving leadership teams clearer visibility into the risks stemming from the supply chain, organisations can make better-informed decisions, respond more effectively to incidents and strengthen operational resilience. Ultimately, this enables a more active and resilient approach to supply chain security.