Risk Ledger found that 90% of UK professionals view supply chain cyber incidents as a top concern for 2025
# Industry News: Pervasive Supply Chain Cyber Risks Highlight Failures in Current TPRM Practices
## Summary
New research presented at Infosecurity Europe 2025 indicates a significant escalation in supply chain cyber risk, with nearly half of organizations suffering at least two incidents in the past year. Despite widespread concern, a large majority (63%) of respondents feel current Third-Party Risk Management (TPRM) approaches are ineffective, pointing toward systemic failures in collaboration and communication across the risk management lifecycle.
## Key Details
- Date: June 3, 2025 (Presentation at Infosecurity Europe 2025)
- Companies Involved: Risk Ledger (Source of research), organizations surveyed across sectors.
- Category: Market Analysis/Risk Assessment Findings
## The Story
Research from Risk Ledger, shared at Infosecurity Europe 2025, reveals that 46% of surveyed firms experienced two or more cybersecurity incidents traceable to their supply chain over the last year. This alarming frequency contributes to 90% of UK respondents ranking supply chain cyber incidents as a top concern for 2025. Critically, the study highlights a substantial trust deficit in current defensive postures, as only 37% of organizations are satisfied with the effectiveness of their existing TPRM programs. A key inhibitor identified is a failure in intra-stakeholder communication, where 54% of TPRM functions only "occasionally" collaborate to spot systemic risks. Furthermore, the research shows substantial maturity gaps across industries, exemplified by legal sector visibility (48% reporting full multi-tier visibility) vastly outperforming other sectors (only 14% reporting the same). Risk Ledger's CEO labeled the current state of TPRM as "fundamentally broken," suggesting that compliance-focused box-ticking is inadequate against fast-moving attackers.
## Business Impact
### For the Companies Involved
- **Organizations facing incidents:** Increased financial losses due to downtime, remediation costs, regulatory fines, and reputational damage stemming from third-party failures.
- **Risk Ledger (and similar vendors):** Validation of their market thesis regarding the inadequacy of existing solutions, driving demand for more effective, collaborative risk intelligence platforms.
### For Competitors
- **Legacy/Compliance-focused TPRM Vendors:** Face increased scrutiny as their solutions, seemingly focused on fulfilling compliance checklists rather than genuine risk reduction, are deemed ineffective by a majority of the market.
- **Maturity Services Providers:** Will see increased market opportunity for bridging the communication and visibility gaps identified in the study.
### For Customers
- **End users of affected services:** Face higher residual risk as the complexity and frequency of supply chain breaches rise, requiring greater vigilance in vetting their own vendors.
- **Clients of the surveyed firms:** May begin demanding higher assurances and evidence of multi-tier supply chain security audits from their primary contractors.
### For the Market
- The data suggests a hardening of regulatory focus on supply chain due diligence, moving beyond basic vendor questionnaires toward verifiable, real-time risk assessment.
- Increased investment is expected to shift from merely *documenting* compliance to actively *managing* and *communicating* systemic third-party risk.
## Technical Implications
The findings suggest a technical deficit in automated, continuous monitoring across the supply chain tiers. The identified communication failure implies that existing tools are not effectively normalizing risk data or facilitating cross-departmental/cross-company threat intelligence sharing necessary to identify "systemic risks" that transcend a single vendor relationship. Innovation is needed in multi-tier mapping and shared risk visualization platforms.
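As an added illustration of the multi-tier mapping this paragraph calls for (example code written for this page, not from Risk Ledger or the research), the Python below walks a constructed supplier graph to assign each vendor a tier, measure how far sub-tier visibility extends, and flag sub-tier vendors that several tier-1 suppliers depend on, the kind of systemic concentration a single-vendor assessment never reveals. All supplier names are invented sample data.

```python
# Added example (not from the Risk Ledger research): a minimal multi-tier
# supplier map. Each key lists the suppliers that entity depends on; an
# empty list means no sub-tier data was shared, so visibility stops there.
from collections import defaultdict, deque

# Constructed sample data; "acme-corp" is the organisation doing the assessment.
SUPPLY_MAP = {
    "acme-corp": ["payroll-saas", "cloud-host", "law-firm"],
    "payroll-saas": ["identity-provider", "cloud-host"],
    "cloud-host": ["identity-provider"],
    "law-firm": [],               # tier-1 supplier with no sub-tier visibility
    "identity-provider": [],      # tier-2 vendor reached through two tier-1s
}


def tier_of(root, supply_map):
    """Breadth-first walk from root; returns {vendor: shortest tier depth}."""
    tiers, frontier = {}, deque([(root, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if node in tiers:          # already seen at an equal or shallower tier
            continue
        tiers[node] = depth
        for dep in supply_map.get(node, []):
            frontier.append((dep, depth + 1))
    return tiers


def systemic_vendors(root, supply_map, min_paths=2):
    """Sub-tier vendors reachable via at least min_paths distinct tier-1 suppliers.

    A vendor many tier-1 suppliers share is a systemic risk: one incident there
    propagates through several contracts at once, which is what the page calls
    risk that 'transcends a single vendor relationship'.
    """
    reached_via = defaultdict(set)
    for tier1 in supply_map.get(root, []):
        for vendor in tier_of(tier1, supply_map):
            if vendor != tier1:
                reached_via[vendor].add(tier1)
    return {v: sorted(s) for v, s in reached_via.items() if len(s) >= min_paths}


def visibility(root, supply_map):
    """Fraction of tier-1 suppliers for which any sub-tier data exists."""
    tier1 = supply_map.get(root, [])
    visible = [s for s in tier1 if supply_map.get(s)]
    return len(visible) / len(tier1) if tier1 else 0.0
```

Running `systemic_vendors("acme-corp", SUPPLY_MAP)` on the sample data flags `identity-provider` as a tier-2 dependency shared by two tier-1 suppliers, while `visibility` reports that only two of the three tier-1 suppliers disclosed anything below themselves.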
## Strategic Analysis
- Market Positioning: There is a clear market need for security solutions that transition TPRM from a periodic, compliance-driven exercise to a continuous, operational security function focused on collaborative risk intelligence.
- Competitive Advantage: Vendors offering verified, automated, and collaborative oversight across deep tiers of the supply chain will gain significant traction against traditional vendors relying on static documentation.
- Challenges: Overcoming organizational inertia and data silos remains a major hurdle. Even with good tools, improving inter-company communication protocols (especially with tier-2 and deeper vendors) is inherently difficult.
## Industry Reactions
- **Analyst Opinions:** The findings strongly affirm the industry consensus that the "perimeter" is now defined by the software and service supply chain. The low satisfaction rate with current TPRM validates analyst concerns that organizations are confusing third-party *assessment* with third-party *management*.
- **Expert Commentary:** Experts like the CEO quoted are signaling a necessary shift: security posture must be measured by resilience against complex, interconnected attacks, not just compliance scores against a single vendor.
- **Market Response:** This data will likely fuel increased vendor sales cycles focused on sophisticated risk visibility platforms and potentially drive M&A activity targeting companies specializing in multi-tier supply chain mapping.
## Future Outlook
- **Predictions and Expectations:** Continued high incidence rates will force boards and CISOs to prioritize real-time supply chain risk monitoring over quarterly check-ins. We can expect to see more firms adopting formal framework standards (like NIST SSDF or evolving ISO standards) that specifically mandate multi-tier visibility.
- **What to watch for:** Government mandates regarding critical infrastructure supply chain transparency, similar to recent U.S. executive orders, are likely to increase in scope and severity as these incidents continue.
## For Security Professionals
Security teams must urgently review data-sharing agreements and collaboration protocols within their risk functions. Reliance on annual vendor questionnaires is demonstrably failing. Professionals need to advocate for and implement technology capable of dynamic assessment across deeper tiers, focusing on observable security controls rather than contractual assurances.