TL;DR: 97% of the UK’s top companies have already experienced third- and fourth-party breaches, according to SecurityScorecard, and organisations with poor ratings are 13x more likely to be breached, underscoring why the UK Cyber Security and Resilience Bill pushes supplier oversight, incident reporting, and MSP governance into the operational centre. Point-in-time vendor reviews are no longer enough when supply-chain exposure is already present.
NHIMG editorial — based on content published by SecurityScorecard: How to Prepare for the UK Cyber Security and Resilience Bill in 2025
By the numbers:
- 97% of the UK’s top companies have already experienced third- and fourth-party breaches.
- Companies with poor ratings are 13x more likely to be breached.
Questions worth separating out
Q: What breaks when third-party access is not mapped end to end?
A: When third-party access is not mapped end to end, organisations lose sight of who can still reach internal systems after the original business purpose changes.
Q: Why do third- and fourth-party breaches change resilience planning?
A: Third- and fourth-party breaches change resilience planning because the organisation can be affected even when its own controls are intact.
Q: What do organisations get wrong about security questionnaires?
A: They often treat questionnaire answers as proof of control effectiveness.
Practitioner guidance
- Classify suppliers by access impact Tier vendors by the systems, identities, and data they can touch, then include managed service providers and downstream subcontractors in the same classification model.
- Inventory externally reachable identities Track supplier accounts, API tokens, federation links, and service credentials together so offboarding and review can remove dormant external access paths.
- Set incident triggers for supplier-linked anomalies Define thresholds for unusual vendor activity, privileged supplier logins, and service degradation so security and resilience teams can escalate before wider impact spreads.
What's in the full report
SecurityScorecard's full whitepaper covers the operational detail this post intentionally leaves for the source:
- How the UK Cyber Security and Resilience Bill compares with the EU's NIS2 directive for supplier oversight and incident reporting.
- Immediate steps to align supplier governance with the NCSC Cyber Assessment Framework, including classification and reporting workflows.
- Why companies with poor ratings are 13x more likely to be breached, with the underlying benchmarking approach used in the analysis.
- How the report frames third- and fourth-party breaches in the context of managed service provider oversight and supply-chain resilience.
👉 Read SecurityScorecard's whitepaper on preparing for the UK Cyber Security and Resilience Bill →
UK cyber resilience bill: what changes for third-party risk teams?
Explore further
Third-party risk is now an access-governance problem, not just a procurement problem. When suppliers can reach systems through accounts, integrations, or delegated privileges, the question is no longer only whether a vendor is trustworthy. The question is whether its access is bounded, observable, and revocable across the full relationship lifecycle. Practitioners should treat supplier access as part of identity governance, not a separate compliance silo.
A question worth separating out:
Q: Who is accountable when exposed credentials or weak supplier controls lead to an incident?
A: Accountability should sit with the system owner, the identity governance team, and the supplier manager together, because the failure is usually shared across lifecycle, access, and oversight. The right question is not who owns the blame, but who can revoke access, validate scope, and prove the controls worked.
👉 Read our full editorial: UK cyber security and resilience bill shifts third-party risk