Supply chain risk is the known unknown for most organisations. So what does a credible solution actually look like, and is anyone close to it?

In spring 2025, M&S, Co-op and Harrods were all impacted by incidents in which the entry point was not a sophisticated technical compromise or zero-day exploitation, but social engineering, credential resets and human trust exploited at scale. These cases demonstrate that no organisation or sector is immune from supply chain cyber risk.

The estimated cost across M&S and Co-op alone is believed to sit between £270 million and £440 million, with disruption filtering far beyond the organisations themselves to suppliers, customers and service providers.

At the same time, research shows only 14% of UK businesses reviewed the cyber risk posed by their suppliers last year. What’s more, that figure relates only to direct suppliers and does not account for tier two and tier three providers further down the chain, highlighting how limited visibility remains across many supply networks and the significant blind spot this continues to create.

Visibility remains limited
One of the clearest themes emerging from the roundtable discussion was that many organisations still rely too heavily on point-in-time supplier assurance, such as annual questionnaires and periodic assessments. While these may provide a baseline, they no longer go far enough in reflecting the pace at which cyber risk evolves across interconnected supply chains. The consensus from the discussion was that organisations increasingly need to move towards continuous monitoring and more dynamic assessment of supplier risk.

The discussion also highlighted the growing importance of procurement in raising cyber resilience standards. While requirements such as Cyber Essentials provide an important and credible starting point, there was broad consensus that minimum baselines alone are unlikely to be sufficient given the increasing complexity of modern supply chains.

A shared problem
Another strong theme emerging from the roundtable was the growing importance of greater intelligence sharing between sectors on third-party cyber risk. Whilst financial services is one of the sectors moving quickest in this direction, wider cross-sector collaboration remains limited.

The role of regulation
The discussion also explored the role regulation may play in improving visibility and accountability across supply chains. The UK introduced the Cyber Security Resilience Bill in 2024, which has the potential to strengthen disclosure and assurance requirements further down the supply chain into tier two and tier three providers. The effectiveness of any future regulation will, however, ultimately depend on how those requirements are implemented and enforced in practice.

Reducing supply chain exposure
As supply chains become more interconnected, organisations are inheriting increasing levels of cyber risk from systems and providers outside their direct control. At the same time, attackers continue to exploit trusted relationships, human behaviour and gaps in visibility across those networks. So the challenge is no longer simply protecting individual organisations, but building resilience across the wider supply chain itself.
