TESTIMONIALS

โ€œReceived the latest edition of Professional Security Magazine, once again a very enjoyable magazine to read, interesting content keeps me reading from front to back. Keep up the good work on such an informative magazine.โ€

Graham Penn
ALL TESTIMONIALS
FIND A BUSINESS

Would you like your business to be added to this list?

ADD LISTING
FEATURED COMPANY
Interviews

Third-party risk

by Mark Rowe

Outsourcing a service does not outsource the risk, writes Robert Hannigan, Chairman of International Business, at the platform BlueVoyant.

In 2026, third-party risk management (TPRM) will move from a background compliance task to one of the most strategically important priorities for UK financial services firms. This shift is rapid and unavoidable. Financial institutions now operate under intense regulatory scrutiny from the Financial Conduct Authority (FCA), PRA and Bank of England, whileย cross borderย firms must also align withย theย EU DORAย regulation. Regulators are no longer satisfied withย point in timeย controls or annual questionnaires. They expectย real-timeย evidence of resilience, continuous monitoring, and the ability to withstand disruptionย that originatesย deep within digital supply chains.

This heightened focus reflects reality. Cloud, AI and other critical digital services have consolidated around a small number of dominant providers, creating systemic dependencies that extend far beyond traditional outsourcing arrangements. A single outage, cyber incident or operational failure at one of these providers can cascade across multiple institutions and even the wider financial system.

As a result, firms mustย maintainย accurateย registers of critical suppliers,ย demonstrateย ongoing resilience, and prepare for the designation of Critical Third Parties (CTPs). This is aย regulatory mechanism that will bring unprecedented oversight to the most influential technology providers.

Crucially, accountabilityย remainsย firmly with the regulated firm. Regulators have been explicit: outsourcing a service does not outsource the risk. Even when failures originate outside the organisation, responsibility for resilience, continuity and customer protection stays inhouse. This principle is shaping every aspect of TPRM in 2026.

Risk landscape

Alongside regulatory pressure, firms are grappling with growing complexity across fourth, fifthย andย Nthpartyย relationships. Incidents increasingly originate deep within vendor ecosystems,ย at subcontractors, cloud dependencies or embedded software providers that sit far beyond the first tier of suppliers. Yet,ย many organisations still lackย end-to-endย visibility of these extended supply chains.

At the same time, newย incident reportingย frameworks are raising expectationsย andย introducingย stricter, standardised requirements for reporting operational incidents and materialย third-partyย arrangements. Firms must detect and classify incidents quickly enough to meet accelerated timelines, coordinate multistage reporting with incomplete information, and harmonise UK rules with EU DORA templates. Without integrated tooling andย real-timeย monitoring, these expectations become extremely difficult to meet.

The rapid adoption of AI adds another layer of complexity. Much of the AI used in UK financial services is delivered or supported by third parties, creating new risks around model transparency, explainability and accountability. Over one third of AI use cases rely onย vendor suppliedย models, yet many firms lack full visibility into how these modelsย operateย or what dependencies they introduce. Regulators are increasingly concerned thatย AI drivenย third-partyย risk could amplify systemic vulnerabilities if not governed effectively.

The message for 2026 is clear: resilience must beย demonstratedย through evidence,ย testingย and preparedness. Firms unable to prove they can withstandย third-partyย failure will face increasing supervisory pressure.

Maturity gapย 

Over the pastย sixย years,ย weโ€™veย seenย TPRMย mature from aย basic awareness effortย into a formal operational function. But maturity does not always translate into effectiveness.ย Our most recentย report,ย The State of Supply Chainย Defense2ย shows that despite heavy investment in tools, teams and processes, many organisations struggle withย internal resistance, limited alignment and a widening gap between programmeย maturity and true organisational commitment.

Most programmes are still driven by compliance requirements rather than genuine risk reduction,ย even though 98% ofย UKย respondentsย were negativelyย impactedย byย aย third-partyย cyber incident in the past year3. Withย nearly allย organisations expecting their vendor ecosystems to grow, the attack surface is expanding faster than support structures. The result is a landscape where silos persist, visibility is limited, and risk reductionย remainsย secondary toย box ticking.

Sector strain

The financial services sector stands out in this yearโ€™s findingsย as a sector under strain.ย Seventyย percent ofย UKย organisations describe their TPRM programmes as early or developing, suggesting that many are still building foundational capabilities. Internal resistance is a major barrier, withย 26% citing it as their biggest challenge.

Perhapsย theย most concerningย findingย is the lack ofย senior leadershipย engagement. Only 10% of organisations brief executives on security monthly or moreย frequently, despiteย all UK financial services firms being negativelyย impactedย by third-party cyberย breaches in the past year. This disconnect between operational reality and executive oversight is a clear sign of systemic issues.

In this sector,ย ownership of TPRM often sits within finance departments rather than security functions, and programmes areย frequentlyย driven by annual contract value rather than risk exposure. This approach may satisfy procurement cycles, but it does little to strengthen resilience or reduce the likelihood ofย third-partyย failure.

From compliance to confidence

The main take-away from 2025 is unmistakable: without organisational alignment, even the most sophisticated TPRM programmes will fail to deliver meaningful outcomes. Integrated systems, cross functional collaboration and a genuine commitment to risk reduction โ€“ not just compliance โ€“ will determine which financial services firms thrive in 2026, and which remain trapped in reactive, box checking cycles.

The financial organisations that succeed will be those that treat TPRM as a strategic capability rather than an administrative burden. By embedding TPRM into coreย decision making, they will gain the visibility needed across the entire supply chain, build realisticย exit strategies, test resilience againstย real worldย scenarios, and ensure that senior leadership fully understands the stakes.

Financial systems are defined by deep interconnectedness. Therefore, the strength of a firmโ€™s third-party ecosystem is now as critical as the strength of its internal controls. Institutions that embrace TPRM as a driver of resilience, not just compliance, will not only meet regulatory expectations but also build a foundation of trust, stability and long-term competitive advantage in an increasingly complex digital economy.

Related News