Press September 30, 2025

SecurityScorecard Whitepaper Urges UK Firms to Act Now Ahead of Cyber Security and Resilience Bill

LONDON, 30th September 2025 — SecurityScorecard today launched a whitepaper to help UK firms prepare for the UK Cyber Security and Resilience Bill, which will bring supply chain resilience into regulation for the first time. 

The Cyber Security and Resilience Bill, introduced in the July 2024 King’s Speech, aims to improve UK companies’ cyber readiness by proposing sweeping updates, expanding oversight to include Managed Service Providers (MSPs), data centres, and “Designated Critical Suppliers.” It mirrors the EU’s NIS2 directive in mandating 24-hour incident reporting and proactive supply chain risk assessments.

“The UK isn’t just under attack, it’s falling behind threat actors,” said Ryan Sherstobitoff, Field CTO at SecurityScorecard. “They exploited trusted partners in the Jaguar Land Rover, M&S, and European airport breaches, demonstrating that legacy compliance models can’t keep up with today’s threat velocity. The weakest link in your supply chain is now the front door.”

Implications of the New UK Cybersecurity and Resilience Bill

  • Incident notification required within 24 hours; full report due in 72 hours.
  • Regulators can recover costs and impose sector-specific obligations.
  • Expanded oversight includes:
    • Small digital service providers
    • High-capacity data centres
  • Emphasis on real-time monitoring and supply chain-wide accountability.

Key data points:

  • 97% of the UK’s top 100 companies experienced a third-party breach; the same percentage had fourth-party compromises.
  • 41.4% of ransomware attacks now originate via third-party access vectors.
  • Companies with an “A” SecurityScorecard rating are 138.x less likely to be breached than those rated “F”.
  • Communications and Healthcare sectors had the weakest cybersecurity posture:
    • Up to 70% of companies in these industries in the UK were rated “C” or lower.

“The lesson is simple,” Sherstobitoff added. “If you can’t see it, you can’t secure it. UK organizations need full visibility into their vendor ecosystem, before regulators or ransomware actors force their hand.”

Action Steps for UK Organisations

  • Conduct third-party risk assessments aligned with NCSC’s Cyber Assessment Framework (CAF)
  • Identify Designated Critical Suppliers
  • Map supply chain dependencies
  • Update incident response protocols to meet new deadlines

You can read the full whitepaper and prepare your organization for free here.

About SecurityScorecard

SecurityScorecard created Supply Chain Detection and Response (SCDR), transforming how organizations defend against the fastest-growing threat vector – supply chain attacks. Our industry-leading security ratings serve as the foundation and core strength, while SCDR continuously monitors third-party risks using our factor-based ratings, automated assessments and proprietary threat intelligence, to resolve threats before they become breaches. MAX enables response and remediation capability, working through our service partners to protect the entire supply chain ecosystem while strengthening operational resilience, enhancing third-party risk management, and mitigating concentrated risk.

Trusted by over 3,000 organizations – including two-thirds of the Fortune 100 – and recognized as a trusted resource by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Backed by Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, NGP, Intel Capital, and Riverwood Capital, SecurityScorecard delivers end-to-end supply chain cybersecurity that safeguards business continuity.

Learn more at securityscorecard.com or follow us on LinkedIn.

Media Contact
Charles Simon
Senior Global PR Manager