97% of FTSE 100 firms suffered supply chain breaches last year


Virtually all of the UK's FTSE 100 companies were exposed to supply chain breaches during the last year, according to a report from SecurityScorecard.

An overwhelming 97% of the UK's largest companies had a breach in their third-party ecosystem, compared with 94% of German firms, 98% of French companies, and 95% of Italian companies.

The best-performing industries were energy and basic materials, and mining and raw materials, with only 12% and 16% respectively reporting third-party breaches, the study found.

The financial sector was the UK's next best performer, with only 5% of companies reporting a third-party incident, while the communications sector had the poorest overall security posture.

Will Gray, director of Northern Europe for SecurityScorecard, said the report highlights a frequent pain point for large organizations and the escalating threats faced by many.

"Third-party risk management is a key component of any robust cyber security program, and the companies represented in this report would benefit by making it a priority," he said.

"The sectors and organizations in the UK - and in Europe as a whole - need to do more now if they are going to be ready for the implementation of DORA [Digital Operational Resilience Act] by January 2025, as well as the NIS2 directive."

The 25 companies in the UK with the highest market capitalization - over $29 billion - have, unsurprisingly, a stronger cyber security posture, with only 12% having a 'C' rating or below on SecurityScorecard's resilience rating system.

Of the 75 companies with a market capitalization of between $5 billion and $28 billion, 28% had a C rating or below.

UK firms plagued by breaches

A staggering 97% of UK companies had a breach in their fourth-party ecosystem, compared with 95% of German companies and 97% of Italian companies, the study found.

"A vendor experiencing a third- or fourth-party compromise could affect a large number of its customers, or even customers of its customers, in one fell swoop," the researchers point out.

"The MOVEit exploit was discovered in the spring of 2023, and organizations are still dealing with the fallout of the breach, which is projected to cost at least $65 billion."

Similarly, 12% experienced a direct breach in the last year, compared with 8% of German companies, 7% of French companies, and 3% of Italian companies.

"The rise of data breaches across Europe demonstrates that UK companies still need to make third-party risk management an integral component of not only their security program but of their vendor selection process as well," Gray said.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.