
About the author


Elevate makes seamless, secure, intelligent networks as effortless as they should be, from one ground-to-cloud technology partner.


As a UK-based technology partner, Elevate provides hyperfast dedicated internet up to 10 Gbps, resilient AlwaysOn backup, managed WiFi / LAN networks, cyber security, and unified communications - all through their own fibre infrastructure across Cardiff.

16 April 2026

Cyber Diligence Now Extends Beyond Your Own Suppliers


GUEST COLUMN:

Scott Hill
Chief Technology Officer
Hodge Bank

Working in financial services means living with a level of scrutiny that most sectors do not experience. At Hodge, a specialist bank based in Cardiff, we operate under clear regulatory expectations from the Financial Conduct Authority and the Bank of England. Those expectations centre on operational resilience. It’s not enough to say that systems are secure; we must demonstrate that our important business services can continue to function under pressure.

That requirement has reshaped how we think about cybersecurity. It’s no longer simply about protecting data or preventing malware. It’s about safeguarding the services that customers rely on – savings accounts, mortgages, real estate finance – and ensuring those services remain stable even when external events occur. Technology architecture has to be built to be secure and resilient by design, not retrofitted later.

Like many modern banks, we’re cloud native. We operate across hyperscale environments, and within those environments we add further layers of resilience. That is expected. What has evolved more recently is the level of diligence we apply to our supply chain.

Historically, organisations would focus on third parties. Who provides your core system? Who hosts your data? Who supports your network? That was the boundary. Today, that is no longer sufficient. We categorise our important business services and then look at which suppliers support those services. The next question is unavoidable: who supports them?

That takes us into fourth-party territory. If we rely on a software provider, and that provider tells us they have robust resilience arrangements in place, we have to understand how those arrangements are actually delivered. If they rely on a hyperscaler, we need to know how that instance is configured. If they depend on another specialist partner, we need to understand that link in the chain as well. The analysis goes deeper than it did three or five years ago, and I expect that trend to continue.

This is not academic. We’ve seen high-profile disruptions in other industries where the cost of restarting critical services far outweighed the cost of any lost data. When operational resilience fails at scale, the economic impact can be significant. In financial services, that risk is magnified because of the systemic importance of banks. That is why regulators are focused not just on cyber controls but on continuity of service.

There is a lesson here for SMEs. While smaller organisations are not subject to the same regulatory framework, they increasingly find themselves supplying those who are. If you are bidding to work with a bank, an insurer or a large corporate, you’ll be asked about your cyber posture. And you may be asked about the posture of your own suppliers.

The good news is that there is already a model to follow. Hyperscale providers publish detailed credentials and clear evidence of compliance against recognised standards. When we assess them, we are not starting from scratch; we download what already exists and measure it against our requirements. SMEs can adopt a similar approach. Look at what good looks like, understand the standards that larger organisations expect and assemble your credentials in one place so that when the question comes, the answer is ready.

Frameworks such as Cyber Essentials provide a sensible starting point. Even where it is based on self-attestation, the discipline of working through the controls can expose weaknesses that might otherwise go unnoticed. From there, organisations can build towards more formal certification if it makes sense for their market. What matters isn’t the badge alone, but the clarity and consistency of the controls behind it.

Leadership has a responsibility in this. Security cannot sit solely within an IT function. It has to be sponsored at executive level and embedded in culture. That includes education, awareness and clear expectations for colleagues. In recent years, social engineering has demonstrated how easily technical safeguards can be undermined if people are not prepared. Taking staff on a positive journey, rather than approaching security as a compliance burden, is essential.

There is also a need for pragmatism. Alerts and vulnerabilities are constant. The challenge is to prioritise what will have the most meaningful impact on resilience and to address those risks methodically. Security by design should be the starting principle, but it must be applied with proportion.

Cybersecurity has shifted from being a back-office concern to a commercial differentiator. Organisations that can demonstrate maturity shorten procurement cycles, build confidence with partners and remove friction from due diligence. For SMEs in particular, aligning with the standards already set by regulated industries is not about overreach; it is about readiness.

The boundary of responsibility is extending. Third-party oversight is becoming fourth-party oversight. That may sound onerous, but it also creates clarity. If you understand your own dependencies and can evidence the strength of your controls, you are far better placed to compete.

In a regulated environment, we have little choice but to take that approach. Increasingly, others will find that they do not have a choice either.

