What happens when your biggest cybersecurity risk isn't inside your organization at all, but somewhere deep within your supply chain? In this episode of The Business of Cybersecurity, I sit down with Ben Gibbins, Head of Financial Services and Insurance at Orange Cyberdefense UK, to discuss the Financial Conduct Authority's new cyber incident and third-party reporting requirements and what they mean for financial institutions facing a March 2027 compliance deadline.

The conversation begins with a striking statistic. More than 40% of cyber incidents reported to the FCA involved at least one third party, highlighting how interconnected digital ecosystems have created new points of vulnerability across financial services. Ben explains why attackers are increasingly targeting suppliers, service providers, and technology partners as a route into larger organizations, and why regulators are growing concerned about concentration risk across critical infrastructure.

We also tackle one of the biggest misconceptions surrounding the new FCA requirements. Many organizations assume that compliance with the EU's Digital Operational Resilience Act (DORA) automatically prepares them for the UK's reporting obligations. Ben explains why that assumption could leave firms exposed, outlining the differences between the two frameworks and the additional work many organizations still need to complete.

Our discussion explores operational resilience, supply chain visibility, incident reporting, and the practical realities of responding to cyber incidents while simultaneously meeting regulatory expectations. Ben shares insights on why organizations need a far better understanding of third-, fourth-, and even fifth-party dependencies, and why traditional approaches to supplier risk management are struggling to keep pace with today's interconnected business environment.

We also examine how collaboration between regulators, cybersecurity providers, threat intelligence specialists, and financial institutions could help strengthen collective defenses against increasingly sophisticated threats. From cyber extortion campaigns to supply chain attacks affecting hundreds of organizations simultaneously, the discussion highlights why resilience has become as important as prevention.

If your organization assumes compliance is already covered, this conversation may prompt a second look. Are businesses truly prepared for the next phase of cyber resilience reporting, or are many still underestimating the risks hidden within their supply chains? Share your thoughts with me.

The podcast and the associated cover image on this page belong to Neil C. Hughes. The content of the podcast is created by Neil C. Hughes and not by, or together with, Poddtoppen.