Risk Ledger: Supply Chain Cyber Risk Reaches Critical Point as Businesses Struggle to Map Supplier Exposure

By Neil Perry
Neil Perry is Content Director for Outlook Publishing.

New research from Risk Ledger reveals that 82% of UK organisations experienced a supply chain cyber incident in the past year, while most businesses still require nearly two days to understand their supplier exposure during an attack—highlighting growing concerns around supply chain visibility, resilience and third-party risk management.

Key Findings

  • Persistent attacks – nearly half of organisations (47%) experienced two or more supply chain-related cyber incidents last year
  • Declining confidence – only 28% believe traditional third-party risk management is very effective, down from 37% in 2025
  • Traditional approaches are reaching their limits – one in five organisations pointed to the inability to continuously monitor supplier security controls as a major limitation in their current approach
  • Collective defence – 93% of organisations support an industry-wide collaborative model for sharing cyber assurance and intelligence data

Supply Chain Disruptions Increasing Through Supplier Networks

Cyber threats are becoming an increasingly significant supply chain risk, with new research showing that more than four in five UK organisations experienced at least one supplier-related cyber security incident over the past 12 months.

According to Risk Ledger’s Every Link Matters: The State of Supply Chain Security 2026 report, 82% of organisations were affected by a supply chain cyber incident during the past year, while nearly half (47%) experienced two or more supplier-related incidents.

The findings highlight how cyber risk is no longer confined to IT departments but has become a broader supply chain resilience challenge, affecting organisations through increasingly complex supplier ecosystems.


Limited Visibility Beyond Tier-One Suppliers Remains a Major Challenge

As supply chains become more interconnected, many organisations continue to struggle with visibility beyond their direct suppliers.

The research found that 25% of organisations identified limited visibility into fourth- and fifth-tier suppliers as the single biggest weakness in their current third-party risk management approach.

This lack of transparency is creating significant blind spots across supply networks, making it difficult for organisations to understand dependencies supporting critical operations and assess how disruptions could cascade through supplier ecosystems.


Slow Incident Response Creates Operational Risk

The report suggests that many organisations remain poorly positioned to assess supply chain exposure during an active cyber event.

Only 9% of respondents said they could map their full supplier exposure within four hours of a major cyber incident. More than half reported that it would take longer than a full working day to determine whether they were affected.

On average, businesses require 1.9 days to understand exposure across their supplier networks following a significant cyber attack.

For supply chain leaders, this delay can increase operational disruption, prolong recovery times and complicate decision-making during critical incidents.


Traditional Supplier Risk Models Struggling to Keep Pace

The research indicates that conventional third-party risk management approaches are increasingly being challenged by the speed and complexity of modern supply chains.

While 60% of organisations described traditional third-party risk management programmes as somewhat effective, only 28% said they were very effective. This represents a decline from 37% in 2025, suggesting confidence in existing approaches is weakening.

A further 20% of respondents cited the inability to continuously monitor supplier security controls as a major limitation in their current risk management framework.

The findings point to a growing gap between awareness of supply chain risk and the ability to monitor and respond to threats in real time.


Industry Calls for Greater Supply Chain Collaboration

The report highlights growing support for a more collaborative approach to supply chain resilience.

An overwhelming 93% of organisations said they support an industry-wide model for sharing supplier cyber assurance and intelligence data.

At the same time, 24% of businesses reported that they still cannot identify concentration risks across shared suppliers and subcontractors, leaving them vulnerable when multiple organisations rely on the same critical third parties.

“Traditional approaches to supply chain cyber security are no longer enough to deal with the speed and complexity of modern threats,” said Haydn Brooks, CEO and Co-Founder of Risk Ledger.

“The fact that 93% of security leaders want an industry-wide model for sharing supplier intelligence tells you everything about where the market is heading. Organisations recognise that cyber resilience can no longer be achieved in isolation. However, businesses still lack visibility into dependencies, continuous insight and the collaborative mechanisms needed to identify risks before they escalate into operational disruption.”

Shift Toward Active Supply Chain Security

The research suggests organisations are increasingly exploring what Risk Ledger describes as Active Supply Chain Security (ASCS), a continuous, network-based approach that replaces periodic assessments with real-time visibility and shared intelligence.

For procurement, supplier risk and supply chain leaders, the model reflects a broader shift toward proactive risk management, where supplier resilience is monitored continuously rather than assessed through annual reviews and static questionnaires.

Brooks believes collaboration will be critical as supply chains become increasingly interconnected.

“A collaborative model means businesses can continuously share assurance data, identify systemic vulnerabilities earlier and respond to threats collectively rather than individually. In practice, that creates a much more dynamic and resilient approach to supply chain security, especially when attacks can escalate across entire ecosystems within hours.”

This article was produced by the editorial team at Supply Chain Outlook and published as part of the Outlook Publishing global network of B2B industry magazines.

