Fourth-Party Supply Chain Exposure: The Threat Vector UK Businesses Are Not Monitoring
The UK Government’s Cyber Security Breaches Survey 2025 recorded two figures that, when placed alongside each other, define the current state of supply chain security for UK businesses. Only 7% of organisations formally review their wider supply chain. In the same survey period, 61% experienced a supply chain or third-party breach.
That relationship is not incidental. It is the operational consequence of a persistent visibility failure across UK business.
This analysis examines the specific threat mechanism involved, the legal exposure it creates, and the proportionate steps a small or medium-sized business can take to reduce it.
Defining the Exposure
Third-party risk is widely understood, if inconsistently managed. Your direct suppliers, the organisations you contract with, hold access to your data, your systems, or your operational processes. A compromise of any one of them creates a pathway into your business.
Fourth-party risk is the layer beneath that. It is the risk introduced by your suppliers’ suppliers: the cloud infrastructure underpinning your payroll provider, the sub-processors handling data on behalf of your accountancy software vendor, the software dependencies embedded in the remote management tools your IT support company uses to access your network.
You have no direct contractual relationship with these entities. You have likely never audited them. In many cases, you may not know they exist. None of that reduces your exposure.
The infographic that prompted this analysis illustrates the compounding effect accurately. A single compromised fourth party can propagate through multiple third-party relationships simultaneously, reaching dozens of downstream organisations in a single incident. This is not a theoretical risk model. It is the documented mechanism behind the largest supply chain attack recorded against UK businesses.
The MOVEit Incident: A Documented Case Study
In May 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability, identified as CVE-2023-34362 with a CVSS score of 9.8, in MOVEit Transfer, a managed file transfer platform operated by Progress Software. The vulnerability had been under active reconnaissance by Cl0p since at least July 2021.
The exploitation cascade functioned as follows. Cl0p targeted MOVEit Transfer infrastructure. Zellis, a UK payroll and HR software provider, used MOVEit Transfer as part of its data processing operations. Multiple UK organisations, including the BBC, British Airways, Boots, and Aer Lingus, used Zellis for payroll processing. When Zellis’s MOVEit instance was compromised, employee data held by those downstream organisations was exposed.
The BBC had no contractual relationship with Progress Software. British Airways had no visibility into Zellis’s file transfer architecture. Their fourth-party exposure was invisible to them, and remained so until the breach surfaced.
By October 2023, confirmed affected organisations numbered 2,559. Exposed individual records exceeded 66 million. The incident was described by analysts as arguably the most operationally effective public extortion campaign of the year.
The propagation was not a result of any failure in the direct security posture of the BBC, British Airways, or Boots. It was a consequence of a dependency relationship two steps removed from their own network perimeter.
The Legal Position
The UK GDPR framework does not limit controller accountability to breaches originating within the controller’s own systems. Article 28 requires that processors engage sub-processors only with prior authorisation from the data controller, and that those sub-processor relationships be documented under a contract providing equivalent data protection guarantees.
In practical terms, this means that if your payroll provider engaged a file transfer platform as a sub-processor without informing you, you have a potential compliance exposure. If that sub-processor suffered a breach and personal data you control was compromised, your notification obligations to the ICO under Article 33 apply regardless of where the breach originated.
The ICO’s position following MOVEit was explicit on this point. Organisations are responsible for demonstrating appropriate technical and organisational measures across the full data processing chain. The involvement of a third or fourth party does not transfer that accountability.
Only 14% of UK businesses formally review the cybersecurity practices of their immediate suppliers, according to the 2025 Breaches Survey. Among small businesses the figure is 21%; among micro-businesses, 11%; for charities, 9%.
Documented due diligence at the point of onboarding, and at regular intervals thereafter, is a defensible position in an ICO inquiry. The absence of documentation is not. For context on the consequences of compliance failure at SMB scale, see the analysis of how cyber insurance claims are being denied as a direct result of unmet security obligations.
The Concentration Risk Problem
The infographic referenced at the start of this analysis identifies a specific risk category: concentration risk. This occurs when multiple suppliers in your chain share a common fourth-party dependency, meaning a single upstream failure creates simultaneous exposure across several of your supplier relationships.
The MOVEit incident illustrated this precisely. Zellis was not the only MOVEit customer affected. Hundreds of organisations shared that fourth-party dependency, and Cl0p exploited the concentration rather than targeting individual organisations. The same attack logic applied to the DragonForce campaign targeting remote management and monitoring tools: a single compromised platform propagated through every MSP customer sharing that infrastructure.
For UK SMBs, concentration risk most commonly manifests through shared cloud infrastructure, shared managed service providers, and shared payroll or HR platforms. If your IT support company uses the same remote management toolset as dozens of other clients, you share a concentration risk with all of them, regardless of how well your own systems are secured.
Industry analysis from Safe Security’s 2026 TPRM review noted that supply chain compromises have affected more than 60% of organisations in recent years, and that a single compromised fourth party can affect dozens of vendors simultaneously. That is the compounding effect in quantified terms.
How to Turn This Into a Competitive Advantage
Supply chain security due diligence is becoming a differentiator in procurement. Larger organisations and regulated sectors are beginning to require documented evidence of supplier security practices, including evidence of how suppliers manage their own dependencies.
An SMB that can provide a current supplier register, documented sub-processor disclosures, and evidence of Cyber Essentials requirements in procurement is materially better positioned in competitive tender processes than one that cannot.
The NCSC’s Cyber Essentials Supply Chain Playbook, published in late 2025, provides a structured approach for embedding Cyber Essentials certification as a minimum security requirement across supplier relationships. The IASME Supplier Check tool allows rapid verification of current certification status across your supply chain. Deploying both as part of a documented procurement process requires no specialist headcount.
For organisations pursuing Cyber Essentials or Cyber Essentials Plus certification themselves, demonstrating supplier assurance activities supports the overall security posture assessed during certification. It is also a requirement that assessors are increasingly examining in practice.
How to Sell This to Your Board
Three arguments to frame this conversation at executive level.
Liability attaches to the data, not the breach location. Under UK GDPR, a fourth-party breach that exposes personal data you control triggers your ICO notification obligations. It creates your regulatory exposure. The breach occurring in a system you never contracted with does not alter that position. The board needs to understand that accountability is determined by data flow, not contractual proximity.
The risk is present in your current technology estate. If your organisation uses cloud software, payroll platforms, managed IT services, or SaaS tools of any kind, you have existing fourth-party exposure. This is not a future risk to be assessed in the next planning cycle. It is the current state of your operational dependencies.
The remediation is proportionate to SMB scale. This does not require a dedicated risk function. It requires a supplier register, two or three additional questions in your vendor onboarding process, and sub-processor disclosure requests to your critical vendors. Those are administrative actions with a measurable risk reduction outcome. The cost of not taking them, in the event of a breach and subsequent ICO inquiry, is not proportionate.
For a broader analysis of how to position cybersecurity risk as a business governance question rather than an IT cost, the argument for board-level ownership is covered in depth in this analysis of why ransomware continues to succeed against organisations that treat it as a technical problem.
What This Means for Your Business
- Construct a supplier register. List every organisation with access to your data, your systems, or your operational infrastructure. Include your IT support company, cloud software vendors, payroll provider, payment processor, and any SaaS tool used across more than one business function. This is the foundation from which all subsequent due diligence operates. Without it, you cannot identify your exposure.
- Request sub-processor disclosures from critical vendors. For any supplier processing personal data on your behalf, send a written request for their current sub-processor list under UK GDPR Article 28. Retain both the request and the response. An inability or refusal to provide this information within a reasonable period is itself material information for your risk assessment.
- Require Cyber Essentials certification from high-risk suppliers. Use the NCSC IASME Supplier Check tool to verify current certification status. For suppliers that do not hold it, document that you have requested a timeline for achievement and the response received. Where contractual leverage exists at renewal, treat certification as a minimum security requirement.
- Implement breach notification monitoring for your technology dependencies. Domain monitoring services and threat intelligence feeds via your IT provider can surface breach events affecting platforms in your supply chain before they reach mainstream coverage. The speed of awareness matters when the compromised entity is two relationships removed from your own network perimeter.
- Validate your incident response plan against a fourth-party scenario. If your plan exists, test whether it addresses a situation where the breach originated outside your direct control but involved personal data you are responsible for. If no plan exists, that is the prior requirement. A fourth-party breach without a rehearsed response compounds the regulatory exposure it has already created.
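A small working model of the supplier register and the concentration-risk check described above, added here as an illustration and not part of the original article: it indexes each supplier's disclosed sub-processors, flags fourth parties shared by more than one direct supplier, computes which suppliers and data categories a single fourth-party compromise would reach, and lists suppliers that have not returned a disclosure. The Zellis to MOVEit Transfer dependency follows the incident above; every other supplier name and dependency in the register is a constructed placeholder.

```python
from collections import defaultdict

# Constructed supplier register (illustrative only, not a real audit). Each
# direct supplier lists the sub-processors (fourth parties) it has disclosed
# under UK GDPR Article 28 and the personal data it processes for us. The
# Zellis -> MOVEit Transfer dependency follows the incident described above;
# every other supplier name and dependency is an invented placeholder.
SUPPLIER_REGISTER = {
    "Zellis (payroll)": {
        "data": {"employee payroll", "employee HR records"},
        "sub_processors": {"MOVEit Transfer (Progress Software)", "Cloud Host A"},
    },
    "Example Benefits Ltd": {
        "data": {"employee HR records"},
        "sub_processors": {"MOVEit Transfer (Progress Software)"},
    },
    "Example MSP": {
        "data": {"network admin access"},
        "sub_processors": {"Example RMM Platform", "Cloud Host A"},
    },
    "Example CRM SaaS": {
        "data": {"customer contact details"},
        "sub_processors": None,  # disclosure requested, no response received
    },
}


def fourth_party_index(register):
    """Map each fourth party to the set of direct suppliers depending on it."""
    index = defaultdict(set)
    for supplier, entry in register.items():
        for fourth in entry["sub_processors"] or ():
            index[fourth].add(supplier)
    return dict(index)


def concentration_risks(register, min_shared=2):
    """Fourth parties shared by at least `min_shared` direct suppliers."""
    index = fourth_party_index(register)
    return {f: s for f, s in index.items() if len(s) >= min_shared}


def blast_radius(register, compromised_fourth_party):
    """Suppliers and data categories reached if one fourth party is breached."""
    affected = fourth_party_index(register).get(compromised_fourth_party, set())
    exposed = set().union(*(register[s]["data"] for s in affected))
    return affected, exposed


def undisclosed_suppliers(register):
    """Suppliers with no sub-processor disclosure on file: a gap to chase up."""
    return {s for s, e in register.items() if e["sub_processors"] is None}
```

Running `concentration_risks(SUPPLIER_REGISTER)` on this register flags both MOVEit Transfer and Cloud Host A as shared dependencies, and `blast_radius` for MOVEit Transfer shows two payroll-related suppliers and both employee data categories exposed from one upstream compromise.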