Europe’s top 100 firms admit supply chain cybersecurity breaches
All but two firms recorded breaches in the systems of their third-party vendors
Almost all of Europe’s top 100 companies reported a breach at one of their suppliers in the past year, according to SecurityScorecard, which says there is an urgent need to improve cyber risk management with just one month until Europe’s Digital Operational Resilience Act (DORA) takes effect.
According to the results of its survey, SecurityScorecard says 98% of European firms across all sectors experienced third-party breaches within their supply chains, while just 18% reported direct breaches of their own systems. SecurityScorecard says the results reveal “significant gaps in internal defences”.
France records the highest rate of third- and fourth-party vendor breaches, the survey reveals, at 98% and 100%, respectively. By contrast, 84% of Middle Eastern firms recorded third-party breaches in the past year.
“Europe’s top 100 companies face an urgent cybersecurity challenge. Despite the high stakes, many organisations lack effective ways to measure their risk, effectively leaving them exposed and ‘flying blind’,” SecurityScorecard says. “Europe’s largest organisations are facing mounting cybersecurity challenges, with third- and fourth-party ecosystems emerging as major points of vulnerability.”
Ryan Sherstobitoff, senior vice-president of threat research and intelligence at SecurityScorecard, says the supplier ecosystem “is a highly desirable target for ransomware groups”. He adds: “Governments worldwide are set to enforce stricter security regulations in 2025 that place accountability on organisations and their suppliers, demanding higher security standards across the board, making monitoring and understanding a company’s flaws essential.”
SecurityScorecard’s rating system assigns just 25% of Europe’s top 100 companies (by market capitalisation) an A rating for cyber resilience. SecurityScorecard says firms with an A rating are 13.8 times less likely to experience a breach compared to F-rated firms and none of Europe’s companies rated A for cybersecurity experienced a breach in the last year.
While transport is revealed as the most secure sector, with no companies rated C or below, 75% of firms in the energy sector are rated C or below.
Regionally, Scandinavian companies record the strongest levels of cybersecurity, with 20% rated C or lower, compared with 41% in Italy, 40% in France, 34% in Germany and 24% in the UK.
As Europe’s financial services firms look ahead to compliance with DORA from 17 January 2025, SecurityScorecard reveals that all of Europe’s financial firms in the survey experienced a third-party breach in the past year and 33% are rated C or below.
Sherstobitoff adds: “Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks. With regulations like DORA set to reshape cybersecurity standards, European companies must prioritise third-party risk management and leverage rating systems to safeguard their ecosystems.”
The report says: “Financial entities such as banks, insurance companies and investment firms will all need to ensure that the European financial sector is able to maintain resilience during severe third-party operational disruptions.”
SecurityScorecard advises Europe’s firms to prioritise improving their cyber hygiene to close down exposure to operational disruption and reputational risk. In particular, it recommends firms strengthen application and network security to defend against an increasing array of cyber threats. It also urges the 41% of companies with cybersecurity ratings of C or below to take more urgent action: in addition to the above, they should address the health of their domain name systems, strengthen the security of all endpoints and establish a patching cadence for systems, hardware and software.