Orange Cyberdefense On The New FCA Cyber Reporting Rules
The Business of Cybersecurity, May 31, 2026


What happens when your biggest cybersecurity risk isn't inside your organization at all, but somewhere deep within your supply chain? In this episode of The Business of Cybersecurity, I sit down with Ben Gibbins, Head of Financial Services and Insurance at Orange Cyberdefense UK, to discuss the Financial Conduct Authority's new cyber incident and third-party reporting requirements and what they mean for financial institutions facing a March 2027 compliance deadline.

The conversation begins with a striking statistic. More than 40% of cyber incidents reported to the FCA involved at least one third party, highlighting how interconnected digital ecosystems have created new points of vulnerability across financial services. Ben explains why attackers are increasingly targeting suppliers, service providers, and technology partners to gain access to larger organizations, and why regulators are becoming increasingly concerned about concentration risk across critical infrastructure.

We also tackle one of the biggest misconceptions surrounding the new FCA requirements. Many organizations assume that compliance with the EU's Digital Operational Resilience Act (DORA) automatically prepares them for the UK's reporting obligations. Ben explains why that assumption could leave firms exposed, outlining the differences between the two frameworks and the additional work many organizations still need to complete.

Our discussion explores operational resilience, supply chain visibility, incident reporting, and the practical realities of responding to cyber incidents while simultaneously meeting regulatory expectations. Ben shares insights on why organizations need a far better understanding of third-, fourth-, and even fifth-party dependencies, and why traditional approaches to supplier risk management are struggling to keep pace with today's interconnected business environment.

We also examine how collaboration between regulators, cybersecurity providers, threat intelligence specialists, and financial institutions could help strengthen collective defenses against increasingly sophisticated threats. From cyber extortion campaigns to supply chain attacks affecting hundreds of organizations simultaneously, the discussion highlights why resilience has become as important as prevention.

If your organization assumes compliance is already covered, this conversation may prompt a second look. Are businesses truly prepared for the next phase of cyber resilience reporting, or are many still underestimating the risks hidden within their supply chains? Share your thoughts with me.


00:00:00 --> 00:00:02 And if you are running a business right now,
00:00:02 --> 00:00:04 you may have noticed there's a quiet shift happening.
00:00:05 --> 00:00:07 One that most people are still underestimating.
00:00:08 --> 00:00:10 And that is, your company doesn't live inside
00:00:10 --> 00:00:14 your network anymore. It lives inside the browser.
00:00:15 --> 00:00:18 That's where your SaaS apps sit. That's where
00:00:18 --> 00:00:21 your data moves. And increasingly, that's where
00:00:21 --> 00:00:24 attackers are focusing their attention. So NordLayer
00:00:24 --> 00:00:27 has just launched its new business browser.
00:00:27 --> 00:00:30 And it's designed specifically for small and
00:00:30 --> 00:00:33 medium sized companies that need visibility and
00:00:33 --> 00:00:37 control without the overhead of enterprise security
00:00:37 --> 00:00:40 tools. What I like here is the balance. You get
00:00:40 --> 00:00:43 advanced protection, better compliance and full
00:00:43 --> 00:00:46 visibility into how your team is working online
00:00:46 --> 00:00:49 but without slowing anyone down or forcing them
00:00:49 --> 00:00:52 to learn anything new. It feels like a practical
00:00:52 --> 00:00:55 step forward rather than another security layer
00:00:55 --> 00:00:57 that adds friction. So if you want to see more
00:00:57 --> 00:01:01 about how it works, please head over to nordlayer.com/browser
00:01:01 --> 00:01:04 and check it out and let me
00:01:04 --> 00:01:07 know your thoughts. But now on with today's show.
00:01:13 --> 00:01:16 What happens when a cyber attack against one
00:01:16 --> 00:01:20 supplier suddenly becomes a crisis for hundreds
00:01:20 --> 00:01:23 of financial institutions? Well today on the
00:01:23 --> 00:01:26 Business of Cyber Security podcast, I'm joined
00:01:26 --> 00:01:30 by Ben Gibbons, Head of Financial Services and
00:01:30 --> 00:01:35 Insurance at Orange Cyberdefense UK. And together
00:01:35 --> 00:01:38 we're going to unpack the growing pressure facing
00:01:38 --> 00:01:41 financial firms as regulators tighten operational
00:01:41 --> 00:01:46 resilience expectations
00:01:46 --> 00:01:50 across the UK and Europe. And this is not a theoretical
00:01:50 --> 00:01:54 conversation. More than 40% of financial sector
00:01:54 --> 00:01:58 incidents typically involve a third party. And
00:01:58 --> 00:02:00 that's according to the FCA, which reinforces
00:02:00 --> 00:02:04 what many security leaders already suspect. Supply
00:02:04 --> 00:02:07 chain exposure is rapidly becoming one of the
00:02:07 --> 00:02:10 defining cybersecurity risks of modern business.
00:02:10 --> 00:02:13 So today Ben will talk about why compliance with
00:02:13 --> 00:02:18 Europe's DORA framework doesn't automatically
00:02:18 --> 00:02:20 mean compliance with the UK's operational resilience
00:02:20 --> 00:02:23 regime and why many firms still underestimate
00:02:23 --> 00:02:27 the complexity of incident reporting and how
00:02:27 --> 00:02:31 vague regulatory definitions are forcing organisations
00:02:31 --> 00:02:35 to rethink their internal processes long before
00:02:35 --> 00:02:39 a breach ever happens. I will also discuss the
00:02:39 --> 00:02:42 F5 breach, attacks targeting file transfer platforms,
00:02:42 --> 00:02:45 concentration risk inside critical suppliers
00:02:45 --> 00:02:49 and why collective defence may become one of
00:02:49 --> 00:02:51 the most important cyber security strategies
00:02:51 --> 00:02:56 of the next decade. So if you do work in financial
00:02:56 --> 00:02:59 services, cyber security, risk, governance or
00:02:59 --> 00:03:02 operational resilience, this conversation is
00:03:02 --> 00:03:05 aimed at offering a timely look at how the rules
00:03:05 --> 00:03:09 of resilience are changing, but enough from me.
00:03:09 --> 00:03:12 Let me introduce you to my guest now. So thank
00:03:12 --> 00:03:15 you for joining me on the podcast today. Can
00:03:15 --> 00:03:16 you tell everyone listening a little about who
00:03:16 --> 00:03:19 you are and what you do? Yeah, no problem. So
00:03:19 --> 00:03:22 my name is Ben Gibbons and my official title
00:03:22 --> 00:03:25 is Managing Principal for Banking, Financial
00:03:25 --> 00:03:29 Services and Insurance at Orange Cyberdefense.
00:03:29 --> 00:03:32 But that doesn't really tell you much about what
00:03:32 --> 00:03:36 I do at all. Financial Services is the biggest
00:03:36 --> 00:03:38 market for Orange Cyberdefense in the UK, and
00:03:38 --> 00:03:41 it's growing. And so we've got about 60 active
00:03:41 --> 00:03:45 clients of different shapes and sizes. But because
00:03:45 --> 00:03:48 of our size and our reputation as an organization
00:03:48 --> 00:03:51 (we're the largest managed security services provider
00:03:51 --> 00:03:55 in Europe), our clients expect us to bring kind
00:03:55 --> 00:03:58 of thought leadership and to be up to date on
00:03:58 --> 00:04:00 topics and what's going on across the financial
00:04:00 --> 00:04:03 services sector, as well as the cybersecurity
00:04:03 --> 00:04:07 ecosystem and the threat landscape. So that's
00:04:07 --> 00:04:09 essentially my role, ensuring that we stay up
00:04:09 --> 00:04:11 to date when meeting the needs of our clients.
00:04:12 --> 00:04:14 What that actually entails is a lot of reading,
00:04:15 --> 00:04:18 talking to cybersecurity leaders, vendors, our
00:04:18 --> 00:04:22 partners, analysts, and subject matter experts
00:04:22 --> 00:04:25 across the business to make sure that the right
00:04:25 --> 00:04:28 people are connected. And there's so much that
00:04:28 --> 00:04:30 I want to talk with you about, because after years
00:04:30 --> 00:04:33 of reading how users are being blamed for the
00:04:33 --> 00:04:36 weakest link in cybersecurity, I was recently
00:04:36 --> 00:04:39 reading that the FCA said that there, I think
00:04:39 --> 00:04:42 it's something like more than 40 percent of cyber
00:04:42 --> 00:04:46 incidents reported in 2025, actually included
00:04:46 --> 00:04:49 a third party. So does that statistic confirm
00:04:49 --> 00:04:54 that supply chain exposure has become one of
00:04:54 --> 00:04:56 the most defining cybersecurity risks for financial
00:04:56 --> 00:04:59 services? Or is there more going on here? What
00:04:59 --> 00:05:03 did you take away from that stat? I think that
00:05:03 --> 00:05:06 it's definitely a headline. And it is correct.
00:05:06 --> 00:05:09 It's consistent with our findings as well. So
00:05:09 --> 00:05:12 we look at about 19 different incidents
00:05:12 --> 00:05:14 that Orange Cyberdefense handles across the world, so
00:05:14 --> 00:05:18 across sectors, across jurisdictions. And that's
00:05:18 --> 00:05:20 pretty much consistent with our own findings
00:05:20 --> 00:05:24 as well. So there's a number of reasons for that.
00:05:24 --> 00:05:27 The first one is that organizations are becoming
00:05:27 --> 00:05:31 more and more interconnected in terms of their
00:05:31 --> 00:05:36 supply chains. And things like adopting AI and
00:05:36 --> 00:05:39 adopting cloud services, they all contribute
00:05:39 --> 00:05:45 to that reality. The other thing is that actually
00:05:45 --> 00:05:48 being able to target a third party can often
00:05:48 --> 00:05:52 be a lot more fruitful than targeting a mature
00:05:52 --> 00:05:56 organization particularly. So maybe a couple
00:05:56 --> 00:05:59 of examples that we've seen just to give anecdotes
00:05:59 --> 00:06:04 in October last year. F5 disclosed that a nation
00:06:04 --> 00:06:07 -state actor had breached its systems and exfiltrated
00:06:07 --> 00:06:11 source code and information about undisclosed
00:06:11 --> 00:06:14 vulnerabilities. To put that into perspective,
00:06:14 --> 00:06:19 F5 is used by about 80% of Fortune Global 500
00:06:19 --> 00:06:25 companies. That's not a slight on F5, but it
00:06:25 --> 00:06:28 just gives you the insights into the potential
00:06:28 --> 00:06:33 impacts of the supply chain. And I think that
00:06:33 --> 00:06:36 regulators and governments are realizing that
00:06:36 --> 00:06:40 actually targeting supply chains can have a detrimental
00:06:40 --> 00:06:44 and disproportionate effect on our society and
00:06:44 --> 00:06:46 on our critical national infrastructure. If you
00:06:46 --> 00:06:49 are able to target a concentration risk, as we
00:06:49 --> 00:06:53 call it within the third party realm, you can
00:06:53 --> 00:06:56 cause really substantial and consistent damage.
00:06:57 --> 00:07:01 Maybe another example that you might be interested
00:07:01 --> 00:07:04 in. This all comes from our security navigator,
00:07:05 --> 00:07:08 which we publish once a year on our findings
00:07:08 --> 00:07:11 and our research. It's a cyber extortion actor
00:07:11 --> 00:07:16 called Clop. It built up
00:07:16 --> 00:07:20 a reputation in Q1 2025 for its large-scale
00:07:20 --> 00:07:24 attacks targeting commonly used file transfer
00:07:24 --> 00:07:28 platforms, and through that they were able to
00:07:28 --> 00:07:31 impact hundreds of victims. So just to give you
00:07:31 --> 00:07:36 a statistic, a single event leading to many,
00:07:36 --> 00:07:39 many victims accounted for around 18% of all
00:07:39 --> 00:07:42 cyber extortion victims that Orange Cyberdefense
00:07:42 --> 00:07:46 recorded in Q1 of 2025, just to give you an idea
00:07:46 --> 00:07:49 of the scale. Wow, that really does bring it
00:07:49 --> 00:07:52 to life there. We will have many people listening
00:07:52 --> 00:07:55 inside of organizations around the world that
00:07:55 --> 00:07:57 assume that if they're already working toward
00:07:57 --> 00:08:01 compliance with regulations like Financial Conduct
00:08:01 --> 00:08:04 Authority, DORA requirements, then that's it.
00:08:04 --> 00:08:06 They're covered. But can you expand on why that
00:08:06 --> 00:08:09 assumption could actually create problems, especially
00:08:09 --> 00:08:13 as that March 2027 FCA deadline continues to
00:08:13 --> 00:08:16 get closer? Once upon a time, it seemed a long
00:08:16 --> 00:08:20 way away. It is getting closer, isn't it? Yeah,
00:08:20 --> 00:08:23 absolutely. So the first thing to understand,
00:08:23 --> 00:08:26 I guess, is why you might make the assumption
00:08:26 --> 00:08:29 that if you're aligned to DORA and you've
00:08:29 --> 00:08:31 implemented DORA, then you should be fine
00:08:31 --> 00:08:36 with the supervisory authorities' operational
00:08:36 --> 00:08:39 incident and third party reporting policy, which
00:08:39 --> 00:08:41 is part of their wider operational resilience
00:08:41 --> 00:08:47 regime. And that is that both DORA and
00:08:47 --> 00:08:50 the UK's operational resilience regime are trying
00:08:50 --> 00:08:53 to achieve the same thing. So they both talk
00:08:53 --> 00:08:56 about critical national infrastructure and important
00:08:56 --> 00:09:00 sectors, well, financial services for DORA as
00:09:00 --> 00:09:03 critical national infrastructure. And they're
00:09:03 --> 00:09:06 both concerned with operational resilience, which
00:09:06 --> 00:09:09 is, I would say, the recognition that protection
00:09:09 --> 00:09:12 isn't enough. You also need to be able to deal
00:09:12 --> 00:09:15 with an incident when it does occur and it will
00:09:15 --> 00:09:17 inevitably occur, because of the complexity
00:09:17 --> 00:09:20 of the landscape and the challenges that we've
00:09:20 --> 00:09:23 got. So the other thing that might make it quite
00:09:23 --> 00:09:27 confusing for listeners is that DORA has got
00:09:27 --> 00:09:30 five key pillars, and all of those pillars are
00:09:30 --> 00:09:33 also covered by the operational resilience regime.
00:09:33 --> 00:09:36 So we're talking about risk management, we're
00:09:36 --> 00:09:38 talking about incident management and reporting,
00:09:39 --> 00:09:42 third party risk management, both of those, the
00:09:42 --> 00:09:44 last two that I just referred to, are obviously
00:09:44 --> 00:09:47 in the title of the policy that we're discussing
00:09:47 --> 00:09:50 today. And then there's also testing and information
00:09:50 --> 00:09:55 sharing. So even down to the chapters, as they're
00:09:55 --> 00:09:59 called in DORA, but the high level topics, both
00:09:59 --> 00:10:03 regimes are talking about the same thing. Now,
00:10:04 --> 00:10:08 that's why you might get them confused. But actually,
00:10:08 --> 00:10:12 they are completely different regimes. So DORA
00:10:12 --> 00:10:16 impacts any organization in financial services
00:10:16 --> 00:10:20 that operates within the EU. And many UK firms
00:10:20 --> 00:10:23 do that because of the size and the health of
00:10:23 --> 00:10:26 our financial services sector. Whereas the FCA
00:10:26 --> 00:10:32 and the PRA's joint regime target UK based organizations.
00:10:33 --> 00:10:37 So I suppose to compare and contrast them, operational
00:10:37 --> 00:10:41 resilience regime in the UK is outcome led. So
00:10:41 --> 00:10:44 the focus really is on identifying important
00:10:44 --> 00:10:48 business services and protecting them. Whereas
00:10:48 --> 00:10:51 DORA is rules-led and it's all about securing
00:10:51 --> 00:10:54 the technology. And in my opinion, it reads somewhat
00:10:54 --> 00:10:58 like an ISO standard in that sense. So they're
00:10:58 --> 00:11:01 both trying to do the same thing, but they take
00:11:01 --> 00:11:04 different approaches in doing that. The difference
00:11:04 --> 00:11:07 between the two regimes is that the operational
00:11:07 --> 00:11:11 resilience regime in the UK is outcome-led and
00:11:11 --> 00:11:16 the DORA regime is rules-led. The UK regime
00:11:16 --> 00:11:20 is focused on identifying your important business
00:11:20 --> 00:11:23 services, establishing the tolerances, your impact
00:11:23 --> 00:11:28 tolerances. For example, a critical service may
00:11:28 --> 00:11:33 only be tolerant to your organization for that
00:11:33 --> 00:11:36 service to be down for four hours. You need to
00:11:36 --> 00:11:39 establish the components that make up that service.
00:11:39 --> 00:11:42 and then test severe but plausible scenarios.
00:11:42 --> 00:11:46 Whereas the DORA regime is rules-led and it
00:11:46 --> 00:11:49 reads somewhat like an ISO standard. So the challenge
00:11:49 --> 00:11:53 with that is that if you meet DORA, then you've
00:11:53 --> 00:11:58 secured your IT, but you haven't met the UK regulators'
00:11:58 --> 00:12:02 requirements to map how your people and your
00:12:02 --> 00:12:05 processes and your third party support those
00:12:05 --> 00:12:08 business services. Alternatively, if you followed
00:12:08 --> 00:12:11 the operational resilience regime in the UK,
00:12:11 --> 00:12:15 then you've likely got strong business continuity
00:12:15 --> 00:12:20 and disaster recovery capabilities, but you might
00:12:20 --> 00:12:23 fall foul of the DORA regime. So really what
00:12:23 --> 00:12:26 we're here today to talk about is for UK organizations
00:12:26 --> 00:12:29 to understand that... actually there is something
00:12:29 --> 00:12:32 that they need to do when it comes to this new
00:12:32 --> 00:12:34 operational incident and third party reporting
00:12:34 --> 00:12:39 policy. And if they don't do it, they may fall
00:12:39 --> 00:12:44 foul of the regulators. Another one of the major
00:12:44 --> 00:12:47 themes in these new rules is the visibility into
00:12:47 --> 00:12:50 third party dependencies and indeed interconnected
00:12:50 --> 00:12:53 infrastructure. And just to take a peek behind
00:12:53 --> 00:12:56 the curtain for a moment, why has mapping digital
00:12:56 --> 00:13:00 supply chains become so difficult in modern financial
00:13:00 --> 00:13:02 service environments? What's been going on here?
00:13:02 --> 00:13:06 What's the cause? So I would say that historically,
00:13:06 --> 00:13:10 the way that the industry has done third party
00:13:10 --> 00:13:14 risk management has not been fit for purpose.
00:13:14 --> 00:13:17 And I'll elaborate on that. So I think there's
00:13:17 --> 00:13:21 more of a recognition from regulators and from
00:13:21 --> 00:13:24 the market as a whole that in order to really
00:13:24 --> 00:13:27 manage your supply chain, you need to be able
00:13:27 --> 00:13:30 to continuously monitor it. So understand the
00:13:30 --> 00:13:32 changes that are occurring, often in real time,
00:13:33 --> 00:13:37 and also be able to understand that supply chains
00:13:37 --> 00:13:41 are an interconnected web rather than a kind
00:13:41 --> 00:13:45 of a single point and that it's more than just
00:13:45 --> 00:13:47 third-party risk. We're talking about fourth-party,
00:13:47 --> 00:13:51 fifth-party, nth-party risk and really
00:13:51 --> 00:13:55 concentration risks at that level. So there's
00:13:55 --> 00:13:57 a recognition that we need to do more to really
00:13:57 --> 00:14:02 secure our organizations and the industry and
00:14:02 --> 00:14:05 this is really a step towards doing that. The
00:14:05 --> 00:14:09 FCA is emphasizing faster, clearer and more structured
00:14:09 --> 00:14:12 incident reporting, all makes perfect sense,
00:14:12 --> 00:14:16 but in the middle of a live cyber incident, organizations
00:14:16 --> 00:14:19 are already dealing with operational chaos and
00:14:19 --> 00:14:21 the phone constantly going, people wanting updates,
00:14:21 --> 00:14:24 for example, people running around with laptops
00:14:24 --> 00:14:27 looking busy, but how realistic is it for firms
00:14:27 --> 00:14:29 to deliver that meaningful reporting in real
00:14:29 --> 00:14:33 time without major changes to internal processes,
00:14:33 --> 00:14:35 especially when they're caught right in the eye
00:14:35 --> 00:14:38 of the storm there with that operational chaos.
00:14:38 --> 00:14:41 I think that's a good question. So without changes
00:14:41 --> 00:14:44 to their internal processes, I don't think it's
00:14:44 --> 00:14:48 realistic. So the regulators have said that for
00:14:48 --> 00:14:51 90% of organizations, well, the FCA really for
00:14:51 --> 00:14:54 90% of organizations that come within the scope
00:14:54 --> 00:14:57 of the operational incident reporting requirements,
00:14:57 --> 00:15:02 they will only need to answer the standard set
00:15:02 --> 00:15:05 of questions, which is about 10 questions, and
00:15:05 --> 00:15:08 they're obliged to do that within 24 hours. So
00:15:08 --> 00:15:11 if you haven't really considered the policy and
00:15:11 --> 00:15:15 the requirements of the policy and how operational
00:15:15 --> 00:15:19 resilience, operational incidents relate to your
00:15:19 --> 00:15:22 organization, then you won't be able to do that
00:15:22 --> 00:15:25 or you will struggle to do that whilst you're
00:15:25 --> 00:15:28 kind of trying to get all hands on deck to deal
00:15:28 --> 00:15:32 with operational incidents. The reason I say
00:15:32 --> 00:15:37 that as well is because the policy is both prescriptive
00:15:37 --> 00:15:40 and not prescriptive, and I'll elaborate on that.
00:15:41 --> 00:15:44 So the FCA and the PRA, which combined are the
00:15:44 --> 00:15:48 Supervisory Authority, have agreed on the definition
00:15:48 --> 00:15:52 of an operational incident. And that is essentially
00:15:52 --> 00:15:55 a single or series of events which disrupts firms'
00:15:56 --> 00:15:59 operations such that it disrupts the delivery
00:15:59 --> 00:16:03 of a service to an end user external to the firm
00:16:03 --> 00:16:08 or impacts the availability, authenticity, integrity,
00:16:08 --> 00:16:12 or confidentiality of information or data relating
00:16:12 --> 00:16:15 or belonging to such an end user. The reason
00:16:15 --> 00:16:18 that I share that definition is because it's
00:16:18 --> 00:16:21 open to interpretation, it's not clear, it doesn't
00:16:21 --> 00:16:25 give you quantitative conditions under which
00:16:25 --> 00:16:30 you need to inform the regulators of an incident.
00:16:31 --> 00:16:35 That's by design. The regulators have taken the
00:16:35 --> 00:16:39 stance that organizations should have a better
00:16:39 --> 00:16:41 understanding of what an operational incident,
00:16:42 --> 00:16:46 a material operational incident is. They should
00:16:46 --> 00:16:50 be interpreting that definition and defining
00:16:50 --> 00:16:54 it. If you haven't considered that as part of
00:16:54 --> 00:16:57 your internal processes and embedded those considerations
00:16:57 --> 00:17:00 into your internal processes, you will struggle
00:17:00 --> 00:17:04 to do that during an operational incident and
00:17:04 --> 00:17:08 the consequences could be severe. In fact, the
00:17:08 --> 00:17:10 regulators have actually been quite vague about
00:17:10 --> 00:17:15 the consequences, I think intentionally, because
00:17:15 --> 00:17:20 they do have some significant powers, but they
00:17:20 --> 00:17:23 also want to be proportionate as well. So is
00:17:23 --> 00:17:27 it realistic for you to be able to, during an
00:17:27 --> 00:17:32 incident, report on, in most organizations' cases,
00:17:32 --> 00:17:37 10 simple questions? I think yes. Is it realistic
00:17:37 --> 00:17:40 if you haven't done the work to actually understand
00:17:40 --> 00:17:44 the policy, interpret it, and familiarize yourself
00:17:44 --> 00:17:47 with what you need to do? I would say no. Going
00:17:47 --> 00:17:51 back to the prescriptive and non-prescriptive
00:17:51 --> 00:17:54 element of this as well, the non-prescriptive
00:17:54 --> 00:17:57 side is that they've provided a definition and
00:17:57 --> 00:18:00 they've provided thresholds, and that's up to
00:18:00 --> 00:18:03 you to determine how to interpret that within
00:18:03 --> 00:18:06 your business as long as it makes sense, essentially.
00:18:07 --> 00:18:10 But they've been very prescriptive on how you
00:18:10 --> 00:18:12 have to report that information. So you're going
00:18:12 --> 00:18:14 to have to report that using the FCA Connect
00:18:14 --> 00:18:18 portal. And that's both for the PRA and the FCA.
00:18:18 --> 00:18:21 And you have to use a standardized template,
00:18:21 --> 00:18:24 an Excel spreadsheet, essentially, which gives
00:18:24 --> 00:18:27 you very specific information that you need to
00:18:27 --> 00:18:30 share with them. And I think we've all been on
00:18:30 --> 00:18:34 the wrong side of outages involving big providers
00:18:34 --> 00:18:37 from Cloudflare to Amazon Web Services, which
00:18:37 --> 00:18:40 have all demonstrated how a single third party
00:18:40 --> 00:18:43 issue can ripple across entire industries. In
00:18:43 --> 00:18:45 some cases, it feels like half the internet has
00:18:45 --> 00:18:48 disappeared and all your apps or your SaaS apps
00:18:48 --> 00:18:51 disappear very quickly. So what lessons do you
00:18:51 --> 00:18:53 think financial institutions should maybe take
00:18:53 --> 00:18:57 from those high profile incidents when thinking
00:18:57 --> 00:19:00 about resilience and concentration risk? Any
00:19:00 --> 00:19:03 big lessons there? So I think the biggest lesson
00:19:03 --> 00:19:05 that the regulators are trying to enforce as
00:19:05 --> 00:19:09 well is about operational resilience. So when
00:19:09 --> 00:19:11 I say that, it means that protection is not enough.
00:19:12 --> 00:19:17 To try and protect yourself or believe that organizations
00:19:17 --> 00:19:21 and the critical suppliers that you rely on are
00:19:21 --> 00:19:24 not going to suffer outages and incidents I think
00:19:24 --> 00:19:29 is a mistake. So really it's very important to
00:19:29 --> 00:19:32 have business continuity, disaster recovery,
00:19:33 --> 00:19:36 resilience embedded into everything that you
00:19:36 --> 00:19:38 do in your critical services, really, and your
00:19:38 --> 00:19:41 important business services in this case. And
00:19:41 --> 00:19:45 that means making sure that you've got a plan,
00:19:45 --> 00:19:47 making sure that that plan is tested, making
00:19:47 --> 00:19:50 sure that you've considered severe but plausible
00:19:50 --> 00:19:52 scenarios, which is what the regulators talk
00:19:52 --> 00:19:57 about. So that if an incident does happen, you
00:19:57 --> 00:20:02 have experience, you understand the plan and
00:20:02 --> 00:20:04 it's tried and tested so that you can maintain
00:20:04 --> 00:20:09 that kind of tolerance of your services and your
00:20:09 --> 00:20:12 systems. Big thank you to Denodo for supporting
00:20:12 --> 00:20:16 the Tech Talks Network and making these conversations
00:20:16 --> 00:20:19 possible. Because when your lake house stores
00:20:19 --> 00:20:22 the data, the real challenge is getting that
00:20:22 --> 00:20:26 data where it needs to go and faster. And your
00:20:26 --> 00:20:30 lake house stores the data, but Denodo helps
00:20:30 --> 00:20:33 deliver it faster. So with real-time access,
00:20:33 --> 00:20:36 built-in governance and a business-ready data
00:20:36 --> 00:20:39 marketplace, Denodo can help your teams unlock
00:20:39 --> 00:20:43 insights without costly duplication. And you
00:20:43 --> 00:20:45 can learn more by simply visiting denodo.com.
00:20:46 --> 00:20:50 There's also always been something of a tension between
00:20:50 --> 00:20:53 regulatory compliance that must be done and
00:20:53 --> 00:20:57 all the operational reality that's
00:20:57 --> 00:21:00 inside every organization. So I'm curious from
00:21:00 --> 00:21:02 those conversations you're having with firms
00:21:02 --> 00:21:06 today, where are organizations most unprepared
00:21:06 --> 00:21:09 when it comes to meeting these FCA expectations
00:21:09 --> 00:21:12 when they are trying to balance it with operational
00:21:12 --> 00:21:15 reality, alert fatigue and everything in between?
00:21:17 --> 00:21:20 That's a good question. So I would say that with
00:21:20 --> 00:21:24 large organizations that are regulated, dual
00:21:24 --> 00:21:28 regulated, so regulated by the PRA and FCA, they
00:21:28 --> 00:21:32 should already be meeting many of the requirements
00:21:32 --> 00:21:36 of this policy in the sense that they should
00:21:36 --> 00:21:40 have outsourcing policies or third party or supply
00:21:40 --> 00:21:43 chain risk policies. They should have processes
00:21:43 --> 00:21:46 in place. They should have incident response processes
00:21:46 --> 00:21:49 and plans, and they should be tested regularly.
00:21:49 --> 00:21:53 They should have business continuity and disaster
00:21:53 --> 00:21:56 recovery plans in place. What they won't have
00:21:56 --> 00:22:01 is very specifically aligned processes and policies.
00:22:01 --> 00:22:04 And that's consistent with what the regulators
00:22:04 --> 00:22:07 expect to happen as well. So every time that
00:22:07 --> 00:22:10 the regulators implement a new policy or changes,
00:22:10 --> 00:22:13 they have to do a cost benefit analysis. They
00:22:13 --> 00:22:16 estimate that there'll be around 12 to 25 million
00:22:16 --> 00:22:24 pounds in expenses as a result of implementing
00:22:24 --> 00:22:30 these policies. So the idea is that most organizations,
00:22:30 --> 00:22:33 there shouldn't be some really significant changes
00:22:33 --> 00:22:36 that need to come into play. However, for smaller
00:22:36 --> 00:22:39 organizations, there probably will be significant
00:22:39 --> 00:22:41 processes that need to go into place. They may
00:22:41 --> 00:22:47 not be doing the prerequisite activities that
00:22:47 --> 00:22:50 are required in order to get to the position
00:22:50 --> 00:22:54 where you can report on your material third parties
00:22:54 --> 00:22:57 and your operational incidents. I think it's a
00:22:57 --> 00:23:01 fair comment that organizations are struggling
00:23:01 --> 00:23:04 with things like alert fatigue and definitely
00:23:04 --> 00:23:06 security teams that we're speaking to and security
00:23:06 --> 00:23:11 leaders have got 101 things on their plate. The
00:23:11 --> 00:23:13 good thing about regulation is that it forces
00:23:13 --> 00:23:19 organizations to prioritize building their capabilities
00:23:19 --> 00:23:22 up. So I am supportive of regulations, but one
00:23:22 --> 00:23:26 of the challenges is actually in terms of providing
00:23:26 --> 00:23:29 this information, what's the value that the regulators
00:23:29 --> 00:23:32 are kind of going to get out of that? Now, the
00:23:32 --> 00:23:36 regulators have provided the rationale behind
00:23:36 --> 00:23:41 collecting this information. But that is a question.
00:23:41 --> 00:23:44 It's going to require additional effort and additional
00:23:44 --> 00:23:47 resources from firms, even if it's just to understand
00:23:47 --> 00:23:49 what the obligations are, and there's minimal
00:23:49 --> 00:23:52 changes that are required. And that does take
00:23:52 --> 00:23:55 away from the kind of the day-to-day activity.
00:23:55 --> 00:23:58 But at the same time, it raises the bar. So I
00:23:58 --> 00:24:01 guess generally, I am supportive of it. And it
00:24:01 --> 00:24:04 gives us a great excuse to talk about operational
00:24:04 --> 00:24:07 incidents, the importance of planning for operational
00:24:07 --> 00:24:09 incidents, the importance of operational resilience
00:24:09 --> 00:24:13 and the importance of supply chain risk management.
00:24:14 --> 00:24:17 And I know you've said regulators and the private
00:24:17 --> 00:24:20 industry need to collaborate more closely to
00:24:20 --> 00:24:22 tackle systemic supply chain risks and some of
00:24:22 --> 00:24:24 the things that we're talking about today. But
00:24:24 --> 00:24:27 in the real world, what does meaningful collaboration
00:24:27 --> 00:24:30 actually look like in practice, especially when
00:24:30 --> 00:24:33 some organizations might be reluctant to share
00:24:33 --> 00:24:36 sensitive incident data? There's somewhat of
00:24:36 --> 00:24:39 a balancing act there and a great deal of trust
00:24:39 --> 00:24:45 as well, right? I think that's a good point
00:24:45 --> 00:24:49 that organizations, you know, just to kind of
00:24:49 --> 00:24:51 really pick up on the point that organizations
00:24:51 --> 00:24:56 are potentially reluctant to share information
00:24:56 --> 00:24:58 with one another. So I'd like to kind of elaborate
00:24:58 --> 00:25:02 on that one. So it is true that competitors,
00:25:03 --> 00:25:07 organizations, you know, banks, insurance organizations,
00:25:07 --> 00:25:11 or insurance firms, they are competitors. But
00:25:11 --> 00:25:14 when it comes to cybersecurity, they aren't competitors,
00:25:15 --> 00:25:18 they have adversaries, they have shared adversaries
00:25:18 --> 00:25:22 and we need a collective defense and that's important
00:25:22 --> 00:25:25 for our society but it's also beneficial to kind
00:25:25 --> 00:25:30 of crowdsource anonymously in many cases intelligence
00:25:30 --> 00:25:34 that helps you to bolster your defenses. So there
00:25:34 --> 00:25:38 are organizations out there that support collaboration.
00:25:39 --> 00:25:42 One of them, for example, in the insurance
00:25:42 --> 00:25:45 sector, is the Lloyd's Market Association, where
00:25:45 --> 00:25:51 market authorities or agents collaborate essentially
00:25:51 --> 00:25:55 on many things including cybersecurity to strengthen
00:25:55 --> 00:26:00 the market as a whole. So I do think that even
00:26:00 --> 00:26:03 though in some ways organizations might see themselves
00:26:03 --> 00:26:07 as competitors within cybersecurity, there's
00:26:07 --> 00:26:09 a recognition that we're all fighting the same
00:26:09 --> 00:26:12 battle. And we actually see that quite a lot
00:26:12 --> 00:26:15 within our clients and our industry. So one of
00:26:15 --> 00:26:17 the things that our clients really enjoy about
00:26:17 --> 00:26:20 Orange Cyberdefense is our communities. And
00:26:20 --> 00:26:22 we see that actually across the partners that
00:26:22 --> 00:26:25 we work with as well. So building these CSO communities
00:26:25 --> 00:26:30 and collaborating and discussing kind of the
00:26:30 --> 00:26:34 collective challenges that we have, and how we
00:26:34 --> 00:26:37 work together to overcome them. So a great example
00:26:37 --> 00:26:39 of that actually is that Orange Cyberdefense
00:26:39 --> 00:26:44 hosted a series of dinners with financial services
00:26:44 --> 00:26:48 leaders, so CISOs, to discuss operational resilience
00:26:48 --> 00:26:51 in practice, so away from kind of policies and
00:26:51 --> 00:26:54 away from regulations and what the real challenges
00:26:54 --> 00:26:59 are there. One of the real challenges that came
00:26:59 --> 00:27:02 out of those discussions actually is visibility
00:27:02 --> 00:27:05 of the extended supply chain and understanding
00:27:05 --> 00:27:09 concentration risks. When asked, and I asked
00:27:09 --> 00:27:12 about 24 CISOs from all across the financial
00:27:12 --> 00:27:16 services sector, some very major organizations,
00:27:16 --> 00:27:19 the real challenge was actually they had visibility
00:27:19 --> 00:27:23 of third parties and in some cases, fourth party,
00:27:23 --> 00:27:27 but beyond that, it was a total black box. So
00:27:27 --> 00:27:30 collaboration with the sector doesn't just mean
00:27:30 --> 00:27:34 collaboration amongst organizations, but it also
00:27:34 --> 00:27:37 means collaboration with threat intelligence
00:27:37 --> 00:27:40 providers, and Orange Cyberdefense is a leader
00:27:40 --> 00:27:45 in threat intelligence globally, but also the
00:27:45 --> 00:27:48 innovators in the space. One of the real benefits
00:27:48 --> 00:27:51 that I get being in the position that I am at
00:27:51 --> 00:27:55 a large cybersecurity company is that I get to
00:27:55 --> 00:27:58 work with some of these disruptive platform providers.
00:27:59 --> 00:28:02 And one of those is a company called Grisledger.
00:28:03 --> 00:28:05 And the real differentiator that they've got
00:28:05 --> 00:28:08 is their nth-party mapping, and they provide
00:28:08 --> 00:28:11 lots of information on this online. But essentially,
00:28:11 --> 00:28:13 they have 16 suppliers on their platform.
00:28:14 --> 00:28:20 And they use that to develop a better sense of
00:28:20 --> 00:28:23 concentration risk across various levels of the
00:28:23 --> 00:28:26 extended supply chain anonymously. And they provide
00:28:26 --> 00:28:29 that back to their community anonymously. So
00:28:29 --> 00:28:33 you can contribute to that, but you're not being
00:28:33 --> 00:28:38 identified to do that. The real benefit there,
00:28:38 --> 00:28:41 both for the industry and also the regulators,
00:28:41 --> 00:28:44 is there is innovation. We have a very strong
00:28:44 --> 00:28:47 and innovative cybersecurity sector within the
00:28:47 --> 00:28:50 UK, and there's knowledge and innovation in the
00:28:50 --> 00:28:52 private sector that can support the regulators
00:28:52 --> 00:29:02 with their purposes of this policy. Maybe if
00:29:02 --> 00:29:04 you're human me now, I would say that the three
00:29:04 --> 00:29:08 purposes of collating information in regards
00:29:08 --> 00:29:12 to operational incidents and third party risk
00:29:12 --> 00:29:15 are that the regulators want to improve their ability
00:29:15 --> 00:29:19 to triage sector-impacting incidents more effectively.
00:29:20 --> 00:29:23 They want to develop thematic analysis to identify
00:29:23 --> 00:29:27 trends and insights that will drive future policies
00:29:27 --> 00:29:30 and policy updates. They want to better understand
00:29:30 --> 00:29:33 the interconnectedness of supply chains and extended
00:29:33 --> 00:29:36 supply chains, which is what we would call concentration
00:29:36 --> 00:29:43 risks. I think that partnering with cybersecurity
00:29:43 --> 00:29:46 companies that provide threat intelligence, and
00:29:46 --> 00:29:48 we'll often do that for free. Orange Cyberdefense
00:29:48 --> 00:29:51 is very supportive of the public sector in the
00:29:51 --> 00:29:54 UK and very open and happy to provide threat
00:29:54 --> 00:29:59 intelligence for free. Partnering with organizations that are
00:29:59 --> 00:30:02 disruptive in the way that they approach things
00:30:02 --> 00:30:05 like third party risk management and also partnering
00:30:05 --> 00:30:10 with incident responders and organizations themselves
00:30:10 --> 00:30:12 that are happy to kind of contribute and that
00:30:12 --> 00:30:15 have contributed through the consultation is
00:30:15 --> 00:30:19 a way to do that. And looking ahead, I'm curious,
00:30:20 --> 00:30:22 do you think these new FCA rules are at the beginning
00:30:22 --> 00:30:25 of maybe a much broader global shift towards
00:30:25 --> 00:30:28 stricter cyber resilience accountability for
00:30:28 --> 00:30:31 third party ecosystems? And if you do, I mean,
00:30:31 --> 00:30:33 what does that mean for the future of cybersecurity
00:30:33 --> 00:30:36 leadership in regulated industries? It feels
00:30:36 --> 00:30:41 like there's a lot going on here. So in regards
00:30:41 --> 00:30:49 to the first question, I think that the UK financial
00:30:49 --> 00:30:54 services sector and the UK in general are mature
00:30:54 --> 00:30:57 in terms of their cybersecurity capabilities.
00:30:57 --> 00:31:00 It's one of the most mature markets in the world.
00:31:00 --> 00:31:04 And because of that, they are somewhat of a barometer
00:31:04 --> 00:31:07 for change and what's coming kind of across the
00:31:07 --> 00:31:12 world. Now, we did see the EU release the DORA
00:31:12 --> 00:31:15 regulation. And we
00:31:15 --> 00:31:17 have our own regulation as well. And this is
00:31:17 --> 00:31:20 a reiteration, let's say, of our operational
00:31:20 --> 00:31:24 resilience regime. So from our perspective and
00:31:24 --> 00:31:29 our closest economic partners in the EU, this
00:31:29 --> 00:31:33 is a continuation of the emphasis on operational
00:31:33 --> 00:31:39 resilience and the importance of truly recognizing
00:31:39 --> 00:31:45 or truly dealing with extended supply chain security.
00:31:46 --> 00:31:49 And I think that will be replicated in other
00:31:49 --> 00:31:51 markets across the world, and it will need to
00:31:51 --> 00:31:54 be replicated in different countries and different
00:31:54 --> 00:31:58 areas across the world in order for those companies
00:31:58 --> 00:32:00 to keep their societies and their economies secure.
00:32:01 --> 00:32:04 In regards to what it means for the future of
00:32:04 --> 00:32:07 cybersecurity leadership in regulated industries
00:32:07 --> 00:32:10 and financial services industries, I would go
00:32:10 --> 00:32:14 back to the comments that we made or the
00:32:14 --> 00:32:16 conversation that we had a little bit earlier,
00:32:16 --> 00:32:19 which is there has to be a recognition that this
00:32:19 --> 00:32:23 is a group activity and this is an effort that
00:32:23 --> 00:32:26 everyone needs to support and we need to collaborate
00:32:26 --> 00:32:30 with one another. No organization can manage
00:32:30 --> 00:32:33 its extended supply chain on its own. And I think
00:32:33 --> 00:32:36 the regulators and the government recognize that.
00:32:36 --> 00:32:39 I think that many leaders within financial services,
00:32:40 --> 00:32:42 particularly at the firms that we work at, recognize
00:32:42 --> 00:32:45 that. And they're already contributing to forums,
00:32:45 --> 00:32:48 they're already very willing to discuss with
00:32:48 --> 00:32:52 us and to utilize our communities, but also discuss
00:32:52 --> 00:32:55 with kind of innovators that are sharing information,
00:32:55 --> 00:32:58 whether that be threat intelligence, or approaches
00:32:58 --> 00:33:02 to third party risk management. And I think there
00:33:02 --> 00:33:08 needs to be a combined effort for organizations,
00:33:08 --> 00:33:10 not just in financial services, but across the
00:33:10 --> 00:33:15 board to put greater emphasis on the security
00:33:15 --> 00:33:17 of the third parties that they work with. And
00:33:17 --> 00:33:19 I think that can be challenging, especially in
00:33:19 --> 00:33:22 the era of AI, when organizations have FOMO.
00:33:22 --> 00:33:26 So they're worried that
00:33:26 --> 00:33:30 if they don't embed AI into their processes and
00:33:30 --> 00:33:32 they're not utilizing the newest technology,
00:33:33 --> 00:33:36 they might lose their place in the market, which
00:33:36 --> 00:33:40 leads to shadow AI, which isn't managed by security
00:33:40 --> 00:33:42 teams. It leads to processes not being followed
00:33:42 --> 00:33:46 in many cases, or not really a real understanding
00:33:46 --> 00:33:49 of the way that we're using technology and the
00:33:49 --> 00:33:51 exposures that we're putting ourselves to, especially
00:33:51 --> 00:33:55 in regards to data security. I think that the
00:33:55 --> 00:33:58 government recognizes that, which is really good
00:33:58 --> 00:34:02 to see. As I mentioned to you off the podcast,
00:34:02 --> 00:34:05 I was at CYBERUK in Glasgow a couple of weeks
00:34:05 --> 00:34:09 ago, and Dan Jarvis, who I believe is the Minister
00:34:09 --> 00:34:12 for Security, certainly a prominent member of
00:34:12 --> 00:34:15 the government, announced that he will be or
00:34:15 --> 00:34:19 the government will be pledging £90 million towards
00:34:19 --> 00:34:22 operational resilience within the supply chain,
00:34:22 --> 00:34:25 and that is essentially ensuring that organizations
00:34:25 --> 00:34:29 are adhering to the Cyber Essentials framework.
00:34:29 --> 00:34:33 And the public sector bodies
00:34:33 --> 00:34:37 are pledging essentially to only use organizations
00:34:37 --> 00:34:42 that at least meet the Cyber Essentials framework
00:34:42 --> 00:34:46 requirements. And that is one way to strengthen
00:34:46 --> 00:34:50 the supply chain. But of course, it's going to
00:34:50 --> 00:34:54 be a continuous effort to do that, and a continuous
00:34:54 --> 00:34:57 effort as well to recognize the limitations
00:34:57 --> 00:35:02 on outsourcing and the need to actually have
00:35:02 --> 00:35:07 compensating controls and defense in depth, which
00:35:07 --> 00:35:11 is having, for example, for important business
00:35:11 --> 00:35:17 services, secondary suppliers and non-linked
00:35:17 --> 00:35:19 elements within your disaster recovery, your
00:35:19 --> 00:35:23 business continuity. And I think that is a powerful
00:35:23 --> 00:35:25 moment to end on. So much food for thought there,
00:35:25 --> 00:35:27 and I cannot thank you enough for taking the
00:35:27 --> 00:35:30 time to sit down with me today and demystify
00:35:30 --> 00:35:33 some of those Financial Conduct Authority and
00:35:33 --> 00:35:36 DORA requirements, put it all in a language that
00:35:36 --> 00:35:39 everyone can understand, especially inside
00:35:39 --> 00:35:44 any organization. And as that March 2027 FCA deadline
00:35:44 --> 00:35:47 approaches, anyone listening that would like to
00:35:47 --> 00:35:50 continue this conversation with you or your team,
00:35:50 --> 00:35:51 where would you like me to point everyone?
00:35:52 --> 00:35:55 I would be more than happy for people to contact
00:35:55 --> 00:35:59 me on LinkedIn. Alternatively, contact Orange
00:35:59 --> 00:36:02 Cyberdefense. The other thing that I would say
00:36:02 --> 00:36:05 is that even if you're not interested in contacting
00:36:05 --> 00:36:07 Orange Cyberdefense at the moment to discuss
00:36:07 --> 00:36:11 this, we do share a lot of threat intelligence
00:36:11 --> 00:36:15 information in a mechanism that can be read by
00:36:15 --> 00:36:18 kind of anyone through our Security Navigator
00:36:18 --> 00:36:21 reports. And that's about 100 pages worth of
00:36:21 --> 00:36:23 threat intelligence and our views on where things
00:36:23 --> 00:36:26 are going, including third party risk, including
00:36:26 --> 00:36:29 our insights from, as I said, the 19 true
00:36:29 --> 00:36:32 positive incidents that we dealt with last year.
00:36:33 --> 00:36:35 And the other thing that I would recommend that
00:36:35 --> 00:36:37 people do is take the time to actually read
00:36:37 --> 00:36:40 the guidance that the FCA and the PRA provide.
00:36:41 --> 00:36:44 They are obliged to provide not only their rules,
00:36:44 --> 00:36:47 but also the rationale behind their rules, as
00:36:47 --> 00:36:49 well as the challenges that have been posed during
00:36:49 --> 00:36:52 consultation. And I think that those are really
00:36:52 --> 00:36:55 useful documents for understanding what's coming
00:36:55 --> 00:36:58 in the future, but also the requirements that
00:36:58 --> 00:37:01 you need to adhere to now. But as I said, I'm
00:37:01 --> 00:37:04 very happy to talk to your listeners on a one-to-one
00:37:04 --> 00:37:08 basis about the rules. Perfect, thank
00:37:08 --> 00:37:10 you so much. So for everybody listening, if you
00:37:10 --> 00:37:13 go over to techtalksnetwork.com, there will
00:37:13 --> 00:37:16 be a blog post associated with this episode and
00:37:16 --> 00:37:19 there'll also be a section of useful links there.
00:37:19 --> 00:37:21 I'll include links to everything you mentioned
00:37:21 --> 00:37:24 there, including the Security Navigator report,
00:37:24 --> 00:37:28 the guidance documents, your website and LinkedIn,
00:37:28 --> 00:37:30 et cetera. So I will include everything there.
00:37:30 --> 00:37:33 And I urge people to get in touch, let you know,
00:37:33 --> 00:37:36 let me know what they thought of everything we
00:37:36 --> 00:37:38 covered today, also how it might help with some of
00:37:38 --> 00:37:40 the challenges they've come across. It'd be great
00:37:40 --> 00:37:43 to share everything together there and work that
00:37:43 --> 00:37:45 way forward together. But thank you for starting
00:37:45 --> 00:37:47 this conversation today, Ben. Been a real pleasure.
00:37:48 --> 00:37:51 Thank you for having me, Neil. So a big thank
00:37:51 --> 00:37:53 you to my guest for joining me today and helping
00:37:53 --> 00:37:56 unpack what is becoming one of the most important
00:37:56 --> 00:37:59 shifts that is happening in cybersecurity right
00:37:59 --> 00:38:02 now. And I think this idea that resilience is
00:38:02 --> 00:38:05 no longer limited to protecting your own environment
00:38:05 --> 00:38:09 is quite striking because organisations are now
00:38:09 --> 00:38:12 being judged on how well they understand their
00:38:12 --> 00:38:16 dependencies, suppliers, platforms and interconnected
00:38:16 --> 00:38:18 systems that are sitting behind their critical
00:38:18 --> 00:38:22 business services. And this changes the conversation
00:38:22 --> 00:38:25 completely because it's no longer simply just
00:38:25 --> 00:38:28 an IT issue or a compliance exercise sitting
00:38:28 --> 00:38:31 in a spreadsheet somewhere. Operational resilience
00:38:31 --> 00:38:34 is becoming a board level business priority,
00:38:34 --> 00:38:37 especially as regulators demand faster reporting,
00:38:37 --> 00:38:40 clearer accountability and deeper visibility
00:38:40 --> 00:38:43 into third party exposure. And I thought Ben
00:38:43 --> 00:38:45 made an important point there about collaboration.
00:38:46 --> 00:38:50 Cyber criminals already operate as highly connected
00:38:50 --> 00:38:52 ecosystems that are sharing tools, techniques
00:38:52 --> 00:38:56 and infrastructure. And defenders are increasingly
00:38:56 --> 00:38:59 realizing they cannot treat resilience as a competitive
00:38:59 --> 00:39:02 advantage that they keep behind closed doors.
00:39:02 --> 00:39:05 So if you'd like to learn more about Orange Cyber
00:39:05 --> 00:39:09 Cyberdefense UK, the Security Navigator research we
00:39:09 --> 00:39:12 referenced or the FCA and PRA guidance discussed
00:39:12 --> 00:39:15 today, I'll have links to everything in the show
00:39:15 --> 00:39:17 notes, please check it out. And I'd love to hear
00:39:17 --> 00:39:21 your thoughts after listening. Pop over to techtalksnetwork.com,
00:39:21 --> 00:39:24 let me know your thoughts on anything we
00:39:24 --> 00:39:27 raised today. And are you and your organization
00:39:27 --> 00:39:31 genuinely prepared for this new era of operational
00:39:31 --> 00:39:34 resilience? Or are your teams still treating
00:39:34 --> 00:39:37 supply chain security as somebody else's problem?
00:39:37 --> 00:39:40 Lots to think about. And I've taken up far too
00:39:40 --> 00:39:42 much of your time. So you have a think about
00:39:42 --> 00:39:45 that. Let me know your thoughts and I'll return
00:39:45 --> 00:39:48 again soon with another guest. Thanks as always.
00:39:48 --> 00:39:49 Bye for now.