Security · IT Support
The Risk Your Firm Didn't Choose
6 July 2026

No financial services firm operates alone. Fund administrators, custodians, compliance consultants, cloud platforms and software vendors all sit somewhere in the chain between a firm and its clients' money. Every one of them is a decision the firm made about who to trust — and every one of them is a risk the firm now owns.
The uncomfortable truth is that a firm can do everything right internally and still be exposed because a supplier wasn't held to the same standard.
This article relates to the Third-Party & Supply Chain domain of the Technology Resilience Score. It looks at whether your firm actually knows what risk it has inherited through its supplier relationships.
Why third-party risk is different for financial services firms
Boutique investment firms and wealth managers typically outsource more than they realise: administration, custody, reporting platforms, even parts of compliance. Each relationship creates a dependency that the firm's own controls can't reach directly.
- Sensitive client and deal data often passes through multiple third parties before a transaction completes
- Smaller firms have limited leverage to demand security assurances from larger suppliers
- Supplier contracts are frequently signed without meaningful security or continuity clauses
- A single supplier outage or breach can affect several client relationships simultaneously
Outsourcing a function does not outsource the responsibility for what happens to the data inside it.
FCA operational resilience and the supply chain you rely on
The FCA's operational resilience rules are explicit that a firm remains accountable for its important business services even where third parties are involved in delivering them. If a fund administrator or reporting platform goes down and that affects a firm's ability to serve clients, the FCA's expectation is not that the firm point to the supplier — it's that the firm had already assessed that dependency and planned for its failure.
Under SM&CR, that accountability often sits personally with a senior manager, which makes supplier oversight a governance issue as much as a technical one. The key question becomes: "If one of our key suppliers had a serious outage or breach tomorrow, do we know exactly how it would affect us, and what we'd do next?"
Is your firm's technology environment resilient?
Find out whether your supplier relationships have actually been assessed, or just assumed to be fine.
Get your Technology Resilience ScoreThe problem with unmanaged supplier relationships
Most firms have suppliers. Far fewer have a process for actually managing the risk they bring.
- No central list of which suppliers hold or process sensitive data
- Contracts signed without security, data protection or continuity clauses
- No process for reviewing supplier security posture before onboarding
- No ongoing review once a supplier relationship is live
A relationship that was never assessed cannot be managed — only hoped for.
What weak third-party risk management looks like in a financial services firm
These are the gaps most commonly found when a firm looks closely at its supplier landscape for the first time.
- No register of suppliers with access to client or deal data
- Security questionnaires never sent, or sent but never reviewed
- Contracts with no defined data protection or breach notification obligations
- No understanding of which suppliers are themselves reliant on other suppliers
- No plan for what happens if a critical supplier fails or is breached
- Supplier access to internal systems left in place long after a relationship ends
Each gap represents risk the firm has accepted without ever deciding to.
What strong looks like
A firm with mature supply chain management knows exactly which suppliers touch its data, has assessed each one proportionately to the risk it carries, and has contractual protections in place before data ever changes hands. Reviews happen on a schedule, not only when something goes wrong.
Critically, the firm has thought through what happens if a key supplier fails — not just technically, but in terms of client communication and regulatory obligations — before it needs that plan.
How this TRS domain helps financial services firms improve
The Third-Party & Supply Chain domain of the Technology Resilience Score gives firms a structured way to see the risk they've inherited through their supplier relationships, rather than discovering it during an incident.
- Builds a clear picture of which suppliers hold or access sensitive data
- Assesses whether contracts include meaningful security and continuity protections
- Reviews whether supplier risk is reassessed periodically, not just at onboarding
- Identifies concentration risk where too much depends on too few suppliers
The result is a score out of 5, giving your firm a clear baseline and a structured improvement path for bringing supplier risk under proper control.
Owning the risk you didn't choose
Firms can't eliminate their dependence on third parties, and shouldn't try to. What they can do is make sure every dependency has been assessed, contracted and reviewed with the same rigour applied to their own systems.
The Technology Resilience Score gives ambitious financial services firms a benchmark across 10 domains, including Third-Party & Supply Chain, turning an invisible risk into a managed one.