UK firms struggle to trust third-party cyber vendors

Nearly three in ten UK risk leaders lack vendor trust. Many UK organisations still cannot fully trust third-party vendors to manage their most critical digital risks, CyXcel research finds — with internal blind spots and mounting complexity undermining resilience.


New research from global cyber security consultancy CyXcel has revealed a persistent trust gap in the UK’s approach to digital risk management, with nearly three in ten risk managers reporting insufficient confidence in their third-party vendors.

CyXcel’s study shows that 27% of surveyed UK risk leaders do not have enough trust in external partners to reliably manage their most critical threats. The data points to a dual challenge: not only are vendor relationships under strain, but more than a quarter (28%) of UK respondents do not fully understand the scope of risk they are responsible for managing internally.

As UK businesses continue to outsource essential areas — including cyber incident response (26%), AI adoption (20%), and geopolitical risk management (21%) — this lack of both trusted partners and internal clarity creates a fragile risk posture. The research highlights that organisations are increasingly dependent on external providers, but often lack the internal visibility and assurance needed to assess whether these vendors are fit for purpose.

“Organisations are stuck between needing external support and not having enough partners they truly trust,” said Megha Kumar, Chief Product Officer and Head of Geopolitical Risk at CyXcel. “It’s a tension we’re seeing across sectors, and it’s leaving risk ecosystems fragmented and vulnerable. Without stronger internal understanding, risk leaders are flying blind, placing responsibility in the hands of vendors they can’t fully vet. What’s needed now is a shift toward integrated intelligence, not just compliance checklists. Businesses must empower their teams to assess threats clearly and select partners confidently.”

Despite annual investments between £75,000 and £100,000 in risk management tools and strategies, many organisations remain unsure if these efforts are effective. Nearly a quarter of risk managers (24%) say they feel overwhelmed by the sheer volume and complexity of threats they face. The findings prompt key questions about whether outsourcing is truly a strategic choice, or a reflection of internal uncertainty around risk ownership.

“We see this pattern again and again,” said Ngaire Guzzetti, Technical Director – Supply Chain at CyXcel. “Organisations are handing over the keys to their digital resilience — but don’t have the internal visibility to know if those partners are steering in the right direction. Risk managers are drowning in complexity, yet leaving the handling of the lifeboat to vendors they barely trust. Resilience doesn’t start with spend; it starts with clarity. The more you understand the threat, the better equipped you are to evaluate who should be helping you manage it.”

The CyXcel findings echo wider industry concerns, as global regulators and the UK’s own Financial Conduct Authority and Information Commissioner’s Office increase their focus on supply chain resilience. Recent high-profile incidents — including AI-driven attacks and complex ransomware campaigns — have amplified calls for intelligence-led, ongoing vendor assessment. As boards face mounting scrutiny, the ability to demonstrate robust third-party oversight has become a board-level priority.

In response, CyXcel has launched its Digital Risk Management (DRM) platform, aimed at improving visibility and governance around evolving AI and supply chain threats. The DRM platform brings together cyber, legal, technical, and strategic expertise, and provides real-time vendor assurance and remediation services to help organisations continuously validate the integrity of their partners. This approach is designed to move businesses from reactive to resilient at a time when regulatory scrutiny and supply chain attacks are on the rise.

With threat complexity mounting and supply chain attacks surging, CyXcel’s research suggests that UK organisations must balance investment in technology with enhanced internal visibility and a shift toward more collaborative, intelligence-led risk partnerships.

