Three disclosures in December tell the same story from three different angles. It is a story that most board threat models stop one layer short of.
On 18 December, a tech provider for NHS England confirmed a data breach affecting an unstated population of personal records. The same week, an NHS GP software supplier was hit by a separate ransomware incident, disrupting clinical workflows at practices using the platform. And the Foreign, Commonwealth and Development Office confirmed a cyber attack against its systems, the details of which remain sparse but the existence of which is not in dispute.
Three incidents. Three functions at the edge of public view: healthcare delivery, healthcare administration, diplomatic services. None of them a customer-facing brand the average reader would recognise. All of them sitting one layer below organisations whose names the average reader recognises immediately.
This is now the standard shape of UK cyber compromise. The supplier underneath the supplier.
The shape of the attack surface in 2026
For most of the last decade, supply chain risk in cyber meant the immediate supplier. Your cloud provider. Your SaaS vendor. Your managed service partner. Boards were asked to assess "third-party risk", and the assessment usually stopped at the firms with direct contractual relationships.
What the December cluster makes clear — and what Synnovis, ChipSoft, Capita and Advanced before it had been making clear — is that the operationally relevant attack surface lives two or three layers down. NHS England does not run its own clinical software. It contracts with providers who themselves contract with software vendors who themselves rely on a small number of upstream library and infrastructure suppliers. Compromise at any of those layers cascades back up. By the time the impact reaches the patient-facing service, the original incident may have been somewhere none of the contracting parties has line of sight into.
This is not a new observation. What is new is how routine it has become. Three incidents of this shape in a single fortnight is not noise. It is the standard.
The deeper structural problem is one the Log4Shell episode of December 2021 made unavoidable for any honest practitioner: most organisations do not know what is actually running inside their software supply chain. They know their direct suppliers. They do not know their direct suppliers' suppliers, or what libraries those suppliers depend on, or which of those libraries have been compromised, or have reached end of life, without anyone noticing. Five years on from Log4Shell, the inventory question is still unanswered in most firms.
Why this is hard for boards
Boards are good at asking about the suppliers they buy from. They have contracts, SLAs, security questionnaires, and named relationship owners. The supplier-direct conversation is mature.
Boards are poor at asking about the suppliers their suppliers buy from. The contractual chain is opaque, the SLAs cascade unevenly, the security questionnaires were filled in by someone two firms away, and there is no named relationship owner — because there is no relationship.
The result is a real but unmeasured exposure. Most firms cannot tell you which of their critical SaaS providers depends on which managed-database provider, which cloud region, which authentication broker, or which open-source library maintainer. Some of this is genuinely opaque even to the providers themselves. Some of it is opaque because nobody has spent the procurement-cycle effort to surface it.
What the December incidents have in common
Three properties show up in all three.
Concentration. Each compromised supplier serves a large fraction of its market. The NHS England provider serves a large population; the GP software supplier underpins thousands of practices; the FCDO incident touches diplomatic communications at scale. When one of these suppliers fails, the failure is not isolated.
Opacity. None of the three compromises was visible to downstream consumers before the supplier disclosed it. The patient checking in for an appointment, the practice manager opening the morning's diary, the embassy officer logging into a routine system — all of them depended on infrastructure they had no visibility into, and only learned of the problem when the problem reached them.
Mismatched accountability. The reputational cost of the incident attaches to the visible brand — NHS, FCDO. The remediation cost and the regulatory exposure attach somewhere along the contractual chain, often unevenly. The firm whose name is in the headline is rarely the firm whose decisions caused the exposure.
This shape — concentration, opacity, mismatched accountability — is what makes the supplier-underneath-the-supplier pattern so corrosive. It produces incidents whose downstream cost cannot be priced into any individual contractual relationship.
For boards
Three questions worth putting on the next audit committee agenda.
Which of our critical services depend on suppliers whose suppliers we cannot name? Pick one critical service, walk it back, and stop only when you reach an irreducible dependency. This exercise, done seriously, is uncomfortable. It is the work of finding out what you actually depend on.
Of the suppliers we contract with directly, how many have themselves disclosed a cyber incident in the last twelve months — and what did we do as a result? If the answer is "we sent them a questionnaire", that is not enough. The disclosure is information; the question is what changed in your operating posture.
If a December-shaped incident hit one of our critical suppliers tomorrow, what is the minimum information we would need to make a decision about how to respond, and how quickly could we get it? Most firms cannot answer this because they have never tried. The exercise of trying is more valuable than the answer.
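The "walk it back" exercise above, and the inventory question raised in the Log4Shell discussion earlier, can be made mechanical once an organisation holds even a rough dependency list. The following is an added example, not code from the article or from any of the suppliers it names. It takes a constructed dependency list in the shape CycloneDX SBOMs use (`{"ref": ..., "dependsOn": [...]}`), walks one critical service back layer by layer, and separates three things a board wants to see: the layer at which each dependency sits, the dependencies nobody has mapped further (the suppliers whose suppliers we cannot name), and the upstreams that several of our services share (concentration). Every supplier, library and service name in the sample is invented for illustration.

```python
"""Walk a critical service back through its supplier graph.

Added example (not from the article). The dependency list below is
constructed and uses the CycloneDX "dependencies" shape; all refs are
hypothetical. The same functions work on a real SBOM's "dependencies"
array, which already has this structure.
"""
from collections import deque

# Constructed sample. Entries with an empty dependsOn are declared leaves
# (an irreducible dependency). Refs that appear only inside someone else's
# dependsOn, with no entry of their own, are inventory gaps: nobody has
# asked what they depend on.
SAMPLE_DEPENDENCIES = [
    {"ref": "svc:appointment-booking",
     "dependsOn": ["vendor:clinical-saas", "vendor:idp-broker"]},
    {"ref": "svc:gp-diary", "dependsOn": ["vendor:gp-platform"]},
    {"ref": "vendor:clinical-saas",
     "dependsOn": ["vendor:managed-db", "lib:logging-core"]},
    {"ref": "vendor:gp-platform",
     "dependsOn": ["vendor:managed-db", "lib:logging-core"]},
    {"ref": "vendor:idp-broker", "dependsOn": ["lib:logging-core"]},
    {"ref": "vendor:managed-db", "dependsOn": ["cloud:region-a"]},
    {"ref": "cloud:region-a", "dependsOn": []},   # declared root
    # "lib:logging-core" deliberately has no entry: unmapped.
]


def build_graph(deps):
    """Map each ref to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in deps}


def walk_back(graph, service):
    """Breadth-first walk from a service.

    Returns {dependency: layer}, where layer 1 is a direct supplier,
    layer 2 is a supplier's supplier, and so on.
    """
    layers = {}
    seen = {service}
    queue = deque([(service, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in graph.get(node, []):
            if child not in seen:
                seen.add(child)
                layers[child] = depth + 1
                queue.append((child, depth + 1))
    return layers


def unmapped(graph, layers):
    """Dependencies with no entry of their own: the inventory stops here."""
    return sorted(d for d in layers if d not in graph)


def declared_roots(graph, layers):
    """Dependencies that explicitly declare nothing upstream of them."""
    return sorted(d for d in layers if d in graph and not graph[d])


def fan_in(graph, services):
    """Count how many of our services transitively depend on each upstream.

    A high count is the concentration property: one failure, many services.
    """
    counts = {}
    for service in services:
        for dep in walk_back(graph, service):
            counts[dep] = counts.get(dep, 0) + 1
    return counts


if __name__ == "__main__":
    graph = build_graph(SAMPLE_DEPENDENCIES)
    service = "svc:appointment-booking"
    layers = walk_back(graph, service)
    print(f"Dependencies of {service} by layer:")
    for dep, layer in sorted(layers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"  layer {layer}: {dep}")
    print("Unmapped (nobody has asked what these depend on):",
          unmapped(graph, layers))
    print("Declared roots:", declared_roots(graph, layers))
    print("Fan-in across services:",
          fan_in(graph, ["svc:appointment-booking", "svc:gp-diary"]))
```

Run against a real SBOM, the `unmapped` list is the honest answer to the first board question: each entry is a dependency that appears in the chain but that nobody has walked further. The `fan_in` counts turn the concentration property into a number a committee can argue about, and `walk_back` gives the layer depth, so a disclosure from a supplier can be placed on the map before the questionnaire goes out.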
The closing observation
The Cyber Security and Resilience Bill, currently moving through Parliament, addresses some of this by widening the scope of regulated entities and tightening reporting obligations. That is part of the answer. The other part — the part the Bill cannot deliver — is the discipline at firm level of asking what do we depend on, two layers down, and what is our plan if it goes wrong?
The firms that take that discipline seriously in 2026 will be the firms whose December 2026 looks different from this one. The firms that do not will be on the next list.