MSPs report supplier cyber breaches, seek clearer CSRB rules

New research from CyberSmart found that 43% of managed service providers and their customers in the UK and Ireland experienced a cyber incident caused by a supplier or third-party vendor in the previous 12 months. The 2026 MSP Survey was conducted by OnePoll and gathered responses from 350 MSP leaders across the two countries.

Survey respondents reported that attackers were exploiting MSPs’ privileged access to customer systems to reach multiple organisations. Of the incidents linked to a supplier, 39% affected only the customer, 16% affected only the MSP, and 39% affected both. CyberSmart calculated that MSPs were involved in 55% of supplier-related incidents in some capacity.

The report found that 55% of MSPs do not monitor supply chain risk. Among those that perform assessments, 37% review third-party risk quarterly and 11% do so annually. The top operational challenges listed by respondents were managing and enforcing security requirements in contracts (39%), third-party risk assessment and monitoring (37%), and the cost of securing and monitoring supply chains (36%).

The survey also asked about readiness for the UK’s Cyber Security and Resilience Bill, introduced in November 2025. The legislation places providers into formal regulation with mandatory security requirements, stricter incident reporting and increased accountability. Overall, 96% of respondents said they felt prepared to some extent for the law, and 45% described themselves as fully prepared.

Respondents identified organisational barriers to readiness rather than technology gaps. Skills shortages, clearer customer expectations and stronger support for managing third-party risk were each cited by 41% of participants, while 39% called for better-defined roles and liability. Increased legal exposure and added liability was the leading concern for 42% of MSP leaders.

When asked what would improve protection for MSPs, 54% wanted clearer guidance and best practice standards, 52% sought stronger protections around shared liability, and 51% wanted regulatory frameworks specifically for MSPs. Seventy-seven percent of participants said they believe the CSRB goes far enough to protect supply chain organisations, including MSPs.

Jamie Akhtar, CyberSmart’s CEO and co-founder, warned that supply chain risk has become a central concern for MSPs and small businesses as cybercriminals target interconnected business environments. He added that MSPs occupy a central position between customers and suppliers and that a single weak link can have wide consequences. Akhtar called for clearer guidance, shared responsibility and continuous risk visibility to support accountability and resilience.