More than eight in 10 UK cyber security and third-party risk professionals say their organisation experienced at least one supply chain cyber incident in the past year, highlighting continued gaps in supplier oversight and incident response.

Risk Ledger‘s research Every Link Matters: The State of Supply Chain Security 2026 – UK Edition found 82.4% of respondents recorded at least one supply chain incident in the previous 12 months. Almost half, at 47.2%, reported two or more. The findings suggest supply chain cyber risk remains a persistent issue for organisations across sectors, despite stronger regulatory scrutiny of operational resilience and supplier dependencies.

Risk levels

The survey of 500 UK cyber security and third-party risk management professionals found 86% ranked supply chain cyber incidents among their top three concerns for 2026.

The data also shows a gap between concern and readiness. Only 6% of respondents said they could accurately map exposure across their supplier ecosystem in under four hours after a major supply chain cyber incident. Another 45% said it would take between four and 24 hours.

More than a quarter said it would take one to three business days. A further 23% said it would take more than a week and require manual outreach to suppliers.

Those delays can limit an organisation’s ability to respond when a supplier is compromised. Teams need to know which business services, systems and processes may be exposed. They also need to understand whether risk extends deeper into the supply chain.

Slow checks

Supplier due diligence remains slow. Only 38% of respondents said their organisation could complete security due diligence for a new supplier within two weeks.

Another 34.6% said the process took three weeks or more. Within that group, 12% said it took more than one month.

Risk Ledger’s analysis points to a structural weakness in many third-party risk management processes. They often remain manual and focused on bilateral assessment between one customer and one supplier. Many still rely on bespoke questionnaires and periodic reviews.

That approach can create duplicated work for suppliers. It can also leave customers relying on information that may not reflect current security controls.

Visibility gap

Visibility beyond direct suppliers remains uneven.

Some 30% of respondents said they had full visibility into the entire chain of subcontractors contributing to important business functions. Just over half, at 50.2%, said they had high visibility into all direct subcontractors of critical third parties.

A further 16% reported only partial visibility into some fourth parties of their critical suppliers. Only 3% said they had no visibility beyond direct critical third parties.

The findings come as regulators in the UK and EU put greater emphasis on operational resilience, concentration risk and the mapping of digital dependencies. This includes closer scrutiny of subcontractors and deeper-tier relationships that support critical or important services.

“Identifying systemic risks is really important. However in most cases, only industry-level associations have enough combined resources and adequate information sharing guardrails in place to efficiently identify actual systemic risks, agree actions and, with the help of regulators, influence large players in the supply chain,” said Yohann Le Grand, Senior Security & Resilience GRC Manager, Lloyds Wealth.

Network mapping

Risk Ledger sets out a model it calls Active Supply Chain Security. It is based on standardised assessments, continuous monitoring, network visibility, collective defence and faster incident response.

The survey suggests organisations are open to more collaborative approaches. Some 42% of respondents said their organisation would be very supportive of an industry-wide model in which supplier intelligence and assurance data are shared with peers. A further 50.2% said they would be somewhat supportive.

Risk Ledger also examined three groups using its platform: 26 government organisations, 25 local authorities and 30 financial institutions.

Across the government group, the platform identified 3,240 direct third parties and 5,886 additional dependencies across shared nth parties. It also identified 1,264 potential concentration risks, including 820 at third-party level.

Of those third-party concentration risks, 224 were rated critical. Risk Ledger said this means an incident at one supplier would be likely to disrupt essential services at multiple public sector organisations.

“Risk Ledger’s Network Visualisation Tool has enabled us to efficiently identify critical risks across our supply chain, helping us address potential concentration risks before they escalate,” said Chris Phillips, Third-Party Compliance and Assurance Lead, Home Office Cyber Security (HOCS) | Governance, Risk and Compliance (GRC).

Sector exposure

The local authority group had 1,004 direct third parties and 7,659 additional dependencies across shared nth parties. Risk Ledger identified 1,240 potential concentration risks, including 364 at third-party level. Of those, 99 were rated critical.

The financial services group had 2,780 direct third parties and 6,529 additional dependencies. The platform identified 1,322 potential concentration risks, including 727 at third-party level. Of those, 288 were rated critical.

The analysis also found control weaknesses among some critical concentration risks. In the financial services group, 120 suppliers classified as critical third-party concentration risks did not have Cyber Essentials certification. Two were not using Multi-Factor Authentication to secure remote access to their network or cloud environments. Ten did not regularly test or rehearse Business Continuity and Disaster Recovery plans.

“A big challenge with third-party risk management comes down to how corporations and other organisations tackle peer-to-peer communication from within their respective siloes. We (as customers of common suppliers) need to get better at working with each other and trusting what our peers are doing. Using feedback as a form of intelligence about shared interests would allow companies to focus more time on fixing the things we really care about,” said Jay Vinda, Global CISO and Cyber Risk Engineering Lead, Mosaic Insurance.

Read full report here.

Ardmore Group’s businesses, including its construction and major projects arms, have filed a notice of intention to appoint administrators.

This has left nine active projects in London in limbo, including a £500m scheme with laboratories and housing in King’s Cross, known as Tribeca.

It had also been working on high-end hotels in Mayfair and Kensington, flats at Earl’s Court and Hackney Wick, and offices at Chancery Lane, The Telegraph reports.

What is the Ardmore Group?

The Ardmore Group was founded in Catford in 1974 by Irish brothers Cormac and Patrick Byrne.

It was well-known for its building projects in London, such as the Raffles hotel and The Ned.

Alongside that, it was a partner for major housebuilders such as Barratt Redrow, Berkeley and Crest Nicholson.

Ardmore’s LinkedIn page shares that the firm specialises in “large-scale complex projects through our direct delivery capability, technical and engineering expertise, and pro-active approach to managing risk.”

It adds: “We’ve designed and built some of the UK’s most significant projects, establishing an unrivalled reputation as one of the country’s leading residential and hotel builders.

“Our traditional, hands-on approach to construction puts us at the heart of the action.”

Why did the Ardmore Group file for administration?

Scrutiny of apartment blocks that were built before the Grenfell disaster uncovered fire safety deficiencies at multiple buildings that Ardmore had built decades earlier.

Last year, Ardmore’s construction arm was put into administration in an attempt to protect the wider business group from being hit by client claims.

Despite this, Crest Nicholson won a landmark High Court challenge against the group over remediation costs at its Admiralty Quarter development in Portsmouth.

It was awarded close to £15m, and this paved the way for other builders to pursue claims against Ardmore.

Discussing the outcome of this High Court challenge, Ardmore shared: “The administration follows the profound impact of the recent Building Liability Order (BLO) judgment relating to the Admiralty Quarter project, which completed in 2009.

“The judgment has affected client confidence, payment terms and certified values across a number of live projects, materially affecting the construction group’s ability to continue trading in the normal way.”

On Thursday (June 11), Ardmore Group applied for a company moratorium, which is designed to give it temporary protection from creditor action while rescue options are explored.

This is also intended to give the group time to continue preparing its appeal against the BLO judgment.

An Ardmore spokesperson added: “This is a deeply disappointing outcome for the construction group, its employees and its stakeholders.

“Our focus is now on preserving value in the wider Group, protecting the continuing businesses where possible, and pursuing the appeal against a judgment which we believe raises important questions for the wider industry.”

Other UK companies that have closed or entered administration/liquidation in 2026

It has been a tough year for the UK high street, with several retailers entering administration and others announcing widespread store closures.

Major high street retailers LK Bennett and Claire’s both closed all their stores in April, having previously fallen into administration.

Quiz also revealed that it will be closing its 37 remaining stores by the end of June, after falling into administration in February (for the second time in 12 months).

Other retailers have been forced to close stores this year, including:

• River Island
• Primark
• Poundland
• Revolution
• BrewDog
• Franco Manca

Iguanas Holdings Limited, which runs 47 Las Iguanas restaurants across the UK, and Poundstretcher are also in danger of collapsing into administration if restructuring plans aren’t agreed, having “fallen into financial difficulties”.

Four UK travel companies have closed in 2026:

• Regen Central Ltd
• Gold Crest Holidays
• Asiara UK Ltd
• Simply Florida Travel Ltd

Luxury UK holiday company Salamander Voyages also shut down recently after entering administration.

Meanwhile, three UK airlines have fallen into administration or liquidation:

• Ascend Airways (liquidation)
• EcoJet Airlines (liquidation)
• Zenith Aviation Limited (administration)

UK delivery company Yodel is set to be phased out over the coming months after being acquired by InPost.

It’s also been reported that Morrisons is looking to sell some of its in-store pharmacies as it continues to cut costs.

It’s not been all bad news for the UK high street, with several major brands announcing new store openings for 2026, including Aldi, M&S, and Superdrug.

Plus-size clothing brand Evans has also returned to the UK high street in 2026 after closing all its stores and concessions in December 2020.

Have you noticed an increased number of businesses closing or going into administration in your area this year? Let us know in the comments.

SOFIAH NICHOLE SALIVIO

News Editor

O2 has signed an agreement with Cellnex to join the Brighton Main Line connectivity project. The route serves more than 300,000 passengers on weekdays.

The deal gives O2 access to Cellnex infrastructure along the rail corridor between London, Gatwick Airport and the South Coast. It will support a phased rollout of mobile coverage, including 5G, across the full route in the coming months.

The Brighton Main Line is one of the UK’s busiest commuter railways, serving London Victoria, London Bridge and Clapham Junction. It carries 1,700 train movements a day and links services operated by Thameslink, Southern, Gatwick Express, Great Western Railway and London Overground.

Cellnex has been building the network under a 25-year contract awarded by Network Rail in 2021. The project uses a neutral host model, allowing mobile operators to use shared infrastructure rather than build separate systems along the line.

The shared network is intended to address long-standing gaps in mobile coverage on a route shaped by tunnels, deep cuttings and older station infrastructure. Once fully activated, the system is expected to provide high-speed connectivity across 99% of the 108km corridor.

O2 is the latest operator to join the programme after Three UK signed up in 2023. The addition of a second operator suggests Cellnex is gaining support for its model as rail passengers and regulators place greater scrutiny on mobile coverage and network resilience.

Station upgrades

Part of the work has focused on the main London stations served by the route. Indoor mobile systems are being installed at London Victoria, London Bridge and Clapham Junction, which together account for about 19% of rail passenger traffic to and from the capital from outside London.

The build includes 130km of fibre, four base station hotels to house operator equipment, 39 distributed antenna systems in tunnels and trackside areas, a dedicated station distributed antenna system at the three main stations, and 16 macro sites along the route. The three-year programme has so far required more than 129,000 working hours and more than 11,000 worker entries on the lineside and at stations.

For O2 passengers, the agreement means coverage improvements will be introduced in stages as parts of the system go live. The aim is to improve reliability for customers travelling between the coast and the capital.

Steve Cray outlined the case for the project.

Steve Cray, Managing Director, Cellnex UK, said: “Regular railway passengers will understand the frustration of losing signal mid-conversation or spending whole journeys with buffering videos. With O2 now on board, many more passengers are going to notice the difference on one of the UK’s most important commuter routes. This collaboration stands as one of the most significant end-to-end telecommunications infrastructure deployments on the British railway so far, and we are proud to be setting a new standard for the UK’s entire rail network.”

Operator demand

As a neutral host provider, Cellnex designs, plans and builds infrastructure that multiple mobile network operators can connect to. The approach can cut duplicate investment and reduce the amount of equipment needed across the railway estate.

For O2, the Brighton Main Line forms part of a broader effort to improve coverage where people travel and work. Rail corridors remain difficult mobile environments because of moving trains, variable terrain, and the engineering limits of older tunnels and stations.

Professor Robert Joyce, Director of Mobile Access Engineering, O2, said: “Our £700m Mobile Transformation Plan is focused on delivering reliable connectivity in the moments that matter most, and railway lines are a key part of that. By working with Cellnex to improve connectivity along the Brighton Main Line, we’ll be bringing improved coverage and capacity to customers travelling from the coast to the capital over the coming months.”

Network Rail, which is partnering with Cellnex on the scheme, said the line has been one of the most technically difficult parts of the railway for mobile coverage. The infrastructure has had to be installed while the route remained operational.

Paul Richmond, Head of Business Development, Network Rail, said: “Passengers on the Brighton Main Line deserve connectivity that matches the importance of this route, and our long-term partnership with Cellnex is transforming what has historically been one of the most technically demanding corridors for mobile coverage into a showcase for modern railway connectivity. A huge amount of collaboration has gone into this project over the last few years to support the infrastructure on a railway that is constantly operational. With O2 now on board, even more passengers will soon experience the benefits of this investment every time they travel.”