Cyb3r Operations
Sector · Financial services


Third-party risk for the regulator dialogue, the audit committee, and the next named supplier incident.

Cyb3r Operations gives UK and EU financial firms a continuous, evidence-led third-party picture mapped to DORA, PRA SS1/21, NYDFS, FFIEC, and the FCA Handbook. Built for firms who answer to a supervisor as well as a board.

From the field

Our last DORA-readiness review hinged on whether we could show current third-party evidence on demand. Cyb3r Operations was the only platform that could.

Head of Operational Resilience · UK Tier-1 Bank

What the financial services supplier estate looks like

800 to 2,000

critical third parties at a typical UK Tier-1 bank

3 to 5

tier-2 nodes typically behind 50% of tier-1 critical suppliers

60% gap

between procurement spreadsheet and actual third-party estate

The problem

The supervisor stopped accepting questionnaire responses dated 11 months ago.

DORA, PRA SS1/21, and the FCA Handbook all converged on a single expectation: financial firms must show current, evidence-led oversight of their critical third parties, including the nth-tier subprocessors they never assessed in the first place. "We sent them a questionnaire" stopped being an answer.

By the time a supervisor or audit committee asks the question, the firm has hours to assemble an answer that survives scrutiny. The traditional TPRM operating model, annual review cycles plus supplier self-attestation, was not built for that timetable.

Today's reality

  • DORA Articles 28 to 30 evidence required on demand
  • Concentration risk in cloud, payment, and market-data providers named as systemic
  • Audit committee scrutiny per quarter, not per year
  • Supervisor expects current evidence, not last March's questionnaire

Supply chain shape

What a financial firm's third-party graph actually looks like.

Six categories drive most of the regulated and continuity-critical exposure. The concentration risk usually lives one tier deeper.

Cloud infrastructure

Underlies almost every regulated workload. Concentration in a small number of providers is a named systemic risk.

  • AWS
  • Microsoft Azure
  • Google Cloud

Payment & settlement

Card networks, payment processors, and clearing infrastructure sitting behind customer-facing flows.

  • Visa
  • Mastercard
  • Stripe
  • Worldpay

KYC, AML & identity

Customer onboarding and ongoing screening providers, regulated as third-party processors.

  • Onfido
  • ComplyAdvantage
  • Refinitiv World-Check

Market data & trading

Real-time data, execution venues, and trading platforms whose downtime is a market-impact event.

  • Bloomberg
  • Refinitiv
  • ICE
  • Murex

Core banking & ledger

The platforms running deposits, loans, and the ledger. Migration risk and concentration both elevated.

  • Temenos
  • FIS
  • Mambu

Identity & access

Authentication and access management for staff and customers. A single point of failure for nearly every workflow.

  • Okta
  • Microsoft Entra
  • Ping

Threat landscape

Who is targeting the sector right now.

Named groups and patterns recurring in 2024 to 2026, weighted toward UK and EU financial entities.

LockBit, BlackCat, Cl0p

Ransomware groups

Continued targeting of banks, asset managers, and insurance carriers. Tier-2 supplier compromises commonly precede tier-1 disclosure.

FIN7, FIN11

Financially motivated cybercrime

Targeting payment infrastructure, ATM networks, and treasury management systems through the supply chains of their suppliers.

APT38 (Lazarus, North Korea)

State-sponsored

Long-running SWIFT and crypto-exchange targeting. Persistent threat to global financial messaging.

Akira, Royal, Play

Ransomware groups

Newer ransomware crews concentrating on mid-market financial services, insurance brokers, and wealth managers.

Supply-chain attacks (Snowflake, MOVEit, Okta)

Recurring pattern

Compromise of a single tier-2 platform cascading across financial services customers simultaneously.

BEC + market-data spoofing

Recurring pattern

Sophisticated business email compromise targeting treasury teams, often via compromised third-party email domains.

What changes

What financial firms get from Cyb3r Operations.

DORA-ready evidence on demand.

Articles 28 to 30 obligations mapped to live evidence. The register of information stays current, not annual.

Concentration risk you can take to a supervisor.

Tier-N visibility of cloud, payment, KYC, and market-data dependencies with scoring by service, geography, and regulator.

Operational resilience evidence the PRA expects.

Important business services mapped to the suppliers behind them, refreshed continuously.

Audit-committee-ready narratives.

Short, consequence-led briefings the board and the audit committee can act on without a 40-page appendix.

Supervisor dialogue ready.

Evidence packs aligned to DORA, PRA SS1/21, NYDFS, and FCA expectations, generated on demand.

Plugs into the SOC and GRC stack.

Splunk, Sentinel, Cortex, ServiceNow GRC, Drata, Vanta. The signal lives where the team already does.

Regulatory map

Rules of the road for financial services.

What each regulator asks for, and what Cyb3r Operations evidences against it.

| Regulator | Jurisdiction | Obligation | What we evidence |
|---|---|---|---|
| DORA (Articles 28 to 30) | EU | ICT third-party risk management; register of information; evidence on demand for supervisor. | Live register, framework-mapped evidence pack per critical ICT supplier. |
| PRA SS1/21 | UK | Operational resilience: identify important business services and tolerate disruption from third parties. | Business services mapped to the suppliers behind them, refreshed continuously. |
| FCA Handbook SYSC 8 | UK | Outsourcing and operational resilience expectations for regulated firms. | Continuous third-party assurance evidence and tier-N visibility. |
| Bank of England Critical Third Parties | UK | Direct oversight of designated critical third parties to UK financial services. | Concentration risk monitoring across cloud, payment, and infrastructure providers. |
| NYDFS Cybersecurity Reg (23 NYCRR 500) | US (New York) | Third-party service provider policies, due diligence, monitoring. | Continuous monitoring evidence and supplier-tier evidence packs. |
| FFIEC IT Examination Handbook | US | Third-party risk management expectations for federally regulated financial institutions. | Evidence aligned to the third-party risk management booklet's lifecycle. |
| BCBS 239 | Global (BIS) | Risk data aggregation and reporting principles, increasingly applied to third-party exposure. | Risk register integration and board-pack evidence on demand. |

Sector scenarios

What this looks like in practice for a financial firm.

Three short stories from the field, each anchored to a platform capability.

Scenario 01

Concentration risk for the audit committee

A UK Tier-1 bank's CRO had four days to answer the audit committee's question about cloud and market-data concentration. Cyb3r Operations mapped 23 critical tier-1 suppliers across five tiers and flagged three systemic tier-2 nodes by the next morning.

See it in the Relationship Mapping use case

Scenario 02

DORA evidence pack for the supervisor

An EU insurer received an unexpected DORA-readiness enquiry. The GRC team pulled the evidence pack for 47 critical ICT suppliers in two hours, mapped to Articles 28 to 30, with the register of information attached.

See it on the GRC persona page

Scenario 03

Tier-2 supplier breach response

When a major SaaS supplier announced a breach, a Tier-1 retail bank's Head of Vendor Management already had the exposure picture from three months earlier. The supplier disclosure was a confirmation, not a scramble.

See it in the Supplier Breach Warning use case

Sector questions

Questions financial firms ask in the first conversation.

Each Article 28 obligation has a built-in mapping: register of information (live), ICT supplier due diligence (continuous evidence), monitoring of ICT services (outside-in), and incident reporting (signals routed into your IR runbook).

Yes. We map suppliers to the business services they support, surface concentration risk across services and tiers, and produce evidence for the resilience tolerance the firm is required to demonstrate.

Cyb3r Operations is the third-party evidence layer feeding your existing GRC workflow. We don't replace ServiceNow GRC or OneTrust; we provide the live, supplier-independent evidence underneath.

No. Outside-in evidence does not require the supplier to engage. This matters most for the long tail and for the tier-2 suppliers your tier-1 vendors hired without telling you.

Yes. Evidence is timestamped, framework-mapped, and includes the underlying signal data. Big 4 audit firms increasingly prefer this over questionnaire responses for supplier-relationship audit testing.

Underwriters now reward evidence of continuous third-party monitoring. Several customers have used Cyb3r Operations evidence to renegotiate premium and cover terms.

Comparing alternatives?

Comparing TPRM platforms on financial-services readiness?

See how the major TPRM platforms differ on DORA evidence, PRA SS1/21 fit, and supervisor-dialogue readiness.

See the full breakdown

Built for firms who answer to a supervisor.

30-minute walkthrough, no commitment. We will produce a DORA-aligned evidence pack for one of your real suppliers before the call.

Start your discovery now

Get started

Three steps to supervisor-ready third-party evidence.

Step 01

30-minute walkthrough

Map the platform to your important business services and top critical ICT suppliers.

Step 02

Outside-in scan against your real supplier list

See the concentration picture, the tier-N graph, and the evidence pack before the next supervisor enquiry.

Step 03

Pilot tied to one regulator dialogue

Pick DORA, PRA, or FCA. Run a 30-day pilot with the audit committee in mind.