Cybersmart, a leading provider of cyber risk management for small businesses, has released the findings from its third annual CyberSmart MSP Survey, which focuses on the security of Managed Service Providers (MSPs) and their customers. The 2026 report has revealed that, amid high-profile attacks and changing regulation, third-party risk is mainstream. In fact, 43% of MSPs and their customers have experienced a cyber incident caused by or originating from a supplier or third-party vendor in the past 12 months.
The 2026 research, conducted by OnePoll, features insights from 350 MSP leaders across the UK and Ireland, spanning a selection of industries and serving customers ranging from 1 to 250+ employees.
Over Half of Supply Chain Incidents Involve MSPs in Some Way
Over the past year, it has become clear that supply chain breaches are systemic, not incidental. One notable cyberattack on a British car manufacturer, for example, is believed to have had a significant ripple effect across ~5,000 suppliers and partner organisations. MSPs are uniquely situated in the supply chain, as they often have privileged access to the inner workings of their customers’ organisations. This makes them a highly coveted target for cybercriminals and the potential gateway to tens, if not hundreds, of other organisations.
Of those surveyed, 2 in 5 leaders noted that they’d suffered a supply chain incident, where 39% only affected the customer, 16% only affected the MSP, and 39% affected both the MSP and the customer. This means that over half (55%) of incidents involved the MSP in some way. Yet, over half (55%) of MSPs do not continuously monitor for supply chain risk. Worryingly, 37% of MSPs only assess risk quarterly and 11% only annually.
The top challenges for MSPs when it comes to securing their customers as part of the supply chain are:
- Managing and enforcing security requirements in contracts (39%)
- Third-party risk assessment and ongoing monitoring (37%)
- Cost of securing and monitoring the supply chain (36%).
Inconsistent security standards across suppliers is also noted as a top concern. Government frameworks and certifications, like Cyber Essentials, are a good way to prove baseline cybersecurity across suppliers.
Cyber Security Resilience Bill Causes Liability Worry For MSPs
The Cyber Security and Resilience Bill (CSRB), introduced in November 2025, brings MSPs into the scope of formal UK cyber regulation for the first time, introducing mandatory security requirements, stricter incident reporting and greater accountability. It reflects a broader shift towards managing systemic supply chain risk and positions MSPs not just as service providers, but as critical components of national cyber resilience.
96% of those surveyed said that they are prepared for the CSRB to a certain extent, with 45% saying they’re ‘fully’ prepared. Notably, MSPs do not see software as the solution to closing the readiness gap. Instead, they point to skills (41%), clearer customer expectations (41%), stronger support for managing third-party risk (41%) and better-defined roles and liability (39%). This highlights that the challenge is less about technology and more about coordination, capability and clarity across the ecosystem.
For MSPs, the biggest concern regarding the CSRB is increased liability and legal exposure for MSPs (42%). MSP leaders are worried about undefined accountability, not about accountability itself. With costs, contracts and guidance also ranking highly, MSPs are grappling less with the principle of regulation and more with how risk will be allocated and operationalised in practice.
Regulation Goes Far Enough, Say MSPs
Promisingly, most respondents (77%) believe that the CSRB is doing enough in protecting supply-chain organisations, including MSPs, from cyber risk.
When it comes to what more could be done, if anything, to protect MSPs, 54% said clearer guidance and best practice standard, 52% said stronger protections around shared liability, 51% said clearer regulatory frameworks specifically for MSPs and 50% said certification of MSPs security provided to clients.
“Supply chain risk has become a central concern for MSPs and SMEs as cybercriminals increasingly target interconnected business ecosystems,” said Jamie Akhtar, CEO and Co-Founder of CyberSmart. “MSPs sit at the centre of these environments, which means a single weak link can have far-reaching consequences for customers, suppliers and partners. What our research shows is that the industry understands the need for greater accountability and resilience, but MSPs also need clearer guidance, shared responsibility and continuous risk visibility to make that possible in practice.”
To read the full report, visit: https://cybersmart.co.uk/msp-survey-2026/
