How Supply Chains Really Fail: Aggregation Risk, MSPs and Hidden Single Points of Failure

Most supply chains do not fail because a single supplier is weak.
They fail because too many organisations depend on the same thing, in ways nobody fully mapped.

The Cyber Security and Resilience Bill brings this uncomfortable reality into regulation for the first time. It does not just care whether suppliers are secure — it cares whether their failure would cascade.

This is aggregation risk, and it is the most misunderstood threat in modern digital supply chains.

What aggregation risk actually is

Aggregation risk occurs when:

  • multiple organisations rely on the same provider,

  • the same platform,

  • the same MSP,

  • or the same piece of shared infrastructure,

creating a single point of failure that is invisible when each dependency is assessed in isolation.

No single customer thinks they are “overexposed”.
Collectively, everyone is.

Why MSPs sit at the centre of the problem

Managed service providers are a perfect aggregation layer:

  • privileged access to multiple environments,

  • shared tooling and credentials,

  • common update pipelines,

  • and concentrated operational control.

Individually, customers assess their MSP as “reasonable risk”.
Systemically, the MSP becomes critical infrastructure.

The Bill recognises this by regulating managed service providers directly — not because they are careless, but because their failure has outsized impact.

The illusion of diversification

Many organisations believe they are safe because:

  • they have multiple suppliers,

  • contracts are split,

  • or services are “redundant”.

In practice:

  • redundancy often sits on the same cloud,

  • multiple suppliers rely on the same MSP,

  • backup systems share authentication or management planes.

Diversity on paper does not guarantee independence in reality.

Why this breaks incident response

When aggregation risk materialises, organisations struggle to answer basic questions:

  • Is this incident isolated or systemic?

  • Are our other suppliers affected?

  • Are our customers exposed through shared dependencies?

Under the new reporting regime, that uncertainty becomes regulatory risk.

If you cannot assess aggregation impact quickly, you cannot make confident reporting or notification decisions — and the clock does not wait.

Why traditional assessments miss this entirely

Questionnaires ask:

  • “Do you have MFA?”

  • “Do you have backups?”

  • “Do you meet ISO 27001?”

They do not ask:

  • “Who else do you manage?”

  • “What else shares this control plane?”

  • “How many customers would fail if you did?”

Aggregation risk is structural, not procedural.

Why regulators now care

The Bill shifts focus from individual compliance to systemic resilience.

From a regulator’s perspective:

  • one incident affecting one firm is noise,

  • one incident affecting dozens is signal.

Aggregation turns routine failures into national issues — which is exactly why MSPs, data centres and critical suppliers are now in scope.

The uncomfortable reality for suppliers

If you provide services to multiple regulated entities, you are no longer “just a supplier”.

You are:

  • a shared dependency,

  • a potential multiplier of harm,

  • and a candidate for designation based on impact alone.

This is designation-by-dependency in action.

What actually reduces aggregation risk

There is no silver bullet — but there are better questions.

Effective approaches focus on:

  • mapping shared dependencies across customers,

  • understanding access concentration,

  • identifying common management planes,

  • testing failure scenarios, not just controls,

  • and designing isolation where it genuinely matters.

This is harder than distributing questionnaires — but it reflects how failures really happen.
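As an added illustration (not from the article, and not Cyber Tzar's own tooling): a small Python dependency map, using constructed organisation names, that computes which upstream providers each customer transitively depends on, how many customers each provider would take down, and where a customer's "redundant" suppliers actually share an upstream.

```python
# Added example (not from the article): a dependency map that surfaces
# aggregation points and "diversity on paper". All names are constructed.
# Customers A and B use different suppliers plus a "redundant" backup provider,
# but both suppliers are run by the same MSP and everything sits on one cloud.
DEPENDENCIES = {
    "CustomerA": ["SupplierX", "BackupCo"],
    "CustomerB": ["SupplierY", "BackupCo"],
    "CustomerC": ["SupplierY"],
    "SupplierX": ["MSP-1", "Cloud-1"],
    "SupplierY": ["MSP-1", "Cloud-1"],
    "BackupCo": ["Cloud-1"],
    "MSP-1": ["Cloud-1"],
    "Cloud-1": [],
}
CUSTOMERS = ["CustomerA", "CustomerB", "CustomerC"]

def transitive_deps(node, deps):
    """Every provider `node` relies on, directly or through other providers."""
    seen, stack = set(), [node]
    while stack:
        for d in deps.get(stack.pop(), []):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen

def blast_radius(deps, customers):
    """Provider -> set of customers that would fail if that provider failed."""
    radius = {}
    for c in customers:
        for p in transitive_deps(c, deps):
            radius.setdefault(p, set()).add(c)
    return radius

def aggregation_points(deps, customers, threshold=2):
    """(provider, customers hit, hidden) for providers whose failure cascades to
    >= threshold customers; hidden=True when no customer lists it directly."""
    direct = {d for c in customers for d in deps.get(c, [])}
    hits = blast_radius(deps, customers).items()
    found = [(p, len(cs), p not in direct) for p, cs in hits if len(cs) >= threshold]
    return sorted(found, key=lambda t: (-t[1], t[0]))

def paper_diversity(customer, deps):
    """Upstream providers shared by two or more of a customer's direct suppliers."""
    counts = {}
    for supplier in deps.get(customer, []):
        for p in transitive_deps(supplier, deps) | {supplier}:
            counts[p] = counts.get(p, 0) + 1
    return {p for p, n in counts.items() if n >= 2}
```

On the sample data, `aggregation_points(DEPENDENCIES, CUSTOMERS)` ranks Cloud-1 and MSP-1 first as hidden providers affecting all three customers, although no customer questionnaire would ever reach them, and `paper_diversity("CustomerA", DEPENDENCIES)` returns `{'Cloud-1'}`, the single cloud both of CustomerA's "redundant" paths sit on.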

The practical takeaway

If your supply-chain risk management cannot identify:

  • where dependencies stack,

  • where access concentrates,

  • or where failure would cascade,

then it is optimised for paperwork, not resilience.

The Bill does not eliminate aggregation risk.
It makes ignoring it untenable.

Call to action

If you rely on MSPs, shared platforms or suppliers serving multiple regulated organisations — or if you are one — aggregation risk is now your problem to understand and manage.
Contact Cyber Tzar to map hidden dependencies, identify aggregation risk and assess how failure would propagate across your supply chain — before a single incident becomes a systemic event.
