30 Mar 2026

Vanta adding Cyber Essentials support is the detail worth paying attention to here. That is not a coincidence. Cyber Essentials is the baseline UK government framework, increasingly expected by procurement teams, insurers, and the FCA's own operational resilience guidance. A US-born compliance platform deciding to build native support for it signals that the UK regulated market is large enough to be worth chasing properly.

The bigger shift is what continuous monitoring does to the economics of third-party risk. Most TPRM programmes in consumer finance are still built around annual questionnaires. You send a spreadsheet, someone fills it in six weeks late, a junior analyst reviews it, and you file it. You have no idea what that vendor's security posture looks like in month eight. Continuous monitoring changes that model entirely. It moves vendor risk from a point-in-time audit exercise to something closer to a live feed.

For firms running loan origination platforms, this matters more than it might seem. The average mid-size credit broker has thirty to fifty active technology vendors touching customer data or decisioning logic. Under DORA and the FCA's outsourcing rules, you are expected to understand and manage concentration risk across that whole chain. Doing that manually does not scale.

The honest tension here is that tools like Vanta make compliance look easy, and there is a risk that boards treat automation as a substitute for genuine risk judgement. A platform can tell you a vendor passed its SOC 2 audit. It cannot tell you whether that vendor's engineering team is under-resourced, or whether a key integration creates a single point of failure in your collections process.

Automation handles the evidence collection. The interpretation still requires someone who understands what they are looking at. The question for technology leaders is whether they are investing in that capability, or just buying tools that make the audit pack look tidy.