---
title: Supply Chain Security Firm Risk Ledger Raises $32 Million as UK Tightens Cyber Rules for Critical Suppliers
description: Risk Ledger has raised a $32M Series B led by Axiom Equity for AI tools and US expansion, as the UK moves to put critical suppliers under statutory cyber rules.
author: Darie Nani (Editor-in-Chief)
date: 2026-07-15T13:30:22.993Z
updated: 2026-07-15T13:30:23.005Z
canonical: https://www.sovereignmagazine.com/article/risk-ledger-raises-32-million-series-b
image: https://cdn.nanimediahouse.com/risk-ledger-team.webp
categories: Startups, Business
content_type: Spotlight
region: London
publication: Sovereign Magazine
about:
  - type: Organization
    name: Risk Ledger
    description: Risk Ledger is a London-based supply chain cyber security company founded in 2018 by Haydn Brooks and Daniel Saul. Its network-first platform replaces repeated vendor security questionnaires with a single standardised assessment that each supplier maintains and shares across every connected organisation, surfacing concentration and nth-party risks that point-in-time tools miss. More than 16,000 organisations use the network across financial services, insurance, critical national infrastructure and government. The company raised a $32 million Series B led by Axiom Equity in July 2026 to fund AI security tooling and expansion into the United States.
    url: https://riskledger.com
    foundingDate: 2018-01-01T00:00:00.000Z
    industry: Cyber security
    sameAs:
      - https://www.linkedin.com/company/risk-ledger
      - https://www.twitter.com/riskledger/
      - https://www.github.com/riskledger/
---

Risk Ledger, a London company that maps security weaknesses across corporate supply chains, has raised $32 million in a Series B round as Britain prepares to place the cyber defences of its most important suppliers under statutory oversight for the first time.

The round, worth £24 million, was led by [Axiom Equity](https://www.forbes.com/sites/davidprosser/2026/07/15/risk-ledger-raises-new-funding-to-target-us-cyber-security-market/), a growth equity fund that backs British and Irish software businesses, alongside Mercia Ventures, which first invested at Series A. The money will pay for more customers in the UK, a set of AI tools for spotting supplier risk, and an entry into the United States. It takes the total raised by [Risk Ledger](https://riskledger.com/) since 2018 to about £33.8 million.

The company sells software for what the industry calls third party risk management, or TPRM: the job of checking that a firm's suppliers are not an open door for attackers. Most tools do this one supplier at a time, through [security questionnaires](https://www.sovereignmagazine.com/article/cybersecurity-solutions-trust-management-platform-vanta-hits-2-45b-valuation) that are filled in once and rarely refreshed. Risk Ledger works differently. Each supplier completes a single standardised assessment and keeps it up to date, and every organisation connected to it can see the result. More than 16,000 organisations now sit on the network, according to the company, across financial services, insurance, critical national infrastructure and both central and regional government.

## What Is a Supply Chain Attack and How Does It Work

A supply chain attack [reaches its target through a weaker company](https://www.sovereignmagazine.com/article/when-critical-infrastructure-becomes-prime-target-what-the-european-airport-cyberattacks-mean) that supplies it, rather than through the target's own defences. The weakness that matters is often several steps removed, inside a supplier's supplier, what security teams call fourth party or nth-party risk. It is a growing route in. Verizon's 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled in a year, from 15 percent to 30 percent. IBM's 2025 breach study put the average cost of a supply-chain compromise at $4.91 million and the time to find and contain it at 267 days. In April 2025 attackers reached Marks & Spencer through an IT contractor, in a wave of breaches the retailer and Co-op later counted in the hundreds of millions of pounds.

## How the Cyber Security and Resilience Bill Changes Third Party Risk Management

A bill going through Parliament this year would change how British firms are expected to manage that risk. The [Cyber Security and Resilience Bill](https://www.pwc.co.uk/services/technology/cyber-security-services/insights/understanding-cyber-security-and-resilience-bill.html) introduces a category of "designated critical suppliers", pulling systemically important third parties into the same security and incident-reporting rules that already cover operators of essential services such as water and energy. It also moves firms away from assessing a supplier at a single point in time and towards [continuous assurance](https://www.sovereignmagazine.com/article/compliance-frameworks-take-centre-stage-as-cyber-security-mandates-tighten), monitoring that runs all year rather than a form completed once.

Risk Ledger has not tied its funding to the bill. But the product it sells does much of what the legislation would require.

## Who Invested in Risk Ledger's Series B Round

Axiom Equity led the round. Its founding partner, Jonathan Organ, said: "Risk Ledger is creating a category rather than competing in an old one. The network it has built is hard to replicate and grows more valuable with every organisation that joins, which is exactly the kind of business we look to back. The team has earned real trust with serious customers, and the product reflects that discipline. We are pleased to lead this round as the final investment from our first fund, and to support Risk Ledger through its next stage of growth."

That first fund is now fully committed; Axiom closed a second fund above its target in March. Mercia Ventures, which invests up to £10 million per company and led Risk Ledger's £6.25 million Series A in 2023, returned as a backer. Adam Lovell, a venture capital investor at Mercia, said: "We backed Risk Ledger at Series A because we believed Haydn and the team had identified a fundamentally better way to manage supply chain cyber risk. Three years on, that conviction has only strengthened. The team, customer base and the quality of the product all speak for themselves."

Risk Ledger was founded in 2018 by Haydn Brooks, a former cyber risk consultant at KPMG and then Deloitte, and Daniel Saul, an engineer; both were named to the Forbes 30 Under 30 Europe list in 2019, and the platform launched in 2020. Since the Series A the company says its revenue has quadrupled and its headcount has roughly tripled, to about 75 staff.

## Why Risk Ledger Is Expanding Into the US Market

The Series B also funds a move into the United States, where the company has hired Matthew Fox, a go-to-market lead from the security firm Mimecast, and won its first American customers. Supply chain breaches and regulatory pressure are both rising there, as they are in Britain. Haydn Brooks, chief executive and co-founder, said the company was built on the conviction that "organisations are stronger when they Defend-as-One, sharing intelligence and reducing risk together rather than in isolation", and that the investment "lets us build that vision faster, extending collective defence to more customers, putting AI to work on the manual tasks that consume security teams, and bringing Active Supply Chain Security to the United States."

**About Risk Ledger**

Risk Ledger is a London-based supply chain cyber security company founded in 2018 by Haydn Brooks and Daniel Saul. Its network-first platform replaces repeated vendor security questionnaires with a single standardised assessment that each supplier maintains and shares across every connected organisation, surfacing concentration and nth-party risks that point-in-time tools miss. More than 16,000 organisations use the network across financial services, insurance, critical national infrastructure and government. The company raised a $32 million Series B led by Axiom Equity in July 2026 to fund AI security tooling and expansion into the United States.

[Website](https://riskledger.com)

## FAQ

**Q: What is an example of a supply chain attack?**
The Marks & Spencer breach in April 2025 is a recent one. Attackers did not break through the retailer's own systems; they came in through an outside IT contractor with access to them. That is the shape of a supply chain attack: the target is reached through a supplier, often one it trusts and monitors loosely.

**Q: What is the main goal of a supply chain attack?**
The goal is to reach a hard target by going through a softer one. A large organisation may defend its own network well, but it depends on hundreds or thousands of suppliers that do not, and any of them with access can become the way in. Attackers use that access to steal data, disrupt operations or plant tools for later.

**Q: What is the difference between TPRM and GRC?**
Third party risk management, or TPRM, is the specific work of assessing and monitoring the security of a firm's suppliers. GRC, meaning governance, risk and compliance, is the broader function that covers a firm's own internal controls, policies and regulatory obligations. TPRM sits within that wider picture but points outward, at everyone the firm relies on.

**Q: How do you secure a supply chain?**
It starts with knowing who is in it, including the suppliers of your suppliers, and continues with checking their security regularly rather than once at sign-up. The Cyber Security and Resilience Bill would make continuous monitoring of critical suppliers a legal expectation for some firms, which is the direction platforms such as Risk Ledger are built for.
