SecurityScorecard has published an analysis of third-party data breaches affecting major U.S. banks. According to its findings, 97% of the top 100 banks in the United States experienced a breach attributed to third-party vendors over the past year. The figure highlights significant vulnerabilities within the banking supply chain as institutions rely on an increasingly diverse set of external vendors for essential operations.
As the financial sector becomes increasingly integrated with various third-party vendors, the resulting exposure to potential breaches escalates. SecurityScorecard’s experts, utilizing an extensive proprietary dataset on risk and threat intelligence, have scrutinized the effects of these breaches on the banking industry. The analysis points to a pressing need for financial institutions to fully comprehend their external dependencies, thereby minimizing their exposure and fortifying their resilience against such threats.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the gravity of these findings. He noted that almost all prominent U.S. banks faced breaches stemming from third-party relationships, revealing critical weaknesses within the interlinked digital ecosystem. The recent incident involving CrowdStrike further illustrated this fragility, demonstrating that issues with a single vendor, even in the absence of a direct breach, can lead to substantial risks across the financial system. These vulnerabilities signify that one compromised vendor could have destabilizing effects not only on individual institutions but also on the broader financial landscape.
The analysis yielded several critical insights regarding the state of cybersecurity within the banking sector. While 97% of the banks reported third-party breaches, only 6% of the vendors directly involved were compromised, indicating the vast reach of these incidents. Additionally, 97% of the banks also dealt with fourth-party breaches, linked to a mere 2% of vendors. Every one of the top 10 U.S. banks faced incidents of third-party breaches, further underscoring the pervasive risk across the industry.
In response to these findings, the SecurityScorecard STRIKE team has provided strategic recommendations aimed at enhancing cybersecurity within the financial sector. Continuous monitoring of the external attack surface is vital, with automated scans used to identify IT and cybersecurity risks across vendor and partner environments. Mapping critical business processes is also crucial for pinpointing single points of failure and for maintaining a watch list of high-risk vendors. Proactively identifying new vendors through passive monitoring of IT deployments can help surface hidden supply chain vulnerabilities.
The methodology applied in this analysis involved rigorous scrutiny of 100 U.S. banks ranked by market capitalization, with more than 9,000 domains assessed, including those of third- and fourth-party vendors. SecurityScorecard’s approach to evaluating cybersecurity performance relies on gathering significant amounts of non-intrusive data to derive an overall score, graded from A to F, based on ten predictive factors associated with the likelihood of a security breach.
The vulnerabilities described in this report may map to tactics and techniques in the MITRE ATT&CK framework, including those for initial access and privilege escalation, which adversaries may use to compromise systems through third-party channels. For institutions working to defend against these threats, a clear understanding of their interconnected networks and robust vendor management practices will be key to mitigating risk and improving overall cybersecurity posture.