Almost all major US banks experienced third-party breaches last year.

In a striking revelation from the cybersecurity sector, almost all of the top 100 banks in the United States experienced breaches linked to third-party vendors last year, with every one of the ten largest banks facing similar issues. Research conducted by SecurityScorecard highlights that while a staggering 97% of financial firms reported incidents involving third-party breaches, only 6% of the vendors they worked with were actually compromised.

The findings underscore a concerning trend in the financial services industry, wherein not only third-party breaches but also fourth-party breaches are becoming increasingly common. These fourth-party incidents are traced back to a mere 2% of vendors. Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the pervasive vulnerabilities within the interconnected digital ecosystem of major U.S. banks. He warned that a single compromised vendor could fundamentally destabilize the entire financial system.

As banks continue to rely more heavily on third-party vendors for essential operations, their exposure to supply chain vulnerabilities has escalated. In this context, financial institutions are urged to maintain a heightened state of vigilance, implementing ongoing monitoring of external attack surfaces. It is crucial for organizations to map their critical business processes and technology dependencies to identify potential points of failure, creating a registry of at-risk vendors.

Additionally, firms should proactively monitor the IT infrastructures of their third-party providers to uncover and mitigate latent supply chain risks. The International Monetary Fund (IMF) has recently cautioned that financial institutions are increasingly targeted by threat actors. In fact, these organizations account for nearly 20% of the global tally of data breaches, illustrating the pressing need for increased scrutiny on third-party partnerships.

The IMF’s report highlights that financial sector incidents could pose threats to economic stability by undermining confidence in the financial system and disrupting critical services. The growing dependence on external IT service providers, particularly in light of emerging artificial intelligence applications, further complicates this landscape. While these third-party solutions can bolster operational resilience, they also expose the financial sector to possible systemic shocks.

On the international front, the UK is experiencing a marked increase in ransomware attacks targeting financial institutions: incidents nearly doubled in 2023, according to recent data from the Financial Conduct Authority (FCA), which documented 51 cyber incident reports in the first half of the year alone. Amid this troubling rise, however, large regulated financial entities in the UK have witnessed a 53% decline in cyber attacks in the same timeframe, suggesting a possible effect of heightened regulatory oversight by the FCA.

Incidents linked to cyber attacks against third-party providers saw a significant decrease of over a third, and data breaches associated with cyber incidents dropped by 29%. This trend may be attributed to the FCA’s expanding requirements for regulated firms, which now must establish impact tolerances, conduct testing to identify vulnerabilities, perform crisis simulations, and devise comprehensive communication strategies.

Starting March 2025, financial organizations will be mandated to implement protective measures against third-party attacks and ensure operational resilience. The ongoing landscape of cyber threats, particularly those affecting the financial domain, suggests that adherence to frameworks such as the MITRE ATT&CK Matrix is essential for organizations seeking to fortify their security protocols. Potential adversary tactics relevant to these vulnerabilities may include initial access through supply chain compromises, persistence through establishing footholds in vendor networks, and privilege escalation to access sensitive financial data.

As the banking sector grapples with these escalating threats, the imperative for robust cybersecurity strategies cannot be overstated. Continuous adaptation and preparedness are essential to safeguard against future breaches, particularly in an environment where the attack surface is continually expanding.
