Research from SecurityScorecard reveals that nearly every major financial institution in Europe has faced third-party and fourth-party cyber breaches over the past year.
The company’s assessment of the continent’s top 100 financial entities based on assets under management (AUM) indicates a concerning 25% increase in third-party breaches within the last year. This underscores significant systemic vulnerabilities entrenched within digital supply chains.
These findings emerge in the wake of the Digital Operational Resilience Act (DORA), which took effect in January 2025. This legislation has intensified regulatory scrutiny on financial entities to improve their third-party risk management and cyber resilience strategies.
A staggering 96% of the top 100 financial institutions in Europe reported at least one third-party breach in the last 12 months, a sharp increase from 78% noted in the previous year.
Furthermore, 97% of these institutions identified a breached entity within their fourth-party network, rising from 84% in a previous assessment.
In contrast, just 7% experienced a direct breach, a slight decrease from the 8% reported last year. Malware and insider threats persist as significant contributors to these breaches.
The study also pointed out that 94% of institutions rated ‘A’ in cybersecurity had no recorded breaches.
Nonetheless, 13% of firms fell into the ‘C’ rating bracket or lower. That is an improvement from 18%, and it is better than the European sector average of 31%.
According to the report, the UK saw the highest number of third-party breaches, followed by Germany and Switzerland, while Malta, Luxembourg, and Portugal exhibited the lowest exposure levels and the best average cybersecurity grades.
“The 25% increase in third-party breaches among Europe’s leading financial institutions should serve as more than just an alarm bell; it’s a clarion call for action,” remarked Corian Kennedy, senior manager of threat insights and attribution at SecurityScorecard.
“Cyber threats are no longer limited to perimeter defenses; they are intricately woven into supply chains. Financial institutions must transition from reactive to proactive defense mechanisms to tackle these growing challenges.”
Data from SecurityScorecard highlights that just ten cyber threat actor groups accounted for 44% of global cyber incidents, with C10p, APT28, and Cobalt Group at the forefront of third-party exploitation. The reliance on a limited number of vendors exacerbates risk, as 15 companies currently hold 62% of the global technology market.
Notable incidents, such as the MOVEit vulnerability, which resulted in over $65 billion USD in damages, underscore the potential for a single weak point to disrupt operations across numerous downstream entities.