Recent research reveals a significant uptick in third-party and fourth-party breaches within Europe’s financial sector, impacting nearly all major institutions in the region over the past year. The study, conducted by SecurityScorecard, indicates that breaches of this nature surged by 25% compared to the previous year, with an alarming 96% of financial entities experiencing at least one third-party breach and 97% encountering at least one fourth-party breach.
The UK has reported the highest incidence of third-party breaches, followed closely by Germany and Switzerland. In contrast, Malta, Luxembourg, and Portugal exhibited the lowest levels of exposure along with the highest average cybersecurity grades. Interestingly, Switzerland tops the list for third-party breaches per institution, followed by the Netherlands and the UK. These findings underscore a complex vendor landscape and notable deficiencies in risk oversight among these firms.
“A 25% increase in third-party breaches among Europe’s leading financial institutions serves not only as a warning but a clarion call for action,” stated Corian Kennedy, Senior Manager of Threat Insights and Attribution at SecurityScorecard. Kennedy emphasized that cyber threats have permeated supply chains and institutions must transition from reactive to proactive defensive strategies to address this evolving threat landscape.
Despite a negligible decrease in direct breaches—only 7% of financial institutions reported such incidents, down from 8%—the influence of vulnerable suppliers loomed large, affecting almost all surveyed organizations. Malware and insider threats remain prominent issues, demonstrating that even in the absence of direct breaches, vulnerabilities in supplier networks can lead to substantial risks.
Recent high-profile incidents, such as the MOVEit vulnerability, which incurred over $65 billion in damages, exemplify the severe repercussions of third-party breaches. In particular, the breach of Zürcher Kantonalbank exposed customer account details and personal information through its mobile application, while a cyberattack affecting Credit Suisse, shortly before its merger with UBS, compromised sensitive data of 19,000 employees in India.
According to the data from SecurityScorecard, just a small cohort of threat actor groups is responsible for a significant share of global cyber incidents, with Cl0p, APT28, and the Cobalt Group identified as top players in exploiting third-party vulnerabilities. The report illustrates a critical concern regarding vendor dependency, highlighting that a mere 15 companies now control 62% of the global tech market, thereby amplifying risks for organizations reliant on these vendors.
The researchers call for a more unified approach to third-party risk governance across Europe, especially in jurisdictions with substantial exposure to such risks, all of which are subject to regulation under the Digital Operational Resilience Act (DORA). Continuous monitoring of third- and fourth-party vendor networks, alongside enhancements in application and network security standards, is essential for organizations in today’s environment.
Recommendations include fortifying DNS health, endpoint security, and patching protocols in high-risk environments to mitigate threats effectively. SecurityScorecard also encourages organizations to align their practices with DORA requirements by embedding continuous and evidence-based oversight into their procurement and vendor management strategies.