Virtually all of the top 100 US banks were hit by third party data breaches last year, including every one of the top ten.
Research from SecurityScorecard found 97% of firms reported third-party breaches across the year, although only 6% of vendors were compromised.
A similar number also suffered fourth-party breaches, traced back to just 2% of vendors.
Ryan Sherstobitoff, senior vice president of threat research and intelligence, said the research highlights the increasingly perilous threat landscape faced by financial services.
“Nearly all major US banks faced third-party breaches, exposing serious weaknesses across our interconnected digital ecosystem,” he said.
“For banks, these third-party vulnerabilities mean one compromised vendor could destabilize the entire financial system.”
As banks increasingly rely on third-party vendors for core functions, SecurityScorecard said their exposure to supply chain vulnerabilities grows.
As a result, the banking sector should remain highly vigilant and continuously monitor external attack surfaces. Organizations should also map the critical business processes and technologies to identify any single points of failure, and create a watch list with these vendors.
Meanwhile, they should passively monitor vendors’ IT deployments to identify and resolve hidden supply chain risks.
Earlier this year, the International Monetary Fund (IMF) warned that financial institutions are increasingly targeted by threat actors, with organizations accounting for nearly one-fifth of the total number of breaches globally.
A key risk for financial services firms, the report warned, was the industry’s growing reliance on third-party vendors.
“Incidents in the financial sector could threaten financial and economic stability if they erode confidence in the financial system, disrupt critical services, or cause spillovers to other institutions,” the report warned.
“Another consideration is that financial firms increasingly rely on third-party IT service providers, and may do so even more with the emerging role of artificial intelligence. Such external providers can improve operational resilience, but also expose the financial industry to systemwide shocks.”
In the UK, the number of ransomware attacks on financial institutions nearly doubled in 2023, with the Financial Conduct Authority (FCA) receiving 51 cyber incident reports just in the first half of the year.
However, over the last year, large, regulated financial institutions in the UK have seen a notable drop in the number of cyber attacks, with the number 53% down for the first nine months of this year.
Incidents related to a cyber attack against third-party providers dropped by more than a third, while data breaches tied to cyber incidents fell by 29%.
That may be because of increased oversight by the FCA, which is expanding the requirements it places on regulated financial firms.
Firms are now required to set impact tolerances, carry out testing to identify vulnerabilities, conduct crisis simulation exercises, and develop robust internal and external communication plans.
From March 2025, they will also be expected to take measures to protect themselves from third party attacks and maintain operational resilience.
