A staggering 97% of the top 100 banks in the United States, including all of the top ten, experienced third-party data breaches in 2023, according to new research by SecurityScorecard. The findings shed light on the growing cybersecurity risks facing the financial sector due to its deepening reliance on external vendors.
Although only 6% of third-party vendors were directly compromised, the widespread impact on financial institutions reveals the fragility of the interconnected digital infrastructure. Fourth-party breaches—those linked to the vendors’ vendors—were also reported by nearly the same number of banks, with just 2% of those suppliers being the source.
Ryan Sherstobitoff, Senior VP of Threat Research and Intelligence at SecurityScorecard, emphasized the gravity of these vulnerabilities. “Nearly all major US banks faced third-party breaches, exposing serious weaknesses across our interconnected digital ecosystem,” he stated. “A single compromised vendor could destabilize the entire financial system.”
The report urges financial institutions to stay vigilant by continuously monitoring their external attack surfaces. It recommends mapping out critical business functions and technologies to identify single points of failure, creating watchlists of high-risk vendors, and passively tracking IT infrastructure for hidden supply chain threats.
Earlier this year, the International Monetary Fund (IMF) echoed similar concerns, warning that cyber incidents in the financial sector now account for nearly 20% of global breaches. The IMF stressed that heavy dependence on third-party IT service providers—especially with the rise of artificial intelligence—could expose the sector to systemwide shocks and weaken economic stability.
In contrast, the UK’s financial sector saw notable improvements overall. Although the Financial Conduct Authority (FCA) reported that ransomware attacks nearly doubled in early 2023, the total number of cyber incidents dropped by 53% in the first nine months of the year, and third-party-related breaches fell by more than a third.
This decline may be attributed to the FCA’s tightened oversight, including new requirements for firms to define impact tolerances, run crisis simulations, and enhance communication strategies. Beginning March 2025, UK financial firms will also be required to implement stricter protocols to guard against third-party cyber threats and ensure operational resilience.
News Source: ITPro.com