Almost all (96%) of Europe’s largest financial services organisations have been affected by a security breach at a third-party organisation, research has found.
This was 25% higher than when the same survey was carried out two years ago, according to the report’s author, SecurityScorecard.
The risk management company analysed the top 100 finance firms in Europe, in terms of assets under management, and found that 96% suffered at least one third-party breach in the past year. This was compared with 78% in the previous report two years ago.
It also revealed that 97% had a breach via a fourth party, the partners of their partners, which was up from 84% two years ago. A total of 7% suffered a direct breach, which was down from 8% in the 2023 report.
The findings come after the introduction of the Digital Operational Resilience Act (Dora), which entered into application in January this year.
The act covers a number of aspects of cyber resilience, auditability, and the responsibilities shared between financial institutions and the third-party software and IT service providers whose products and services power their business operations. Although Dora is a European regulation, affecting companies that operate in the European Union (EU), other regions are also putting cyber resilience requirements in place.
“A 25% surge in third-party breaches among Europe’s top financial institutions is more than a warning; it is a call to action,” said Corian Kennedy, senior manager of threat insights and attribution at SecurityScorecard. “Cyber threats are no longer confined to the perimeter. They are embedded deep within supply chains. Institutions must evolve from reactive to proactive defence strategies to meet the escalating challenge.”
The figures should not come as a surprise. Financial services firms have complex ecosystems of technology suppliers involved with different aspects of their business, and cyber criminals target them.
One IT security expert in the UK banking sector, who wished to remain anonymous, said they were not surprised by the figures. “I would have expected 100% of firms to be impacted by third-party failures of various types,” they said. “The 4% that claim not to have been affected surprises me more.”
Switzerland recorded the most third-party breaches, with an average of about 172 per firm, followed by the Netherlands (148) and the UK (136).
According to SecurityScorecard’s data, just 10 threat actor groups were responsible for 44% of global cyber incidents. “These incidents underscore how hidden vulnerabilities in interconnected digital environments can severely impact even the most established financial institutions,” it said.
Last month, SecurityScorecard reported that financial technology (fintech) companies that supply tech to the big finance firms are at risk from third-party weaknesses, despite their strong security postures.
It found that the fintech sector ranked highest of all sectors studied when it came to security posture, but that potential third-party weak links could open the door to security breaches.
It revealed that 41.8% of breaches impacting top fintech companies originated from third-party suppliers, and more than 18% of breaches came via fourth parties – the partners of the fintechs’ partners.