
European Financial Sector Grapples with Surging Third-Party Security Breaches

Europe's largest financial institutions are facing an escalating wave of security breaches that originate not in their own systems but in their vast networks of third-party vendors, a trend that poses a significant threat to the continent's financial stability. Recent research from security ratings firm SecurityScorecard documents a sharp increase in such incidents and highlights a critical weakness in the industry's interconnected digital ecosystem: the attack surface now extends well beyond anything a single institution controls.


According to SecurityScorecard's analysis of Europe's top 100 financial firms, ranked by assets under management, 96% experienced at least one security breach stemming from a third-party organisation in the past year. That is up from 78% in the same survey two years earlier, an 18 percentage-point rise that SecurityScorecard characterises as a 25% surge. The trend underscores a worrying expansion of the attack surface beyond the direct control of the financial institutions themselves.

The problem extends even further down the supply chain. The report indicates that 97% of these firms suffered a breach via a "fourth party", that is, a supplier of one of their own suppliers, up from 84% in the previous report two years ago. The figure illustrates how complex and often opaque modern digital interdependencies have become: a firm can vet its direct vendors thoroughly and still inherit exposure from parties it has never contracted with. By contrast, direct breaches of the financial firms themselves were comparatively rare at 7%, a slight decrease from 8% in the 2023 report, suggesting that while perimeter defences may be improving, indirect exposure is proliferating.


DORA Regulations - EU banking

These findings emerge on the heels of the Digital Operational Resilience Act (DORA), which came into application on 17 January 2025. DORA is a landmark European regulation designed to strengthen the cyber resilience of financial entities by setting out clear responsibilities for operational resilience, including the management of ICT third-party risk. The act places obligations on financial institutions for the resilience of the software and IT services that underpin their operations, and brings critical ICT third-party service providers under a direct EU oversight framework, so that accountability for resilience is shared across the supply chain rather than resting on the financial entity alone. While DORA is a European initiative, it reflects a growing global recognition of the need for robust cyber resilience frameworks across financial sectors worldwide.

Corian Kennedy, senior manager of threat insights and attribution at SecurityScorecard, emphasised the gravity of the situation, stating, "A 25% surge in third-party breaches among Europe's top financial institutions is more than a warning; it is a call to action. Cyber threats are no longer confined to the perimeter. They are embedded deep within supply chains. Institutions must evolve from reactive to proactive defence strategies to meet the escalating challenge."


The prevalence of these breaches comes as little surprise to industry insiders. Financial services firms run exceptionally complex technology estates and depend on a myriad of suppliers, from core banking platforms and payment processors to cloud hosting and managed security services. Every one of those relationships is a potential entry point, which makes the extended network an attractive target for attackers who find a single under-defended supplier easier to compromise than a well-resourced bank. An IT security expert within the UK banking sector, commenting anonymously on the figures, said he was not surprised: "I would have expected 100% of firms to be impacted by third-party failures of various types. The 4% that claim not to have been affected surprises me more." The remark reflects a widespread view within the industry that third-party risk is an all but inevitable component of modern financial operations.


Geographically, the impact of third-party breaches is not uniform across Europe. Switzerland recorded the highest average number of third-party breaches per firm, at approximately 172, followed by the Netherlands (148) and the UK (136). The report does not attribute the disparity to any single cause; plausible contributors include the density of financial institutions in each market, the size and complexity of their supply chains, and differing levels of cybersecurity maturity and breach reporting.


SecurityScorecard's analysis also pointed to the concentration of the threat actors behind these incidents, noting that just 10 threat actor groups accounted for 44% of the cyber incidents it recorded globally. The report observed that "These incidents underscore how hidden vulnerabilities in interconnected digital environments can severely impact even the most established financial institutions."


Adding another layer to this threat landscape, SecurityScorecard previously reported that even financial technology (fintech) companies, which often maintain strong security postures, are susceptible to third-party weaknesses. Its research last month found that although the fintech sector ranked highest in security posture among all sectors studied, weak links in fintech firms' own third-party networks still opened the door to breaches. Specifically, 41.8% of breaches affecting top fintech companies originated with third-party suppliers, and more than 18% came via fourth parties. The lesson is that a strong internal posture does not immunise an organisation against risk inherited through its extended digital supply chain.
