Freely subscribe to our NEWSLETTER

Key takeaways include:

78% of financial institutions experienced a third-party data breach in the past year. In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance.

84% of financial institutions have been exposed to a fourth-party breach – illustrating how a vast web of unseen risks are hiding in plain sight. Visibility across the entire third-and fourth-party ecosystem is mission-critical, yet organizations lack consensus on how to measure and track fourth-party risk.

Just 3% of the third-party vendors analyzed were breached – which underscores the massive butterfly effect that hackers are just starting to take advantage of. Spotlights a single supply chain attack’s dramatic impact on the threat landscape. Supply chain attacks attract cybercriminals because when widely used software is compromised, attackers gain access to potentially all organizations that use that software.

18% had a cybersecurity ’C’ rating or below, making them four to seven times more likely to suffer a breach than those with an ’A’ rating. Seven factors that drive cyber risk and can be predictive of a breach, including endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.

"If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower," said Matthew McKenna, Chief Sales Officer, SecurityScorecard. "Financial entities need a trusted view of security risk. SecurityScorecard dynamically discovers risk across a customer’s attack surface, including their third- and fourth-party ecosystem, to dramatically reduce the risk of a compromise."

Cyber risk by financial vertical:

Retail banks at highest risk – 82% experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.

Insurance firms have the lowest security scores – 24% have a ’C’ security rating or below, and 78% reported a third- or fourth-party breach.

Private equity firms prioritize cybersecurity – No breaches on their own domains, and achieved the highest ratings with only 9% at a ’C’ rating or below.

DORA implications for third-party risk management

Managing third-party risk is a core theme of DORA and the EU approach to digital cyber risk more broadly. DORA requires financial entities to identify and assess all third-party risks. This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity’s ability to continue operating in the event of a third-party incident.

"Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector," said Dan Morgan, Senior Government Affairs Director, Europe & APAC, SecurityScorecard. "Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU."

Research Methodology

SecurityScorecard examined the cybersecurity profiles of the largest 240 financial institutions, including their third- and fourth-party vendor operations in Europe in 2023. This aggregates into an ecosystem of 26,142 domains. The top 240 were determined by current revenue, assets under management, or gross written premium. The 240 financial institutions included private equity, asset management, retail banks, Insurance, and pension funds.

This financial institution ecosystem was scored and analyzed against reported data breaches to demonstrate the cybersecurity posture of the financial market in the lead-up to the full implantation of DORA in January 2024.

SecurityScorecard ratings offer easy-to-read A-F ratings across ten risk factors (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering). Each factor has a numerical weight, which reflects the severity or risk that the factor contributes to an organization’s overall cybersecurity posture.

SecurityScorecard utilizes machine learning to optimize the weights of its risk factors. This data-driven approach maximizes the correlation between SecurityScorecard scores and the relative likelihood of a breach. Organizations with an ’A’ rating are 7x7 times less likely to experience a cybersecurity breach. SecurityScorecard continuously monitors the threat landscape and evaluates new data sources and new analytics to better reflect cybersecurity risk.