Major US banks largely suffered data breaches orchestrated by third parties during the past year.

Major U.S. banks experienced data breaches through third-party sources in 2024, as per recent findings by SecurityScorecard.

Leading American banks suffered numerous security incidents involving third-party entities in the previous year

In the rapidly evolving digital landscape of the financial sector, a recent study has highlighted the increasing peril faced by financial institutions due to third-party data breaches. The research, which analysed the activities of the top 100 US banks, revealed that nearly all of them experienced third-party data breaches last year.

The study also found that for banks, these third-party vulnerabilities could potentially destabilize the entire financial system. A similar number of firms also suffered fourth-party breaches, with these traced back to just 2% and 6% of vendors respectively.

The findings underscore the growing threat landscape that the financial services sector is navigating. The International Monetary Fund (IMF) had earlier this year warned that financial institutions are increasingly targeted by threat actors, with such organisations accounting for nearly one-fifth of the total number of breaches globally.

The UK is not immune to these threats. The number of ransomware attacks on financial institutions in the UK nearly doubled in 2023. However, a glimmer of hope emerged as incidents related to cyber attacks against third-party providers dropped by more than a third in the UK.

In response, regulatory bodies are taking action. From March 2025, regulated financial firms in the UK will be expected to take measures to protect themselves from third-party attacks and maintain operational resilience. The Financial Conduct Authority (FCA) is expanding the requirements it places on regulated financial firms, including setting impact tolerances, carrying out testing to identify vulnerabilities, conducting crisis simulation exercises, and developing robust internal and external communication plans.

Financial institutions are adopting a combination of strategies to mitigate these threats. Enhanced third-party risk management and continuous monitoring, implementation of zero trust architecture, advanced AI and machine learning-driven threat detection, supply chain and third-party cybersecurity scrutiny, quantum-resistant cryptography, and regulatory-guided supervisory processes are some of the key strategies being employed.

These strategies represent a layered security posture, involving technological innovation, strict governance oversight, continuous monitoring, and adherence to evolving regulatory standards. The aim is to effectively mitigate third-party and supply chain vulnerabilities in the financial sector.

Large, regulated financial institutions in the UK have meanwhile seen a notable drop in the number of cyber attacks, which was down 53% for the first nine months of 2023. This drop in cyber attacks, coupled with the increased vigilance and proactive measures being taken by financial institutions and regulatory bodies, offers a promising outlook for the future of cybersecurity in the financial sector.

  1. The financial industry, particularly banks, faces an increasing risk of destabilization due to third-party and fourth-party data breaches, as highlighted by a recent study on the top 100 US banks.
  2. Financial institutions across the globe, including the UK, are becoming more targeted by threat actors, with such organizations accounting for nearly one-fifth of the total number of breaches worldwide.
  3. In response to the growing cybersecurity threats, regulatory bodies such as the UK's Financial Conduct Authority (FCA) are implementing stricter requirements for regulated financial firms, including measures to protect against third-party attacks and maintain operational resilience.
  4. To combat these threats, financial institutions are adopting various strategies like enhanced third-party risk management, quantum-resistant cryptography, and adherence to evolving regulatory standards, aiming to create a layered security posture that effectively mitigates third-party and supply chain vulnerabilities.
