Top U.S. Banks Face Rising Risks from Third-Party Data Breaches in 2024

December 12, 2024

A staggering 97% of the top 100 U.S. banks faced substantial risks due to third-party data breaches in 2024, as reported by SecurityScorecard. This alarming statistic underscores significant vulnerabilities in their supply chains, primarily driven by the increasing reliance on third-party vendors for critical operational functions. As banks grow more dependent on external partners, the potential for cyberattacks grows exponentially, raising questions about the robustness of their cybersecurity measures. The interconnectedness of modern digital ecosystems means that a vulnerability in a single third-party vendor can cascade through the supply chain, affecting numerous institutions.

SecurityScorecard’s comprehensive study utilized an extensive proprietary risk and threat intelligence dataset to assess the impact of these breaches. Although only 6% of vendors were compromised, the repercussions were profound, affecting nearly the entirety of the banking sector. This highlights how a breach in even a small number of vendors can have far-reaching consequences, showcasing the need for enhanced oversight and robust security measures. Furthermore, fourth-party breaches, meaning breaches at the vendors of a bank’s third-party vendors, compounded the issues: nearly all banks experienced these additional risks, which were linked to just 2% of vendors.

Extensive Analysis and Findings

The study’s methodology was meticulous, involving the analysis of the top 100 U.S. banks by market capitalization and assessing over 9,000 domains, including those of third- and fourth-party vendors. SecurityScorecard’s threat intelligence model leverages non-intrusive data collection to grade companies’ cybersecurity performance on a scale from A to F, based on ten predictive factors. This grading system has proven instrumental in identifying areas of vulnerability and directing resources to where they are most needed. The results painted a concerning picture of the current state of cybersecurity within the banking sector, illustrating the critical need for more robust third-party risk management.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the complex challenges faced by the banking sector. He highlighted that even non-breach issues, such as software vulnerabilities or misconfigurations within third-party vendors, can lead to significant risks. Citing the CrowdStrike incident as an example, he noted how vulnerabilities in a single vendor can lead to widespread repercussions, potentially destabilizing entire financial systems. This interconnected risk landscape underscores the need for proactive measures and comprehensive cybersecurity strategies to mitigate these threats.

Proactive Measures and Recommendations

To address these growing concerns, SecurityScorecard’s STRIKE team has offered several cybersecurity recommendations aimed at mitigating the risks associated with third-party vendors. One key recommendation is the continuous monitoring of external attack surfaces. This involves maintaining an up-to-date understanding of all potential entry points for cyber attackers and ensuring they are secured against potential threats. Another recommendation is identifying single points of failure in business processes, which can minimize vulnerabilities and enhance overall system resilience.

Additionally, the STRIKE team advises passively monitoring new vendor IT deployments. This approach allows organizations to detect and resolve any hidden vulnerabilities in their supply chain without introducing additional risks. These measures collectively aim to bolster cybersecurity defenses, ensuring that any potential threats are identified and mitigated before they can cause significant damage. By implementing these strategies, banks can enhance their resilience against cyber threats, safeguarding both their own operations and the broader financial system.
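The single-point-of-failure recommendation above can be checked against a vendor inventory. The following is an added example, not code from SecurityScorecard or the report: it walks a bank-to-vendor dependency graph to find which banks a breach reaches and at which tier, and which vendors most banks share. All bank names, vendor names and dependencies are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not data from the report); all names are
# hypothetical. Direct (third-party) vendors, then each vendor's suppliers.
BANK_VENDORS = {
    "bank-a": {"core-proc", "cloud-x", "kyc-svc"},
    "bank-b": {"core-proc", "cloud-x"},
    "bank-c": {"cloud-x", "pay-gw"},
    "bank-d": {"pay-gw", "kyc-svc"},
    "bank-e": {"stmt-print"},
}
VENDOR_SUPPLIERS = {
    "core-proc": {"dns-host"},
    "cloud-x": {"dns-host", "cdn-1"},
    "pay-gw": {"cdn-1"},
    "kyc-svc": {"ocr-api"},
    "ocr-api": {"cdn-1", "kyc-svc"},  # mutual dependency: a cycle
    "stmt-print": {"dns-host"},
}

def upstream_tiers(bank):
    """Map each reachable vendor to its tier (3 = third party, 4 = fourth, ...)."""
    tiers = {}
    queue = deque((v, 3) for v in BANK_VENDORS.get(bank, ()))
    while queue:
        vendor, tier = queue.popleft()
        if vendor in tiers:  # reached earlier by a shorter path, or a cycle
            continue
        tiers[vendor] = tier
        queue.extend((s, tier + 1) for s in VENDOR_SUPPLIERS.get(vendor, ()))
    return tiers

def exposed_banks(breached):
    """Return {bank: closest tier at which a breached vendor sits}."""
    exposed = {}
    for bank in BANK_VENDORS:
        hits = [t for v, t in upstream_tiers(bank).items() if v in breached]
        if hits:
            exposed[bank] = min(hits)
    return exposed

def single_points_of_failure(min_share=0.5):
    """Vendors whose compromise alone would expose >= min_share of banks."""
    counts = {}
    for bank in BANK_VENDORS:
        for vendor in upstream_tiers(bank):
            counts[vendor] = counts.get(vendor, 0) + 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(v, n) for v, n in ranked if n >= min_share * len(BANK_VENDORS)]
```

In this constructed inventory, a breach at the single fourth-party `dns-host` (one of eight vendors) reaches four of the five banks, none of which lists it as a direct vendor.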

Strategic Guidance for Financial Sector

In 2024, an astonishing 97% of the top 100 U.S. banks were exposed to significant risks from third-party data breaches, according to SecurityScorecard. This statistic highlights substantial vulnerabilities within their supply chains, driven by the growing dependence on third-party vendors for essential operations. As reliance on external partners increases, the likelihood of cyberattacks rises sharply, casting doubt on the sturdiness of their cybersecurity protocols. Given the interconnected nature of modern digital ecosystems, a security flaw in a single third-party vendor can ripple through the supply chain, impacting numerous institutions.

SecurityScorecard’s thorough study used a vast proprietary risk and threat intelligence dataset to evaluate the breaches’ effects. Although only 6% of vendors were compromised, the consequences were significant, affecting nearly the entire banking sector. This reveals that breaches in just a few vendors can have widespread impacts, emphasizing the need for better oversight and stronger security measures. Additionally, fourth-party breaches, meaning breaches at the vendors of a bank’s third-party vendors, exacerbated the situation, with nearly all banks facing these risks tied to just 2% of vendors.
