Financial services failing to tackle third party cyber threats

Amid looming new rules on third party security risks the financial services sector has been warned it is still failing to address cyber threats.

In a new report the Digital Operational Resilience Act (DORA), by cyber security experts, SecurityScorecard, found that the financial services sector was struggling to manage their third and fourth party risks with insurers falling behind their financial peers.

The report analyses 240 of the largest financial institutions in the European Union that must comply with the DORA by January 2025.

It found 78% of financial institutions experienced a third-party data breach in the past year. In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance.

The company said 84% of financial institutions have been exposed to a fourth-party breach. “It illustrates how a vast web of unseen risks are hiding in plain sight,” the report added. “Visibility across the entire third-and fourth-party ecosystem is mission-critical, yet organisations lack consensus on how to measure and track fourth-party risk.”

However, the report said only 3% of the third-party vendors analysed were breached. “ This underscores the massive butterfly effect that hackers are just starting to take advantage of. It spotlights a single supply chain attack’s dramatic impact on the threat landscape. Supply chain attacks attract cybercriminals because when widely used software is compromised, attackers gain access to potentially all organisations that use that software.”

Of greater concern was that 18% of businesses had a cybersecurity ‘C’ rating or below, making them four to seven times more likely to suffer a breach than those with an ‘A’ rating.

The rating considered seven factors that drive cyber risk and can be predictive of a breach, including endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.

“If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, chief sales officer, SecurityScorecard.

Retail banks were found to be at highest risk. In all 82% experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.

Insurance firms had the lowest security scores, with 24% having a ‘C’ security rating or below, and 78% having reported a third- or fourth-party breach.

“Managing third-party risk is a core theme of DORA and the EU approach to digital cyber risk more broadly. DORA requires financial entities to identify and assess all third-party risks,” the report explained. “This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity’s ability to continue operating in the event of a third-party incident.”

“Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector,” said Dan Morgan, senior government affairs director, Europe & APAC, SecurityScorecard. “Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”

Retail banks were found to be at highest risk. In all 82% experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.