European financial firms are battling a huge rise in third-party breaches

Financial services firms across Europe are contending with a sharp rise in third-party and fourth-party breaches, new research shows, with nearly every major financial institution in the region hit during the last year.
Breaches of these kinds increased by a quarter compared to the year prior, according to SecurityScorecard: 96% of the institutions studied experienced at least one third-party breach in the past year, and 97% at least one fourth-party breach (a breach at a supplier of one of their own suppliers).
Financial services firms in the UK reported the highest number of third-party breaches, followed by Germany and Switzerland, while Malta, Luxembourg, and Portugal had the lowest exposure and highest average cybersecurity grades.
On a per-institution basis, Switzerland had the most third-party breaches, the study found, followed by the Netherlands and the UK. Researchers noted that these findings point to an increasingly complex vendor ecosystem alongside glaring gaps in risk oversight.
“A 25% surge in third-party breaches among Europe’s top financial institutions is more than a warning, it is a call to action,” said Corian Kennedy, senior manager of threat insights and attribution at SecurityScorecard.
“Cyber threats are no longer confined to the perimeter. They are embedded deep within supply chains. Institutions must evolve from reactive to proactive defense strategies to meet the escalating challenge.”
Only 7% of financial institutions suffered a direct breach, down from 8% the year before, with malware and insider threats remaining key culprits. However, even without direct breaches, supplier vulnerabilities impacted nearly all the institutions surveyed.
Incidents such as the mass exploitation of the MOVEit vulnerability, which the researchers say led to over $65 billion in damages, show just how far the effects of a single third-party breach can reach.
In Europe, notable cyber attacks over the last year included the breach of Zürcher Kantonalbank, which saw customer account balances and personal information exposed via its mobile app.
In the same month as the Zürcher Kantonalbank breach, Credit Suisse – now part of UBS – reported a cyber attack affecting 19,000 employees in India, compromising a raft of sensitive personal data.
According to SecurityScorecard’s data, just ten threat actor groups were responsible for 44% of global cyber incidents, with Cl0p, APT28, and Cobalt Group the main culprits in third-party exploitation.
Vendor dependency is a big problem
Crucially, the report from SecurityScorecard noted that a growing dependence on a small group of vendors continues to amplify risk.
Just 15 companies now represent 62% of the global tech market, researchers found, underlining the grave risks faced by organizations if just one were to be compromised.
As a result, the company called for a more harmonized approach to third-party risk governance across Europe, particularly in high-exposure jurisdictions, many of which fall under the EU's Digital Operational Resilience Act (DORA).
Organizations should continuously monitor third- and fourth-party vendor networks and improve application and network security capabilities, researchers said.
Efforts to strengthen DNS health, endpoint security, and patching cadence in high-risk environments were also highlighted by researchers.
Similarly, SecurityScorecard advised organizations to align with DORA requirements by integrating continuous, evidence-based oversight into procurement and vendor management.