Research Reveals Hidden Cyber Risks in Financial Supply Chain
Cybersecurity vulnerabilities in the financial sector’s supply chain have come to light through new research from BitSight. The study finds that many technology providers serving financial institutions have weaker cybersecurity performance than the banks and trading platforms they support. This underscores the potential risks that lie beyond the major financial entities on which attention usually focuses during cyber incidents.
The report, titled “Exposed Cyber Risk in the Financial Sector and its Supply Chain,” analyzed over 41,000 financial organizations and more than 50,000 relationships with third-party technology providers. The findings indicate significant dependencies, uneven monitoring, and major gaps in risk management across the sector’s digital landscape.
Critical Suppliers and Their Cybersecurity Performance
Researchers identified 99 crucial technology suppliers within the financial sector. While names like Microsoft, Google, and Bloomberg were expected, lesser-known companies such as General Dynamics, which supports legacy COBOL systems, and NICE Group, specializing in access control and automation, emerged as vital yet overlooked players. These firms are referred to as “hidden pillars” because they support essential systems that often go unnoticed until a breach highlights their significance.
The research compared the cybersecurity performance of financial organizations against their suppliers across 22 risk categories. Alarmingly, suppliers performed worse in 16 of these categories, with discrepancies reaching up to 15 percent. Although suppliers excelled in email and domain security standards, they fell short in areas related to vulnerability management. The report suggests that suppliers’ larger digital footprints may increase their susceptibility to attacks, compounded by the risks inherited from the services they deliver.
Regulatory Oversight and Monitoring Gaps
Financial institutions face stringent regulatory oversight from bodies such as the FDIC, Federal Reserve, SEC, and FINRA, which mandate ongoing third-party due diligence. Despite these requirements, the research indicates that the technology backbone of the financial sector may be less secure than the institutions that rely on it.
The study also examined the common assumption that larger technology providers are better at cybersecurity. Contrary to expectations, data revealed that suppliers with greater market share often had lower security ratings than their smaller counterparts. This trend may be attributed to the complexity of their infrastructure and the volume of customers, which can increase potential entry points for attackers. The researchers caution that reliance on a few large vendors heightens systemic exposure should any of them experience a significant security breach.
Progress has been made in third-party risk management, yet the data from BitSight shows that financial organizations monitor only an average of 36.3 percent of their supply chain for cyber risks. This figure, while better than the 24.6 percent average in other sectors, still leaves a substantial portion of suppliers unmonitored. The report indicates that unmonitored suppliers possess nearly three times as many critical vulnerabilities as those under observation, reinforcing the importance of active monitoring in enhancing visibility and promoting better security practices among suppliers.
Interestingly, the research uncovered a surprising trend: suppliers monitored by a larger number of organizations tend to exhibit a slight decline in cybersecurity performance. The researchers suggest that this may be related to the concentration of monitoring on larger, more complex firms that already face challenges with exposure.
As the financial sector grapples with these findings, the need for enhanced vigilance and more robust cybersecurity strategies becomes increasingly apparent. The complexities of the sector’s digital supply chain demand attention, ensuring that all links—both visible and hidden—are fortified against evolving cyber threats.
