The Expanding Threat Landscape: Third-Party Risk and the future of Financial Cybersecurity
The financial sector is facing a growing and increasingly elegant cybersecurity challenge. It’s no longer enough to focus solely on protecting your own infrastructure. the expanding reliance on third-party fintech providers – while driving innovation – is dramatically increasing your exposure to risk. Recent events, like the breach at financial technology provider situsamc, underscore this critical reality.
What Happened with SitusAMC?
On November 25th, SitusAMC confirmed a data breach impacting accounting records and legal agreements. Their response, focusing on keyword searches within impacted file paths to identify affected clients, highlights the complex process of containment and assessment following such an incident. But this isn’t an isolated case. It’s a symptom of a much larger trend.
The Rise of Third-Party & Fourth-Party Risk
Financial services ecosystems are becoming incredibly interconnected. You’re likely working with numerous fintech partners, and they likely have their own partners. This creates a cascading effect of potential vulnerabilities.
Here’s what the latest data reveals:
* 96% of Europe’s largest financial institutions were affected by a third-party breach in the last 12 months. (Source: SecurityScorecard) – a meaningful jump from 78% just two years prior.
* An astonishing 97% experienced a breach through a fourth party – the partners of your partners – up from 84%.
* Direct breaches to organizations themselves are actually decreasing (7% currently, down from 8%), indicating attackers are strategically shifting their focus.
One UK banking IT security expert, speaking anonymously, wasn’t surprised by these figures, stating they’d expect 100% of firms to be impacted by third-party failures.This sentiment underscores the pervasive nature of the threat.
Why Are Third-Party Breaches So effective?
Cybercriminals are evolving their tactics. They’re moving away from disruptive attacks and towards quiet data exfiltration.this means stealing sensitive information without promptly triggering alarms. As SecurityScorecard’s CISO, Steve Cobb, explains, this shift makes detection far more arduous and significantly raises the stakes for organizations relying on vendor-managed data.
Essentially, attackers are exploiting the weakest link in your chain – your partners. They understand that financial institutions often have robust internal security, making direct attacks more challenging.
What Can You Do to Protect Your Organization?
The good news is, you aren’t powerless. Proactive risk management is crucial.here’s a breakdown of essential steps:
- Elevate Third-Party Risk Management: Treat the security of your partners with the same rigor you apply to your internal systems. This isn’t just a compliance exercise; it’s a business imperative.
- Continuous Visibility: You need constant insight into the security posture of your entire vendor ecosystem. Real-time validation of partner controls is no longer optional.
- Comprehensive Risk Assessments: Regularly assess the risks associated with each third-party relationship. Don’t just rely on self-assessments; conduct independent verification.
- Contractual Safeguards: Ensure your contracts with vendors include clear security requirements, incident response plans, and audit rights.
- Incident Response Planning: Develop a robust incident response plan that specifically addresses third-party breaches. Know how you’ll contain the damage, notify affected parties, and recover your data.
- zero Trust Architecture: Implement a Zero Trust security model, verifying every user and device, regardless of location, before granting access to sensitive data.
The Regulatory Landscape is Changing
The pressure to improve third-party risk management isn’t just coming from the threat landscape; it’s also coming from regulators.
The European Union’s Digital Operational Resilience Act (DORA), effective January 2025, sets a new standard for cyber resiliency, auditability, and shared duty between financial institutions and their third-party providers. While a European regulation, its influence will be felt globally, as other regions are also strengthening their cybersecurity requirements.
DORA emphasizes:
* ICT Risk Management: A comprehensive framework for identifying,assessing,and managing ICT-related risks.
* Incident Management: Strict requirements for reporting and managing cyber incidents.
* **Digital
Related reading