Research | 5 mins
How Financial Institutions Can Stay Ahead of Supply Chain Attacks
Supply chain attacks are no longer an emerging risk; they are an established one. According to Verizon's 2024 Data Breach Investigations Report, exploitation of vulnerabilities as the initial path into a breach grew by 180% in 2023 compared with the previous year, and 15% of all breaches involved a third party or supplier, ranging from software supply chains to hosting partner infrastructure and data custodians.
In recent years, high-profile incidents such as the MOVEit Transfer breach have shown how even well-defended organizations can be compromised through a vulnerability in a third party's product. With over 2,000 organizations and 60 million individuals affected, MOVEit was the largest hack of 2023, and it exposed the risks that come with interconnected supply chains. To stay ahead of these attacks, businesses must rethink how they manage cybersecurity with their third-party vendors, especially as compliance requirements like the EU's Digital Operational Resilience Act (DORA) impose stricter standards.
The Financial Sector: A Target-Rich Environment
CISOs in financial institutions are facing an uphill battle. Hackers are increasingly targeting the financial sector due to its vast data reserves and heavy reliance on third-party services, creating an extended attack surface. It's not just about securing your own systems anymore. Every third-party vendor, cloud service, and software component opens a potential door for threat actors.
For example, a single misconfiguration in an AWS S3 bucket, or a vulnerability in a third-party HR tool, can give attackers a foothold. Shadow IT, software acquired without the IT function's knowledge, creates blind spots that no vendor review ever covers. Add the inherent risk of open-source components, which an institution consumes but does not control, and the attack surface becomes harder still to inventory, let alone defend.
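The "simple misconfiguration in an S3 bucket" usually means a bucket policy that grants access to the wildcard principal with nothing to narrow it. The following added example (not from the original article, and not an AWS tool) shows a weak policy beside a hardened one and a small offline checker that flags Allow statements reachable by anyone. Both policy documents, the bucket name and the account ID and role name in them are constructed placeholders; the list of "restricting" condition keys is an assumption that mirrors how AWS's own public-access evaluation treats them.

```python
"""Flag S3 bucket-policy statements that grant access to everyone.

Added example, not code from the original article. The two policies below are
constructed for illustration; the checker runs offline on a policy document and
answers the same question AWS's GetBucketPolicyStatus answers for a live bucket.
"""
import json

# Constructed: the classic misconfiguration. Principal "*" and no Condition
# means anyone on the internet can read every object in the bucket.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-vendor-exports/*"
  }]
}
""")

# Constructed: the same bucket, readable only by one role in the account and
# only over TLS. The account ID and role name are placeholders.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExportReaderOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-vendor-exports/*",
      "Condition": {"Bool": {"aws:SecureTransport": "true"}}
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-vendor-exports",
                   "arn:aws:s3:::example-vendor-exports/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")

# Assumed list: condition keys that pin a wildcard principal to a known set of
# callers. Any other key (or no Condition at all) leaves the statement public.
RESTRICTING_KEYS = {
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def condition_restricts_caller(condition) -> bool:
    """True if some condition key narrows the caller to an account, org or network."""
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in RESTRICTING_KEYS:
                return True
    return False


def public_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that anyone on the internet can use."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal")):
            continue
        if condition_restricts_caller(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public statements = {public_statements(policy)}")
```

Against a real account the equivalent check is `aws s3api get-bucket-policy-status` together with the account-level Block Public Access settings; the point of the offline version is that the weak and hardened policies differ in only two things, a named principal instead of "*" and a condition that restricts the caller, and a review of vendor-managed buckets should look for exactly those two things.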
Why Third-Party Risk Is Financial Institutions' Biggest Weak Spot
The financial sector's heavy investment in technology (DevOps, AI, and cloud computing) has introduced even more potential vulnerabilities. McKinsey has noted that many financial institutions are falling short in addressing these risks, particularly when it comes to managing third-party or supply-chain vulnerabilities. As developers pull in open-source packages and third-party APIs to accelerate their work, attackers find new ways to inject malicious code, sometimes spreading a payload across several packages so that no single one looks malicious on its own.
Sonatype's 2022 State of the Software Supply Chain report measured a 742% average annual increase in software supply chain attacks over the three years to 2022, and Gartner predicts that by 2025, 45% of organizations worldwide will have experienced an attack on their software supply chain. With attackers targeting not only companies but their entire supply chains, it is clear that traditional point-in-time assessments of third-party suppliers are no longer sufficient.
MOVEit: A Wake-Up Call
The MOVEit breach stands as a warning about the limitations of relying on security accreditations alone. In late May 2023, the Cl0p ransomware group exploited an SQL injection vulnerability in Progress Software's MOVEit Transfer product (CVE-2023-34362), at that point a zero-day, to steal data from organizations that ran the software or whose service providers did, resulting in widespread data theft and financial losses across industries worldwide. One estimate put the total cost at $9.93 billion.
MOVEit exposed the need for continuous monitoring of third-party vendors. Accreditations such as ISO 27001 or PCI DSS are point-in-time assessments and do not provide the real-time insight needed to catch exposure before it is exploited. There is a caveat worth stating plainly: because the flaw was a zero-day, no assessment could have flagged it in advance. What continuous monitoring buys is speed of response, knowing within hours of a disclosure which of your suppliers run the affected product, whether their instances are internet-facing, and whether they have patched.
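To make concrete what "an SQL injection vulnerability" means in a file-transfer product, here is an added example (not MOVEit's code and not from the original article): a toy user lookup against an in-memory SQLite database, written once with the input pasted into the SQL text and once with the value bound as a parameter. The table, the three accounts and the two attack strings are constructed for the example.

```python
"""SQL injection: a string-built query beside its parameterised fix.

Added example, not from the article and not MOVEit's code. A pretend
file-transfer service looks up a user by name; the vulnerable version lets an
attacker rewrite the WHERE clause, the fixed version does not.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three accounts at the pretend service."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.bank", 1),
         ("bob", "bob@example.bank", 0),
         ("carol", "carol@vendor.example", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Deliberately vulnerable: the caller's input becomes part of the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attack strings.
# 1. Tautology: turns the WHERE clause into "username = 'nobody' OR '1'='1'",
#    so every row comes back.
BYPASS = "nobody' OR '1'='1"
# 2. UNION: appends a second SELECT that pulls a column the query never
#    exposed (the admin flag), then comments out the trailing quote.
UNION_DUMP = "x' UNION SELECT username, CAST(is_admin AS TEXT) FROM users--"


if __name__ == "__main__":
    conn = make_db()
    for payload in (BYPASS, UNION_DUMP):
        print("payload      :", payload)
        print("vulnerable   :", lookup_vulnerable(conn, payload))
        print("parameterised:", lookup_parameterised(conn, payload))
```

The parameterised version returns nothing for either payload because the database driver treats the whole string as a value to compare against, quotes and all. That is the entire fix; input "sanitising" is not a substitute for it, and the same rule applies to any query a vendor's product builds from data it receives over the network.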
Building a Stronger Cyber Defense
To protect effectively against supply chain attacks, financial institutions must adopt a more proactive, partnership-driven approach. The UK Ministry of Defence's Defence Cyber Protection Partnership (DCPP) offers a model worth considering. The DCPP looks at the whole supply chain: each contract is risk-assessed, and suppliers at every tier must demonstrate controls proportionate to that risk and keep demonstrating them for the life of the contract rather than once at onboarding.
The same concept can be applied to financial institutions by placing flow-down clauses in contracts, so that a supplier must impose the same obligations on its own suppliers and accountability reaches every tier of the chain. An automated system for tracking suppliers' cybersecurity ratings and certifications would then give a current picture of supply chain risk without extensive manual effort.
DORA and Regulatory Compliance
For financial institutions, DORA adds another layer of complexity. The regulation, which applies from 17 January 2025, requires financial entities to manage ICT third-party risk across the whole lifecycle of each contract, to maintain a register of information covering all of their ICT third-party arrangements, to report major ICT-related incidents to their regulator, and to run regular digital operational resilience testing; critical ICT third-party providers also come under direct oversight by the European Supervisory Authorities. In practice this means an institution must be able to show, for every ICT supplier, what it depends on them for, how it monitors them, and how an incident at that supplier would be reported.
To prepare, organizations need a digital operational resilience strategy that includes comprehensive monitoring tools, real-time risk assessment, and continuous improvement of their cybersecurity practices.
The Role of Continuous Monitoring and Automation
Continuous assessment is crucial for maintaining visibility into risk from third-party vendors. Filing away security assessment paperwork is not enough; financial institutions need a dynamic, current view of their entire supply chain. Tools that monitor suppliers constantly, update risk profiles automatically, and verify ongoing compliance give a chance of spotting exposure before it is exploited.
Security ratings services are another valuable tool. These ratings assess a supplier's cybersecurity posture from externally observable signals, such as compromised systems, evidence of diligence (patching, TLS configuration, open services) and public disclosures, and so let an institution watch its whole supply chain without access to each supplier's internal systems. That is also their limit: an outside-in rating complements, rather than replaces, contractual evidence of patching and testing. Feeding these ratings into an automated risk management tool lets organizations re-evaluate suppliers continuously and act quickly on any identified risk.
Future-Proofing Your Supply Chain Security
As the frequency and complexity of supply chain attacks continue to grow, the financial sector must adopt a proactive and continuous approach to cybersecurity. Moving beyond reactive, point-in-time checks to dynamic, real-time monitoring will help financial institutions stay ahead of potential threats.
The reality is clear: the supply chain attack surface is expanding, and attackers are becoming more inventive. With the right tools, strategies, and continuous monitoring, financial institutions can reduce the risk and shorten their response when a supplier is compromised.
It’s time for financial institutions to adopt a defense that’s as dynamic as the threat landscape they face. For a deeper dive into the cybersecurity challenges facing the financial sector and strategies for managing threat exposure, download our whitepaper "The Financial Sector Against Today’s Tough Cybersecurity Risks".