EU’s financial institutions face cyber resilience crisis

78% of Europe’s largest financial institutions experienced a third-party breach in the past year, according to SecurityScorecard.

In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance.

84% of financial institutions have been exposed to a fourth-party breach – illustrating how a vast web of unseen risks is hiding in plain sight. Visibility across the entire third- and fourth-party ecosystem is mission-critical, yet organizations lack consensus on how to measure and track fourth-party risk.

The impact of supply chain attacks

Just 3% of the third-party vendors analyzed were breached – which underscores the massive butterfly effect that hackers are just starting to take advantage of. Supply chain attacks attract cybercriminals because when widely used software is compromised, attackers gain access to potentially all organizations that use that software.

18% had a cybersecurity ‘C’ rating or below, making them four to seven times more likely to suffer a breach than those with an ‘A’ rating. Seven factors drive cyber risk and can be predictive of a breach: endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.

“If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, Chief Sales Officer, SecurityScorecard. “Financial entities need a trusted view of security risk. SecurityScorecard dynamically discovers risk across a customer’s attack surface, including their third- and fourth-party ecosystem, to dramatically reduce the risk of a compromise.”

Cyber risk by financial vertical

Retail banks at highest risk – 82% experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.

Insurance firms have the lowest security scores – 24% have a ‘C’ security rating or below, and 78% reported a third- or fourth-party breach.

Private equity firms prioritize cybersecurity – No breaches on their own domains, and achieved the highest ratings with only 9% at a ‘C’ rating or below.

Driving financial institutions towards objective cyber risk assessment

Managing third-party risk is a core theme of DORA and the EU approach to digital cyber risk more broadly. DORA requires financial entities to identify and assess all third-party risks. This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity’s ability to continue operating in the event of a third-party incident.

“Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector,” said Dan Morgan, Senior Government Affairs Director, Europe & APAC, SecurityScorecard. “Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”
