Financial firms are locking the front door but leaving the back open
Financial institutions are building stronger defenses against direct cyberattacks, but they may be overlooking a growing problem: their vendors. According to Black Kite’s new report, third-party risk has become one of the biggest cybersecurity threats facing the financial sector.
Ransomware attacks by finance subindustry (Source: Black Kite)
The vendor blind spot
The report finds that while financial institutions themselves are getting better at defending against ransomware and other threats, the companies they rely on, including software providers, infrastructure partners, and external service firms, often don’t meet the same security standards. That’s putting banks, insurers, and other financial organizations at risk, even when they haven’t been directly targeted.
“Our research found that while direct attacks on the financial industry appear to be decreasing, this sector is far from safe,” said Ferhat Dikbiyik, Chief Research and Intelligence Officer, Black Kite. “A critical area that must be addressed is third-party risk. We uncovered many weaknesses across vendor companies. The reality is that they just do not have the same defenses and regulatory obligations as the financial industry, and when these vendors are breached, the impact can be widespread and significant.”
Attackers are shifting tactics
Research data shows that direct ransomware attacks on financial firms are falling, from 191 in 2023 to 55 in the first half of 2025. That’s good news, but it doesn’t mean attackers are giving up. Instead, many are going after vendors. These firms can serve as a backdoor into financial organizations.
Part of the shift is due to changes in the ransomware landscape. Large groups like LockBit and AlphV have been disrupted, and their absence has made room for smaller, less organized actors using Ransomware-as-a-Service tools. Researchers say this has made the ecosystem more fragmented and unpredictable, with newer groups trying their luck by exploiting weaker links, often third parties.
A troubling picture of vendor security
Black Kite analyzed 140 vendors that serve financial sector clients. What they found:
- 92% received a C, D, or F in information disclosure risk, suggesting widespread issues with how vendors handle sensitive data.
- 65% are not maintaining up-to-date patch levels, leaving them exposed to known vulnerabilities, and in some cases, zero-days.
- 31 vendors have at least one critical vulnerability with a CVSS score of 8 or higher. Of those, 15 had vulnerabilities scoring above 9.
- 90 vendors were flagged with high-risk threat categories, including 35 tagged with Known Exploited Vulnerabilities (KEVs).
CISOs can’t assume that vendor security is “good enough” just because the vendor works in or with the financial sector. Many vendors are failing to meet even basic security hygiene standards.
Recommendations for CISOs
The main takeaway is clear: strong internal defenses are not enough. CISOs need to turn their attention to third-party risk management:
- Identifying and mapping all vendor relationships, including smaller providers and infrastructure partners.
- Regularly assessing vendor security posture, using both risk ratings and deeper due diligence when needed.
- Monitoring for changes in vendor risk over time, not just point-in-time assessments.
- Collaborating with procurement and legal teams to enforce cybersecurity standards in vendor contracts.