Heightened security issues with third-party vendors along with other supply chain issues stood out as a fast-rising IT security concern, according to the recent Verizon Data Breach Investigations Report (DBIR). And for financial services companies, this trend has been particularly impactful, experts said.
Financial services companies of all types and sizes have long been reliant on outside vendors to perform a variety of duties, from the mundane to the critical. And, as wily cybercriminals have focused their attacks more on adjacent businesses and connections through which they can hit larger prey, financial services companies have seen a 63% jump in destructive incidents initiated through third parties, up 17% from last year, according to a recent VMWare report.
And the financial sector remains the second most popular target for supply chain attacks, according to Verizon’s 2022 DBIR report, released last month.
“Hackers can easily exploit that reliance, especially when the third-party ecosystem interacts with thousands — sometimes hundreds of thousands of customers — to breach networks and exfiltrate data from the customer base,” said Demi Ben-Ari, co-founder and chief technology officer for Panorays, an automated third-party risk management provider.
Indeed, the most recent Verizon DBIR findings specifically cite supply chain issues and vulnerabilities as a persistent threat vector for the financial services sector. And although major attacks like SolarWinds are necessary to shed light on the third-party attack surface, the truth is that financial institutions are “susceptible to attack every day due to the sheer amount of third-party vendor technologies they’re using across all of their operations,” Ben-Ari added.
While it is not a financial institution itself, Ben-Ari pointed out the Okta incident as a good example of how a “ubiquitously used identity provider (IdP) can be breached through third-party support service, Sitel.” In the Okta breach, attackers created a supply chain attack to target “Okta’s customers rather than Okta itself, which opened up a number of financial institutions to become targets, including Ally, Amalgamated Bank and Western Union,” he added.
Not only are financial firms facing more third-party launched attacks, but they arguably may be losing more money and paying more to resolve these breaches. Financial services firms face the greatest expense in fighting cyberattacks, according to research from Accenture.
As a consequence of the on-going pandemic, Ben-Ari pointed out that “digital transformation across the financial services sector has taken hold very quickly in the last couple of years.”
This means financial firms have increased their reliance on third-party vendors across a myriad of geographies. In fact, many financial institutions and their service providers are even located off-shore, Ben-Ari pointed out.
“Without proper third-party risk management programs in place, the potential for exposure is exacerbated,” he said. “And, as the third-party landscape grows larger, so too does the attack surface.”
“It takes much less effort to identify the supply chain and exploit to compromise financial institution data than it would to breach a given financial institution itself,” he added. “The major problem is that financial institutions are making tradeoffs between uninterrupted service, customer and frontline support alongside other operational areas.”
At the same time, financial firms’ overall risk exposure has continued to rise as a result of the increasing number of third parties with which they work.
“Financial institutions need a faster, smarter and more automated workflow for vendor assessments, incident response, communication and information sharing among those partners in order to minimize their risk in the long run,” Ben-Ari recommended.