Banks remain most breached sector as attacks hit record | American Banker

By Cybersol, February 18, 2026
Source: originally from "Banks remain most breached sector as attacks hit record" by American Banker

The Rising Threat of Third-Party Breaches in Banking

The financial services industry faces an evolving cybersecurity landscape where traditional perimeter defenses are no longer sufficient. Recent data reveals that banks remain the most breached sector, but the nature of these breaches has fundamentally shifted. Rather than direct attacks on banking infrastructure, cybercriminals are increasingly targeting the weak links in the supply chain: professional services firms and third-party vendors that serve as trusted intermediaries.

The statistics are sobering. Supply chain attacks have doubled since 2021, with professional services firms acting as "stepping stones" to access sensitive banking data. This trend represents more than just an increase in breach frequency—it signals a fundamental transformation in how organizations must approach vendor risk management, regulatory compliance, and governance frameworks.

Understanding the Third-Party Attack Vector

Third-party breaches exploit a critical vulnerability in modern business operations: the extensive network of vendors, contractors, and service providers that maintain privileged access to sensitive systems and data. Professional services firms—including legal advisors, accounting firms, IT consultants, and managed service providers—often require deep access to client systems to perform their functions effectively.

These intermediary organizations present an attractive target for sophisticated threat actors. While banks invest heavily in cybersecurity infrastructure and maintain rigorous security protocols, their vendors may operate under less stringent frameworks. A single compromised professional services firm can provide access to multiple banking clients simultaneously, amplifying the impact of a successful breach and creating cascading risks across the financial services ecosystem.

The attack methodology typically follows a predictable pattern: threat actors identify a professional services firm with multiple high-value clients, compromise that firm's systems through phishing, ransomware, or other techniques, then use the firm's legitimate access credentials and sanctioned connectivity to move laterally into client environments. Because the sessions authenticate with valid vendor credentials and arrive over an approved path, perimeter controls and signature-based tooling have nothing to flag; the only reliable signals are behavioural, such as a vendor account used from an unfamiliar source, outside its engagement window, or against systems beyond its contractual scope. That is why these intrusions often go undetected longer than direct attacks would.

The Governance Challenge: Beyond Direct Vendor Oversight

The doubling of supply chain attacks exposes a critical blind spot in traditional vendor risk management frameworks. Most organizations focus their due diligence efforts on direct, first-tier suppliers—the vendors with whom they have contractual relationships and regular interaction. However, the reality of modern business operations involves multiple degrees of separation between an organization and the entities that ultimately access its data.

When a bank contracts with a professional services firm, that firm may rely on its own subcontractors, cloud service providers, and technology vendors. Each additional layer introduces new risk, yet visibility and control diminish dramatically beyond the first tier. Banks find themselves responsible for security outcomes influenced by entities they may not even know exist within their extended vendor ecosystem.

This governance challenge becomes particularly acute when considering regulatory expectations. Financial services regulators increasingly expect institutions to demonstrate comprehensive understanding and management of third-party risks. However, contractual relationships, audit rights, and oversight mechanisms typically extend only to direct vendors. Managing risk across multiple degrees of separation requires fundamentally different approaches to vendor governance, including:

  • Enhanced due diligence that examines vendors' own cybersecurity supply chains
  • Contractual provisions requiring vendors to impose equivalent security standards on their subcontractors
  • Continuous monitoring capabilities that can detect anomalous behavior from indirect access points
  • Incident response protocols that account for breach notification delays when incidents originate with third parties

Regulatory Implications and Compliance Complexity

The shift toward third-party attack vectors creates significant complications for regulatory compliance. Frameworks such as the Digital Operational Resilience Act (DORA) in the European Union, which devotes a chapter to managing ICT third-party risk, and in the United States the 2023 interagency guidance on third-party relationships together with the 36-hour computer-security incident notification rule for banking organizations, establish clear expectations for cybersecurity governance, incident notification, and risk management. Their operational mechanics, however, in particular notification clocks and impact assessments, still assume that the institution can see what happened, which is exactly what a breach originating inside a vendor denies it.

When breaches originate from vendors rather than direct intrusions, every aspect of the regulatory response becomes more complex. Notification timelines become challenging when banks must first discover that their vendor has been compromised, then determine what data was accessed, before they can begin the formal notification process. Impact assessments require understanding not just what happened within the bank's own systems, but what occurred in vendor environments that may be geographically distant and subject to different legal jurisdictions.

Remediation responsibilities also become murky. If a professional services firm's inadequate security practices led to a breach, who bears responsibility for implementing corrective measures? The bank may lack the authority to mandate specific security improvements at a vendor, yet regulators may hold the bank accountable for failing to ensure adequate vendor controls.

This regulatory complexity extends to enforcement actions and potential penalties. When multiple banks suffer breaches through a common vendor, regulators must determine whether each institution conducted adequate due diligence, whether their vendor management programs met regulatory expectations, and whether they responded appropriately once the breach was discovered. The shared nature of the incident doesn't necessarily lead to shared liability—each institution's specific oversight practices and contractual arrangements will be scrutinized independently.

Liability, Insurance, and Contractual Risk Allocation

The financial implications of third-party breaches extend well beyond immediate incident response costs. When a single incident at a professional services firm exposes multiple banking clients, the resulting liability landscape becomes extraordinarily complex.

Traditional vendor contracts typically include indemnification provisions designed to shift liability to the party responsible for a breach. However, these contractual protections often prove inadequate in practice. Vendors may lack the financial resources to cover damages across multiple affected clients. Indemnification clauses may contain carve-outs, limitations, or conditions that reduce their practical effectiveness. Proving that a vendor's negligence caused the breach—as opposed to a sophisticated attack that would have succeeded despite reasonable security measures—can be legally challenging.

Cyber insurance adds another layer of complexity. Policies may treat third-party breaches differently than direct attacks, with different deductibles, coverage limits, or exclusions. When multiple insurers are involved—covering the bank, the compromised vendor, and potentially other affected parties—coordination and subrogation issues can delay resolution and create gaps in coverage.

The cascade of interconnected risks includes:

  • Direct breach response costs (forensics, notification, credit monitoring)
  • Regulatory fines and enforcement actions
  • Civil litigation from affected customers
  • Reputational damage and customer attrition
  • Increased insurance premiums and potentially reduced coverage
  • Costs of enhanced security measures and vendor oversight programs

Rethinking Vendor Risk Management Frameworks

The doubling of supply chain attacks since 2021 demonstrates that current approaches to vendor risk management are insufficient. Organizations need frameworks that acknowledge the reality of extended vendor ecosystems and the systemic risks posed by shared service providers.

Effective third-party risk management in this environment requires several shifts in approach:

From Point-in-Time to Continuous Assessment: Annual vendor assessments cannot detect emerging risks in real time. Organizations need continuous monitoring capabilities that can identify behavioral anomalies, security posture degradation, or indicators of compromise as they occur, and that specifically cover the accounts and connections vendors use, since those are the paths a compromised vendor's attacker will reuse.

From Questionnaires to Validation: Self-reported security questionnaires provide limited assurance. Organizations should implement validation mechanisms including third-party audits, penetration testing results, security ratings from independent services, and direct technical assessments of critical vendors.

From Individual Vendors to Ecosystem Mapping: Understanding risk requires visibility into the full vendor ecosystem, including subcontractors, fourth-party relationships, and shared infrastructure. Organizations need systematic approaches to mapping these extended relationships.

From Compliance to Resilience: Vendor management programs focused solely on regulatory compliance miss the broader objective: building resilience to withstand inevitable incidents. This requires incident response capabilities that account for third-party scenarios, including communication protocols, access revocation procedures, and recovery strategies.
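The stepping-stone pattern described earlier, where a trusted vendor credential is reused from the vendor's compromised side, is also what the continuous-monitoring and access-revocation points in this section come down to in practice. As an added illustration (not code from the original article, from American Banker, or from the ITRC report), the Python below runs a small rule-based detector over a constructed JSON-lines audit feed for a hypothetical vendor account `svc-acme-audit`, whose contractual baseline (declared source range, in-scope hosts, engagement hours, expected spread) is assumed for the example. It flags use from an undeclared source, out-of-scope targets, after-hours activity and a burst of distinct hosts within one hour, and recommends suspension for accounts that trip the scope or spread rules.

```python
"""Added example: rule-based anomaly detection over vendor (third-party) access logs.

A professional-services vendor holds a named account in the bank's environment.
Its contract scopes the account to a source IP range, a set of target systems
and a business-hours window. The detector flags deviations that match the
stepping-stone pattern: a trusted credential used from a new source, against
systems outside its scope, after hours, or spread across many hosts quickly.

All log lines, account names, IP ranges and hostnames are constructed for the
example. The log format is a hypothetical JSON-lines audit feed, not the output
of any real product.
"""
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed baseline: what each vendor account is contractually allowed to do.
VENDOR_BASELINE = {
    "svc-acme-audit": {
        "source_cidrs": ["203.0.113.0/24"],          # vendor's declared egress range
        "allowed_targets": {"gl-reporting-01", "gl-reporting-02"},
        "hours": (8, 18),                            # engagement window, local time
        "max_distinct_targets_per_hour": 2,          # more than this looks like lateral movement
    },
}

# Constructed audit feed. The first two events are normal; the rest show the same
# credential reused by an intruder after the vendor itself was compromised.
SAMPLE_LOG = """\
{"ts": "2026-02-17T09:12:03", "user": "svc-acme-audit", "src": "203.0.113.10", "target": "gl-reporting-01", "action": "login"}
{"ts": "2026-02-17T09:40:51", "user": "svc-acme-audit", "src": "203.0.113.10", "target": "gl-reporting-02", "action": "query"}
{"ts": "2026-02-17T23:05:17", "user": "svc-acme-audit", "src": "198.51.100.77", "target": "gl-reporting-01", "action": "login"}
{"ts": "2026-02-17T23:06:02", "user": "svc-acme-audit", "src": "198.51.100.77", "target": "ad-dc-01", "action": "ldap_bind"}
{"ts": "2026-02-17T23:07:45", "user": "svc-acme-audit", "src": "198.51.100.77", "target": "file-share-03", "action": "smb_read"}
{"ts": "2026-02-17T23:09:10", "user": "svc-acme-audit", "src": "198.51.100.77", "target": "core-banking-api", "action": "login"}
"""


@dataclass
class Alert:
    ts: str
    user: str
    rule: str
    detail: str


@dataclass
class Result:
    alerts: list = field(default_factory=list)
    suspend: set = field(default_factory=set)   # accounts recommended for revocation


def parse_events(raw):
    """Parse JSON lines into dicts, attach a datetime, return in time order."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts_dt"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts_dt"])


def analyze(raw, baseline=VENDOR_BASELINE):
    """Apply the four baseline rules to every event and collect alerts."""
    result = Result()
    recent = defaultdict(list)   # per account: (time, target) seen in the trailing hour
    for ev in parse_events(raw):
        user = ev["user"]
        profile = baseline.get(user)
        if profile is None:
            # A vendor-style account with no contractual baseline is itself a finding.
            if user.startswith("svc-"):
                result.alerts.append(Alert(ev["ts"], user, "unknown_vendor_account",
                                           "no contractual baseline on file"))
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in ipaddress.ip_network(c) for c in profile["source_cidrs"]):
            result.alerts.append(Alert(ev["ts"], user, "unexpected_source",
                                       f"{ev['src']} outside declared ranges"))
        if ev["target"] not in profile["allowed_targets"]:
            result.alerts.append(Alert(ev["ts"], user, "out_of_scope_target",
                                       f"{ev['target']} not in contract scope"))
        start, end = profile["hours"]
        if not (start <= ev["ts_dt"].hour < end):
            result.alerts.append(Alert(ev["ts"], user, "outside_engagement_window",
                                       f"activity at {ev['ts_dt'].hour:02d}:00"))
        # Spread rule: distinct targets touched by this account in the trailing hour.
        window = ev["ts_dt"] - timedelta(hours=1)
        recent[user] = [(t, tgt) for t, tgt in recent[user] if t > window]
        recent[user].append((ev["ts_dt"], ev["target"]))
        distinct = {tgt for _, tgt in recent[user]}
        if len(distinct) > profile["max_distinct_targets_per_hour"]:
            result.alerts.append(Alert(ev["ts"], user, "lateral_spread",
                                       f"{len(distinct)} distinct targets in 1h"))
    # Assumed revocation policy: scope violation or lateral spread means suspend now.
    for a in result.alerts:
        if a.rule in ("out_of_scope_target", "lateral_spread"):
            result.suspend.add(a.user)
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for a in r.alerts:
        print(f"{a.ts} {a.user} {a.rule}: {a.detail}")
    print("suspend:", sorted(r.suspend))
```

The useful part is the baseline, not the rules: a vendor account whose contractual scope is written down as data can be checked on every event, whereas a generic "privileged account" has no scope to deviate from. In a real deployment the baseline would be generated from the vendor register that the contract and due-diligence process already maintain, and the suspension set would drive the access-revocation runbook rather than a print statement.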

Conclusion: The Path Forward

The banking sector's position as the most breached industry, driven increasingly by third-party attack vectors, represents a fundamental challenge to how organizations approach cybersecurity governance. The doubling of supply chain attacks through professional services providers since 2021 isn't just a concerning statistic—it's a signal that the threat landscape has evolved beyond the capabilities of traditional security and vendor management frameworks.

Financial institutions cannot eliminate third-party relationships. The complexity of modern banking requires specialized expertise, scalable infrastructure, and flexible service delivery that vendors provide. However, organizations can and must evolve their approaches to managing the risks these relationships create.

This evolution requires investment in enhanced due diligence capabilities, continuous monitoring technologies, and governance frameworks that extend visibility and control beyond direct vendor relationships. It requires contractual innovations that create appropriate incentives and accountability mechanisms throughout the vendor ecosystem. Most importantly, it requires acknowledging that cybersecurity is no longer just about protecting the perimeter—it's about managing risk across an extended network of relationships, each representing both business value and potential vulnerability.

As regulatory expectations continue to evolve and threat actors become increasingly sophisticated in exploiting supply chain weaknesses, organizations that treat third-party risk management as a compliance checkbox rather than a strategic imperative will find themselves increasingly exposed. The path forward requires treating vendor cybersecurity not as someone else's problem, but as a core component of organizational resilience and governance.

This analysis is based on reporting by American Banker regarding the ITRC 2025 data breach report, highlighting the banking sector's continued vulnerability to third-party attacks and the doubling of supply chain incidents since 2021.