While banks and financial institutions generally have strong defenses, third-party vendors often lack the same level of security, which can give attackers indirect access to the institutions they serve.

A new report from Black Kite examines the shifting landscape of cyber threats in the financial sector, highlighting the critical importance of understanding and mitigating the hidden dangers within the vendor ecosystem.

While supply chain threats are being highlighted, the number of direct ransomware attacks on the financial sector has decreased from 191 companies in 2023 to only 55 as of mid-2025, largely due to the implementation of strong defenses and the disruption of major threat groups.

“Our research found that while direct attacks on the financial industry appear to be decreasing, this sector is far from safe,” says Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. “A critical area that must be addressed is third-party risk. We uncovered many weaknesses across vendor companies. The reality is that they just do not have the same robust defenses and regulatory obligations as the financial industry, and when these vendors are breached, the impact can be widespread and significant.”

The report shows that 65 percent of vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known CVEs and potentially unpatched zero-day vulnerabilities in legacy technologies.

A significant number of vendors exhibited critical security weaknesses, including outdated systems, poor patch management, and credential exposures. Black Kite researchers found that 31 out of 140 vendors have at least one critical vulnerability with a CVSS score at or above eight, and 15 vendors show an extremely high risk with CVSS scores above nine. In addition, Black Kite FocusTags flagged 90 vendors with high-risk threat categories, including 35 marked with KEV tags.

The full report can be downloaded from the Black Kite site.
