New Report Shows 97% of Top U.S. Banks Affected by Third-Party Data Breaches in 2024

In a world where banks depend on third-party vendors for critical services, a new report from SecurityScorecard paints a concerning picture of the vulnerabilities lurking in the financial sector. According to the findings, a staggering 97% of the top 100 U.S. banks were impacted by third-party data breaches over the past year, revealing just how interconnected—and fragile—the banking supply chain has become.

As financial institutions lean increasingly on external partners to drive their operations, these breaches raise alarms about the hidden risks that could have cascading effects throughout the industry. SecurityScorecard’s analysis, which taps into one of the largest and most sophisticated threat intelligence datasets in existence, provides a chilling reminder: The next major cyber incident could be triggered by something as simple as a vulnerability in a vendor’s system.

A Web of Vulnerabilities
The numbers speak for themselves. While only 6% of vendors were directly compromised in the past year, nearly every major U.S. bank—97% of them, to be exact—suffered the consequences of these breaches. Worse still, a staggering 97% of the banks also faced breaches that originated with fourth-party vendors, impacting only 2% of the original vendors. The ripple effect of these incidents highlights a serious flaw in how banks approach cybersecurity within their supply chains. Even the slightest weakness can spread far and wide, touching every aspect of a bank’s operations.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, didn’t mince words in his assessment: “Nearly all major U.S. banks faced third-party breaches, exposing serious weaknesses across our interconnected digital ecosystem. The recent CrowdStrike incident underscored this fragility, showing how issues with just one vendor—even without a breach—can create widespread exposure and risk. For banks, these third-party vulnerabilities mean one compromised vendor could destabilize the entire financial system.”

The Vulnerabilities in Plain Sight
What’s particularly striking is that these breaches aren’t just affecting a few isolated banks—they’re impacting nearly every financial institution in the country, including all ten of the top U.S. banks. These vulnerabilities aren’t confined to just data theft either. A compromised vendor can result in far-reaching operational disruptions, with effects felt across everything from customer trust to market stability.

As financial institutions become more interconnected through third-party relationships, the risks associated with these connections grow exponentially. What was once considered a manageable risk is now a potential threat to the entire sector.

While the risks are clear, the path forward isn’t all doom and gloom. SecurityScorecard’s STRIKE team, a leading group of cybersecurity experts, has offered several key recommendations to help the banking sector bolster its defenses against these increasingly common threats:

  • Continuously monitor external attack surfaces: Automated tools can help detect vulnerabilities across vendor and partner environments, providing an early warning system for potential threats.
  • Identify and address single points of failure: By mapping out critical business processes, banks can pinpoint vendors that represent a single point of failure and ensure these connections are continuously monitored.
  • Automatically detect new vendors: Proactive monitoring of vendors’ IT deployments can help identify hidden risks before they grow into full-scale breaches.
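
As an added illustration of the second recommendation (this is example code written for this article, not SecurityScorecard's tooling or method), the Python sketch below maps critical processes to vendors and to those vendors' own suppliers, then reports every entity whose failure alone would stop a process. All process names, vendor names and dependencies are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: vendors each critical process can use.
# More than one entry means the process has an alternative vendor.
PROCESS_VENDORS = {
    "card-payments": ["processor-a"],
    "wire-transfers": ["gateway-x", "gateway-y"],
    "online-banking": ["hosting-b"],
    "fraud-scoring": ["analytics-c", "analytics-d"],
}
# Constructed sample data: each vendor's own suppliers (fourth parties).
VENDOR_SUPPLIERS = {
    "processor-a": ["cloud-z"],
    "gateway-x": ["cloud-z"],
    "gateway-y": ["cloud-z"],
    "hosting-b": ["dns-q"],
    "analytics-c": ["cloud-z"],
    "analytics-d": [],
}

def supply_chain(vendor, suppliers=VENDOR_SUPPLIERS):
    """Return the vendor plus every supplier reachable from it (cycle-safe)."""
    seen, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(suppliers.get(v, []))
    return seen

def single_points_of_failure(process_vendors=PROCESS_VENDORS,
                             suppliers=VENDOR_SUPPLIERS):
    """Map each entity to the processes that stop if that entity alone fails.

    A process stops when every vendor option depends on the failed entity,
    i.e. the entity is in the intersection of all options' supply chains.
    """
    spof = defaultdict(list)
    for process, options in process_vendors.items():
        if not options:
            continue
        chains = [supply_chain(v, suppliers) for v in options]
        for entity in set.intersection(*chains):
            spof[entity].append(process)
    return {e: sorted(p) for e, p in spof.items()}

def hidden_spofs(process_vendors=PROCESS_VENDORS, suppliers=VENDOR_SUPPLIERS):
    """Single points of failure the bank has no direct contract with."""
    direct = {v for opts in process_vendors.values() for v in opts}
    found = single_points_of_failure(process_vendors, suppliers)
    return sorted(e for e in found if e not in direct)
```

In the sample data, wire transfers have two vendors yet still share one fourth party, so the apparent redundancy does not remove the single point of failure.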

Methodology & Approach
The SecurityScorecard team’s analysis focused on the 100 largest U.S. banks, assessing over 9,000 domains—including third- and fourth-party vendors. With a massive trove of non-intrusive data, SecurityScorecard uses sophisticated algorithms to measure the cybersecurity performance of companies worldwide, assigning a letter grade from A to F based on ten factors that predict the likelihood of a security breach.

As banks continue to depend on an expanding web of third-party providers, their vulnerability to external breaches will only grow. This latest report serves as a wake-up call for financial institutions, urging them to rethink how they manage cybersecurity risks within their supply chains. The growing risks to data security, operational stability, and customer trust demand proactive, forward-thinking strategies.

With these findings in hand, the onus is now on banks to take actionable steps in securing their supply chains and protecting the entire financial ecosystem from the ripple effects of third-party failures. The next breach may be just around the corner, but with the right approach, banks can ensure they’re prepared for whatever comes next.
