A new report from BitSight reveals a significant security gap between financial firms and their third-party vendors. While the financial sector itself generally has a strong security posture, its suppliers perform worse on 16 out of 22 key risk factors, including web application security, patching cadence, and endpoint security.
Business Impact
This creates a massive supply chain risk. Attackers who cannot breach the “hard target” of a bank directly can instead compromise one of its less secure vendors (e.g., law firms, tech providers). Because those vendors hold the bank’s data, credentials, or trusted network and API access, a breach there lets the attacker steal sensitive data, tamper with integrations, or pivot into the bank’s environment, bypassing the bank’s own perimeter defenses entirely.
Why It Happened
Vendors, especially smaller or non-tech-focused firms, often lack the resources, budget, or regulatory pressure to maintain a security posture as mature as their financial-sector clients, making them the “soft underbelly” of the supply chain.
Recommended Executive Action
Strengthen your Third-Party Risk Management (TPRM) program. Tier vendors by the sensitivity of the data and the level of access they hold, and mandate rigorous security diligence and continuous monitoring (e.g., security ratings) for all critical vendors. Treat ratings as an outside-in signal rather than proof of controls, and verify the highest-tier vendors directly. Enforce strong security clauses, breach notification obligations, and right-to-audit in vendor contracts.
Hashtags: #SupplyChainSecurity #ThirdPartyRisk #Finance #CyberRisk #InfoSec #CyberSecurity #TPRM #BitSight
