Four in Five of Europe’s Largest Financial Institutions Experienced a Third-party Breach in the Past Year

Jul 27, 2023

The deadline for the Digital Operational Resilience Act (DORA) compliance is nearing, but EU financial service companies are struggling with third-party data breaches and dipping cybersecurity ratings.

A staggering 78% of the major financial institutions in the European Union experienced a third-party breach in the past year, said a report by cybersecurity rating platform SecurityScorecard.

The report analyzed the readiness of 240 of the largest financial institutions in the European Union for compliance with the Digital Operational Resilience Act (DORA) by January 2025.

Banking and financial service businesses regularly pop up in the cybersecurity news as a preferred target for cybercriminals.

In the wake of high-profile attacks like MOVEit and SolarWinds, the importance of robust cybersecurity regulations becomes evident, underscoring the need for comprehensive approaches to manage vendor risk and ensure DORA compliance.

Moreover, 84% of financial institutions have been exposed to a fourth-party breach.

Digital Operational Resilience Act (DORA) and third-party data breach

While the number of third-party vendors breached remains relatively low at 3%, the report underscores the potential butterfly effect that hackers can exploit.

A single supply chain attack can have a dramatic impact on the threat landscape, granting attackers access to multiple organizations that use the compromised software.

A notable finding from the report is the correlation between cybersecurity ratings and breach incidents.

Approximately 18% of the financial institutions analyzed received a cybersecurity rating of ‘C’ or below, making them four to seven times more likely to suffer a breach than those with an ‘A’ rating.

The seven factors identified to drive cyber risk and predict breaches include endpoint security, patching cadence, ransomware score, DNS health, IP reputation, cubit score, and network security.

The research also provides insights into the cyber risk landscape across different financial verticals.

Finance verticals and cybersecurity ratings

Retail banks, with the highest risk exposure, saw 82% of them experiencing third-party breaches, and 8% suffering from breaches within their own domains.

In contrast, insurance firms received the lowest security scores, with 24% of them having a ‘C’ security rating or below, and a concerning 78% reporting third- or fourth-party breaches.

Private equity firms, on the other hand, demonstrated a commendable focus on cybersecurity, with no breaches reported on their own domains, and only 9% receiving a ‘C’ rating or below.

The implications of DORA on third-party risk management are significant, shows the study.

Financial entities must prioritize identifying and assessing all third-party risks, including threats to data confidentiality, integrity, and availability, as well as the potential impacts of third-party incidents on their operations.

“Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector,” said Dan Morgan, Senior Government Affairs Director, Europe & APAC, SecurityScorecard.

“Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”

Digital Operational Resilience Act (DORA): Deadline is near

“With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risk in the financial sector,” said an IBM assessment of the Digital Operational Resilience Act (DORA).

“A shared set of rules can make it easier for financial entities to comply while improving the entire EU financial system’s resilience by ensuring that every institution is held to the same standard.”

Last month, the European Supervisory Authorities (ESAs) launched a consultation package on the first batch of draft regulatory technical standards (RTS) and draft implementing technical standards (ITS).

“The DORA will likely have a 24-month implementation period, but important technical standards will take longer to finalise, leaving firms with less time for preparation to comply with the new requirements they will face,” a Deloitte assessment said.

The consultation covers specific aspects related to the risk management framework, incident classification, contractual arrangements on ICT services, and the establishment of a register of third-party ICT services for financial institutions (FIs).

As the January 2025 deadline for DORA compliance approaches, it is imperative for financial institutions to proactively address cyber risks, safeguard customer data, protect critical systems, and bolster the overall resilience of the European financial sector.

Compliance with DORA and the associated technical standards will be of paramount importance for both financial institutions and their ICT service providers. The new regulations will shape how FIs manage risks, handle incidents, and engage with third-party ICT services.

Get Free Report & Network Analysis

Please check your email for the free report.