Hidden risks in the financial sector’s supply chain


When a cyber attack hits a major bank or trading platform, attention usually turns to the institution. But new research suggests the real danger may lie elsewhere. Bitsight researchers found that many of the technology providers serving the financial sector have weaker cybersecurity performance than the institutions they support.

For the Exposed Cyber Risk in the Financial Sector and its Supply Chain report, researchers analyzed more than 41,000 financial organizations and over 50,000 relationships with third-party technology providers. The results point to dependencies, uneven monitoring, and gaps in risk management across the sector’s digital supply chain.


A web of critical suppliers

The study identified 99 of the most critical technology suppliers across the financial sector. Some names were predictable, including Microsoft, Google, and Bloomberg, but others were less visible. Companies like General Dynamics, which still supports COBOL systems used on mainframes, and NICE Group, which provides access control and building automation systems, emerged as unexpected but essential players.

This mix of well-known and lesser-known suppliers shows how complex the sector’s digital ecosystem has become. The researchers describe these firms as “hidden pillars” because they hold up critical systems but often attract little scrutiny until a breach exposes their importance.

The supplier security gap

The analysis compared the cybersecurity performance of financial organizations with that of their suppliers across 22 risk categories. Suppliers performed worse in 16 of them, with gaps of up to 15 percent.

While providers scored higher in email and domain security standards such as DMARC, SPF, DKIM, and DNSSEC, they lagged behind in areas tied to vulnerability management and exposure. Researchers suggest that suppliers’ broader digital footprints may increase their attack surface, while the nature of their business exposes them to inherited risks from the services they deliver.
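The email and domain controls named above (SPF and DMARC in particular) are among the few supply-chain signals that can be read directly from public DNS, which is why they are easy to score. The following Python script, an added example that is not part of the Bitsight report or this article, shows the kind of check an assessor runs: it parses SPF and DMARC TXT records and flags the weak settings (`+all`, `~all`, `p=none`, `pct<100`, no reporting address, no record at all). The domains and records are constructed for illustration; a real assessment would resolve live TXT records (for example with dnspython) instead of reading the `RECORDS` dict.

```python
"""Offline assessment of a domain's SPF and DMARC TXT records.

Added example, not part of the Bitsight report or the article. The records
below are constructed for illustration; a real check would pull them with a
DNS resolver (e.g. dnspython) in place of the RECORDS dict.
"""
import re

# Constructed sample TXT records, keyed by the DNS name they would be published at.
RECORDS = {
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "nodmarc.example": ["v=spf1 mx ~all"],
}


def lookup_txt(name, records=RECORDS):
    """Stand-in for a DNS TXT query; returns [] when the name does not exist."""
    return records.get(name, [])


def assess_spf(txt_records):
    """Return a list of findings for the SPF record(s) among the TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 requires exactly one)"]
    findings = []
    terms = spf[0].split()
    # The 'all' mechanism decides what happens to senders not listed earlier.
    all_mech = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_mech is None:
        findings.append("SPF has no 'all' mechanism; unlisted senders get a neutral result")
    elif all_mech in ("all", "+all"):
        findings.append("SPF ends in +all; any host may send as this domain")
    elif all_mech == "?all":
        findings.append("SPF ends in ?all (neutral); unlisted senders are not rejected")
    elif all_mech == "~all":
        findings.append("SPF ends in ~all (softfail); enforcement depends on DMARC")
    return findings


def assess_dmarc(txt_records):
    """Return a list of findings for the DMARC record among the TXT records."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record"]
    # DMARC is a ';'-separated list of tag=value pairs.
    tags = {k.lower(): v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but not acted on")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: failures go to spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"DMARC policy missing or unrecognised: {policy!r}")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address; no aggregate reports will be received")
    return findings


def assess_domain(domain, records=RECORDS):
    """Combine SPF findings for the domain with DMARC findings from _dmarc.<domain>."""
    findings = assess_spf(lookup_txt(domain, records))
    findings += assess_dmarc(lookup_txt(f"_dmarc.{domain}", records))
    return findings


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "nodmarc.example"):
        print(d, "->", assess_domain(d) or ["no findings"])
```

An empty findings list (as for `strong.example`) means the domain publishes a single SPF record ending in `-all` and a DMARC record with `p=reject` covering 100 percent of mail with a reporting address; anything else is a gap worth raising with the supplier.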

The finding is still troubling. Financial institutions operate under heavy regulatory oversight from the FDIC, the Federal Reserve, the SEC, and FINRA, all of which require ongoing third-party due diligence. Despite those requirements, the sector's technology backbone appears less secure than the organizations depending on it.

Size does not equal safety

Researchers also tested a common assumption that larger providers, with more resources and staff, perform better on cybersecurity. The data showed the opposite. Among suppliers serving the financial sector, those with greater market share tended to have worse security ratings than smaller ones.

This may be due to the scale of their infrastructure and the number of customers they serve, both of which expand the number of potential entry points for attackers. But it also signals that size alone does not guarantee stronger defenses. The researchers point out that widespread dependence on a few large vendors creates systemic exposure if one of them suffers a serious compromise.

Monitoring falls short

Continuous monitoring is often described as a cornerstone of third-party risk management. Financial organizations have made progress in this area, but Bitsight’s numbers show there is more work to do.

Financial institutions monitor, on average, 36.3 percent of their supply chain for cyber risk. That is better than the 24.6 percent average across other sectors, but it still leaves nearly two-thirds of suppliers unobserved.

The report notes that some organizations may have determined that not all vendors need constant oversight, but the data suggests that unmonitored suppliers pose a significant risk.

Unmonitored suppliers carry higher risk

Researchers found that unmonitored suppliers have almost three times as many critical vulnerabilities as those under observation. Specifically, they have 2.9 times more critical-level CVEs and 2.8 times more known exploited vulnerabilities in their environments.

This gap indicates that active monitoring not only improves visibility but may also encourage better security practices among suppliers. Still, the research showed an unexpected twist. Suppliers monitored by a higher number of organizations tend to show a slight decline in performance. The researchers say this finding needs more study, but it may reflect the concentration of monitoring on larger, more complex firms that already struggle with exposure.
