Third-party cyber breaches surge 25% in Europe’s top banks

Europe's largest financial institutions have seen a 25% increase in third-party cyber breaches over the past year, according to the latest analysis by SecurityScorecard.

The research, covering the top 100 financial institutions in Europe ranked by assets under management, found that nearly all major firms have experienced at least one cyber breach through a supplier or service provider in the previous 12 months. The findings spotlight systemic weaknesses in digital supply chains, with regulatory scrutiny rising after the implementation of the Digital Operational Resilience Act (DORA) in January 2025.

According to SecurityScorecard, 96% of the institutions reviewed in the past year were impacted by at least one third-party breach. This represents a significant increase from 78% recorded in the firm's previous report. The fourth-party ecosystem—where suppliers or partners of direct vendors face breaches—also demonstrated rising exposure, with 97% of institutions affected compared to 84% the year before.

The report found a slight reduction in direct cyber breaches, with 7% of institutions experiencing a direct compromise, down from 8%. Direct attacks most commonly utilised malware and exploited insider threats. Meanwhile, proactive security posture appears correlated with better outcomes: 94% of firms that achieved an "A" rating from SecurityScorecard had no recorded breaches.

There has been some improvement in the cybersecurity posture of the sector's largest players. The proportion of firms rated "C" or lower fell to 13%—down from 18% in the previous year—outperforming the broader European sector, where 31% of firms are rated at that level or below.

Geographical analysis revealed that the UK reported the greatest number of third-party breaches, followed by Germany and Switzerland. At the other end of the spectrum, Malta, Luxembourg, and Portugal reported the lowest figures for third-party incidents. These three countries also achieved the highest average cybersecurity ratings among the top 100 institutions.

Corian Kennedy, Senior Manager of Threat Insights and Attribution at SecurityScorecard, commented on the findings: "A 25% surge in third-party breaches among Europe's top financial institutions is more than a warning, it is a call to action. Cyber threats are no longer confined to the perimeter. They are embedded deep within supply chains. Institutions must evolve from reactive to proactive defense strategies to meet the escalating challenge."

The report's country-level data showed pronounced disparities. Switzerland averaged 171.5 third-party breaches per bank, the highest among the nations reviewed, categorised as a "high" risk level. The Netherlands and the UK followed, with 148.4 and 136.2 breaches per bank, respectively, both ranked at "moderate" risk. France recorded 128.6 breaches per institution at a "lower" risk level, while Malta, Luxembourg, and Portugal saw averages of just 18, 17, and 10 respectively—each marked as having "none" in terms of institutions rated "C" or below.

Sector-specific analysis highlighted fewer breaches and stronger reported cybersecurity performance in Malta, Luxembourg, and Portugal, where most banks earned at least "B" grade cybersecurity ratings. In contrast, Switzerland, the Netherlands, and the UK were most exposed to third-party breaches, a trend attributed to high vendor complexity and gaps in supply chain oversight.

The report cited significant security incidents as examples of ongoing vulnerabilities. On 13 June 2024, Zürcher Kantonalbank suffered a breach in its mobile banking application, resulting in the exposure of customers' account balances and personal information. On 25 June 2024, Credit Suisse—now part of UBS—reported a cyberattack that compromised sensitive personal data of 19,000 Indian employees. Both episodes demonstrate the impact of concealed vulnerabilities in extensive digital networks, affecting even longstanding sector participants.

SecurityScorecard also noted that risks extend well beyond immediate service providers. Just ten cybercriminal groups accounted for 44% of global cyber incidents, with entities such as C10p, APT28, and Cobalt Group most frequently linked to third-party exploitation. The report observed growing dependency on a limited pool of technology vendors, highlighting that 15 companies now represent 62% of the global technology market, which increases exposure to concentrated cyber risks.

Major incidents, such as the MOVEit vulnerability that resulted in losses surpassing USD $65 billion, reveal how a single flaw in the supply chain can disrupt operations across thousands of interconnected networks and businesses downstream.

To mitigate these risks, SecurityScorecard recommended that financial institutions in Europe take several proactive steps. These include continuously monitoring third- and fourth-party vendor networks, strengthening application and network security, improving DNS health and endpoint protection, and maintaining up-to-date patching in high-risk environments. Firms were also urged to align with DORA regulatory requirements by integrating persistent, evidence-based oversight into their procurement and vendor management strategies.

SecurityScorecard highlighted the extent to which cybersecurity risks in finance now penetrate third- and fourth-party ecosystems, noting that supplier weaknesses affected almost all firms even in cases without a direct breach. The company stated that visibility and resilience are now critical as the threat environment and regulatory requirements continue to intensify.