More than three-quarters (78%) of financial institutions in the European Union (EU) suffered a data breach in the last 12 months, a new report from SecurityScorecard has claimed.
The information security company set out to determine the state of cybersecurity among organizations that must comply with the Digital Operational Resilience Act (DORA) by January 2025.
To do that, it analyzed 240 of the largest financial institutions in the EU, as well as their third- and fourth-party vendor operations in Europe. This amounted to an ecosystem of 26,142 domains. It picked the 240 organizations based on current revenue, assets under management, or gross written premium.
The firms analyzed include private equity, asset management, retail banks, Insurance, and pension funds.
Besides the vast majority suffering a cyberattack, an even bigger percentage (84%) were exposed to a fourth-party breach. As per the researchers, there is a “vast web of unseen risks” hiding in plain sight, requiring visibility across the entire third- and fourth-party ecosystem. Despite the findings, businesses lack consensus on how to measure and track fourth-party risks, it was said.
Furthermore, just 3% of the third-party vendors that were analyzed for the report suffered a breach. There is a “massive butterfly effect” here that the threat actors are just now starting to leverage, the researchers say, adding that supply chain attacks are growing more popular among hackers.
In conclusion, almost a fifth (18%) had a poor cybersecurity rating (C or lower), which makes them four to seven times more likely to suffer a data breach, compared to those with the highest rating. To predict a data breach, businesses should pay attention to these factors, the researchers concluded: endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.
“If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, Chief Sales Officer, SecurityScorecard.