Financial Sector’s Weakest Link? Third-Party Vendors, Says New Black Kite Report

Banks Are Getting Better at Cyber Defense—But Their Vendors Are Still the Soft Spot
Banks may be tightening their digital vaults, but the doors to their third-party vendors are wide open. That’s the unsettling takeaway from Black Kite’s latest report, 2025 State of Financial Services: Hidden Dangers in the Vendor Ecosystem. While direct ransomware attacks on financial institutions are declining, the report finds attackers are increasingly exploiting security gaps among vendors—giving threat actors a backdoor into the financial sector.
It’s a cybersecurity shift that exposes a critical blind spot: you can have a fortress, but if the bridge into it is cracked, you’re still vulnerable.
“While direct attacks on the financial industry appear to be decreasing, this sector is far from safe,” said Ferhat Dikbiyik, Chief Research and Intelligence Officer at Black Kite. “Vendors simply don’t have the same robust defenses or regulatory pressure. And when they’re breached, the ripple effects are massive.”
Ransomware on the Decline—But Don’t Celebrate Yet
The good news: ransomware attacks targeting financial institutions are down, dropping from 191 disclosed victims in 2023 to just 55 as of mid-2025. That’s due in part to stronger defenses and the takedown of major ransomware groups like LockBit and AlphV, according to Black Kite’s research.
But that’s not the whole story. The vacuum left behind has made room for a chaotic patchwork of smaller, less sophisticated attackers—many armed with off-the-shelf Ransomware-as-a-Service (RaaS) kits. That fragmentation, while reducing the scale of some attacks, has made the threat landscape more unpredictable and opportunistic.
Roughly 27% of current threat actors targeting the financial sector fall into the “Other” category—emerging, fragmented groups operating under the radar. Think of them as cybercrime freelancers: less refined but potentially just as damaging when they find a vulnerable vendor.
65% of Vendors Are Behind on Patching. That’s a Problem.
Black Kite’s researchers analyzed 140 vendors that serve the financial industry. The results aren’t encouraging:
- 65% weren’t maintaining current patch levels—leaving them open to known vulnerabilities.
- 31 vendors had at least one critical vulnerability with a CVSS (Common Vulnerability Scoring System) score of 8 or higher.
- 15 vendors showed extreme risk, with CVSS scores topping 9.
- 90 vendors were flagged with high-risk threat categories via Black Kite’s FocusTags™, including 35 marked with Known Exploited Vulnerabilities (KEV).
In short: too many vendors are playing defense with their eyes closed.
Real-World Fallout: Cl0p’s Cleo Exploit
The December 2024 Cl0p campaign is a textbook example of how supply chain weaknesses cascade into real-world disruptions. Cl0p targeted users of Cleo’s managed file transfer (MFT) products, exploiting unpatched systems and listing 66 victims on its dark web leak site. But researchers estimate the actual number of impacted organizations is in the hundreds.
And the fallout wasn’t just cyber—it was operational. Retailers struggled with inventory tracking, manufacturers experienced production halts, and the financial sector felt the tremors across its supply chain.
It’s a clear illustration of how a breach in a single vendor can ripple across industries, interrupting everything from shipping to customer service.
The Big Takeaway: Internal Security Isn’t Enough
Black Kite’s message to banks and financial institutions is simple but stark: internal defenses aren’t enough. A hardened perimeter means little if attackers can waltz in through a third-party integration.
The solution? Proactive, intelligence-led vendor risk management. That means real-time monitoring, threat modeling, and vetting vendors not just on capabilities, but on security hygiene.
The financial services sector has historically been one of the most well-defended industries in the world—but it’s only as strong as its weakest (and least regulated) partner.