Methodology of the Report


The data presented in this report is the result of a multi-source, intelligence-led investigation by the Black Kite Research & Intelligence Team (BRITE). It synthesizes extensive threat intelligence, ransomware tracking, vendor ecosystem analysis, and cyber risk telemetry to provide a comprehensive view of systemic third-party vulnerabilities in the financial sector.

1. Data Sources and Scope

This report integrates several streams of intelligence curated by BRITE between January 2023 and May 2025. The ransomware-related data specifically includes only confirmed victims where both encryption and data leaks were verified, and attribution to a known ransomware group was clearly established.

All vendor-related data was derived from Black Kite’s proprietary telemetry and publicly available information, supplemented by intelligence gathered from surface, deep, and dark web sources.

2. Industry Classification and Exclusions

To maintain analytical consistency, industry classifications were aligned to NAICS (North American Industry Classification System) codes. While 52 NAICS codes were reviewed, the code 524 (Insurance Carriers and Related Activities) was deliberately excluded from the final figures due to its structural and regulatory segmentation. However, entities under 5251 (Insurance and Employee Benefit Funds) were included, as they represent financial investment mechanisms rather than insurance providers.

3. Company Size and Risk Posture Analysis

For each entity—victim or vendor—BRITE analysts estimated company size using public financial disclosures, reliable third-party databases, and organizational benchmarks. In addition, the Black Kite platform was used to assess and track each organization’s cybersecurity posture before and after ransomware incidents, enabling comparative analysis of susceptibility factors and exposure levels.

4. Vendor Selection Criteria

The core of this report is a targeted analysis of 140 vendors serving the financial sector. Selection was based on a single criterion: vendors whose client base includes at least 10% financial sector customers, regardless of company size. This ensured that the analyzed vendor pool reflected high relevance to, and potential impact on, the financial services supply chain.

5. Standardization and Integrity Controls

To ensure consistency and prevent data inflation, BRITE applies a standardized victim counting methodology. For example, attacks targeting clinic chains, dealer networks, or holding structures are counted as a single incident unless distinct disclosures exist.

6. Technical Ratings Explained

The Black Kite Technical Rating is a score from 0 to 100 covering 20 risk categories. Scores are also translated into letter grades for clarity:

  • A (Excellent): 90–100
  • B (Good): 80–89
  • C (Fair): 70–79
  • D (Poor): 60–69
  • F (Failing): 0–59

7. Limitations

This report reflects only publicly disclosed ransomware incidents and observable vendor risk indicators. Many breaches—especially those involving smaller entities or resolved discreetly—go unreported. Consequently, the findings represent a conservative lower bound of systemic third-party risk exposure.
