Finance Vendor Trends
Weak Links in the Financial Sector Supply Chain
The lack of ransomware activity directly on financial companies doesn’t mean the sector is safe. We analyzed 140 vendors that primarily serve the financial sector. These vendors offer a wide array of services, including Professional, Scientific and Technical Services (NAICS 54), Computer Systems Design and Related Services (NAICS 5415), Software Publishers (NAICS 5112), and Manufacturing (NAICS 33).
Across 140 vendor companies, there are a lot of weaknesses out there that can impact your business. These companies don’t have the same robust defenses and regulatory obligations as the financial industry. If these vendors are breached or experience system outages, the impact can be widespread.
Financial Sector’s Vendor Risk Data
We looked at multiple factors that assess the cybersecurity of vendors in the financial sector:
- Average Score: Ranging from 1-100, the Black Kite Technical Rating provides easy-to-understand letter grades and defensible data details behind 20 risk categories. Letter grades map to score ranges as follows:
  - A (Excellent): 90-100
  - B (Good): 80-89
  - C (Fair): 70-79
  - D (Poor): 60-69
  - F (Failing): 0-59
- Ransomware Susceptibility Index® (RSI™): On a scale from 0.0 to 1.0, Black Kite’s RSI shows you which vendors are most likely to experience a ransomware attack.
- Data Breach Index (DBI): A rearview mirror of past breach incidents to provide historical context for vendor risk.
- Data Breaches: How many breaches occurred within the vendor set over the past 2 years.
- Critical Vulnerabilities (CVSS ≥ 8 and CVSS > 9): How many vendors are found to have the most critical CVEs.
[Figure: Power of RSI. Two panels, "Top 20 Vendors Serving Finance" and "All 140 Vendors Serving Finance" (each with Average Score: 85 (B)), reporting the Ransomware Susceptibility Index (RSI), Data Breach Index (DBI), number of data breaches, number of vendors with critical vulnerabilities (CVSS ≥ 8), and number of vendors with critical vulnerabilities (CVSS > 9).]
We see some common and concerning risk issues and trends observed among the 140 vendors:
High Common Vulnerability Scoring System (CVSS) Ratings:
31 vendors have at least one critical vulnerability with a CVSS at or above 8, and 15 of those vendors show an extremely high risk with CVSS scores above 9.
Concerning RSI Levels:
The average RSI of 0.437 suggests a notable susceptibility to ransomware, which is particularly alarming for vendors supporting critical financial systems. Companies within this range are 11.6 times more likely to experience a ransomware attack than companies with an RSI below 0.2.
High Risk FocusTag™ Patterns:
Black Kite FocusTags™ give immediate visibility into the most concerning risks in your vendor ecosystem so you can take action. Among the 140 vendors serving the financial sector, 90 are flagged with high-risk threat categories, including 35 vendors marked with Known Exploited Vulnerabilities (KEV) tags, highlighting the active exploitation of the risks they face.
Oracle Data Breach
41 (29%) of the 140 vendors were tagged with an Oracle Data Breach FocusTag.
- This tag highlights vendors that experienced a compromise related to Oracle data, indicating potential exposure of sensitive information or vulnerabilities within cloud security infrastructures.
- Such breaches can have a cascading effect, as many organizations, including those in financial services, rely on Oracle Cloud for critical operations, making the security of their data within these cloud environments a key third-party risk management concern.
Cleo File Transfer
5 vendors were tagged with a Cleo File Transfer FocusTag.
- This tag indicates vendors affected by the exploitation of vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions by the Cl0p ransomware group.
- While Cl0p did not directly breach Cleo, they leveraged vulnerabilities in Cleo's widely used products (like Harmony, VLTrader, and LexiCom) to target companies in various supply chain operations, including those potentially serving the financial sector.
- The exploitation of MFT tools represents a significant supply chain risk, as these solutions are central to data exchange between organizations, and a compromise can lead to widespread operational disruptions and data exfiltration across interconnected businesses.
Case Study: Early Warning System Shields Company from Cleo Ransomware Impact
One company’s rapid response, which was enabled by continuous third-party risk monitoring, allowed them to proactively defend against the impact of Clop’s Cleo ransomware attack in their vendor ecosystem.

Company Profile
Based in the United States with 340+ employees and annual revenue exceeding $240 million.

Initial Alert
Black Kite provided its first alert of a possible Cleo ransomware risk in the company’s vendor ecosystem via the CLEO Integration - Ransomware Risk FocusTag™ on November 27.

Clop Ransomware Disclosure
The Cl0p ransomware group disclosed the attack related to Cleo's exploited vulnerabilities three months later, on February 24.

Impact on TPRM
Black Kite's rapid tagging and risk assessment of the affected Cleo software enabled proactive defense measures for the company, demonstrating the value of timely third-party risk intelligence in mitigating potential supply chain fallout.
[Figure: An example of FocusTags applied to a vendor in Black Kite's platform, highlighting the present risks.]

Key Vulnerabilities and Weaknesses in Finance’s Vendor Ecosystem
Information Disclosure Risk
The financial sector depends on a broad range of third-party vendors to support key functions like infrastructure, compliance, and digital transformation. Alarmingly, 129 out of 140 vendors (92%) received a score of C, D or F in Information Disclosure, indicating a systemic issue in how these companies manage and expose sensitive technical information.
The vulnerabilities uncovered include:
- Public exposure of employee email addresses (phishing risk)
- Disclosure of software version numbers (vulnerability mapping)
- WHOIS misconfigurations revealing personal data
- Indexing of private directories and error messages leaking system internals
These are not “low-impact” issues. They provide a blueprint for attackers to plan phishing campaigns, target software-specific exploits, or map the vendor’s infrastructure—all of which can cascade into financial institutions that depend on them.
[Figure: Information Disclosure Scores for Vendors Serving Finance]
[Figure: Patch Management Scores for Vendors Serving Finance]
Patch Management Weaknesses
Patch Management is perhaps the clearest window into an organization’s operational maturity. Unfortunately, half of the most widely used vendors in the financial supply chain are still operating outdated or legacy systems.
This indicates that 65% of vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known CVEs and potentially unpatched zero-day vulnerabilities in legacy technologies.
This is particularly dangerous because financial institutions may be compliant themselves, yet still be indirectly vulnerable through service providers that do not patch actively or still rely on deprecated systems like IIS/7.5, Apache Struts, or outdated OpenSSL libraries.
Application Security Exposure
Web applications form the primary interface between vendor systems and their clients—including financial organizations. Weak application security often results in exploitable login flows, session mismanagement, and improper encryption practices.
Roughly 1 in 5 vendors still operate with major application-layer weaknesses, such as:
- Cleartext transmission of sensitive information
- Missing CSRF tokens
- Improper HTTP headers
- No brute-force or bot detection on login pages
For vendors providing services like client portals, reporting dashboards, and cloud-based finance apps, these weaknesses can serve as a direct entry point to financial systems and data.
[Figure: Application Security Scores for Vendors Serving Finance]
Credential Management Exposure
Credential leaks remain one of the most commonly exploited weaknesses in ransomware and phishing attacks. Encouragingly, only 7 of the 140 vendors received D–F scores, indicating that most vendors have acceptable practices in place for account hygiene.
However, given their high-profile clients in the finance sector, even a single compromised employee credential can enable attackers to escalate privileges or perform reconnaissance across sensitive systems.
This relatively strong performance suggests improved employee awareness and password hygiene, but it must be continuously monitored. Leaked credentials can appear months after a breach, and the absence of recent findings does not always imply security.
[Figure: Credential Management Scores for Vendors Serving Finance, split into D-F and A-B grade bands]
[Figure: Hacktivist Activity Scores for Vendors Serving Finance, split into D-F and A-B grade bands]
Hacktivist Shares
Hacktivist chatter is a proxy for reputation, visibility, and perceived weakness. 13 vendors were mentioned in dark web or underground forums with D–F grades, typically indicating leaked documents, exposed credentials, or direct mentions of their brand or infrastructure.
Even if these mentions don’t always involve active exploits, they signal intent and targeting from ideologically motivated or opportunistic attackers. Financial institutions using these vendors should pay special attention to third-party threat intelligence alerts.
Extended Risk Intelligence: Control-Based Findings
While category-level grades offer a broad view of vendor security posture, individual control failures reveal specific, targeted weaknesses that attackers actively exploit. For vendors most relied upon by the financial industry, these control-level findings highlight systemic risks across phishing, outdated infrastructure, and credential exposure.

Stealer Log Records
Finding: 39 vendors had employee credentials found in stealer logs.
Credential data harvested from information-stealing malware often appears months after the initial compromise and frequently includes access tokens or passwords for internal services.
Vendors with stealer data present a clear lateral movement risk if connected to critical bank infrastructure.

Missing DMARC Records
Finding: 19 out of 140 vendors lack a DMARC record.
Without a valid DMARC (Domain-based Message Authentication, Reporting & Conformance) policy, vendors are susceptible to domain spoofing and phishing attacks.
This allows attackers to impersonate these vendors in emails—undermining trust with financial institutions and their clients.
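As an added example (not part of the original report or Black Kite's tooling), the following Python evaluates the DMARC TXT records a vendor publishes at `_dmarc.<domain>` and grades each domain as enforcing, partial, weak, or failing. It goes slightly beyond the "missing record" finding above by also flagging `p=none`, partial `pct=` rollouts, relaxed subdomain policies, and missing aggregate-report addresses. The domains and records are constructed sample data; in practice the records would come from a DNS TXT lookup.

```python
# Constructed sample TXT records at _dmarc.<domain> (assumption: not real vendors).
SAMPLE_TXT = {
    "vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b.example": ["v=DMARC1; p=none; pct=100"],          # monitoring only
    "vendor-c.example": ["v=DMARC1; p=quarantine; pct=10; sp=none"],  # partial rollout
    "vendor-d.example": [],                                      # no record published
    "vendor-e.example": ["v=spf1 -all"],                         # wrong record type
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_dmarc(txt_records):
    """Return (grade, reasons) for the TXT records found at _dmarc.<domain>."""
    parsed = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if not parsed:
        return "fail", ["no DMARC record"]
    if len(parsed) > 1:
        return "fail", ["multiple DMARC records (receivers ignore all of them)"]
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", ["missing or invalid p= tag"]
    reasons = []
    if policy == "none":
        reasons.append("p=none: monitoring only, spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat an unparsable pct as 100
    if pct < 100:
        reasons.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        reasons.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports are not collected")
    grade = "weak" if policy == "none" else ("partial" if reasons else "enforcing")
    return grade, reasons

def summarize(domain_records):
    """Count vendor domains per grade, the figure a vendor-risk review would report."""
    counts = {"enforcing": 0, "partial": 0, "weak": 0, "fail": 0}
    for records in domain_records.values():
        counts[assess_dmarc(records)[0]] += 1
    return counts
```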

DNS Amplification
Finding: 51 vendors are vulnerable to DNS amplification DDoS attacks.
These systems can be abused as reflectors in volumetric DDoS (Distributed Denial of Service) attacks—either as victims or as unintentional participants.
This is especially concerning for cloud-hosted services used by multiple financial clients, risking service degradation or takedown.

Outdated / End-of-Life Systems
Finding: 31 vendors run end-of-life or unsupported systems.
EOL systems do not receive patches and violate most data protection regulations. They are also disproportionately targeted by attackers due to accumulated vulnerabilities.
Continued reliance on EOL technologies in the financial supply chain is a ticking time bomb for compliance and integrity.

Data Breach Exposure
Finding: 20 vendors are tied to previous data breaches
This metric highlights organizations with known data exposure histories—indicating weak historic security programs and a possible pattern of failure.
These vendors are more likely to experience repeat compromises unless they’ve demonstrably hardened their infrastructure.

Bot Attack Weakness
Finding: 30 vendors lack controls for brute-force or bot attacks on login forms.
This allows attackers to attempt password stuffing or DoS tactics against login interfaces, increasing the risk of unauthorized access.
For vendors with authentication services or financial logins, this is an unacceptable entry vector.

Cross-Site Request Forgery
Finding: 14 vendors are vulnerable to CSRF.
CSRF flaws enable attackers to trick authenticated users into executing actions without their intent, such as changing user data, modifying permissions, or initiating transactions.
If exploited, CSRF in a vendor’s system could propagate fraudulent actions back into banking systems.

Phishing Domains
Finding: 40 vendors are linked to phishing domains or suspicious URLs.
Black Kite threat intel crawlers detected the use of vendor brands or URLs in phishing campaigns—posing serious reputational and impersonation risks.
These vendors are already being exploited in the wild to deceive end users or target institutions.
These are not isolated issues.
These findings are not outliers. They are symptoms of deeper, systemic fragility. When 28% of vendors have employee credentials circulating in stealer logs, 22% still run outdated systems, and 36% can be abused for DDoS attacks, the conclusion is clear: the security posture of the financial sector’s extended ecosystem is crumbling.
No matter how well-defended a financial institution may be, a single exposed partner becomes the weak link that attackers exploit. Phishing domains, end-of-life technologies, bot-exploitable logins – these aren’t future threats. They’re present realities.
If financial institutions don’t act now by auditing, pressuring, and even replacing underperforming vendors, they’re not just managing risk, they’re absorbing it.
The perimeters have shifted. And so must the defense strategy.