April 11, 2026 Newsletter
New research from BitSight, highlighted by Cybersecurity Dive on November 6, 2025, draws a clean line between how well financial firms secure themselves and how poorly many of their technology vendors keep up.
The conclusion is straightforward: banks, insurers, and other financial institutions can harden their own environments all they want; if their vendors stay weak, the sector’s overall risk remains high.
What the Study Measured
BitSight analyzed more than 41,000 financial organizations and about 50,000 vendor relationships to understand how the sector and its suppliers compare on objective security signals.
The research firm scored both groups across 22 risk vectors, including:
Spam blocking
Open ports
Mobile application security
Endpoint security and patching cadence
Web application and transport-layer security
On 16 of those 22 risk vectors, suppliers performed worse than their financial-sector customers, with gaps up to 15 percentage points. Web app security, TLS configuration, and HTTP headers were among the weakest areas for vendors.
The study notes one exception: suppliers did better on some email and DNS protections, including:
DMARC
DKIM
DNSSEC
Those strengths align with the profile of large, tech-heavy providers that have already industrialized email and domain security.
Why Vendors Look Worse Than Their Financial Customers
Vendors often:
Hold more digital assets than any single customer
Absorb risk tied to the problems they are paid to solve
Present a larger, more complex attack surface, especially at scale
In other words, higher exposure is built into their business model. That does not excuse poor hygiene on fundamentals like patching, web application security, or secure configuration, but it explains why raw risk ratings skew lower for suppliers than for the financial firms they serve.
The report also surfaces a counter-intuitive pattern: suppliers monitored by more customers sometimes show slightly worse security performance. BitSight suggests this may be because these are the biggest vendors in the ecosystem, with the broadest product footprints and therefore the broadest attack surfaces.
Monitoring Gaps Inside the Financial Supply Chain
Financial firms are ahead of other industries in supply-chain visibility but still far from full coverage.
Key monitoring metrics from the study:
The average financial firm monitors only 36% of its vendors
Across all sectors, the average is 25% monitored suppliers
Unmonitored suppliers in the financial sector have roughly 3x more critical vulnerabilities than suppliers that are actively monitored.
Researchers call this out as a material third-party risk problem, given the regulatory pressure financial institutions already face around vendor oversight and incident accountability.
What This Means for Financial Institutions
The picture that emerges from the data:
Third-party cyber risk is now a primary exposure channel, not a secondary concern
Vendor performance often drags behind the customer’s own security posture
Limited monitoring coverage leaves blind spots exactly where attackers are likely to move next
For security, risk, and procurement leaders in finance, this translates into a few non-optional priorities:
Treat vendor ecosystems as an extension of the institution’s own infrastructure, not a separate problem
Tighten monitoring coverage beyond the current one-third of suppliers, driven by criticality and data access
Use objective, continuous ratings and telemetry to verify that key suppliers are maintaining baselines on patching, web app security, TLS, and configuration
Bake clear security expectations and evidence requirements into contracts, mapped to existing regulations and internal risk appetites
BitSight sums up the concern clearly: given the regulatory requirements and the level of exposure, financial institutions will not be comfortable discovering that many of their most important suppliers are systematically underperforming on security.
This research converts an intuitive worry into measurable reality: financial firms cannot assume their technology providers are “good enough” at security simply because they serve the sector.