The Other Front: Third-Party Risk, Topline Metrics

Direct ransomware attacks on the financial sector are rising again, but they describe only one of the two pressures the industry now faces.

The second is structural and harder to see in headline incident counts. The third-party ecosystem on which financial institutions depend has grown measurably more vulnerable in the past year.

How Vulnerable Is the Vendor Ecosystem Serving Finance?

We analyzed three vendor populations:

  1. A representative sample of more than 17,000 third-party vendors monitored by Black Kite's financial customers;
  2. The 140 vendors whose client base is meaningfully concentrated in finance;
  3. The Top 20 vendors most relied upon by financial institutions.

These vendors include software publishers, IT and computer systems providers, business support services, and specialized technical service firms.

We assessed the financial sector's vendor ecosystem across two layers:

  1. Black Kite's core scoring metrics and other topline indicators, which describe each vendor's overall security posture (covered in this section)
  2. The specific control-level findings that surface where weaknesses are most concentrated (covered in section 5: Vendor Posture)

Here’s what we found.

Black Kite’s Metrics, Explained

Cyber Rating (1–100, A–F)

A composite score across 20 risk categories, ranging from application security and DDoS resilience to credential management and information disclosure, that captures a vendor's external cyber hygiene and overall cybersecurity posture and translates it into a defensible letter grade.

Ransomware Susceptibility Index® (RSI™), 0.0–1.0

A forward-looking score that estimates the probability of a vendor experiencing a ransomware incident, derived from technical signals known to correlate with ransomware events. The score combines vulnerability exposure, credential leakage, email authentication weaknesses, and active threat indicators into a single 0.0–1.0 value.

Data Breach Index (DBI), 0.0–1.0

A historical metric that captures the frequency and scale of past breach incidents recorded against the vendor.

Cyber Ratings of Vendors Serving the Financial Industry

The Cyber Rating distribution looks reassuring at first glance, and weakens the closer a vendor's business sits to the financial sector.

  • Across the full 17,000-vendor sample, 60% sit in the A band (A+, A, or A−), 37% in the B band, and only 2.6% in the C band.
  • Within the 140 vendors, the picture shifts: roughly 36% reach the A band, 55% sit in the B band, and the C band rises to 9.2%.
  • Among the Top 20 vendors, only 32% earn an A-band rating, while 58% sit in the B band and 11% fall into the C band.

The vendors financial institutions rely on most (the Top 20) carry roughly four times the C-band share of the broader 17,000-vendor sample (11% against 2.6%).

A Deeper Dive: Ransomware Susceptibility, Data Breach History, and Critical Vulnerability Exposure

How Finance Vendors Score on Black Kite's Core Risk Metrics

Metric                                        Top 20       140 Vendors   Larger Sample (17,000)
Ransomware Susceptibility Index (RSI)         0.388        0.404         0.351
Data Breach Index (DBI)                       0.150        0.195         0.074
High-severity vulnerabilities (CVSS ≥ 8)      13 (65.0%)   87 (62.1%)    50.2%
Critical-severity vulnerabilities (CVSS ≥ 9)  12 (60.0%)   73 (52.1%)    30.1%
Data breach recorded                          7 (35.0%)    39 (27.9%)    13.7%

RSI and DBI are pool averages on a 0.0–1.0 scale. For the vulnerability and breach rows, the count is the number of vendors in the pool and the percentage is their share of it; the 17,000-vendor sample is reported as a share only.

Critical Vulnerabilities Are Climbing

Critical exposure deepens with proximity to the financial sector.

  • Across the full 17,000-vendor sample, 50.2% carry high-severity CVEs (CVSS ≥ 8) and 30.1% carry CVSS ≥ 9 vulnerabilities today.
  • Within the 140 vendors, those shares rise to 62% and 52%, and the change in a single year has been sharp: vendors with CVSS ≥ 8 exposure nearly tripled, from 31 to 87, and vendors with CVSS ≥ 9 exposure rose almost fivefold, from 15 to 73.
  • Among the Top 20 vendors most relied upon by financial institutions, the picture is worse still: 13 of 20 carry CVSS ≥ 8 vulnerabilities (up from 10 a year ago) and 12 of 20 carry CVSS ≥ 9 (up from 9).

The closer a vendor sits to the financial sector, the heavier its critical vulnerability load.

RSI Held While Exposure Grew

Topline scoring metrics across the three vendor pools held broadly steady, even as the vulnerability counts above grew.

  • Across All Vendors, the average Ransomware Susceptibility Index® (RSI™) sits at 0.351 today.
  • The 140 vendors averaged 0.404, easing slightly from 0.437 a year ago. Cyber Rating in the 140-vendor pool remained at 87 (B+).
  • The Top 20 moved only marginally from 0.387 to 0.388.

Figure: What an RSI Score Actually Means: Ransomware Likelihood by Risk Value (chart not reproduced in this text)

Figure: Ransomware Susceptibility Index® (RSI™) Distribution for Vendors Serving Finance (chart not reproduced in this text)

Patch Management: The Most Common Weakness in the Pool

Patch management is the single most prevalent weakness across the 140 vendors serving the financial sector.

Vendors with Patch Management Failures

109 vendors (78%) show at least one critical-level patch management failure, more than any other control measured across the ecosystem.

In practice this means the vendor's external footprint shows an outdated or unpatched version of a software component for which a known, severe vulnerability has already been published: the fix exists and has not been applied.

Active Exploitation in the Vendor Pool

CISA's Known Exploited Vulnerabilities (KEV) catalog lists CVEs for which CISA has confirmed exploitation in the wild; an entry is added only on evidence of active exploitation, and each carries a remediation due date that U.S. federal agencies are bound to. A KEV-tagged vendor is therefore exposed to a threat that defenders elsewhere have already encountered, not a theoretical one.

Vendors with Exploited Vulnerabilities

76 (54%) of the 140 vendors serving finance carry at least one vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

  • For financial institutions, a KEV-tagged vendor in the supply chain represents an elevated risk because the same exposure has been weaponized against other organizations, and the vendor has not yet remediated it.
  • This share has more than doubled since the previous edition of this report, reflecting the broader expansion of vendor-side exposure in the past year.

Critical Vulnerabilities Have Multiplied

CVSS base scores measure the technical severity of a vulnerability, not whether anyone is exploiting it. This report's CVSS ≥ 8 bucket sits inside the CVSS v3 High band (7.0–8.9), so it is a stricter cut than "High" alone; CVSS ≥ 9 is the Critical band (9.0–10.0), where unauthenticated, network-reachable, low-complexity issues typically land.

Vendors with High and Critical CVEs, 2024 vs 2025 (140-vendor pool)

                                        2024    2025    Increase
Vendors with High CVEs (CVSS ≥ 8)       31      87      +56 (2.8×)
Vendors with Critical CVEs (CVSS ≥ 9)   15      73      +58 (4.9×)

Vendors carrying CVEs with CVSS ≥ 8 climbed from 31 to 87, and those exposed to vulnerabilities with CVSS scores of 9 or higher rose from 15 to 73 in a single year.

  • The nearly fivefold rise in vendors carrying CVSS ≥ 9 vulnerabilities means that the most severe class of exposure is no longer rare in the financial sector's vendor base; it is widespread.
  • For institutions performing third-party risk reviews, this shift means that point-in-time scoring is no longer sufficient. The exposure surface itself is moving faster than annual review cycles.

The CVE Volume Problem Is Accelerating – And the Gap is Widening

AI-assisted vulnerability discovery tools, which reached the market in 2026, change the arithmetic.

Over 48,000 CVEs were published globally in 2025 alone, an 18% year-on-year increase, and these tools are positioned to accelerate that volume rather than reduce it. For the 2026 Supply Chain Vulnerability Report, Black Kite Research Group flagged 1,240 of the 2025 CVEs as high-priority for third-party risk, a 59% increase from 780 in 2024; roughly 800 of those 1,240 had already been exploited in the wild.

The operational implication for financial institutions is direct.

A vendor pool already showing a fivefold rise in critical-severity exposure in twelve months will not be manageable through patch coverage alone. The gap between disclosure volume and remediation capacity widens with each cycle.

This is where prioritization becomes the determining variable.

The financial institutions that maintain resilience will be those that can identify, within the daily flow of new disclosures, the small subset of vulnerabilities that are both actively exploited and present in their vendor ecosystem.

  • Black Kite's prioritization framework filters CVE volume down to the high-probability, high-impact zone using exploitability scoring (EPSS, FIRST's Exploit Prediction Scoring System, which estimates the probability that a CVE will be exploited in the wild within the next 30 days), active threat actor targeting, OSINT discoverability, and FocusTag® matching against the vendor list an institution actually depends on.
  • Applied at scale across 2025, this funnel reduced the 48,000+ global disclosures to 329 OSINT-discoverable vulnerabilities flagged with FocusTags®, and within those, 58 "Code Red" CVEs carrying an EPSS exploitation probability above 60%.

The framework converts a deluge into a decision-ready list. Read the 2026 Supply Chain Vulnerability Report for more details.
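The funnel described above, and the KEV and CVSS exposure figures earlier in this section, both come down to one operation: join a vulnerability feed against the vendor list an institution actually depends on, then rank what remains by evidence of exploitation rather than by raw severity. The following is an added example written for this page, not Black Kite's code or framework. The CVE identifiers, vendor names, scores, and the tier ordering (KEV first, then EPSS above 0.60, then the CVSS bands the report uses) are constructed assumptions; a real run would take CVSS from NVD, EPSS from FIRST, and KEV membership from CISA's catalog.

```python
"""Prioritisation funnel: which vendor-side CVEs deserve attention this week?

Added example for this page (not Black Kite's code). Joins a vulnerability feed
against the institution's own vendor list and ranks what remains by evidence of
exploitation rather than by raw severity. All identifiers and scores below are
constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float          # CVSS v3.x base score, 0.0-10.0 (e.g. from NVD)
    epss: float          # EPSS: probability of exploitation within 30 days (FIRST)
    in_kev: bool         # listed in CISA's Known Exploited Vulnerabilities catalog
    vendors: frozenset   # vendors whose observed external footprint exposes it


HIGH_CVSS = 8.0          # the report's "high-severity" cut-off
CRITICAL_CVSS = 9.0      # start of the CVSS Critical band
CODE_RED_EPSS = 0.60     # the report's "Code Red" EPSS cut-off

# Tier order is this example's assumption: confirmed exploitation (KEV) first,
# then high predicted exploitation, then severity alone.
TIER_RANK = {"KEV": 0, "CODE_RED": 1, "CRITICAL": 2, "HIGH": 3, "WATCH": 4}


def tier(rec: CveRecord) -> str:
    if rec.in_kev:
        return "KEV"
    if rec.epss > CODE_RED_EPSS:
        return "CODE_RED"
    if rec.cvss >= CRITICAL_CVSS:
        return "CRITICAL"
    if rec.cvss >= HIGH_CVSS:
        return "HIGH"
    return "WATCH"


def prioritise(records, my_vendors):
    """Return [(cve_id, tier, affected_vendors)] for CVEs touching my_vendors,
    most urgent first. CVEs on vendors we do not use are dropped entirely."""
    mine = frozenset(my_vendors)
    hits = []
    for rec in records:
        affected = rec.vendors & mine
        if affected:                       # the vendor-match step of the funnel
            hits.append((rec, tier(rec), sorted(affected)))
    hits.sort(key=lambda h: (TIER_RANK[h[1]], -h[0].epss, -h[0].cvss, h[0].cve_id))
    return [(rec.cve_id, t, vs) for rec, t, vs in hits]


def vendor_exposure(records, my_vendors):
    """Per-vendor flags mirroring the report's table: any CVSS>=8, any CVSS>=9,
    any KEV entry, and the highest EPSS seen on that vendor."""
    summary = {v: {"high": False, "critical": False, "kev": False, "max_epss": 0.0}
               for v in my_vendors}
    for rec in records:
        for v in rec.vendors & frozenset(my_vendors):
            s = summary[v]
            s["high"] = s["high"] or rec.cvss >= HIGH_CVSS
            s["critical"] = s["critical"] or rec.cvss >= CRITICAL_CVSS
            s["kev"] = s["kev"] or rec.in_kev
            s["max_epss"] = max(s["max_epss"], rec.epss)
    return summary


def share(summary, flag):
    """Fraction of vendors with the given flag set, as in the report's table."""
    return sum(1 for s in summary.values() if s[flag]) / len(summary)


# Constructed feed: placeholder CVE IDs and vendor names, not real entries.
FEED = [
    CveRecord("CVE-2099-0001", 9.8, 0.92, True,  frozenset({"Vendor-A", "Vendor-C"})),
    CveRecord("CVE-2099-0002", 8.8, 0.71, False, frozenset({"Vendor-B"})),
    CveRecord("CVE-2099-0003", 8.1, 0.04, False, frozenset({"Vendor-A"})),
    CveRecord("CVE-2099-0004", 7.5, 0.65, False, frozenset({"Vendor-Z"})),  # not ours
    CveRecord("CVE-2099-0005", 9.9, 0.02, False, frozenset({"Vendor-D"})),
    CveRecord("CVE-2099-0006", 6.5, 0.01, False, frozenset({"Vendor-B"})),
]
MY_VENDORS = ["Vendor-A", "Vendor-B", "Vendor-C", "Vendor-D"]

if __name__ == "__main__":
    for cve_id, t, vendors in prioritise(FEED, MY_VENDORS):
        print(f"{t:9} {cve_id} -> {', '.join(vendors)}")
    exp = vendor_exposure(FEED, MY_VENDORS)
    print(f"vendors with CVSS>=8: {share(exp, 'high'):.0%}, CVSS>=9: "
          f"{share(exp, 'critical'):.0%}, KEV: {share(exp, 'kev'):.0%}")
```

The ordering is the point: CVE-2099-0005, the highest CVSS in the constructed feed, lands third because nothing in the feed says it is being exploited, while CVE-2099-0002 scores lower on CVSS but clears the 0.60 EPSS cut. CVE-2099-0004 never appears at all, since it sits on a vendor the institution does not use. `vendor_exposure` and `share` reproduce the per-pool percentages of the kind shown in this section's table, so the same join answers both "what do I patch-chase this week" and "how exposed is my vendor pool".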

Sometimes a single vendor breach is enough to compromise an entire national financial sector.

The next section documents exactly how that happened in South Korea.
