2026 Financial Services Cybersecurity Report: Finance Now Faces a Two-Front Attack
202 Finance Ransomware Incidents in 2025. Vendor Critical CVEs Up 4.9x. Both Trends Are Accelerating.

by the Black Kite Research Group™
In 2025, the financial services sector confronted two escalating pressures simultaneously. Direct ransomware attacks rebounded sharply after a brief 2024 decline, with incidents climbing from 156 to 202, a 30% year-over-year increase. At the same time, the vendor ecosystem financial institutions depend on grew measurably more dangerous: vendors carrying critical-severity CVEs (CVSS 9+) nearly quintupled within the 140 vendors most concentrated in finance.
Two case studies define what that structural shift looks like in practice.
- Qilin's compromise of a single South Korean MSP cascaded into 32 financial institutions and more than 2 terabytes of stolen data.
- A SonicWall vulnerability at Marquis Software Solutions exposed up to 1.35 million customers across 74 or more U.S. financial institutions. The Ransomware Susceptibility Index™ (RSI™) had flagged Marquis at elevated risk one month before the breach.
The old model of strong banks and weak vendors no longer describes the full picture. This report documents how direct attacks and supply chain risk are now rising together, and what financial institutions should be doing to stay ahead of both.
This report is your blueprint for understanding why the gap between heavily regulated financial institutions and the vendors that serve them, who face no comparable compliance pressure, has become the most exploitable seam in the threat landscape, and how the institutions maintaining resilience in 2026 are operating differently.
Key Findings From the 2026 Financial Services Cybersecurity Report
Finance Ransomware Rose 30% in 2025. Q1 2026 Is Already Up 76%
After a brief reprieve driven by law enforcement pressure on dominant groups, direct ransomware attacks on financial institutions rebounded sharply. Incidents climbed from 156 in 2024 to 202 in 2025, reversing the prior year's decline. Early 2026 data reinforces the trend: 65 finance-sector incidents were recorded in Q1 alone, a 76% increase over Q1 2025.
One Compromised MSP Cascaded Into 32 Financial Institutions and More Than 2TB of Stolen Data
The Korean Leaks campaign exposed the concentrated fragility of the sector's vendor dependencies. By gaining access to a single managed service provider, GJTec, Qilin used its standing privileged credentials to move laterally into 32 South Korean financial institutions without breaching each independently, extracting over one million files and more than 2 terabytes of data.
Qilin Claimed 59 Finance-Sector Victims After Dominant Groups Were Disrupted
The dismantlement of major ransomware groups redistributed threat capacity. LockBit and ALPHV/BlackCat fell from 61 combined finance-sector incidents in 2023 to 16 in 2024 following coordinated enforcement actions. Operators rebuilt fast. By 2025, Qilin had claimed 59 finance-sector victims, and the total number of distinct groups targeting finance had grown from 37 to 48.
Finance Vendor Critical CVEs Grew From 15 to 73 in a Single Year
Critical vulnerability exposure across the vendor ecosystem accelerated rather than drifted. Vendors carrying CVSS 9+ vulnerabilities grew 4.9x in a single year, from 15 to 73. Vendors with high-severity exposure (CVSS 8+) nearly tripled, from 31 to 87. Among the Top 20 vendors most relied upon by financial institutions, 12 of 20 now carry critical-severity CVEs, up from 9 a year ago.
54% of Finance's Core Vendors Carry an Actively Exploited CISA KEV Vulnerability
76 of the 140 vendors most concentrated in finance carry at least one CISA Known Exploited Vulnerability, meaning the exposure has been confirmed in real-world attacks. That share has more than doubled since the previous edition of this report. For institutions conducting third-party risk reviews, a KEV-tagged vendor represents an active threat already weaponized elsewhere.
Patch Management Failures Appear in 109 of 140 Finance Vendors
109 of 140 vendors (78%) show at least one critical-level patch management failure, more than any other control category measured. The same exposure spans 50.2% of the broader ecosystem of 17,000+ finance-related vendors. Misconfigured email authentication compounds the picture: 47 vendors carry misconfigured DMARC records, and 37 carry misconfigured DKIM.
- 202: ransomware incidents targeting financial institutions in 2025 (+30% YoY)
- 65: finance-sector incidents in Q1 2026 alone (+76% vs. Q1 2025)
- 4.9x: increase in vendors carrying critical CVEs (CVSS 9+), from 15 to 73 in one year
- 54%: 76 of 140 core finance vendors carry at least one CISA KEV-listed vulnerability
- 78%: 109 of 140 core finance vendors have critical-level patch management failures
- 2+ TB: 1 compromised MSP cascaded into 32 financial institutions and 2+ TB of stolen data
- 1.3M: Marquis Software breach exposed up to 1.35 million customers across 74+ U.S. institutions
The Ransomware Ecosystem Fragmented After Disruption and Emerged More Dangerous
LockBit and ALPHV Fell in 2024. New Groups Rebuilt Faster and Pushed 2025 Incident Volume Higher
The 2024 decline traced directly to coordinated enforcement:
- The FBI dismantled ALPHV/BlackCat in December 2023.
- Operation Cronos seized LockBit's infrastructure in February 2024.
Together those two groups fell from 61 finance incidents in 2023 to 16 in 2024. The operators dispersed rather than retired: by 2025, successor groups had not only reclaimed the volume but restored concentration. The top three groups now account for 42.6% of finance-sector activity.
48 Threat Actor Groups Targeted Finance in 2025
The number of distinct groups operating against financial institutions grew every year.
More actors operating simultaneously means a higher baseline of activity, a broader set of entry vectors, and no single disruption capable of collapsing the ecosystem the way the LockBit takedown did. The 2025 rebound to 202 incidents happened with more actors than ever before.
Investment Firms Displaced Banks as Finance's Most-Targeted Subindustry in 2025
Banks, the most-targeted subindustry in 2023 with 71 incidents, fell to 36 by 2025. Investment firms nearly doubled from 44 to 84 incidents, accounting for 41.6% of all finance-sector disclosures. Part of that increase reflects the Korean Leaks campaign, which contributed 32 of the 84 investment-firm incidents. The shift in attacker targeting predates and extends beyond that single campaign.
South Korea Recorded 32 Finance Ransomware Incidents in 2025. Zero the Year Before
The United States held the largest share of finance-sector targets every year tracked.
South Korea recorded zero finance-sector disclosures in both 2023 and 2024, then recorded 32 in 2025. Nearly all fell in a single month, nearly all from Qilin's campaign against one managed service provider.
The incident illustrates how vendor concentration can transform an entire national financial sector into a single attack surface.
Finance's Vendor Ecosystem Grew More Vulnerable at Every Layer in 2025
Finance's Top 20 Vendors Carry Four Times the C-Band Cyber Rating Share of the Broader Ecosystem
Security posture degrades with proximity to the financial sector. Across the broader sample of 17,000+ finance-related vendors, 60% earn an A-band Cyber Rating. Within the 140 most concentrated vendors, that share falls to 36%. Among the Top 20 most relied-upon vendors, only 32% reach the A band, while 11% fall into the C band. That is four times the C-band share of the broader ecosystem.
Confirmed Breaches Across 140 Vendors Grew From 6 to 39
Topline RSI™ scores held broadly steady across vendor pools, but breach history accelerated. Within the 140 vendors, confirmed breaches climbed from 6 to 39 in twelve months. Among the Top 20, the number with a confirmed breach rose from 1 to 7, a sevenfold increase in the segment carrying the highest exposure sensitivity. The cyber risk intelligence gap between stable scores and rapidly expanding breach records is the defining tension in this year's data.
57.9% of Finance's Core Vendors Already Have Attacker Phishing Infrastructure Targeting Them
Control-level findings reveal active threat indicators, not just theoretical exposure:
- 57.9% carry active phishing infrastructure already impersonating those vendors
- 46.4% show signs of communication with known malicious IP addresses
- 42.1% have employee credentials in stealer logs
These are not latent risks. They are confirmed signals that finance's core vendors are already embedded in attacker workflows.
Marquis Software's RSI™ Flagged 11.6x Elevated Attack Likelihood One Month Before the Breach
One month before the August 2025 attack, Marquis Software Solutions carried an RSI™ of 0.437, sitting above both the broader vendor sample average (0.351) and the 140-vendor finance average (0.404). The institutions running continuous monitoring against that score had a materially different window to act than those waiting on the breach notification, which arrived 10+ weeks after initial intrusion.
The 2026 Financial Services Data Makes the Case for Predictive Vendor Defense
Map Every Nth-Party Dependency Before the Next Vendor Compromise Reveals One You Didn't Know You Had
Korean Leaks and Marquis Software share a root cause: incomplete visibility into the vendor relationships that ultimately created the exposure. Nth-party visibility, mapping the vendors your vendors depend on, is the precondition for every other action a third-party cyber risk management program takes.
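The Nth-party mapping described above can be expressed as a graph problem: walk each institution's direct vendors, then the vendors those vendors depend on, and count how many institutions every node is reachable from. The script below is an added example written for this page, not Black Kite's code; the institutions, vendors and the shared MSP in its dependency graph are constructed placeholders. It surfaces two things the paragraph calls for: dependencies an institution only has at the second tier or deeper (the vendor "you didn't know you had"), and vendors whose compromise would cascade into many institutions at once, the pattern the Korean Leaks case illustrates.

```python
"""Nth-party dependency mapping and concentration analysis.

Added example for illustration; not Black Kite's implementation.
All names in DEPENDENCIES are constructed placeholders.
"""
from collections import defaultdict, deque

# Constructed graph: each node lists the vendors it depends on directly.
# "bank_*" nodes are the institutions; everything else is a vendor.
# "msp_shared" is a hypothetical managed service provider that no bank
# contracts with directly, yet every bank depends on it transitively.
DEPENDENCIES = {
    "bank_A": ["core_banking_sw", "cloud_host"],
    "bank_B": ["core_banking_sw", "payments_gw"],
    "bank_C": ["payments_gw"],
    "bank_D": ["wealth_platform"],
    "core_banking_sw": ["msp_shared"],
    "payments_gw": ["msp_shared", "cloud_host"],
    "wealth_platform": ["msp_shared"],
    "cloud_host": [],
    "msp_shared": [],
}
INSTITUTIONS = ["bank_A", "bank_B", "bank_C", "bank_D"]


def transitive_vendors(root, deps):
    """Breadth-first walk from `root`; returns {vendor: shortest tier depth}.
    Depth 1 is a third party, depth 2 a fourth party, and so on."""
    seen = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for child in deps.get(node, []):
            if child not in seen:          # keep the shortest path depth
                seen[child] = depth + 1
                queue.append((child, depth + 1))
    return seen


def hidden_dependencies(institution, deps):
    """Vendors the institution reaches only through other vendors (depth >= 2).
    These never appear in its own contract list, so a direct-vendor-only
    review cannot see them."""
    return {v: d for v, d in transitive_vendors(institution, deps).items() if d >= 2}


def concentration(institutions, deps):
    """For every vendor, which institutions reach it directly or transitively."""
    reach = defaultdict(set)
    for inst in institutions:
        for vendor in transitive_vendors(inst, deps):
            reach[vendor].add(inst)
    return {v: sorted(i) for v, i in reach.items()}


def single_points_of_failure(institutions, deps, threshold):
    """Vendors whose compromise would touch at least `threshold` institutions,
    as (vendor, blast_radius) pairs sorted by blast radius, largest first."""
    reach = concentration(institutions, deps)
    hits = [(v, len(i)) for v, i in reach.items() if len(i) >= threshold]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for inst in INSTITUTIONS:
        print(inst, "hidden nth-party deps:", hidden_dependencies(inst, DEPENDENCIES))
    print("single points of failure (>=3 institutions):",
          single_points_of_failure(INSTITUTIONS, DEPENDENCIES, 3))
```

On the constructed graph the shared MSP reaches all four institutions while appearing in none of their direct vendor lists, which is exactly why the report treats Nth-party visibility as the precondition for everything else. In practice the graph would be populated from vendor questionnaires, SOC 2 subservice-organization lists and observed hosting or DNS relationships rather than typed in by hand.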
Replace Annual Reviews With Continuous Monitoring. Vendor Exposure Can Quadruple in 12 Months.
Inside twelve months, the 140-vendor pool's exposure profile changed fundamentally:
- Vendors carrying critical CVEs grew 4.9x
- KEV-tagged vendors more than doubled
- Confirmed breaches climbed sixfold
A vendor that earned a clean rating at last year's review may carry an actively exploited weakness today. Continuous, automated monitoring across Black Kite's 20 risk categories surfaces those changes when they happen, not at the next assessment window.
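The report's KEV finding and the continuous-monitoring recommendation above come down to the same check: classify each vendor's open CVEs by CVSS severity and KEV status, and compare today's result against the last review so that a vendor that was clean then and is exploited now is flagged immediately. The script below is an added example written for this page, not Black Kite's platform logic; the vendor names, CVE identifiers and the KEV set are constructed placeholders, not real catalogue entries, and in a real deployment the KEV set would be loaded from CISA's published catalogue.

```python
"""Vendor exposure snapshot diff: CVSS tiers, KEV status, and what changed.

Added example for illustration; not Black Kite's implementation.
CVE ids, vendor names and the KEV set below are constructed placeholders.
"""
CRITICAL = 9.0   # the report's "critical" tier: CVSS 9+
HIGH = 8.0       # the report's "high" tier: CVSS 8+

# Constructed stand-in for the CISA KEV catalogue (placeholder ids).
KEV = {"CVE-0000-1001", "CVE-0000-1003"}

# Constructed snapshots: vendor -> {cve_id: cvss_base_score}
LAST_REVIEW = {
    "vendor_alpha": {"CVE-0000-1000": 7.5},
    "vendor_beta": {},
    "vendor_gamma": {"CVE-0000-1002": 9.8},
}
TODAY = {
    "vendor_alpha": {"CVE-0000-1000": 7.5, "CVE-0000-1001": 9.1},  # new critical, on KEV
    "vendor_beta": {"CVE-0000-1003": 8.2},                         # new high, on KEV
    "vendor_gamma": {},                                            # patched since review
}


def classify(cves, kev):
    """Severity tier and KEV status for one vendor's open CVEs."""
    max_score = max(cves.values(), default=0.0)
    return {
        "max_cvss": max_score,
        "critical": max_score >= CRITICAL,
        "high": max_score >= HIGH,
        "kev": any(cve in kev for cve in cves),
    }


def summarize(snapshot, kev):
    """Counts in the report's categories: vendors with critical, high and KEV exposure."""
    counts = {"critical": 0, "high": 0, "kev": 0}
    for cves in snapshot.values():
        c = classify(cves, kev)
        for key in counts:
            counts[key] += int(c[key])
    return counts


def prioritize(snapshot, kev):
    """Review order: KEV-tagged vendors first, then by highest CVSS, then by name."""
    ranked = [(v, classify(c, kev)) for v, c in snapshot.items()]
    ranked.sort(key=lambda item: (not item[1]["kev"], -item[1]["max_cvss"], item[0]))
    return [v for v, _ in ranked]


def diff_snapshots(before, after, kev):
    """Vendors whose posture worsened since the last review, with the reasons.
    A vendor that was clean at review time and is KEV-tagged today shows up here;
    an annual cadence would not see it until the next window."""
    alerts = []
    for vendor in sorted(set(before) | set(after)):
        b = classify(before.get(vendor, {}), kev)
        a = classify(after.get(vendor, {}), kev)
        reasons = []
        if a["kev"] and not b["kev"]:
            reasons.append("now carries a KEV-listed CVE")
        if a["critical"] and not b["critical"]:
            reasons.append("new critical (CVSS 9+) CVE")
        elif a["high"] and not b["high"]:
            reasons.append("new high (CVSS 8+) CVE")
        if reasons:
            alerts.append((vendor, reasons))
    return alerts


if __name__ == "__main__":
    print("last review:", summarize(LAST_REVIEW, KEV))
    print("today:      ", summarize(TODAY, KEV))
    print("review order:", prioritize(TODAY, KEV))
    for vendor, reasons in diff_snapshots(LAST_REVIEW, TODAY, KEV):
        print(f"ALERT {vendor}: {'; '.join(reasons)}")
```

Run against a live feed, `diff_snapshots` is the function worth scheduling: it turns a static list of vendor CVEs into a stream of posture changes, and the KEV test is what separates a vendor with a theoretical weakness from one already being exploited in the wild.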
Surface Affected Vendors the Moment a New Vulnerability Is Disclosed, Before the Vendor Knows It
Over 48,000 CVEs were published globally in 2025, an 18% increase, and AI-assisted discovery tools entering in 2026 are positioned to accelerate that volume further. The 2026 Supply Chain Vulnerability Report documents how FocusTags® surface the precise vendors in an institution's ecosystem affected by each new disclosure, often before the vendor has issued its own advisory.
Centralize Vendor Engagement So Fast Detection Leads to Fast Resolution
Identifying a vendor vulnerability is only the first step. The Bridge™ replaces email threads and manual follow-up with a centralized workspace where vendors receive asset-level findings, see real-time ratings impact, and respond directly to outstanding items. The result is a single auditable view of remediation progress across the full vendor ecosystem.
Translate Vendor Cyber Risk Into Probable Financial Exposure So Boards and Regulators Act on It
Boards do not act on technical scores. They act on financial exposure. Black Kite's Financial Cyber Risk Quantification, built on Open FAIR™ modeling, translates each vendor's cyber posture into probable financial impact denominated in dollars, bridging the gap between technical findings and the executive conversations that determine remediation priority and budget.
Automate DORA, GLBA, and FFIEC Compliance Mapping So Vendor Evidence Review Takes Minutes, Not Weeks
Black Kite's AI-powered assessments read vendor documentation including SOC 2 reports and questionnaires, extract verbatim evidence, identify gaps, and map findings directly to the regulatory frameworks (DORA, GLBA, FFIEC, NYDFS, PCI-DSS, and more) against which financial institutions are held. What previously took analysts weeks resolves in minutes.
How Black Kite Built the 2026 Financial Services Cybersecurity Report
Three Years of Verified Finance-Sector Ransomware Disclosures
The ransomware dataset draws from public extortion sites and verified incident records, covering only confirmed victims where both encryption and data exfiltration were verified and attribution to a known group was clearly established. To prevent data inflation, chain and network attacks were counted as a single incident unless distinct disclosures existed.
The 140-Vendor Pool Had One Qualification: 10% or More Revenue From Financial Clients
Vendor selection was governed by a single threshold: any vendor whose client base includes at least 10% financial sector customers qualified for the 140-vendor pool. The Top 20 represents the vendors most relied upon by financial institutions, ranked by breadth of financial-sector customer base. The broader sample of approximately 17,000 vendors represents companies actively monitored by Black Kite's financial sector customers, serving as a representative baseline.
Insurance Carriers (NAICS 524) Were Excluded. Insurance Benefit Funds Were Retained
Industry classifications align to NAICS codes for analytical consistency. Code 524 was excluded due to its structural and regulatory segmentation from the core financial sector. Code 5251 was retained, as these entities function as financial investment mechanisms. 52 NAICS codes were reviewed in total.
Pre- and Post-Incident Posture Assessments Power the RSI™ Predictive Analysis
The Black Kite platform assessed each organization's posture at pre-incident and post-incident windows, enabling comparative susceptibility analysis. The findings reflect only publicly disclosed ransomware incidents and observable vendor risk indicators. The figures presented represent a conservative lower bound of systemic third-party risk exposure in the financial sector.