In 2026, the financial sector faces a threat landscape defined by escalating geopolitical fragmentation, most notably the spillover of the Iran conflict into cyber space, and increasingly sophisticated supply chain attacks that have made traditional perimeter defence models obsolete. Cyber criminals and state-aligned actors no longer waste their resources attempting to breach heavily fortified Tier-1 banks directly. Instead, they are systematically targeting the sector's soft underbelly: the shared cloud infrastructures, KYC and payment infrastructure providers, open-source dependencies, and even more remote nth-party vendors that quietly form the backbone of the financial sector’s supply chain ecosystem.
This changing reality has triggered a fundamental paradigm shift in regulatory expectations. Frameworks such as the EU’s Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience regime are no longer just concerned with individual compliance and resilience. The true intent of regulators is also to amass detailed supplier data from industry participants to map the wider supply chain ecosystem of the sector as a whole. The intention behind this aggregation of supply chain data is to identify hidden Single Points of Failure (SPOFs) and systemic concentration risks that could threaten market stability—risks that would remain invisible to individual firms working in isolation. But this will take time that financial firms may not have.
Individual organisations do not have to wait for that, however: they can map this ecosystem themselves by shifting towards a collective intelligence approach to supply chain cyber resilience. As demonstrated in a recent collaborative pilot project by Risk Ledger involving six leading financial institutions, structured cooperation between the TPRM and cyber security teams of firms within the same industry, combined with network-based mapping, provides a viable solution. By securely overlaying their supply chain data, the cohort mapped nearly 1,300 dependencies and uncovered 47 hidden systemic concentration risks, including highly critical yet smaller and previously unnoticed nth-party vendors shared across the group. None of these risks would have been visible to any single firm acting alone.
To survive the 2026 threat landscape and meet the true intent of modern operational resilience regulations, the financial sector must abandon isolated defence strategies. True resilience now requires the industry to map the hidden web together.
For years, the financial sector operated under a comforting illusion: if you build the walls high enough and fortify the perimeter, the citadel will hold. But the geopolitical shocks and digital transformations of 2025 and early 2026 have decisively shattered that paradigm. Today, building a fortress is entirely irrelevant if the external foundation it rests upon is quietly compromised.
As geopolitical fragmentation accelerates, cyberspace has become the primary theatre for asymmetric warfare. We are seeing this play out in real time with the recent spillover of the Iran conflict into the digital realm. Highly resourced, state-aligned threat actors are increasingly deploying destructive wipers and pseudo-ransomware, but they are no longer wasting their efforts on the heavily defended front doors of Tier-1 banks. Instead, they are targeting the shared cloud infrastructures, IT management tools, and niche third-party and nth-party vendors that those banks rely on for their daily operations. They understand a fundamental truth: the most critical and most easily exploitable vulnerabilities no longer lie within the institutions themselves, but deep within their extended, largely invisible supply chains.
The reality of 2026 is that risk is no longer linear; it is highly systemic. Because the financial sector relies heavily on many shared suppliers, a single compromised supplier can trigger a cascading shockwave across the entire global market.
This article explores this new era of interconnected supply chains and the risks emanating from them in 2026. In the following sections, we will examine the shifting tactics behind the recent surge in supply chain attacks and unpack the sweeping paradigm shift in operational resilience regulations, such as the EU's DORA and the UK’s regulatory frameworks for the financial sector. We will look especially at the true intent behind these regulations, why isolated, proprietary risk management strategies are failing, and how collaborative supply chain mapping is the only viable path to uncovering the hidden concentration risks that threaten the stability of the financial ecosystem.
For threat actors, launching a direct frontal assault on a Tier-1 financial institution is a low-yield, high-risk endeavour. Banks have spent the last decade building formidable internal cyber security apparatuses, deploying advanced endpoint detection, and implementing zero-trust architectures. Recognising this, cyber criminals and state-sponsored groups have fundamentally shifted their tactics. They are no longer trying to break down the front door; they are walking in through the sector’s complex external dependencies.
This "soft underbelly" consists of the countless third-, fourth-, and nth-party suppliers, from niche IT service providers and cloud-native management platforms to the open-source libraries that form the building blocks of modern financial software.
The events of 2025 and early 2026 have illustrated this growing risk factor. We have witnessed a rapid rise in cloud-native exploitation groups, such as TeamPCP, which specialise in compromising shared cloud environments to harvest credentials across multiple client environments simultaneously. Furthermore, the escalation of the Iran conflict has brought a wave of aggressive cyber operations directly into the supply chains of Western financial infrastructure. State-aligned actors have increasingly deployed "pseudo-ransomware", such as the Pay2Key and CanisterWorm variants, whose primary goal is not financial extortion but pure systemic disruption and data wiping, weaponising shared IT management tools to maximise the blast radius.
The danger extends deep into the code itself. The March 2026 compromise of the widely used Axios npm package was a massive wake-up call for the industry. By injecting malicious code into a single, ubiquitous open-source dependency, attackers didn't just breach one company; they instantly gained a foothold into millions of applications globally, including critical trading and retail banking platforms.
The core takeaway from these recent campaigns is that the blast radius of a modern cyber attack extends well beyond a single entity. When a shared direct supplier or an nth-party dependency is compromised, it often only represents the first domino in a systemic chain reaction.
The surge in systemic supply chain attacks has triggered a fundamental reckoning among global regulators. The traditional approach, treating supplier risk as a decentralised, firm-by-firm compliance exercise, is no longer fit for purpose. We are therefore witnessing a definitive transition from siloed Third-Party Risk Management (TPRM) aimed at preventing incidents to a much broader mandate of achieving holistic operational resilience to attacks, which are inevitable.
This shift has now been codified into law. As we navigate 2026, the European Union’s Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience and Critical Third Party (CTP) regimes are re-shaping the compliance agendas of every major financial institution. These frameworks demand a level of visibility that extends far beyond a bank's immediate tier-one suppliers, requiring firms to actively identify and manage the risks posed by their extended Information and Communication Technology (ICT) supply chains.
However, to view DORA or the UK's CTP regimes merely as enhanced TPRM mandates is to misunderstand their core objective. These regulations are not simply about ensuring individual banks are doing their best to stay safe. Another intent of authorities like the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) is far more ambitious. Regulators are actively collecting mass supplier data from regulated entities and designated critical suppliers. Their goal is to map the wider supply chain ecosystem of the entire financial sector to uncover the macro-level vulnerabilities that no single bank can see on its own.
Regulators are hunting for hidden systemic risks and Single Points of Failure (SPOFs) that cross institutional boundaries. They are looking to preempt nightmare scenarios, such as discovering that 80% of the UK’s retail banks inadvertently rely on the exact same niche data aggregator or managed service provider at the fourth- or fifth-party level. By mapping this macro ecosystem, regulators aim to identify these highly concentrated, shared dependencies before a targeted cyber attack or an operational outage can trigger a systemic collapse of the financial markets.
Despite the mounting regulatory pressure and the escalating threat landscape, a glaring disconnect remains: the tools most financial institutions use to manage supply chain risk are fundamentally broken. Traditional Third-Party Risk Management (TPRM) programmes were built for a simpler era. They rely heavily on static, point-in-time spreadsheets and siloed compliance questionnaires. While these tools might provide a snapshot of a direct, Tier-1 supplier's security posture, they offer virtually zero visibility into the sprawling networks of fourth-, fifth-, and nth-party suppliers sitting behind them.
This creates a massive blind spot with respect to where the most dangerous vulnerabilities today reside. To understand the gravity of this blind spot, we must distinguish between two critical, overlapping concepts:
The fundamental problem is an insurmountable information gap. By design, traditional TPRM is inward-looking and proprietary. An individual bank, regardless of its size or the sophistication of its internal security team, can only see its own direct contracts. It has absolutely no visibility into the supply chains of its competitors and often only limited visibility into its own nth-party dependencies.
Therefore, a bank cannot possibly know if its peers are all relying on the exact same niche cloud-hosting provider or specialised payment gateway. Without a macro view of the ecosystem, these hidden dependencies remain entirely invisible. Institutions are left blind, hoping that their critical downstream paths do not intersect with those of the rest of the market, a gamble that, as recent breaches have proven, is highly likely to fail. You cannot solve a macro-level systemic problem with micro-level visibility.
To help financial services firms take the initiative, rather than wait for the regulators’ data collection and analysis to yield tangible insights and for those insights to be distributed to market participants, Risk Ledger recently facilitated a groundbreaking pilot project, Identifying Concentration Risks in Financial Services Supply Chains, bringing together six leading financial institutions in the UK. The goal was simple but unprecedented: to prove that by securely pooling data, competitors could uncover the hidden systemic risks to which their individual compliance programmes were entirely blind.
Moving away from isolated spreadsheets, the participants utilised Risk Ledger’s social-network-style supply chain risk management platform. They began by mapping their critical third-party suppliers. Because the platform operates as an interconnected network rather than a series of silos, mapping those immediate suppliers organically reveals the underlying infrastructure, naturally extending visibility into the fourth-, fifth-, and nth-party layers.
The true breakthrough occurred in the second phase. The cohort’s supply chain maps were securely overlaid in a collaborative environment, allowing participants to see where their supplier networks intersected.
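The two-phase approach described above, reduced to its core logic as an added illustration (this is not Risk Ledger’s platform code, and every institution, vendor and supplier edge in it is constructed sample data): each institution declares only its direct suppliers, the shared network supplies the supplier-to-supplier edges, and overlaying the resulting maps surfaces vendors that several institutions depend on only at the fourth-party level or deeper, where no single firm could have seen them alone.

```python
"""Overlay several institutions' supplier maps to surface shared nth-party
concentration risks. Added illustration, not Risk Ledger's platform code;
every institution, vendor and edge below is constructed sample data."""

# Supplier-to-supplier edges contributed by the network (fourth-party and
# deeper layers). Constructed, hypothetical vendor names.
NETWORK = {
    "CloudHost-A": ["DataAgg-X"],
    "PayGateway-B": ["DataAgg-X", "KYC-C"],
    "KYC-C": ["DataAgg-X"],
    "MSP-D": ["PatchTool-E"],
}
# Each institution declares only its direct (third-party) suppliers.
DIRECT = {
    "Bank1": ["CloudHost-A", "MSP-D"],
    "Bank2": ["PayGateway-B"],
    "Bank3": ["KYC-C", "MSP-D"],
    "Insurer4": ["PayGateway-B"],
}

def transitive_suppliers(direct, network):
    """Breadth-first walk from one institution's direct suppliers: returns
    {supplier: tier} (3 = direct, 4 = their suppliers, ...), shallowest tier wins."""
    tiers, frontier, tier = {}, list(direct), 3
    while frontier:
        nxt = []
        for sup in frontier:
            if sup not in tiers:  # first visit wins; also stops cycles
                tiers[sup] = tier
                nxt.extend(network.get(sup, []))
        frontier, tier = nxt, tier + 1
    return tiers

def concentration_risks(direct_map, network, min_shared=3):
    """Overlay all maps; report vendors relied on (at any tier) by at least
    `min_shared` institutions, naming those that reach the vendor only indirectly."""
    users = {}
    for inst, direct in direct_map.items():
        for sup, tier in transitive_suppliers(direct, network).items():
            users.setdefault(sup, {})[inst] = tier
    flagged = {}
    for sup, insts in users.items():
        if len(insts) >= min_shared:
            hidden = sorted(i for i, t in insts.items() if t > 3)
            flagged[sup] = {"institutions": len(insts), "hidden_from": hidden}
    return flagged

if __name__ == "__main__":
    for sup, info in concentration_risks(DIRECT, NETWORK).items():
        print(sup, info)
```

On the constructed data, DataAgg-X is flagged as a dependency of all four institutions even though none of them contracts with it directly, which is exactly the class of blind spot that only the overlay exposes.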
The results of this overlay were eye-opening and definitively validated the concerns of modern regulators. Across a cohort of just six institutions, the project revealed a deeply interconnected web:
This case study irrevocably proves our core narrative: you cannot defend against an ecosystem-wide threat using a solitary defence. Systemic concentration risks are, by definition, a collective challenge. If just six institutions can uncover 47 critical blind spots by overlaying their data, the concentration risk across the entire global financial market is staggering. The project demonstrated that collaborative, network-based mapping provides the only functional mechanism to achieve the visibility required by the 2026 regulatory landscape without having to wait for regulators to do the job for the regulated entities.
The events of recent years have made one thing abundantly clear: the era of isolated cyber defence is over. As geopolitical conflicts continue to escalate, and threat actors are increasingly focussed on weaponising organisations’ nth-party dependencies to maximise the blast radius of attacks, defending only your own perimeter is no longer enough. The modern threat landscape preys on the interconnectedness of the global financial system and other sectors, turning shared supply chain dependencies into the most critical, yet often least visible, attack vectors.
To survive in this new reality, financial institutions must urgently adopt the mindset that regulators are now enforcing through DORA and the UK’s Operational Resilience regime. Regulators no longer view supply chains as linear chains of contracts; they view them as a complex, highly interdependent ecosystem supporting critical business functions. Banks, asset managers, and insurers must do the same. Compliance can no longer be a box-ticking exercise confined to proprietary spreadsheets. It must evolve into an active, ongoing effort to map the macro ecosystem of the sector as a whole.
As the Risk Ledger pilot project demonstrated, in order to tackle systemic vulnerabilities, the first step ought to be achieving a clear view of individual and collective supply chain dependencies at all tiers, from the third- to the nth-party level. By embracing transparency and pooling intelligence in secure, collaborative environments, competitors can collectively illuminate the blind spots that threaten them all.
True operational resilience in 2026 demands a fundamental shift away from proprietary risk management toward shared responsibility and collective intelligence. The financial sector shares the same critical infrastructure, the same software dependencies, and the same systemic concentration risks. It is time we start defending against the risks emanating from them together.