Estimated reading time: 5 minutes
Financial institutions now face danger from two directions at once. Attackers are striking them directly again. Their vendors are springing new leaks at the same time. Black Kite calls it a two-front crisis. Direct ransomware attacks jumped 76% in the first quarter of 2026, year over year. Half of the sector’s vendors now carry critical flaws. The firm lays out this financial services cyber risk in a new report. It is titled 2026 State of Financial Services: The Dual Storm of Ransomware and Vendor Ecosystem Risk.
Financial Services Cyber Risk – A Two-Front Cyber Storm
For years, finance faced one main threat direction. Direct attacks declined in 2024 as a brief relief. That relief has ended. Direct attacks are rising again. Vendor ecosystems are growing more vulnerable at the same time. Black Kite frames this financial services cyber risk as a structural crisis, not a tactical one. Ferhat Dikbiyik is Chief Research and Intelligence Officer at Black Kite. He said, “Direct attacks are climbing again, and the vendor ecosystem is measurably more vulnerable.” Financial institutions cannot solve this with internal controls alone. The sector itself faces heavy regulation. Many of its vendors face far less pressure to keep pace. That gap widens exposure across the supply chain.
Ransomware Returns To Finance
The 2024 calm came from law enforcement action. Takedowns hit major groups like LockBit and Clop. The reprieve did not last. Operators rebuilt under new banners in 2025. Reported finance incidents rose 30% from 2024 to 2025. The total climbed from 156 to 202 disclosures. Early 2026 data shows the trend accelerating. Q1 2026 recorded 65 disclosures, a 76% jump over Q1 2025. The number of distinct groups targeting finance also grew. It rose from 37 in 2023 to 48 in 2025. Qilin, Akira, and Kill Security now lead the field. Qilin alone caused 59 finance-sector incidents in the past year.
Investment Firms Become The Top Target
The target mix has shifted sharply since 2023. Back then, banks led with 71 disclosures. Investment firms trailed with 44. By 2025, those positions had reversed. Banking incidents fell to 36. Investment firm disclosures nearly doubled to 84. That figure is 41.6% of all finance incidents. A September 2025 campaign against South Korean asset managers drove much of the surge. It accounted for 32 of those disclosures.
The Vendor Vulnerability Deluge
The second front is the vendor ecosystem. Over 48,000 CVEs were published globally in 2025. That marks an 18% rise year over year. Black Kite flagged 1,240 of them as high-priority for third-party risk. That high-priority count rose 59% since 2024. These figures come from the firm’s 2026 Supply Chain Vulnerability Report. Across all finance vendors, 50.2% carry high-severity flaws. Critical vulnerabilities are multiplying fast. They rose 387% across vendors serving finance from 2024 to 2025. Among the 140 vendors most concentrated in finance, they rose 181%. The exposure is also moving faster. Vulnerability exploitation overtook phishing as the top initial access vector. Verizon’s latest breach report recorded that shift for the first time.
One Vendor, Many Victims
A single weak vendor can now cascade across the sector. In September 2025, Qilin compromised a South Korean managed service provider. The breach spread to 32 financial institutions. Attackers stole over two terabytes of data. The campaign triggered a regulatory investigation in South Korea. The Marquis Software breach showed the same pattern in the United States. Akira hit the Texas vendor in August 2025. The attack exposed data across 74 or more financial institutions. Estimates put the affected customers between 672,000 and 1.35 million. Black Kite had scored Marquis at elevated risk a month earlier. The score signaled high attack likelihood before the breach. Among 140 vendors concentrated in finance, 54% carry an actively exploited flaw. These flaws sit in CISA’s Known Exploited Vulnerabilities catalog. Patch management failures appear in 78% of those same vendors. Exposed credentials and stealer logs add another layer of risk.
What The Storm Means For Cyber Insurance Underwriting
The report lands directly on the cyber insurance question. Carriers building cyber insurance for financial institutions face a wider exposure map. Internal controls no longer define an institution’s true risk. The vendor layer now shapes loss potential. Many security teams still cannot see third-party risk clearly. Continuous monitoring and quantified risk are becoming basic requirements. Black Kite argues they are no longer mere differentiators. For underwriters, vendor concentration is now a pricing factor. Cyber risk quantification helps translate that exposure into financial terms.
FAQ – Financial Services Cyber Risk
It found a two-front cyber threat. Direct ransomware on financial institutions is rising again. Vendor ecosystem vulnerabilities are surging at the same time.
Reported incidents rose 30% from 2024 to 2025. Q1 2026 incidents jumped 76% over Q1 2025. Investment firms are now the most-targeted segment.
Half of finance vendors carry high-severity flaws. A single vendor breach can cascade across many institutions. The Korean Leaks campaign hit 32 firms through one provider.
Vendor concentration now shapes an institution’s true risk. Continuous monitoring and quantified risk are becoming basic requirements. Underwriters must price exposure at the vendor layer.
Related Cyber Insurance Posts
- Resilience Launches Private Equity Cyber Risk Program Powered by Arc
- Agentic AI and Cyber Insurance: The Authorization Gap – NEW PODCAST
- Shocking NFL Draft Prank Exposes Cybersecurity Flaws in Remote Work(Opens in a new browser tab)
- Ransomware Claims Jump in Q1 2023: Marsh (Opens in a new browser tab)