Report by Black Kite
2025 State of Financial Services: Hidden Dangers in the Vendor Ecosystem
Key Findings
90 third-party vendors are flagged with high-risk threat categories. Among these, 35 vendors are marked with Known Exploited Vulnerabilities (KEV) tags.
65% of third-party vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known vulnerabilities (CVEs) and potentially unpatched zero-day vulnerabilities in legacy technologies.
There were 191 disclosed ransomware victims in the financial sector in 2023.
Cl0p claimed responsibility for targeting companies using unpatched versions of Cleo's MFT products in December 2024.
Nearly one-third (26.6%) of finance threat actors are attributed to "Other", which includes emerging or short-lived groups, highlighting a more fragmented and unpredictable ransomware landscape.
As of mid-2025, only 55 ransomware victims have been disclosed in the financial sector.
There were 156 disclosed ransomware victims in the financial sector in 2024.
Black Kite researchers found that 31 out of 140 third-party vendors have at least one critical vulnerability with a CVSS score at or above 8, and 15 vendors show an extremely high risk with CVSS scores above 9.