US breach reinforces need to plug third-party security weaknesses

pinkeyes – stock.adobe.com

Cyber breach at US financial sector tech provider highlights the risk of third-party vulnerabilities in finance ecosystems

- Advertisement -

Karl Flinders,
Chief reporter and senior editor EMEA

- Advertisement -

Published: 26 Nov 2025 11:00

The finance sector has been dealt another reminder that security postures are only as strong as the weakest link, as a tech supplier hack leaves US banks exposed.

- Advertisement -

This week, SitusAMC, which provides loans and mortgage services to US banks, admitted that “certain information” from its systems had been compromised in a cyber attack.

SitusAMC manages billions of loan documents for US banks and mortgage lenders, with a single compromise spreading risk across the financial sector.

In a statement on 22 November, it said: “On November 12, 2025, [we] became aware of an incident that we have now determined resulted in certain information from our systems being compromised. Corporate data associated with certain … clients’ relationship with SitusAMC such as accounting records and legal agreements has been impacted.” It added: “Certain data relating to some of our clients’ customers may also have been impacted.”

- Advertisement -

US banks that use SitusAMC include JPMorgan Chase and Citigroup.

According to reports, the FBI has been made aware of the breach.

In an update on 25 November, SitusAMC said: “[We have] been diligently working on our data review process, and the current phase of that process includes conducting keyword searches to identify our clients’ names in certain file paths that we know were impacted.”

- Advertisement -

Wide supplier links
Financial services ecosystems are becoming more complex, with large numbers of firms offering technology platforms (fintech services) to banks and other finance firms.

A security breach at one of these firms can leave the data of financial organisations vulnerable.

It is a growing problem in the finance sector as banks increase the number of fintech partners they work with.

Recent research by risk management company SecurityScorecard found that in the latest 12-month period measured, 96% of Europe’s largest financial services organisations have been affected by a security breach at a third-party organisation. This was compared with 78% in the previous report two years earlier.

It also revealed that 97% of firms had a breach via a fourth party, the partners of their partners, which was an increase from 84% on the previous survey.

This came amid a drop in direct breaches. According to SecurityScorecard, during the period, 7% suffered a direct breach, which was down from 8%.

One IT security expert in the UK banking sector, who wished to remain anonymous, said he was not surprised by the figures. “I would have expected 100% of firms to be impacted by third-party failures of various types,” they said. “The 4% that claim not to have been affected surprises me more.”

SecurityScorecard’s chief information security officer, Steve Cobb, said: “Hackers breached financial technology provider SitusAMC, stealing accounting records and legal agreements from its systems.”

He warned how cyber criminals are changing their approach. “The breach illustrates how attackers are shifting toward quietly extracting sensitive information instead of causing immediate disruption,” said Cobb. “That change in tactics makes detection harder and raises the stakes for organisations that depend on vendor‑managed data.”

He added that banks, and their suppliers, must improve partner risk management to the level of internal security. “Every partner that touches non-public data is a potential exposure point,” said Cobb. “Organisations need continuous visibility into the health of their vendor ecosystem, along with real-time validation that partner controls are functioning.”

In January 2025, the European Union’s [EU’s] Digital Operational Resilience Act, entered into application. It covers a number of aspects of cyber resiliency, auditability, and the responsibilities shared between financial institutes and third-party software and IT service providers, when these products and services are used to power business operations. Although a European regulation, affecting companies that operate in the EU, other regions are also putting in place cyber resiliency.