64% of the financial sector’s supply chain is unmonitored. That’s not a typo. Most financial firms don’t have visibility into two-thirds of their third-party ecosystem. And attackers know it.
3 Truths About the Financial Sector’s Digital Supply Chain Uncovered by Bitsight TRACE
When it comes to managing cyber risk, the financial sector is squarely at the top of the food chain. It’s simple economics (and the plot of many movies): financial institutions have the money, and cybercriminals are always looking for ways to take it. As a result, institutions have invested heavily in strengthening their internal systems and cybersecurity controls. Those investments have paid off. The industry continues to lead others in the maturity of its cyber risk management practices and the protection of its core infrastructure.
One of the larger and newer challenges that financial companies face is that “internal” systems represent only a portion of the sector’s total attack surface. In an ecosystem defined by digital-first financial products, expanding fintech ecosystems, and AI-driven outputs, the supply chain of technology providers grows continuously. Dubbed by many as the “SaaS proliferation” problem, each new connection, integration, and dependency adds another layer of potential exposure. This expanding web of third-party relationships is creating material, and often unseen and unmanaged, risk for individual institutions and for the financial sector as a whole.
To put it in the words of one of the strongest CISOs in the game today (on the SaaS model and Supply Chain Risk):
“SaaS has become the default and is often the only format in which software is now delivered, leaving organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure. While this model delivers efficiency and rapid innovation, it simultaneously magnifies the impact of any weakness, outage, or breach, creating single points of failure with potentially catastrophic systemwide consequences.”
-Patrick Opet, “An open letter to third-party suppliers,” 2025
Using observable data to uncover supply chain risk in finance
So what does this mean for the companies that house the backbone of our financial system?
Bitsight TRACE's Ben Edwards recently conducted an in-depth analysis of the state of supply chain risk in finance today. The findings are clear: the web of dependencies supporting modern organizations is extraordinarily complex, and the financial sector is no exception. Within the dataset, more than 1.6M third-party technology relationships were identified. This vast digital supply chain fuels the operational speed and efficiency that we’ve all (read: the markets) become accustomed to. Systems to enable systems to enable systems, to drive profits at a record-setting pace.
Alongside the efficiencies come risks. Every vendor connection represents a potential point of exposure, collectively forming the true perimeter of today’s financial enterprise. Each provider adds a new layer of assumed trust that organizations must be willing to accept. Given the sheer number of these relationships, conducting diligence on every provider is nearly impossible without the help of specialized tools like Bitsight. The once well-defined network boundary has evolved into a dynamic, constantly shifting digital ecosystem, which represents the real digital footprint of modern finance.
Understanding this footprint is the first step toward managing it. The data also shows that most financial institutions see only a fraction of their full supplier ecosystem. Beneath this growing complexity, three critical truths about digital supply chain risk in finance begin to emerge.
1. Finance companies rely heavily on “hidden pillar” vendors unique to the industry.
When examining the top critical suppliers most common to financials, the well-known tech giants are all present. These are the obvious foundational vendors of tech architecture, such as Bloomberg L.P. Group, Microsoft, and Google. Open source providers also play a big role, including Python and jQuery; jQuery is in fact the number one supply chain provider on the critical list.
Interesting, but so what? These companies are the de facto standard when it comes to the technology supply chain.
Digging deeper into the data reveals a layer of vendors that do not often make the headlines but quietly hold up the financial world’s core infrastructure. When we compare overall market share against their presence in finance, a distinct pattern emerges.
Providers like Plaid, Murex, FactSet, Dow Jones & Company, and Fiserv sit at the center of this web, supplying the specialized tools, data, and connectivity that keep capital flowing. The picture becomes more interesting the further we look. Identity and access management providers such as CyberArk and Entrust also appear disproportionately critical to finance. This is not surprising, as few industries are as sensitive to authentication, authorization, and the control of digital identities. Protecting how money moves demands more than encryption; it demands trust in access.
From my perspective, a few unexpected names also surface in the data. General Dynamics, though primarily a defense contractor, plays a quiet but critical role in finance. Its expertise in maintaining and modernizing legacy mainframes running COBOL, many of which still handle core transaction systems, helps keep the global financial infrastructure stable and secure amid ongoing digital transformation.
These firms form the connective tissue of the modern financial system, often operating behind the scenes but essential to its stability and resilience.
2. Finance leads in monitoring, but most of its supply chain remains unobserved.
Unsurprisingly, the financial sector is more diligent than any other industry vertical in monitoring its third-party relationships for cyber risk factors. Bitsight supplies nearly 600 financial companies with third-party risk management telemetry for more than 46,000 organizations with which these customers have relationships. Our data shows that these organizations monitor an average of 36.3% of their overall supply chain, compared to 24.6% monitored by organizations in other industry sectors. This is good relative to the others, but it does raise the point that the majority of the industry’s supply chain still remains unwatched.
3. Unmonitored financial suppliers carry higher critical risk.
In the grand scheme of things, financial institutions are the most likely to have set up well-defined processes and criteria to decide which vendors get continuous monitoring. Even still, there’s more we can learn about how much risk slips through the cracks when large parts of the supply chain go unmonitored. Our analysis shows that these unmonitored suppliers tend to lag on basic security upkeep: they have 2.9 times more critical CVEs and 2.8 times more known exploited vulnerabilities (KEVs) than those under continuous watch.
As the financial sector continues to digitize and expand its network of technology partners, third-party risk will only grow in importance. The industry may be ahead of most when it comes to managing these relationships, but there is still work to do. Greater visibility into the full digital supply chain is not just good hygiene; it is essential to keeping the system resilient. To get the full report details, download the report here.