While many regional banks look like stable community institutions from the outside, most of them still depend heavily on long-standing vendor relationships, some of which go back decades. Even as banks modernize their customer-facing systems, they continue to run on vendor infrastructure built around the vendor's outdated business model. The result is that while banks upgrade and roll out new software delivery systems for their customers, the vendor's supporting infrastructure generally remains on older frameworks.
This hidden relationship between banks and their vendors creates many vulnerabilities in terms of cybersecurity. Cybercriminals are aware that if they can gain access to the bank's vendor network, they can steal information from the bank without actually breaking into the bank's systems. When vendors manage sensitive data (e.g., customer names, dates of birth, financial accounts and identification numbers), it creates an additional exposure to identity theft and fraud for customers of the bank.
A recent example of this issue is the data breach affecting Norway Savings Bank, which occurred through its vendor, Marquis Software Solutions. In this case, the bank's own internal systems were not compromised; the data that was exposed was stored by the vendor. This highlights the fact that as cybercriminals seek to reach bank data through third-party vendors, they can do so through the vendors' own weaknesses.
Integrations with legacy vendors typically use outdated methods for transferring data, have little or no encryption, rely on authentication methods that are no longer considered secure, and grant access permissions to a number of people that were never re-evaluated. As time passes, the weaknesses created by these integrations become ideal entry points for malicious actors seeking access to the data and the systems. Spreading data across multiple systems also makes it harder to spot unusual activity and to discover incidents quickly.
For consumers, vendor networks are often very complex, and when a vendor suffers a data breach, their financial and personal information can still be compromised even though their own financial institution has not been breached. Because of this, it is essential for regional banks and their vendors to maintain a continual process for updating integrations, auditing data flows, and retiring obsolete systems.
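The audit described above (unencrypted or outdated transports, weak authentication, and access grants never re-reviewed) can be turned into a repeatable check over a vendor integration inventory. The following script is an added example, not code from the article or from any bank or vendor it mentions; the inventory records, vendor names, thresholds, and the `Integration` schema are all constructed for illustration. It flags each integration against the weaknesses the article lists and nominates the worst offenders as retirement or remediation candidates, which is the "continual process" the paragraph calls for in executable form.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds (assumed for this example; tune to the institution's standard).
INSECURE_TRANSPORTS = {"ftp", "telnet", "http", "smb1"}      # cleartext or obsolete protocols
TLS_TRANSPORTS = {"https", "ftps", "as2"}                     # transports where TLS version matters
MIN_TLS = (1, 2)                                              # reject anything below TLS 1.2
WEAK_AUTH = {"shared_password", "basic", "none"}              # static or unauthenticated access
REVIEW_MAX_AGE_DAYS = 365                                     # access reviews older than this are stale
MAX_PII_ACCOUNTS = 10                                         # broad access to PII-bearing integrations


@dataclass
class Integration:
    """One row of a (hypothetical) vendor integration inventory."""
    vendor: str
    transport: str                   # e.g. "sftp", "ftp", "https"
    tls_version: Optional[str]       # e.g. "1.2"; None when the transport does not use TLS
    auth: str                        # e.g. "mtls", "api_key", "shared_password"
    last_access_review: date         # when the list of people with access was last re-evaluated
    accounts_with_access: int        # number of human/service accounts able to reach the data
    handles_pii: bool                # customer names, DOBs, account or ID numbers


def parse_tls(version: Optional[str]):
    """'1.2' -> (1, 2); None stays None so callers can skip the check."""
    if version is None:
        return None
    major, minor = version.split(".")
    return (int(major), int(minor))


def audit_integration(integ: Integration, today: date) -> List[str]:
    """Return human-readable findings for one integration (empty list = passes)."""
    findings: List[str] = []

    # 1. Outdated / unencrypted data transfer methods.
    if integ.transport in INSECURE_TRANSPORTS:
        findings.append(f"insecure transport {integ.transport}")
    elif integ.transport in TLS_TRANSPORTS:
        tls = parse_tls(integ.tls_version)
        if tls is None:
            findings.append("TLS transport with no negotiated version recorded")
        elif tls < MIN_TLS:
            findings.append(f"TLS {integ.tls_version} below minimum 1.2")

    # 2. Authentication methods that are no longer secure.
    if integ.auth in WEAK_AUTH:
        findings.append(f"weak authentication: {integ.auth}")

    # 3. Access permissions that were never re-evaluated.
    age_days = (today - integ.last_access_review).days
    if age_days > REVIEW_MAX_AGE_DAYS:
        findings.append(f"access not reviewed for {age_days} days")

    # 4. Broad access to integrations that carry customer PII.
    if integ.handles_pii and integ.accounts_with_access > MAX_PII_ACCOUNTS:
        findings.append(f"{integ.accounts_with_access} accounts can reach PII")

    return findings


def audit_inventory(inventory: List[Integration], today: date) -> Dict[str, List[str]]:
    """Audit every integration and key the findings by vendor name."""
    return {i.vendor: audit_integration(i, today) for i in inventory}


def retirement_candidates(report: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """Vendors with at least `threshold` findings, in stable order for reporting."""
    return sorted(v for v, findings in report.items() if len(findings) >= threshold)


# Constructed sample inventory: three fictional integrations, not real vendors or systems.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Integration("legacy-core-vendor", "ftp", None, "shared_password", date(2019, 3, 1), 42, True),
    Integration("modern-payments-api", "https", "1.3", "mtls", date(2024, 1, 15), 3, True),
    Integration("report-portal", "https", "1.0", "basic", date(2023, 6, 1), 8, True),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)
    for vendor, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{vendor}: {status}")
    print("retire/remediate first:", retirement_candidates(report))
```

In practice the inventory would be loaded from the bank's vendor register or CMDB rather than hard-coded, and the audit run on a schedule so that a stale access review or a downgraded TLS setting surfaces before an attacker finds it. The thresholds are deliberately separate constants so that the policy can be tightened without touching the checks.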
The rising rate at which breaches originate with third parties is redefining the phrase "third-party risk," especially in cases such as the Marquis data exposure. It places on banks and financial institutions the responsibility to monitor and mitigate the technology risk introduced by third parties, including firms running an outdated technology stack.
