Financial Services Faces a Two-Front Cyber Threat in 2026

The Announcement

Black Kite released its 2026 State of Financial Services report on June 3, detailing a significant escalation in cyber threats facing the financial sector. The firm’s research documents a simultaneous rise in direct ransomware attacks and vendor ecosystem vulnerabilities, a combination Black Kite describes as a “dual storm” and what ECI Research would characterize as a structural risk compounding problem rather than a cyclical one. Q1 2026 direct ransomware attacks on financial institutions surged 76% year-over-year, while 50% of financial services vendors now carry high-severity CVEs. The core finding is unambiguous: the brief reprieve financial institutions experienced in 2024 is over, and the threat landscape has become materially more complex.

Our Analysis

The 2026 Black Kite report is significant not because it reveals a new threat category, but because it quantifies the convergence of two previously separable risk vectors into one compounding operational problem. Financial institutions have historically managed direct attacks and vendor risk as adjacent concerns with different owners. That organizational separation is now a liability.

The Ransomware Ecosystem Restructured, Not Retreated

The 2024 decline in direct attacks was real, but it was a consequence of law enforcement disruptions to groups like LockBit and Clop rather than any structural improvement in the financial sector’s security posture. Black Kite’s data shows the number of distinct threat groups targeting finance grew from 37 in 2023 to 48 in 2025. Operators from dismantled groups did not exit the market. They regrouped under new banners. Qilin, Akira, and Kill Security filled the vacuum quickly, with Qilin alone responsible for 59 finance-sector incidents in the past year.

The shift in targeting is also worth examining closely. Banks, which were the primary target in 2023 with 71 ransomware disclosures, saw that figure fall to 36 by 2025. Investment firms, by contrast, saw disclosures nearly double to 84, representing 41.6% of all financial sector incidents. A single September 2025 campaign by Qilin against South Korean asset managers accounted for 32 of those disclosures. This is a textbook supply chain concentration attack: one MSP compromised, 32 downstream financial institutions affected, over two terabytes of data exfiltrated.

The CVE Volume Problem Is Not a Patch Problem

Over 48,000 CVEs were published globally in 2025, an 18% year-over-year increase. Black Kite’s own research identified 1,240 CVEs as high-priority for third-party risk, a 59% increase from 2024. Among the 140 vendors most concentrated in finance, critical vulnerabilities increased 387% from 2024 to 2025, and 54% of those vendors carry at least one vulnerability in CISA’s Known Exploited Vulnerabilities catalog.

These numbers reframe a common misconception. This is not a patch management failure that better tooling alone can fix. It’s a visibility and prioritization problem. The organizations responsible for managing these vendor relationships typically lack real-time intelligence into which CVEs within their supplier ecosystem are being actively exploited and on what timeline. According to the Verizon DBIR cited in the Black Kite report, vulnerability exploitation has overtaken phishing as the leading initial access vector for breaches, a first in the report’s history. When exploit timelines compress and volume increases simultaneously, the window for reactive remediation narrows to the point of being operationally unworkable.

ECI Research data reinforces the severity of this visibility gap. According to ECI Research, 72% of IT decision-makers lack visibility into dependencies outside their application code and supporting infrastructure, including SaaS providers, CDNs, DNS, and ISPs. In the financial services context, those external dependencies extend directly to the vendor ecosystem described in the Black Kite report. The organizations best positioned to respond to the dual storm Black Kite describes are those that have already invested in continuous monitoring with genuine external coverage.

What ITDMs Need to Act On

For IT decision-makers in financial services, the report has a direct procurement implication. Third-party cyber risk management can no longer be treated as an annual assessment exercise. The September 2025 South Korean MSP incident illustrates what happens when a single vendor compromise is not detected in time to isolate downstream exposure. Black Kite’s framing of “continuous monitoring, predictive analytics, and quantified risk” as operational requirements rather than differentiators is a position ECI Research shares.

There is also a regulatory dimension that deserves attention. Financial institutions operate under extensive compliance scrutiny, but many of their vendors do not face equivalent pressure. The 78% critical-level patch management failure rate among finance-concentrated vendors demonstrates that the regulatory perimeter ends at the institution’s own boundary. The exposure gap this creates is now measurable and attributable.

ECI Research data adds further context here. According to ECI Research, the average organization faced 1,876 cyberattack incidents per week in Q3 2024, a 75% year-over-year increase. Projecting that trajectory onto the 2026 data Black Kite presents, the attack volume financial institutions must screen and route to the right owners has grown at a pace that manual processes cannot sustain.

What Developers and Security Engineers Should Understand

For security engineers and developers working within financial institutions or their vendor organizations, the report highlights a specific failure mode that deserves direct attention. The 387% increase in critical vendor vulnerabilities is partly a reflection of CVE volume growth, but it is also a reflection of where vulnerability management maturity has and has not kept pace with deployment velocity.

ECI Research’s own research has found that nearly one-third of enterprise applications contain at least one known critical vulnerability at the time of release. That figure, combined with Black Kite’s vendor ecosystem data, suggests the problem is upstream in the development lifecycle, not just in the patch queue. Supply chain security practices, including software bill of materials (SBOM) adoption and verified source requirements, remain startlingly underdeveloped across the industry. Black Kite’s data on active exploitation across vendor ecosystems is, in part, a downstream consequence of that gap.

Looking Ahead

The Consolidation of Third-Party Risk Into the Security Stack

The market trajectory here is clear. Third-party cyber risk management is moving from a GRC (governance, risk, and compliance) function into the operational security stack. The Black Kite platform’s AI-native architecture, which spans over 40 million companies, is designed precisely for this integration. Vendors that can connect continuous risk intelligence to security operations workflows, rather than delivering periodic reports to compliance teams, will define the category over the next 18 to 24 months.

The financial services sector will lead this consolidation, given the regulatory pressure and direct exposure documented in this report, but the dynamic is not sector-specific. Any organization with a significant vendor ecosystem and accelerating CVE exposure faces structurally similar conditions.

Investment Implications for 2026 and Beyond

Growing AI adoption will accelerate CVE volume from two directions: AI-assisted vulnerability discovery will surface more previously unknown weaknesses, and AI systems themselves are emerging as new attack surfaces. Black Kite’s report specifically calls this out as an expected driver of continued CVE growth beyond the 48,000 published in 2025. Organizations that have not yet invested in continuous vendor monitoring with AI-assisted prioritization are accumulating technical debt in their risk posture at a measurable rate.

Financial institutions evaluating third-party risk platforms in 2026 should prioritize three capabilities. First, real-time KEV correlation across their vendor base, not periodic scoring. Second, concentration analysis that identifies single-vendor compromises with multi-institution blast radius potential, the pattern the South Korean MSP incident exemplified. Third, quantified financial exposure modeling that translates vendor risk into business impact terms, both for internal prioritization and regulatory reporting. The dual storm Black Kite has documented is unlikely to abate. The institutions that manage it best will be those that have operationalized intelligence, not just purchased it.
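As an added illustration of the first two capabilities above, KEV correlation and concentration analysis (this is example code written for this page, not the Black Kite platform’s or ECI Research’s own), the snippet ranks vendors by whether any of their CVEs appear in a KEV feed and by how many dependent institutions each vendor reaches. All vendor names, institution names, CVSS scores and CVE identifiers are constructed placeholders.

```python
# Constructed sample data (placeholders, not from the Black Kite report or CISA):
# which institutions depend on which vendors, the CVEs each vendor carries with a
# CVSS score, and a stand-in for the CISA Known Exploited Vulnerabilities catalog.
VENDOR_DEPENDENCIES = {
    "asset-mgr-1": {"msp-alpha", "core-banking-x"},
    "asset-mgr-2": {"msp-alpha"},
    "asset-mgr-3": {"msp-alpha", "payments-y"},
    "bank-1": {"core-banking-x", "payments-y"},
}
VENDOR_CVES = {
    "msp-alpha": {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3},
    "core-banking-x": {"CVE-0000-0003": 8.1},
    "payments-y": {"CVE-0000-0004": 7.5},
}
KEV_CATALOG = {"CVE-0000-0001", "CVE-0000-0004"}  # placeholder KEV entries


def blast_radius(deps):
    """Concentration analysis: map each vendor to the institutions that depend on it."""
    radius = {}
    for institution, vendors in deps.items():
        for vendor in vendors:
            radius.setdefault(vendor, set()).add(institution)
    return radius


def prioritize_vendors(deps, vendor_cves, kev, high_threshold=7.0):
    """KEV correlation: rank vendors by (any KEV hit, blast radius, peak CVSS).

    A vendor with an actively exploited CVE outranks one with a higher CVSS score
    that is not known to be exploited; among equals, wider blast radius wins.
    """
    radius = blast_radius(deps)
    rows = []
    for vendor, cves in vendor_cves.items():
        rows.append({
            "vendor": vendor,
            "kev_hits": sorted(c for c in cves if c in kev),
            "high_severity": sorted(c for c, score in cves.items() if score >= high_threshold),
            "blast_radius": len(radius.get(vendor, ())),
            "max_cvss": max(cves.values(), default=0.0),
        })
    rows.sort(key=lambda r: (bool(r["kev_hits"]), r["blast_radius"], r["max_cvss"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritize_vendors(VENDOR_DEPENDENCIES, VENDOR_CVES, KEV_CATALOG):
        print(row)
```

With a real feed, the KEV set would be refreshed from the CISA catalog on a schedule and the dependency map populated from the institution’s vendor inventory, so the ranking reflects exploitation status rather than periodic scoring.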

Authors

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.
  • Sam Weston

    With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.