
US breach reinforces need to plug third-party security weaknesses

Cyber breach at US financial sector tech provider highlights the risk of third-party vulnerabilities in finance ecosystems

The finance sector was dealt another reminder that security postures are only as strong as the weakest link, as a tech supplier hack leaves US banks exposed.

This week, SitusAMC, which provides loan and mortgage services to US banks, admitted that “certain information” from its systems had been compromised in a cyberattack.

SitusAMC manages billions of loan documents for US banks and mortgage lenders, so a single compromise spreads risk across the financial sector.

In a statement on November 22, it said: “On November 12, 2025, [We] became aware of an incident that we have now determined resulted in certain information from our systems being compromised. Corporate data associated with certain of our clients’ relationship with SitusAMC such as accounting records and legal agreements has been impacted.” It added: “Certain data relating to some of our clients’ customers may also have been impacted.”

US banks that use SitusAMC include JPMorgan Chase and Citigroup.

According to reports, the FBI has been made aware of the breach.

In an update on November 25, SitusAMC said: “[We have] been diligently working on our data review process, and the current phase of that process includes conducting keyword searches to identify our clients’ names in certain file paths that we know were impacted.”

Wide supplier links

Financial services ecosystems are becoming more complex, with large numbers of firms offering technology platforms (fintech services) to banks and other finance firms.

A security breach at one of these firms can leave the data of financial organisations vulnerable.

It is a growing problem in the finance sector as banks increase the number of fintech partners they work with.

Recent research by risk management company SecurityScorecard found that in the latest 12-month period measured, 96% of Europe’s largest financial services organisations were affected by a security breach at a third-party organisation, compared with 78% in the previous report two years earlier.

It also revealed that 97% of firms had suffered a breach via a fourth party (the partners of their partners), up from 84% in the previous survey.

This came amid a drop in direct breaches: according to SecurityScorecard, 7% suffered a direct breach during the period, down from 8%.

One IT security expert in the UK banking sector, who wished to remain anonymous, said he is not surprised by the figures. “I would have expected 100% of firms to be impacted by third-party failures of various types,” he said. “The 4% that claim not to have been affected surprises me more.”


SecurityScorecard’s chief information security officer, Steve Cobb, said: “Hackers breached financial technology provider SitusAMC, stealing accounting records and legal agreements from its systems.”

He warned that cyber criminals are changing their approach. “The breach illustrates how attackers are shifting toward quietly extracting sensitive information instead of causing immediate disruption. That change in tactics makes detection harder and raises the stakes for organisations that depend on vendor‑managed data.”

He added that banks and their suppliers must raise partner risk management to the level of internal security. “Every partner that touches non-public data is a potential exposure point. Organisations need continuous visibility into the health of their vendor ecosystem, along with real-time validation that partner controls are functioning.”

Eli Ben-Sasson, CEO of StarkWare, which supplies security infrastructure to the financial system, said: “Our banks know everything: our income, our debts, even the school fees we’re paying. We treat them as vaults of discretion. But in reality, they share that data with a web of third-party vendors, often with about as much restraint as Joey from Friends keeping a secret. These third parties hold the same sensitive information, but with far less security oversight or regulatory pressure.”

In January this year, the EU’s Digital Operational Resilience Act (Dora) entered into application. It covers a number of aspects of cyber resilience, auditability and the responsibilities shared between financial institutions and third-party software and IT service providers when those products and services are used to power business operations. Although it is a European regulation affecting companies that operate in the EU, other regions are also putting cyber resilience requirements in place.
