Third-Party Cyber Risk in Financial Services: Ion Group, Finastra and the Supplier Exposure Gap
In January 2023, a ransomware attack on Ion Group — which provides derivatives trading and clearing software used by dozens of global financial institutions — forced more than 40 firms to revert to manual processing for days. In November 2024, Finastra, a software provider to 8,000 financial institutions worldwide, suffered a data breach that exposed customer data across its entire client base. Neither attack targeted those 40-plus institutions or Finastra's thousands of clients directly. They targeted the suppliers those firms trusted — and that trust became a liability. For FCA-regulated firms, third-party cyber risk is now the most significant unmanaged exposure in most security programmes.
The Ion Group ransomware attack in January 2023 disrupted derivatives trading at 40+ financial institutions globally — none of them the primary target.
Why Financial Services Is Uniquely Vulnerable to Supply Chain Attacks
Financial services firms are connected to an unusually large and complex supplier ecosystem: core banking and portfolio management platforms, custodians and fund administrators, market data providers, payment processors, cloud services, and managed service providers. Each connection is a potential attack vector:
- Portfolio management systems (e.g., Iress, FNZ) — access client holdings and trade histories
- Custodians and clearing firms — hold assets and process settlements; an Ion-style attack can halt clearing
- Market data providers — Bloomberg, Refinitiv, and smaller providers integrated directly into trading infrastructure
- Outsourced IT and managed service providers — often have privileged access to firm systems
- Regulatory reporting platforms — contain sensitive transaction data reported to the FCA and HMRC
- CRM and financial planning tools — hold complete client financial pictures including protected personal data
The DORA and FCA Requirements on Third-Party Risk
The FCA and the EU's Digital Operational Resilience Act (DORA) have both strengthened their expectations on third-party risk management. FCA SS2/21 (outsourcing) requires firms to maintain a register of material outsourced arrangements, conduct due diligence before engagement, include specific contractual provisions (audit rights, SLAs, exit plans), and monitor providers' performance and security posture on an ongoing basis. DORA goes further, requiring a complete ICT third-party register, mandatory contract terms, and a concentration risk assessment where multiple firms depend on the same critical provider — the exact scenario the Ion Group attack exposed.
Why Questionnaire-Based Vendor Risk Management Fails
Most financial firms manage third-party risk through annual questionnaires — a PDF or spreadsheet completed by the supplier and filed. This approach has three fatal weaknesses: it measures controls at a point in time, not continuously; it relies entirely on supplier self-reporting, with no independent verification; and it cannot detect the security deterioration that typically precedes a breach. The firms served by Ion Group and Finastra had vendor risk management programmes in place. Those programmes did not detect the vulnerabilities that attackers exploited.
How Panorays Provides Continuous Third-Party Risk Visibility
Panorays replaces point-in-time questionnaire assessments with continuous external monitoring of your suppliers' security posture. By scanning the external-facing infrastructure of every vendor in your supply chain — looking for unpatched systems, exposed services, leaked credentials, and security misconfigurations — Panorays provides a real-time risk score for every supplier. When a supplier's posture deteriorates, you are alerted immediately rather than discovering the problem after a breach. For DORA and FCA SS2/21 compliance, Panorays provides the documented, continuous oversight that regulators now expect.
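The two ideas the page relies on, a register of material suppliers with a concentration-risk view (the SS2/21 and DORA requirement above) and a posture score that is re-evaluated on every scan so that deterioration raises an alert rather than waiting for the next annual questionnaire, can be sketched in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the article, from Panorays, or from any regulator. The finding categories mirror the ones named above (unpatched systems, exposed services, leaked credentials, misconfigurations), but the weights, the alert floor and deterioration delta, the supplier names, their business-service mappings and the scan results are all constructed assumptions, not real data.

```python
"""Toy continuous third-party risk register (added illustration, not Panorays code).

Everything below the category names is an assumption made for the example: the
weights, the thresholds, the suppliers and the scan findings are all constructed.
"""
from dataclasses import dataclass, field

# Penalty per finding in each external-posture category (assumed weights).
# Unknown categories raise KeyError deliberately: a scan feed should never
# silently introduce a category the scoring model does not understand.
FINDING_WEIGHTS = {
    "unpatched_system": 15,
    "exposed_service": 10,
    "leaked_credential": 25,
    "misconfiguration": 5,
}


@dataclass
class Supplier:
    name: str
    material: bool                  # material outsourced arrangement (SS2/21 sense)
    services: set                   # important business services that depend on it
    history: list = field(default_factory=list)   # chronological posture scores


def posture_score(findings):
    """Score 0..100 from a dict {category: count}; 100 means nothing observed."""
    penalty = sum(FINDING_WEIGHTS[cat] * n for cat, n in findings.items())
    return max(0, 100 - penalty)


class ThirdPartyRegister:
    """Register of suppliers that re-scores each one on every external scan."""

    def __init__(self, alert_floor=60, deterioration_delta=20):
        self.suppliers = {}
        self.alert_floor = alert_floor            # absolute score that always alerts
        self.deterioration_delta = deterioration_delta  # drop vs. previous scan that alerts

    def add(self, supplier):
        self.suppliers[supplier.name] = supplier

    def record_scan(self, name, findings):
        """Record one external scan of a supplier; return an alert string or None.

        A questionnaire gives one observation per year; this is called on every
        scan, so a slide in posture is visible as it happens.
        """
        s = self.suppliers[name]
        score = posture_score(findings)
        prev = s.history[-1] if s.history else None
        s.history.append(score)
        if score < self.alert_floor:
            return f"{name}: score {score} below floor {self.alert_floor}"
        if prev is not None and prev - score >= self.deterioration_delta:
            return f"{name}: score fell from {prev} to {score}"
        return None

    def concentration_risk(self, min_services=2):
        """Material suppliers on which several important business services depend.

        One such provider failing takes several services down at once, which is
        the Ion-style scenario the register is meant to surface.
        """
        return sorted(s.name for s in self.suppliers.values()
                      if s.material and len(s.services) >= min_services)


def run_demo():
    """Constructed suppliers and scans; returns (alerts, concentrated_suppliers)."""
    reg = ThirdPartyRegister()
    reg.add(Supplier("clearing-platform", True,
                     {"trade_clearing", "settlement", "regulatory_reporting"}))
    reg.add(Supplier("market-data", True, {"trading"}))
    reg.add(Supplier("office-printing", False, {"facilities"}))

    # Constructed scan results in chronological order.
    scans = [
        ("clearing-platform", {}),
        ("market-data", {"misconfiguration": 2}),
        ("clearing-platform", {"exposed_service": 1, "misconfiguration": 1}),
        ("market-data", {"unpatched_system": 2}),
        ("clearing-platform", {"exposed_service": 2, "unpatched_system": 1,
                               "leaked_credential": 1}),
    ]
    alerts = []
    for name, findings in scans:
        alert = reg.record_scan(name, findings)
        if alert:
            alerts.append(alert)
    return alerts, reg.concentration_risk()


if __name__ == "__main__":
    demo_alerts, concentrated = run_demo()
    for line in demo_alerts:
        print("ALERT", line)
    print("concentration risk:", concentrated)
```

In the constructed run, the market-data provider trips the deterioration rule (a 20-point drop between consecutive scans) while still above the absolute floor, and the clearing platform trips the floor on its third scan; the concentration check flags only the clearing platform, because three business services depend on it. The two separate rules matter: an absolute floor alone misses a supplier that is sliding from a good score, and a delta alone misses one that has been poor since onboarding.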
Frequently Asked Questions
How many vendors should we be monitoring?
FCA SS2/21 requires enhanced due diligence for material outsourced arrangements — typically defined as any arrangement where disruption would materially impact the firm's ability to deliver important business services. Most wealth managers and IFAs have 10–30 material vendors; larger firms may have hundreds. Panorays scales to monitor your entire supply chain continuously, prioritising by risk and materiality.
Can we require our vendors to have Cyber Essentials or equivalent?
Yes, and increasingly firms do. Requiring Cyber Essentials Plus from material vendors is becoming standard practice in financial services procurement. However, certification is a point-in-time snapshot — a vendor can be CE Plus certified in January and suffer a serious breach in March. Continuous monitoring provides assurance that CE does not.
What contractual protections does SS2/21 require us to have with vendors?
FCA SS2/21 requires that contracts with material outsourced providers include: defined SLAs and performance metrics; audit and access rights for the firm and the FCA; data return and deletion provisions on termination; business continuity and disaster recovery obligations; and a documented exit plan. Reviewing existing vendor contracts against these requirements is a common starting point for SS2/21 compliance programmes.
Map and monitor your supplier cyber risk
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.