Black Kite’s 2026 Financial Services Report Warns of a Growing Cybersecurity Crisis Across Banking and Investment Firms

A new report from Black Kite suggests the financial sector is entering a more dangerous phase of cyber risk, one in which traditional ransomware attacks and rapidly expanding third-party vulnerabilities are converging into what the company describes as a “dual storm.” In its newly released 2026 Financial Services Report: The Dual Storm of Ransomware and Vendor Ecosystem Risk, Black Kite’s research team found that financial institutions are simultaneously facing a resurgence in direct ransomware attacks while becoming increasingly exposed through the vendors and service providers that support their operations.

The report draws on ransomware intelligence collected between January 2023 and the first quarter of 2026, alongside an analysis of more than 17,000 vendors monitored by Black Kite, including 140 companies whose customer bases are heavily concentrated in financial services. The findings point to a threat landscape that has evolved beyond isolated incidents and now represents a systemic challenge for banks, investment firms, asset managers, and other financial institutions.

Ransomware Returns After a Brief Pause

Financial institutions experienced a temporary decline in ransomware activity during 2024, largely due to international law enforcement operations targeting major ransomware groups such as LockBit and Clop. However, Black Kite’s research indicates that the decline was short-lived.

Reported ransomware incidents targeting financial organizations rose from 156 in 2024 to 202 in 2025, representing a 30% increase. The acceleration appears to be continuing in 2026. During the first quarter alone, researchers documented 65 ransomware incidents, a figure that exceeds the same period in 2025 by 76%.

Rather than disappearing, ransomware operators reorganized. The number of distinct threat groups targeting the financial sector increased from 37 in 2023 to 45 in 2024 and then climbed again to 48 in 2025. New leaders emerged, with Qilin, Akira, and Kill Security becoming among the most active groups targeting financial institutions. Qilin alone was responsible for 59 finance-sector incidents over the past year.

Investment Firms Have Become the Primary Target

One of the more notable shifts documented in the report is the changing profile of ransomware victims.

In 2023, banks were the most targeted financial subindustry, accounting for 71 reported incidents. Investment firms recorded 44 incidents that year. By 2025, the situation had reversed. Investment firms became the most targeted segment with 84 incidents, representing 41.6% of all ransomware disclosures in the financial sector. Banking incidents fell to 36.

According to the report, a significant driver behind this shift was a campaign against South Korean asset managers during September 2025. That single campaign generated 32 disclosures and accounted for more than 38% of all ransomware incidents recorded within the investment management segment that year.

The geographic distribution of attacks also reveals how concentrated certain campaigns can become. While the United States remained the most targeted country throughout the study period, South Korea emerged as a major hotspot following a large-scale supply chain compromise that affected dozens of financial organizations.

Vendor Risk Is Escalating Faster Than Direct Attacks

While ransomware headlines often focus on attacks against individual institutions, Black Kite argues that vendor ecosystems now represent an equally important source of risk.

The report highlights a September 2025 incident in which the compromise of a single managed service provider in South Korea cascaded into 28 financial institutions and resulted in the theft of more than two terabytes of data. Researchers describe the event as an example of how a single breach can create systemic consequences across an entire sector.

The vulnerability profile of vendors serving financial institutions appears to be deteriorating rapidly. Among the 140 vendors analyzed in detail, the number carrying critical vulnerabilities with CVSS scores of 9 or higher increased from 15 in 2024 to 73 in 2025, a 4.9-fold increase. Vendors carrying high-severity vulnerabilities with scores of 8 or higher rose from 31 to 87 during the same period.

Researchers also found that 54% of finance-focused vendors carried at least one vulnerability listed in CISA’s Known Exploited Vulnerabilities catalog, meaning attackers are already actively exploiting those weaknesses in real-world attacks.

Patch Management Failures Remain Widespread

Many of the weaknesses identified in the report are not exotic zero-day vulnerabilities but rather long-standing security issues that organizations have struggled to address.

Among the 140 vendors examined, 109 organizations, or 78%, showed at least one critical patch management failure. Misconfigured email authentication systems were also common, with 47 vendors operating with misconfigured DMARC records and 37 vendors showing misconfigured DKIM implementations.

The report further found evidence of broader security hygiene problems across vendor ecosystems. Nearly 18% of finance-focused vendors had leaked credentials exposed in public sources, while more than 42% showed evidence of credentials appearing in stealer logs. Researchers also identified phishing infrastructure indicators, malicious IP communications, and botnet infections across significant portions of the vendor population.

The Vulnerability Explosion Is Just Beginning

The findings arrive as organizations face a rapidly expanding volume of newly discovered software vulnerabilities.

According to the report, more than 48,000 Common Vulnerabilities and Exposures (CVEs) were published globally during 2025, an 18% increase from the previous year. Black Kite researchers identified 1,240 of those vulnerabilities as high-priority risks for third-party supply chains, up 59% from 2024.

The report argues that artificial intelligence is likely to accelerate this trend. AI-assisted vulnerability discovery tools are increasing the speed at which security flaws can be identified, while AI systems themselves are creating new attack surfaces that organizations must secure. As a result, financial institutions may soon face a larger and faster-moving stream of exploitable vulnerabilities than traditional risk-management processes were designed to handle.

Financial Cybersecurity Is Becoming a Supply Chain Problem

The central conclusion of Black Kite’s 2026 Financial Services Report is that financial institutions can no longer view cybersecurity solely through the lens of their own internal defenses. The report’s analysis shows that ransomware activity is rising again at the same time that vendor ecosystems are becoming significantly more vulnerable. Critical vulnerabilities among finance-focused vendors have surged, exploit timelines continue to shrink, and a single compromised supplier can now affect dozens of institutions simultaneously.

As the report notes, resilience increasingly depends on an organization’s ability to continuously identify, prioritize, and respond to risks across both its internal environment and its extended supply chain. For an industry built on interconnected software, service providers, and outsourced infrastructure, third-party risk management is no longer a compliance exercise. According to Black Kite’s research, it is becoming a foundational component of financial sector security.