Black Kite's 2026 Financial Services Report, published this week, contains one number that should reframe every third-party risk discussion in Swiss finance. Among the 140 vendors on which financial institutions are most concentrated, confirmed breaches rose from 6 to 39 in twelve months — a six-and-a-half-fold increase. Within the top 20 most relied-upon vendors, the count went from one breached vendor to seven. Add the sector's own tally — 65 finance-sector incidents in the first quarter of 2026 alone, 76% more than the same quarter last year — and the picture is unambiguous: the attack surface of a financial institution is no longer its own estate. It is the shared vendor layer the entire industry sits on, and that layer is being worked through systematically.
Concentration Is the Vulnerability
The report's core finding is not that vendors get breached — it is that breach probability now correlates with concentration. The vendors serving the most financial institutions are the most attractive targets, because a single intrusion yields data or access spanning dozens or hundreds of downstream firms. Attackers have internalised the same lesson the industry learned from MOVEit and the CDK and Change Healthcare outages: compromising one systemically embedded provider outperforms compromising any single bank. When seven of the twenty most relied-upon financial vendors confirm breaches in a year, the sensible planning assumption for any institution is that at least one of its critical providers is compromised at any given time — the question is which one, and whether the institution would detect the consequences before its regulator or its clients do.
This inverts the logic that has governed vendor selection for decades. The large, widely used provider was the safe choice — vetted by everyone, certified against every framework, too big to fail an audit. Concentration was a proxy for quality. It is now also a proxy for targeting priority, and the two effects do not cancel out. Nothing in a SOC 2 report or an ISO 27001 certificate changes the fact that the certified vendor holds credentials, data, and network paths into four hundred financial institutions and is therefore worth a top-tier adversary's sustained attention.
The Correlated-Loss Problem Swiss Risk Models Miss
For Swiss banks and insurers, the report's numbers describe a risk that most operational-risk models still book incorrectly: vendor incidents are treated as independent events, when concentration makes them correlated. If three Swiss private banks use the same core-banking provider, the same e-banking platform, and the same regulatory-reporting service — a realistic description of the Swiss mid-market, where a handful of providers dominate each function — then a single vendor breach is not one institution's bad day but a sector event, arriving simultaneously at every client of that provider, competing for the same forensic responders, the same legal advisers, and the same regulator's attention.
Switzerland has already rehearsed this at national scale: Xplain put federal data on the dark web, and the Radix leak two weeks ago exposed federal office documents through a health-promotion foundation. The financial sector's version will look the same but with client-identifying data, and the Black Kite trendline says the probability of that event is rising, not falling. The institutions that will distinguish themselves are those that can answer, within hours of a vendor's disclosure, three questions: what data of ours does this vendor hold, what access does it have into our estate, and what is our client and regulatory exposure if both are compromised. Institutions that need weeks to answer are the ones that end up in supervisory findings.
What FINMA and DORA Already Expect
The regulatory framework has moved faster than most inventory systems. FINMA's operational-resilience expectations, in force since the start of the year, require institutions to identify critical functions, map the third parties they depend on, and demonstrate the ability to absorb disruption — not merely to have contracts that assign blame for it. Swiss groups with EU entities carry DORA on top: the Register of Information must enumerate every ICT third-party arrangement with a precision that national competent authorities have begun cross-checking automatically, and the first supervisory actions for register deficiencies are already being issued this cycle. A vendor-concentration figure like Black Kite's 6-to-39 jump is precisely the kind of external evidence supervisors cite when they ask an institution to justify its dependence on a provider it cannot exit within contractual notice periods.
The gap between regulatory expectation and operational practice is the questionnaire. Annual self-attestation measures a vendor's posture once a year, in the vendor's own words, on the vendor's schedule. A threat landscape in which the top-20 breach count moves from one to seven within a single year makes that cadence structurally inadequate: the assessment is stale before the ink dries. Continuous external monitoring, contractual breach-notification deadlines measured in hours, and pre-negotiated audit and forensic-access rights are what close the loop — and they are considerably cheaper to negotiate before an incident than after one.
◆ Key Takeaway
Black Kite's data turns vendor concentration from an intuition into a measured trend: breaches among the most relied-upon financial vendors grew 6.5x in a year, and 7 of the top 20 were hit. For Swiss institutions the planning assumption must be that a critical vendor is already compromised — and the differentiator is how fast you can map that vendor to your data, your access paths, and your reporting obligations.
- Build a concentration view, not just a vendor list. Rank third parties by breadth of data held and depth of access granted, and flag providers that also serve your Swiss peers — shared dependence is shared fate, and it changes your incident-response assumptions.
- Answer the three-hour question in advance. For each critical vendor, maintain a current record of data categories held, network and API access granted, and the nDSG, FINMA, and DORA obligations a breach would trigger — so a vendor disclosure starts your response, not your research.
- Replace annual questionnaires with continuous signals. External attack-surface monitoring on critical vendors, tied to defined escalation thresholds, detects deterioration between attestation cycles.
- Contract for hours, not "without undue delay". Breach notification within 24–48 hours, named security contacts, forensic cooperation, and post-incident audit rights belong in every critical-vendor agreement at renewal.
- Test the exit you claim to have. FINMA and DORA both expect documented exit strategies for critical providers; a strategy that has never been rehearsed against realistic timelines is documentation, not capability.
- Feed vendor scenarios into resilience testing. Tabletops and TLPT scoping should include the compromise of a systemically shared provider — the scenario the Black Kite data says is most likely — not only direct attacks on your own perimeter.
- Report concentration to the board quarterly. Vendor concentration is now a measurable, trending risk with regulatory teeth; it belongs on the same dashboard as credit and market exposure, with movement tracked over time.
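The first two takeaways (a concentration view rather than a vendor list, and the three-hour question answered in advance) are easier to see as a data structure than as prose. The sketch below is an added illustration, not Black Kite's methodology or any institution's real register: the scoring weights, the four sample vendors and their figures, and the mapping from data held to nDSG, FINMA and DORA reporting duties are all assumptions, and the report's 7-of-20 figure is borrowed only to show what the naive independent-events baseline looks like before correlation through shared providers is taken into account.

```python
"""Vendor concentration register: rank critical third parties, answer the
three-hour question, and list which vendors are shared points of failure.
Added illustration; the weights, sample vendors and obligation mapping are
assumptions, not figures from the Black Kite report."""
from dataclasses import dataclass

# Assumed scoring weights: how much of our data a vendor holds (breadth)
# and how deep its access into our estate goes (depth).
DATA_WEIGHT = {"client-identifying": 3, "transaction": 2, "internal": 1}
ACCESS_WEIGHT = {"site-to-site-vpn": 3, "api-write": 2, "api-read": 1}

# Report figure: 7 of the 20 most relied-upon vendors confirmed a breach in a year.
TOP20_ANNUAL_BREACH_RATE = 7 / 20


@dataclass(frozen=True)
class Vendor:
    name: str
    functions: frozenset        # critical functions that depend on this vendor
    data_categories: frozenset  # categories of our data the vendor holds
    access_paths: frozenset     # network/API access granted into our estate
    peer_clients: int           # Swiss peers also relying on it (assumed survey figure)
    eu_entity_in_scope: bool    # an EU group entity uses it, so DORA applies


def concentration_score(v: Vendor) -> int:
    """Breadth of data plus depth of access, scaled by how many of our critical
    functions ride on the vendor and how widely our peers share it."""
    breadth = sum(DATA_WEIGHT.get(c, 0) for c in v.data_categories)
    depth = sum(ACCESS_WEIGHT.get(a, 0) for a in v.access_paths)
    return (breadth + depth) * len(v.functions) * (1 + v.peer_clients)


def rank_by_concentration(vendors):
    return [v.name for v in sorted(vendors, key=concentration_score, reverse=True)]


def obligations(v: Vendor):
    """Assumed mapping from what the vendor holds to the reporting duties a
    breach would trigger; replace with the institution's own regulatory register."""
    duties = []
    if "client-identifying" in v.data_categories:
        duties.append("nDSG: assess FDPIC and data-subject notification (Art. 24)")
    if v.access_paths or v.data_categories & {"client-identifying", "transaction"}:
        duties.append("FINMA: cyber-attack reporting, initial notice within 24 hours")
    if v.eu_entity_in_scope:
        duties.append("DORA: major ICT-related incident reporting via the EU entity (Art. 19)")
    return duties


def triage(vendors, name: str) -> dict:
    """The three-hour answer: what of ours does this vendor hold, what access
    does it have, and what do we owe whom if both are compromised."""
    v = next(x for x in vendors if x.name == name)
    return {
        "functions": sorted(v.functions),
        "data_held": sorted(v.data_categories),
        "access": sorted(v.access_paths),
        "obligations": obligations(v),
        "peers_also_hit": v.peer_clients,
    }


def shared_points_of_failure(vendors):
    """Vendors whose single breach takes out more than one critical function at
    once: the correlated-loss case an independent-events risk model books wrongly."""
    return [v.name for v in vendors if len(v.functions) > 1]


def p_any_breached(n_critical: int, rate: float = TOP20_ANNUAL_BREACH_RATE) -> float:
    """Naive baseline: chance that at least one of n critical vendors is breached
    in a year if breaches were independent at the report's top-20 rate.
    Correlation through shared providers makes real sector exposure worse."""
    return 1 - (1 - rate) ** n_critical


# Constructed sample register; names and figures are invented for illustration.
VENDORS = [
    Vendor("CoreSuite", frozenset({"core-banking", "payments"}),
           frozenset({"client-identifying", "transaction"}),
           frozenset({"site-to-site-vpn", "api-write"}),
           peer_clients=12, eu_entity_in_scope=True),
    Vendor("RegReport", frozenset({"regulatory-reporting"}), frozenset({"transaction"}),
           frozenset({"api-read"}), peer_clients=8, eu_entity_in_scope=True),
    Vendor("OfficeCloud", frozenset({"collaboration"}), frozenset({"internal"}),
           frozenset({"api-read"}), peer_clients=30, eu_entity_in_scope=False),
    Vendor("LocalPrint", frozenset({"statement-printing"}), frozenset({"client-identifying"}),
           frozenset(), peer_clients=0, eu_entity_in_scope=False),
]

if __name__ == "__main__":
    print("concentration ranking:", rank_by_concentration(VENDORS))
    print("shared points of failure:", shared_points_of_failure(VENDORS))
    print("triage CoreSuite:", triage(VENDORS, "CoreSuite"))
    print(f"P(>=1 of {len(VENDORS)} critical vendors breached, independent model): "
          f"{p_any_breached(len(VENDORS)):.0%}")
```

Two design choices matter more than the particular weights. First, the peer-sharing factor deliberately pushes a low-sensitivity but widely shared provider above a narrow one, because shared dependence is what turns one institution's incident into the sector event described above. Second, `triage` reads only from the register, never from the vendor: the point of maintaining it is that the disclosure starts the response rather than the research, and the obligations list is a prompt for the legal and compliance owners, not a substitute for their judgement.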
The direction of travel is set. Attackers will keep prioritising the vendor layer because its economics are unbeatable, and supervisors will keep tightening third-party expectations because systemic events keep proving the point. Somewhere in the gap between those two forces sits each institution's actual resilience: the completeness of its dependency map, the speed of its vendor-incident playbook, and the honesty of its exit plans. Black Kite's 2026 numbers do not predict which vendor fails next — they establish that one will, soon, and that the institutions caught explaining their dependency map to a supervisor after the fact will wish they had treated this week's report as the deadline it quietly is.