Third parties that service financial institutions are considered one of their greatest risks. The financial institutions develop a really strong security program but then can be weakened by an external party. Third party risk is something taken very seriously by the financial institutions.
I think one of the issues is that people believe that cybersecurity is an overly complicated domain when a lot of breaches occur due to the basics being missed. I think that proper education, in terms of what the basics are and how to go about resolving them, can greatly mitigate that risk. We are seeing financial institutions start to basically mandate that their third parties have certain minimum controls inside of contracts and that there is an assumption of risk along with them. In Canada we have OSFI that regulates the banks. If a third party is the reason for a breach, OSFI doesn't really care that it was a third party. It still holds the bank liable, so the banks are taking this very seriously and are going through heavy risk programs to mitigate this issue.