US breach reinforces need to plug third-party security weaknesses
Cyber breach at US financial sector tech provider highlights the risk of third-party vulnerabilities in finance ecosystems
The finance sector has been dealt another reminder that security postures are only as strong as the weakest link, as a tech supplier hack leaves US banks exposed.
This week, SitusAMC, which provides loans and mortgage services to US banks, admitted that “certain information” from its systems had been compromised in a cyber attack.
SitusAMC manages billions of loan documents for US banks and mortgage lenders, with a single compromise spreading risk across the financial sector.
In a statement on 22 November, it said: “On November 12, 2025, [we] became aware of an incident that we have now determined resulted in certain information from our systems being compromised. Corporate data associated with certain … clients’ relationship with SitusAMC such as accounting records and legal agreements has been impacted.” It added: “Certain data relating to some of our clients’ customers may also have been impacted.”
US banks that use SitusAMC include JPMorgan Chase and Citigroup.
According to reports, the FBI has been made aware of the breach.
In an update on 25 November, SitusAMC said: “[We have] been diligently working on our data review process, and the current phase of that process includes conducting keyword searches to identify our clients’ names in certain file paths that we know were impacted.”
Wide supplier links
Financial services ecosystems are becoming more complex, with large numbers of firms offering technology platforms (fintech services) to banks and other finance firms.
A security breach at one of these firms can leave the data of financial organisations vulnerable.
It is a growing problem in the finance sector as banks increase the number of fintech partners they work with.
Recent research by risk management company SecurityScorecard found that in the latest 12-month period measured, 96% of Europe’s largest financial services organisations have been affected by a security breach at a third-party organisation. This was compared with 78% in the previous report two years earlier.
It also revealed that 97% of firms had suffered a breach via a fourth party (the partners of their partners), an increase from 84% in the previous survey.
This came amid a drop in direct breaches. According to SecurityScorecard, during the period, 7% suffered a direct breach, which was down from 8%.
One IT security expert in the UK banking sector, who wished to remain anonymous, said he was not surprised by the figures. “I would have expected 100% of firms to be impacted by third-party failures of various types,” he said. “The 4% that claim not to have been affected surprises me more.”
SecurityScorecard’s chief information security officer, Steve Cobb, said: “Hackers breached financial technology provider SitusAMC, stealing accounting records and legal agreements from its systems.”
He warned that cyber criminals are changing their approach. “The breach illustrates how attackers are shifting toward quietly extracting sensitive information instead of causing immediate disruption,” said Cobb. “That change in tactics makes detection harder and raises the stakes for organisations that depend on vendor‑managed data.”
He added that banks, and their suppliers, must improve partner risk management to the level of internal security. “Every partner that touches non-public data is a potential exposure point,” said Cobb. “Organisations need continuous visibility into the health of their vendor ecosystem, along with real-time validation that partner controls are functioning.”
In January 2025, the European Union’s (EU’s) Digital Operational Resilience Act entered into application. It covers a number of aspects of cyber resiliency, auditability, and the responsibilities shared between financial institutions and third-party software and IT service providers when these products and services are used to power business operations. Although it is a European regulation affecting companies that operate in the EU, other regions are also putting cyber resiliency measures in place.
