It may not be surprising that the financial sector is the hardest hit by cyberattacks. After all, most of us know that following the money may be the surest way to get rich quick. But a report released by the European Union’s (EU) financial services watchdog, the Financial Conduct Authority (FCA), shows a massive surge in reported cyber incidents–up 1086% from last year. We can learn a lot from what’s reported because if it’s happening in the EU, it’s very likely happening in the U.S.

As part of the EU’s 2018 GDPR (General Data Protection Regulation), all businesses must report cyber incidents or face strict penalties. A result of this reporting shows growth in cyberattacks against financial services companies and it breaks down the data to find what’s causing these incidents. In addition, it finds email phishing and ransomware are the biggest attack vectors by far. Surprisingly, the reporting finds that hackers may not be the biggest threat to financial data security after all.

The report shows overall, financial services reported 819 incidents, compared to just 69 the year before–an alarming 1086% increase. Of that gigantic uptick, retail banking came in first with 486, or 68% of the total reported. Financial markets came in second with 115 reports and investment firms took third place with 53 accounts. Those in charge of the data can’t deny that GDPR regulations may be causing an overall increase in cyber incident reporting. A look at the source of the incidents sheds light on just what is hiding behind these statistics.

Coming in at 21% of all financial incidents, the largest type reported were third-party, sometimes known as supply chain incidents. Third party vendors a company uses can have weaknesses in their own cybersecurity, resulting in malware and data theft for their clients. Hardware and software issues create 19% of incidents, while change management is behind 18% of all incidents. Changes in IT systems that aren’t managed correctly makes them vulnerable to weaknesses. Perhaps the biggest surprise of all–only 11% of all financial incidents were due to cyberattacks.

While there is little an organization can do directly to prevent attacks against third parties, it is important to create a relationship of trust and transparency with those businesses. Find out their cybersecurity strategies and mitigation plans and work with them to a point you feel comfortable with them. In your own organization, make sure all systems are property configured, particularly cloud servers, and make sure perimeter security tools are in place. Don’t forget that physical security plays a role in any cybersecurity strategy.

Regardless of who or what is behind the growing number incidents, it’s clear the financial industry needs to protect from inside factors as well as those coming from the outside.