SecurityScorecard released its 2025 sector report, Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, revealing that 41.8% of breaches impacting top fintech companies originated from third-party vendors. Based on a comprehensive analysis of the cybersecurity posture of 250 of the world’s top fintech companies, the report highlights the growing disconnect between strong internal controls and external supply chain risk.
Ryan Sherstobitoff, SVP of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit, said: “Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” said Ryan Sherstobitoff, SVP of STRIKE Threat Research and Intelligence at SecurityScorecard. “Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”
Cyber Technology Insights : TIER IV Selects PlaxidityX to Provide Cyber Security Expertise
Key Findings:
Fintech firms had the strongest security posture of any industry analyzed, with a median score of 90 and 55.6% earning an “A” rating.
18.4% of fintech companies experienced publicly reported breaches. 28.2% of those had multiple incidents.
Third-party attack vectors were responsible for 41.8% of breaches. Fourth-party exposures accounted for an additional 11.9%, more than double the global average.
Technology products and services were linked to 63.9% of third-party breaches, with file transfer software and cloud platforms being the most frequent points of compromise.
Application Security and DNS Health were the most common weaknesses, with 46.4% of companies scoring lowest in application security.
Cyber Technology Insights : UTC Partners with ISASecure to Advance ISA/IEC 62443 Cybersecurity Standards Adoption
Cybersecurity Recommendations for Fintech Companies
Based on this analysis, the SecurityScorecard STRIKE team offers the following recommendations to strengthen cybersecurity across the fintech ecosystem:
Strengthen Third- and Fourth-Party Risk Oversight: Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches.
Secure Shared Infrastructure and Technical Enablers: File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices.
Close Critical Application Security and DNS Gaps: Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets.
Enforce Strong Credential Protections: Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise.
Treat Repeat Breaches as a Leading Risk Signal: Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals.
Cyber Technology Insights : 2025 Small Business Survey Shows Spike in AI
To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com
Source: businesswire
