Third-Party Risks Drive Nearly Half of Fintech Breaches

SecurityScorecard’s 2025 report reveals structural vulnerabilities in the fintech supply chain, urging stronger oversight of vendors and shared infrastructure

SecurityScorecard has published its 2025 sector report, Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, highlighting that 41.8% of cybersecurity breaches affecting leading fintech firms stemmed from third-party vendors.

The report, based on an in-depth analysis of the cybersecurity posture of 250 of the world’s top fintech companies, underscores a growing disparity between robust internal controls and external supply chain vulnerabilities.

“Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” said Ryan Sherstobitoff, Senior Vice President of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit.

“Third-party breaches aren’t edge cases, they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”

Among the key findings, 18.4% of fintech companies had experienced publicly reported breaches, with 28.2% of those reporting multiple incidents.

Third-party vectors were responsible for 41.8% of breaches, while fourth-party exposures accounted for an additional 11.9%, more than double the global average.

Technology products and services played a significant role in third-party breaches, particularly file transfer software and cloud platforms.

Source: SecurityScorecard

Despite these challenges, fintech firms recorded the strongest cybersecurity posture of any industry studied, with a median SecurityScorecard rating of 90.

Notably, 55.6% of companies received an “A” grade.

However, application security and DNS health were cited as the most prevalent weaknesses.

Nearly 46.4% of companies scored lowest in application security, with issues such as unsafe redirect chains, misconfigured storage, and missing SPF records being common.

In response to these findings, the STRIKE team outlined several recommendations for the fintech sector.

First, firms should enhance oversight of third- and fourth-party risks by classifying vendors based on their exposure and breach history, rather than just financial value or business importance.

Including contractual clauses for breach notifications and disclosing downstream dependencies can help mitigate the risk of cascading incidents.

Additionally, fintechs are encouraged to secure shared infrastructure and technical enablers, especially file transfer systems, cloud storage, and communication tools.

Regular audits and requiring partners to follow secure implementation practices are advised.

Closing critical application security and DNS gaps should be a priority, with an emphasis on securing customer-facing assets.

To address credential-based threats, companies should enforce multi-factor authentication (MFA), monitor for reused credentials, and act swiftly to take down spoofed domains.

These steps are essential in combating credential stuffing and typosquatting attacks, which have impacted a majority of firms.

Finally, the report stresses the importance of treating repeat breaches as a significant risk signal.

Vendors with a history of multiple incidents, particularly involving third-party exposure, should be subjected to stricter scrutiny during onboarding and contract renewals.