Growing Cybersecurity Risks in Fintech Sector: Third-Party Vendor Breaches on the Rise
Recent research from SecurityScorecard unveils troubling insights into data breaches affecting leading fintech companies, revealing that nearly 42% of these incidents can be traced to third-party vendors. Additionally, 12% of breaches are linked to risks stemming from fourth-party suppliers, underscoring a significant vulnerability within the financial technology sector.
This analysis, which examined 250 prominent fintech firms globally, highlights systemic risks that persist despite robust internal cybersecurity protocols. The report, titled Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, exposes a widening gap between strong internal security measures and the inherent vulnerabilities introduced by external partners.
Fintech has emerged as one of the industries with the most formidable security postures, achieving a median score of 90 in SecurityScorecard’s evaluations. Over half of the firms, specifically 55.6%, received an "A" rating. Nonetheless, these high scores do not provide a foolproof barrier against cyber threats. The study indicates that 18.4% of the evaluated fintech companies have publicly reported data breaches, with over a quarter (28.2%) experiencing multiple incidents.
The report identifies technology products and services as significant contributors, accounting for 63.9% of third-party breach incidents. Among these, file transfer software and cloud platforms were pinpointed as primary vulnerabilities. Further analysis revealed concerning trends in application security and Domain Name System (DNS) health. Nearly 46.4% of companies scored poorly in application security assessments, revealing issues such as unsafe redirect chains, misconfigured storage, and absent Sender Policy Framework (SPF) records.
Ryan Sherstobitoff, Senior Vice President of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit, emphasizes the critical implications of these findings. He notes that vulnerabilities posed by a single exposed vendor can have cascading effects on essential financial infrastructures. In a sector where operational outages can disrupt payment systems and digital asset platforms, the risks cannot be underestimated.
The threat landscape is further complicated by fourth-party exposures, which now account for 11.9% of incidents in the fintech space, surpassing the global average. This highlights the intricate vulnerabilities woven into the digital supply chains that characterize modern financial technology.
In light of these findings, the SecurityScorecard STRIKE team has recommended a multi-faceted approach to enhance cybersecurity across the fintech supply chain. They suggest that companies intensify their oversight of both third- and fourth-party risks. Specifically, firms should classify vendors not only by financial value but also by breach history and potential exposure. Contracts should include clauses mandating downstream transparency and timely incident notifications, helping to mitigate cascading risks from fourth-party breaches.
Securing shared infrastructure is deemed essential, as tools such as file transfer software and cloud storage have emerged as common vectors for breaches. Regular audits of these systems, paired with requirements for partners to uphold stringent security practices, are critical steps in bolstering defenses.
With application security and DNS settings representing additional vulnerabilities, the report stresses the necessity to remediate foundational weaknesses. The document highlights that nearly half of the firms scored low on application security metrics, indicating an urgent need for prioritization in securing customer-facing assets.
Robust credential protection practices are also critical, given that credential stuffing and typosquatting attacks have impacted numerous firms. The report advocates for the implementation of multi-factor authentication (MFA), monitoring for reused credentials, and the removal of spoofed domains as vital strategies to shield users from cross-platform compromises.
Finally, the report advises heightened scrutiny for companies with a prior history of breaches, indicating that multiple incidents often correlate with a higher risk profile. Vendors that have experienced breaches should face thorough vetting during the onboarding process and contract renewals.
The study encompasses a wide array of fintech subsectors, including payments, digital assets, neobanking, financial planning, and technology infrastructure. The selected firms were recognized for their global influence and operational scale within the industry. Understanding these dynamics is crucial for business owners striving to navigate the complexities of cybersecurity risks in the fintech landscape.
