
Recent analysis from SecurityScorecard finds that 41.8% of data breaches affecting prominent fintech organizations can be traced back to third-party vendors. The figure comes from the firm's 2025 sector report, which assessed the security posture of 250 leading fintech companies worldwide. The findings highlight the gap between strong internal controls and the risk that enters through the external supply chain.
Ryan Sherstobitoff, senior vice president of STRIKE Threat Research and Intelligence at SecurityScorecard, stated, “Fintech companies anchor global finance, but one exposed vendor can disrupt critical infrastructure.” He emphasized that these breaches aren’t isolated incidents but rather indicative of systemic vulnerabilities. In the fintech space, the implications can extend to significant operational interruptions affecting payment systems, digital asset platforms, and core financial services.
Fintech firms achieved the highest median security score (90) of any industry analysed, with 55.6% receiving an "A" rating, yet they remain exposed: a high score reflects a firm's own externally observable controls, not those of its vendors. The report notes that 18.4% of the companies had publicly disclosed data breaches, and that 28.2% of those breached companies had experienced more than one incident. These figures show how persistent the sector's security challenges are.
Impact of Third- and Fourth-Party Exposures on Breaches
Third-party risk is compounded by fourth parties (the vendors of a firm's vendors), which account for a further 11.9% of breaches, more than double the global average. 63.9% of breaches involved technology products and services, with file transfer software and cloud platforms among the most frequent vectors of compromise.
The report identifies application security and DNS health as the areas most in need of attention, with 46.4% of firms scoring poorly on application security. In response, the SecurityScorecard STRIKE team has proposed several recommendations for strengthening security practice across the fintech landscape.
Fintech organizations should prioritize vendor risk assessments by exposure and breach history rather than by financial considerations alone. Greater transparency about downstream dependencies, together with incident notification clauses written into contracts, helps limit the impact of a third-party breach.
Shared infrastructure and enabling technologies need securing as well. File transfer tools, cloud storage services, and customer-facing platforms should be evaluated regularly to confirm that partners have implemented them securely, since these are the products most often involved in the breaches the report counted.
Application security needs direct investment. Remediation should start with the high-risk findings the report calls out, such as unsafe redirect chains, misconfigured storage, and missing SPF records (which leave a domain open to spoofing in phishing mail), particularly on customer-facing assets, because these are the weaknesses an attacker, or a rating scanner, sees first.
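The three finding types above can each be checked offline from data you already hold (published TXT records, an observed redirect chain, a storage policy document). The following is an added example written for this article, not SecurityScorecard's scanner or any code from the report; the function names, the sample records, the URLs and the policy ARNs are all constructed for illustration.

```python
"""Offline checks for the three finding types named above: SPF record
problems, unsafe redirect chains and publicly readable storage policies.
Added example; every input below is constructed, not data from the report."""
import json
import re
from urllib.parse import urlparse

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """'include:x', '-all', 'ip4:1.2.3.0/24', 'redirect=y' -> 'include', 'all', 'ip4', 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def analyze_spf(txt_records):
    """Return findings for the TXT records published at a domain; [] means the record is sound."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records published (receivers treat this as permerror)"]
    findings = []
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if _mechanism(t) in _LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    last = terms[-1] if terms else ""
    if _mechanism(last) == "all":
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("terminal +all lets any host send as the domain")
        elif qualifier == "?":
            findings.append("terminal ?all is neutral, so the record enforces nothing")
    elif not any(_mechanism(t) == "redirect" for t in terms):
        findings.append("no terminal all mechanism (implicit ?all, enforces nothing)")
    return findings


def analyze_redirect_chain(chain, trusted_hosts, max_hops=5):
    """chain = URLs in the order a client was sent through them (observed Location headers)."""
    findings = []
    if len(chain) - 1 > max_hops:
        findings.append(f"{len(chain) - 1} hops exceed the limit of {max_hops}")
    seen = set()
    for i, url in enumerate(chain):
        if url in seen:
            findings.append(f"hop {i}: loop back to {url}")
            break
        seen.add(url)
        here = urlparse(url)
        if here.hostname not in trusted_hosts:  # open-redirect / tracking pivot
            findings.append(f"hop {i}: leaves trusted hosts ({here.hostname})")
        if i and urlparse(chain[i - 1]).scheme == "https" and here.scheme == "http":
            findings.append(f"hop {i}: downgrade from https to http")
    return findings


def analyze_bucket_policy(policy_json):
    """Flag Allow statements in an S3-style policy document that grant access to everyone."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not public:
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"public principal allowed {', '.join(actions)} on {st.get('Resource')}")
    return findings


# Constructed sample policies (account id and bucket name are placeholders).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-statements/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-statements/*"}]})

if __name__ == "__main__":
    print(analyze_spf(["v=spf1 a mx include:_spf.mailer.example +all"]))
    print(analyze_redirect_chain(
        ["https://pay.example.com/login", "http://pay.example.com/login",
         "https://tracking.example.net/r?u=https://pay.example.com/"],
        trusted_hosts={"pay.example.com"}))
    print(analyze_bucket_policy(PUBLIC_POLICY), analyze_bucket_policy(PRIVATE_POLICY))
```

The SPF check deliberately does not resolve `include:` targets, so it counts lookup terms in the published record only; a full evaluation has to recurse into each included domain and may find the 10-lookup limit exceeded there. The policy check treats a public principal as a finding even when a `Condition` block is present, which is the conservative reading for a triage pass.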
The report also stresses credential protection in light of ongoing credential stuffing and typosquatting activity. Deploying multi-factor authentication (MFA), monitoring for credential reuse, and taking down fraudulent domains are the measures it recommends for protecting users and for stopping a credential stolen on one platform from being replayed against another.
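Two of those threats can be detected from data a fintech already has: credential stuffing shows up in authentication logs as one source address failing against many distinct accounts, and typosquats show up in newly registered or newly observed domain feeds as look-alikes of the brand. The block below is an added example for this article, not tooling from SecurityScorecard or the report; the log lines, the brand domain `zentapay.com`, the observed domains and all function names are constructed for illustration.

```python
"""Added example: two offline detections for the credential threats named above.
1. Credential stuffing: one source IP failing logins against many distinct
   accounts inside a short window.
2. Typosquatting: generate look-alike variants of a brand domain and match them
   against a feed of newly observed domains.
All log lines and domains below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: 203.0.113.7 sprays six accounts in ten seconds;
# 198.51.100.9 is one user mistyping their own password, which must not alert.
LOG_LINES = [
    "2025-03-04T10:00:01Z ip=203.0.113.7 user=alice result=fail",
    "2025-03-04T10:00:03Z ip=203.0.113.7 user=bob result=fail",
    "2025-03-04T10:00:04Z ip=203.0.113.7 user=carol result=fail",
    "2025-03-04T10:00:06Z ip=203.0.113.7 user=dave result=fail",
    "2025-03-04T10:00:07Z ip=203.0.113.7 user=erin result=fail",
    "2025-03-04T10:00:09Z ip=203.0.113.7 user=frank result=ok",
    "2025-03-04T10:00:11Z ip=203.0.113.7 user=grace result=fail",
    "2025-03-04T10:05:00Z ip=198.51.100.9 user=alice result=fail",
    "2025-03-04T10:05:20Z ip=198.51.100.9 user=alice result=fail",
    "2025-03-04T10:05:40Z ip=198.51.100.9 user=alice result=ok",
]


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: distinct_accounts} for source IPs whose failed logins hit at
    least min_accounts distinct accounts within any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        stamp, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        if fields.get("result") != "fail":
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        failures[fields["ip"]].append((ts, fields["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


# Single-character substitutions that render similarly in a URL bar.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "e": "3", "a": "4"}
ALT_TLDS = ("co", "net", "org", "io")


def typosquat_variants(domain):
    """Map look-alike domains to the edit that produced them.
    Assumes a single-label TLD (example.com, not example.co.uk)."""
    label, tld = domain.rsplit(".", 1)
    variants = {}
    for i in range(len(label)):
        variants[f"{label[:i]}{label[i + 1:]}.{tld}"] = "omission"
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants[f"{swapped}.{tld}"] = "transposition"
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            variants[f"{label[:i]}{HOMOGLYPHS[ch]}{label[i + 1:]}.{tld}"] = "homoglyph"
    for alt in ALT_TLDS:
        if alt != tld:
            variants[f"{label}.{alt}"] = "tld-swap"
    variants.pop(domain, None)  # a no-op transposition regenerates the brand itself
    return variants


def find_typosquats(brand, observed_domains):
    """Return sorted (domain, kind) pairs from the feed that look like the brand."""
    variants = typosquat_variants(brand.lower())
    hits = {d.lower() for d in observed_domains} & set(variants)
    return sorted((d, variants[d]) for d in hits)


# Constructed feed of newly observed domains.
OBSERVED = ["zentapay.co", "zentpay.com", "zenatpay.com", "zentapay.com",
            "github.com", "zentap4y.com"]

if __name__ == "__main__":
    print(detect_credential_stuffing(LOG_LINES))
    print(find_typosquats("zentapay.com", OBSERVED))
```

The stuffing detector keys on distinct accounts per source rather than raw failure counts, which is what separates a spray from one locked-out user; in production the source key should also cover ASN or user-agent, since stuffing tools rotate IPs. A typosquat hit is an input to a takedown request and a phishing watchlist, not proof of malice on its own.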
Lastly, the report says repeat breaches should be read as indicators of systemic risk. Vendors with a history of multiple breaches should undergo comprehensive assessment at onboarding and again at contract renewal, rather than being re-approved on the strength of a single clean review. The aim is a fintech sector whose security posture accounts for the exposure it inherits through third parties, not only the controls it operates itself.