SecurityScorecard Report Links 41.8% of Breaches Impacting Leading Fintech Companies to Third-Party Vendors

Report reveals growing exposure in the financial supply chain as even top-rated fintech firms face systemic third- and fourth-party cyber risks

NEW YORK — May 21, 2025 — SecurityScorecard today released its 2025 sector report, Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, revealing that 41.8% of breaches impacting top fintech companies originated from third-party vendors. Based on a comprehensive analysis of the cybersecurity posture of 250 of the world’s top fintech companies, the report highlights the growing disconnect between strong internal controls and external supply chain risk. Ryan Sherstobitoff, SVP of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit, said: “Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” said Ryan Sherstobitoff, SVP of STRIKE Threat Research and Intelligence at SecurityScorecard. “Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.” Key Findings:

Fintech firms had the strongest security posture of any industry analyzed, with a median score of 90 and 55.6% earned an “A” rating.
18.4% of fintech companies experienced publicly reported breaches. 28.2% of those had multiple incidents.
Third-party attack vectors were responsible for 41.8% of breaches. Fourth-party exposures accounted for an additional 11.9%, more than double the global average.
Technology products and services were linked to 63.9% of third-party breaches, with file transfer software and cloud platforms being the most frequent points of compromise.
Application Security and DNS Health were the most common weaknesses, with 46.4% of companies scoring lowest in application security.

Cybersecurity Recommendations for Fintech Companies Based on this analysis, the SecurityScorecard STRIKE team offers the following recommendations to strengthen cybersecurity across the fintech ecosystem:

Strengthen Third and Fourth-Party Risk Oversight: Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches.
Secure Shared Infrastructure and Technical Enablers: File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices.
Close Critical Application Security and DNS Gaps: Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets.
Enforce Strong Credential Protections: Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise.
Treat Repeat Breaches as a Leading Risk Signal: Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals.

Download the report Methodology This report evaluates the cybersecurity posture of 250 leading fintech companies, selected for their global reach, industry influence, and operational scale. The companies span a wide range of financial technology segments, including payments, digital assets, neobanking, financial planning, and infrastructure providers. About SecurityScorecard SecurityScorecard created Supply Chain Detection and Response (SCDR), transforming how organizations defend against the fastest-growing threat vector—supply chain attacks. Our industry-leading security ratings serve as the foundation and core strength, while SCDR continuously monitors third-party risks using our factor-based ratings, automated assessments and proprietary threat intelligence, to resolve threats before they become breaches. MAX enables response and remediation capability, working through our service partners to protect the entire supply chain ecosystem while strengthening operational resilience, enhancing third-party risk management and mitigating concentrated risk.

Trusted by over 3,000 organizations—including two-thirds of the Fortune 100—and recognized as a trusted resource by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Backed by Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, NGP, Intel Capital and Riverwood Capital, SecurityScorecard delivers end-to-end supply chain cybersecurity that safeguards business continuity.

Learn more at securityscorecard.com or follow us on LinkedIn. Media Contact Allison Knight 10Fold for SecurityScorecard securityscorecard@10fold.com

Platform

2026 Supply Chain Cybersecurity Trends Report

Solutions

2026 Supply Chain Cybersecurity Trends Report

Featured

Collateral

Learning

Tools

Explore other posts