Ryan Sherstobitoff, SVP of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit, said: “Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure. Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”
Key Findings:
- Fintech firms had the strongest security posture of any industry analyzed, with a median score of 90; 55.6% earned an “A” rating.
- 18.4% of fintech companies experienced publicly reported breaches. 28.2% of those had multiple incidents.
- Third-party attack vectors were responsible for 41.8% of breaches. Fourth-party exposures accounted for an additional 11.9%, more than double the global average.
- Technology products and services were linked to 63.9% of third-party breaches, with file transfer software and cloud platforms being the most frequent points of compromise.
- Application Security and DNS Health were the most common weaknesses, with 46.4% of companies scoring lowest in application security.
Cybersecurity Recommendations for Fintech Companies
Based on this analysis, the SecurityScorecard STRIKE team offers the following recommendations to strengthen cybersecurity across the fintech ecosystem:
- Strengthen Third and Fourth-Party Risk Oversight: Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches.
- Secure Shared Infrastructure and Technical Enablers: File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices.
- Close Critical Application Security and DNS Gaps: Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets.
- Enforce Strong Credential Protections: Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise.
- Treat Repeat Breaches as a Leading Risk Signal: Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals.
Methodology
This report evaluates the cybersecurity posture of 250 leading fintech companies, selected for their global reach, industry influence, and operational scale. The companies span a wide range of financial technology segments, including payments, digital assets, neobanking, financial planning, and infrastructure providers.
About SecurityScorecard
SecurityScorecard modernizes Third Party Risk Management (TPRM) using AI and threat intelligence to continuously manage, detect, and respond to global supply chain risk. The TITAN AI Platform unifies threat intelligence and third-party data to deliver real-time visibility and insights that accelerate both risk reduction and compliance. The AI platform is built to deliver the full spectrum of modern TPRM outcomes while strengthening resilience. It reduces compliance burden and administrative friction, drives measurable risk reduction, and prioritizes the most critical exposures. With robust reporting and streamlined workflows, it modernizes TPRM from a reactive compliance exercise into a proactive, risk-driven program.
Learn more at securityscorecard.com or follow us on LinkedIn.
Media Contact
10Fold for SecurityScorecard
securityscorecard@10fold.com