SecurityScorecard has published the results of its 2025 sector report, titled Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies.
The report finds that 41.8% of breaches affecting top fintech companies originated from third-party vendors. These results were derived from an assessment of the cybersecurity posture of 250 fintech companies.
Looking at the findings in more detail: fintech firms emerged with the strongest security posture of any industry analyzed, with a median score of 90 and 55.6% earning an "A" rating.
At the same time, 18.4% of fintech companies experienced publicly reported breaches, and 28.2% of those had multiple incidents.
Third-party attack vectors were responsible for more than 41.8% of all breaches, and fourth-party exposures accounted for a further 11.9%, more than double the global average.
Technology products and services were linked to 63.9% of third-party breaches, with file transfer software and cloud platforms the most frequent points of compromise. Application Security and DNS Health were the most common weaknesses, and 46.4% of companies scored lowest in application security.
SecurityScorecard also used the report to recommend a number of measures for improving cybersecurity across the fintech ecosystem.
The first is strengthening third- and fourth-party risk oversight: SecurityScorecard suggests that fintech companies tier vendors by exposure and breach history rather than by spend or business value. Disclosing downstream dependencies and requiring incident-notification clauses in contracts are also recommended to reduce cascading risk from fourth-party breaches.
The next recommendation concerns securing shared infrastructure and technical enablers. Because file transfer software, cloud storage platforms and customer communication tools are the most common vectors for third-party breaches, fintechs are encouraged to audit these integrations regularly and to require partners to demonstrate secure implementation practices.
There is also a recommendation to close critical application security and DNS gaps, with unsafe redirect chains, misconfigured storage and missing SPF records emerging as common findings. Fixing these foundational weaknesses should be a priority, starting with customer-facing assets.
Companies must also enforce strong credential protection, since credential stuffing campaigns and typosquatting attacks were found to affect a majority of firms. Firms are advised to enforce MFA, monitor for reused credentials, and take down spoofed domains.
Finally, SecurityScorecard says companies should treat repeat breaches as a leading risk signal. Since companies with multiple breaches accounted for the majority of total incidents, it is critical that such organizations receive enhanced security scrutiny during vendor renewals and onboarding.
“Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” said Ryan Sherstobitoff, SVP of STRIKE Threat Research and Intelligence at SecurityScorecard. “Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”