SecurityScorecard has released its 2025 sector report, spotlighting third-party risk in fintech as a rising cybersecurity concern. The report, titled Defending the Financial Supply Chain, found that 41.8% of breaches in top fintech companies came from third-party vendors. The study assessed the cyber posture of 250 leading fintech companies, exposing a sharp gap between internal controls and external risk.

“Fintech powers global financial systems, but even one vulnerable vendor can trigger major failures,” said Ryan Sherstobitoff, SVP of SecurityScorecard’s STRIKE Threat Research unit. “These third-party breaches represent systemic weaknesses in fintech infrastructure.”

Despite strong internal protections, fintech firms remain exposed. The report highlights that fintech companies earned the highest median security score of 90 across all sectors, with 55.6% achieving an “A” grade. Still, 18.4% suffered reported breaches, and 28.2% of those experienced more than one incident.

Third-party exposure caused 41.8% of total breaches, with an additional 11.9% traced to fourth-party exposures. That fourth-party number is more than twice the global average. Notably, technology services and software accounted for 63.9% of third-party incidents. File transfer systems and cloud platforms emerged as frequent points of compromise.

Application security and DNS health remained two of the weakest areas. The report found that 46.4% of fintech firms scored lowest in application security. Common gaps included unsafe redirect chains, misconfigured storage, and missing SPF records.

To help fintech leaders mitigate third-party risk, SecurityScorecard’s STRIKE team issued clear recommendations. First, they advise prioritizing vendors based on breach history, not just spend. Requiring contract clauses around incident disclosures can also limit fourth-party exposure.

Second, fintechs must secure shared systems. File transfer apps, cloud storage, and customer messaging tools need regular audits. Partners should prove they’ve followed best security practices during integrations.

Third, firms should urgently fix gaps in application and DNS security. These basic flaws continue to be entry points for attackers and must be patched swiftly.

Additionally, the report urges strong credential protections. Many firms experienced credential stuffing and typosquatting attacks. Enabling multi-factor authentication and removing spoofed domains are now essential defenses.

Lastly, SecurityScorecard emphasized treating repeat breaches as serious warning signs. Vendors with prior incidents, especially those involving third-party connections, must face stricter onboarding and renewal evaluations.

As third-party risk in fintech continues to grow, SecurityScorecard’s insights urge the industry to build better digital defenses across the extended supply chain.

News Source: Businesswire.com