Third-party vendors are responsible for 41.8% of data breaches impacting prominent fintech companies, according to a new survey conducted by SecurityScorecard. This finding is part of the 2025 sector report, which examined the cybersecurity posture of 250 leading fintech firms worldwide. The report reveals a significant gap between strong internal controls and vulnerabilities posed by external supply chain risks.

“Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” said SecurityScorecard STRIKE Threat Research and Intelligence senior vice president Ryan Sherstobitoff. “Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”

Despite earning the highest security scores among industries analysed, with a median score of 90 and 55.6% receiving an “A” rating, fintech companies are not immune to cyber threats. The survey shows that 18.4% of these firms experienced data breaches that were publicly disclosed, with 28.2% facing multiple incidents. These figures underscore the persistent security challenges within the sector.

Third- and fourth-party exposures seen as key contributors to breaches

Third-party breaches are further exacerbated by exposures from fourth parties, which contribute an additional 11.9% to the overall breach figures, more than twice the global average. Most of these breaches, 63.9%, are linked to technology products and services, pointing to file transfer software and cloud platforms as frequent sources of compromise.

The report identifies application security and DNS health as common areas of weakness, with 46.4% of firms scoring poorly in application security measures. To address these issues, the SecurityScorecard STRIKE team has put forth several recommendations aimed at fortifying cybersecurity across the fintech landscape.

The team advises that fintech companies should prioritise vendor assessment based on risk exposure and previous breach history instead of focusing solely on financial metrics or business value. Enhancing transparency about downstream dependencies and integrating incident notification clauses into contracts can reduce risks from third-party breaches.

Securing shared infrastructure and technical enablers is essential. Regular evaluations of file transfer tools, cloud storage services, and customer interaction technologies are recommended to ensure partners adhere to secure implementation practices.

Addressing deficiencies in application security is critical. Remediation efforts should begin with unsafe redirect chains, misconfigured storage solutions, and missing SPF records, prioritising assets that are customer-facing.
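The "missing SPF records" item above is the kind of DNS-health finding that can be checked mechanically across a fleet of domains. The following Python script is an added illustration, not code from the report or from SecurityScorecard: it takes constructed TXT answers for hypothetical domains (no real DNS is queried), classifies each domain's SPF posture as missing, invalid, weak or ok, and orders the findings so customer-facing domains with the worst posture come first, matching the prioritisation the report recommends.

```python
import re

# Constructed sample: DNS TXT answers for hypothetical fintech-owned domains.
# None of these are real domains or real records; in practice these strings
# would come from a TXT lookup of each domain.
SAMPLE_TXT = {
    "pay.example":    ["v=spf1 include:_spf.mailer.example -all", "site-verification=abc123"],
    "wallet.example": ["site-verification=xyz789"],          # no SPF record at all
    "loose.example":  ["v=spf1 +all"],                       # authorises every sender
    "dup.example":    ["v=spf1 ip4:192.0.2.0/24 ~all",
                       "v=spf1 include:other.example -all"], # two SPF records: invalid
    "open.example":   ["v=spf1 ip4:198.51.100.0/24"],        # no terminating 'all'
}

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(txt_records):
    """Return only the TXT strings that are SPF version-1 records."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]


def count_lookups(terms):
    """Count mechanisms/modifiers that trigger DNS lookups during evaluation."""
    count = 0
    for term in terms:
        # Strip the qualifier (+ - ~ ?) and keep the bare mechanism name.
        name = re.split(r"[:=/]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def assess_spf(txt_records):
    """Classify a domain's SPF posture as 'missing', 'invalid', 'weak' or 'ok'."""
    spfs = spf_records(txt_records)
    if not spfs:
        return "missing", "no v=spf1 TXT record published"
    if len(spfs) > 1:
        return "invalid", f"{len(spfs)} SPF records found; RFC 7208 allows exactly one"
    terms = spfs[0].split()[1:]
    if count_lookups(terms) > 10:
        return "invalid", "more than 10 DNS lookups; receivers return permerror"
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        return "weak", "'+all' authorises any host to send as this domain"
    if last not in ("-all", "~all", "?all"):
        return "weak", "no terminating 'all' mechanism; unknown senders get a neutral result"
    return "ok", f"single record terminating with {last}"


def audit(txt_by_domain, customer_facing=()):
    """Assess every domain and order findings: customer-facing problems first."""
    findings = []
    for domain, txt in txt_by_domain.items():
        status, detail = assess_spf(txt)
        findings.append((domain, status, detail))
    severity = {"missing": 0, "invalid": 1, "weak": 2, "ok": 3}
    findings.sort(key=lambda f: (f[0] not in customer_facing, severity[f[1]]))
    return findings


if __name__ == "__main__":
    # Hypothetical asset inventory: which of the sample domains face customers.
    for domain, status, detail in audit(SAMPLE_TXT, customer_facing={"wallet.example", "pay.example"}):
        print(f"{domain:16} {status:8} {detail}")
```

The check is deliberately conservative: it flags the absence of a record, duplicate records and `+all` as findings rather than attempting to validate every mechanism, which is what makes it usable as a first pass over a partner's or vendor's mail domains.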

Robust credential protection is vital due to ongoing risks such as credential stuffing campaigns and typosquatting attacks affecting numerous firms. Implementing multi-factor authentication (MFA), monitoring for reused credentials, and dismantling fraudulent domains are key steps to safeguard users and prevent cross-platform compromises.
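Spotting typosquatting domains before they are used against customers comes down to comparing newly observed domains against the brands a firm protects. The Python below is an added example, not code from the report or from SecurityScorecard; it uses a constructed list of hypothetical observed domains (for instance from certificate transparency or new-registration feeds) and flags those within a small edit distance of a protected domain, or whose first label embeds the brand label, so they can be reviewed and taken down.

```python
# Constructed sample data; the domains are hypothetical and not real.
PROTECTED = ["paywave.example", "vaultpay.example"]
OBSERVED = [
    "paywave.example",        # the legitimate domain itself
    "paywawe.example",        # one-character substitution
    "pay-wave.example",       # inserted hyphen
    "paywave.exarnple",       # 'rn' imitating 'm'
    "paywave-login.example",  # brand label embedded in a longer label
    "unrelated.example",      # should not be flagged
]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def first_label(domain):
    """Leftmost DNS label, where the brand name normally sits."""
    return domain.split(".")[0]


def lookalikes(protected, observed, max_distance=2):
    """Return (observed, brand, reason) for domains resembling a protected brand."""
    flagged = []
    for dom in observed:
        for brand in protected:
            if dom == brand:
                continue
            dist = levenshtein(dom, brand)
            brand_label, dom_label = first_label(brand), first_label(dom)
            # Embedding only counts when the label is longer than the brand itself.
            embeds = brand_label != dom_label and brand_label in dom_label
            if dist <= max_distance or embeds:
                reason = "embeds brand label" if embeds else f"edit distance {dist}"
                flagged.append((dom, brand, reason))
    return flagged


if __name__ == "__main__":
    for dom, brand, reason in lookalikes(PROTECTED, OBSERVED):
        print(f"{dom:24} resembles {brand:18} ({reason})")
```

A real deployment would feed this from a daily stream of new domains and route hits into the takedown process; the edit-distance threshold trades false positives for coverage and should be tuned per brand length.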

Finally, the survey emphasises treating repeat breaches as significant indicators of risk. Vendors with a history of multiple breaches should undergo thorough assessments during onboarding and contract renewals to avert future incidents. This strategy aims to bolster the cybersecurity framework within the fintech sector while specifically targeting vulnerabilities revealed by third-party interactions.
