
Widespread Vendor Risk Among Fintech Leaders
SecurityScorecard’s 2025 report reveals a concerning trend: 41.8% of breaches in top fintech firms stem from third-party vendors. An additional 11.9% involve fourth-party suppliers. These findings highlight growing systemic risks in the financial supply chain. The study analyzed 250 leading fintech companies. Despite strong internal controls, vendor exposure continues to compromise digital finance ecosystems.
Strong Ratings, Yet Still Vulnerable
The report showed fintechs lead in cybersecurity ratings. Their median security score hit 90. Over half (55.6%) earned an “A” rating.
Yet 18.4% of these companies suffered at least one public breach. Among those, 28.2% had multiple incidents—companies with repeated breaches accounted for over half of all events.
Ryan Sherstobitoff, SVP of STRIKE Threat Research at SecurityScorecard, said: “One exposed vendor can disrupt global finance. These aren’t outliers—they’re structural threats.”
Third-Party Breach Enablers
Technology products caused most breaches. File transfer software and cloud platforms were the top breach enablers. These tools appeared in 63.9% of vendor-related incidents.
Email and customer communication platforms also contributed. These tools often lacked secure configurations, enabling credential theft and phishing.
Fintechs must audit and secure shared tools. Vendors must show proof of safe deployment and usage.
Weak Points: Application Security and DNS Health
Application security emerged as the weakest area. Nearly 46.4% of companies scored the lowest in this domain. DNS Health was another major concern.
Many fintechs used unsafe redirect chains or misconfigured object storage. Missing SPF or DMARC records made them vulnerable to spoofing and spam.
Credential Theft and Domain Spoofing Rampant
Credential abuse proved widespread. About 79.2% of companies had compromised login details. The median compromised credential count was 26, but some firms had over 30,000.
Spoofed domains were also common. Typosquatted URLs targeted 73.6% of companies. High-profile firms in digital assets and payments were the most frequently impersonated.
Fourth-Party Risks Double Global Averages
Fourth-party suppliers contributed to 11.9% of breaches—more than twice the global average. These hidden risks amplify breach impact.
Fintechs must require breach notifications from all vendors with which they are linked. Contracts should include incident disclosure clauses to prevent cascading failures.
Credential Stuffing Still a Top Concern
Credential stuffing remains a pressing threat. Attackers test stolen credentials across platforms. PayPal, Payoneer, and Alipay were among the impacted platforms.
Companies must enforce multi-factor authentication and block reused credentials. Monitoring spoofed domains and login anomalies is also key.
Cybersecurity Recommendations
SecurityScorecard recommends five key actions for fintech firms:
- Rank vendors by breach history and exposure—not budget.
- Audit technical integrations like cloud storage and email systems.
- Fix application security issues and DNS misconfigurations.
- Strengthen credential protections with multi-factor authentication (MFA) and active monitoring.
- Treat repeat breaches as red flags for future risk.
These controls must become part of routine security practices and the vendor onboarding process.
Fintech Faces Ongoing Cyber Pressure
The fintech sector shows strong defenses. However, third- and fourth-party vulnerabilities pose a threat to trust, infrastructure, and revenue.
SecurityScorecard’s findings are a call to action. Vendors, not just internal teams, must meet security expectations in today’s connected ecosystem.