SecurityScorecard Offers Recommendations to Strengthen Cybersecurity in Fintech Market

A growing disconnect between strong internal controls and external supply chain risk has been highlighted in the latest report by SecurityScorecard, the supply chain detection and response firm.

In its report, Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, which looked at the cybersecurity posture of 250 fintech companies, SecurityScorecard uncovers that 41.8 per cent of breaches impacting top fintech companies originated from third-party vendors. Furthermore, fourth-party exposures accounted for an additional 11.9 per cent, more than double the global average.

It also highlights that 18.4 per cent of fintech companies experienced publicly reported breaches, 28.2 per cent of which had multiple incidents. When identifying the source of the breach, technology products and services were linked to 63.9 per cent of third-party breaches, with file transfer software and cloud platforms being the most frequent points of compromise.

Application Security and DNS Health were the most common weaknesses, with 46.4 per cent of companies scoring lowest in application security.

Ryan Sherstobitoff, SVP of SecurityScorecard’s STRIKE Threat Research and Intelligence Unit, said: “Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure. Third-party breaches aren’t edge cases—they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”

Nonetheless, the report highlighted that fintech firms had the strongest security posture of any industry analysed, with a median score of 90 and 55.6 per cent earning an ‘A’ rating.

Cybersecurity recommendations for fintech companies

Based on this analysis, the SecurityScorecard STRIKE team offers the following recommendations to strengthen cybersecurity across the fintech ecosystem:

Strengthen third- and fourth-party risk oversight

Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches.

Secure shared infrastructure and technical enablers

File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices.

Close critical application security and DNS gaps

Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets.

Enforce strong credential protections

Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise.

Treat repeat breaches as a leading risk signal

Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals.

Source: https://thefintechtimes.com/