CFOtech UK - Technology news for CFOs & financial decision-makers

Fintech sector faces mounting third-party security breach risks

Today

SecurityScorecard has published new research indicating that almost 42% of data breaches impacting top fintech companies can be traced back to third-party vendors, with a further 12% linked to fourth-party exposures.

The findings, drawn from an analysis of 250 leading fintech firms worldwide, highlight the systemic risks facing the financial sector's supply chain despite robust internal cybersecurity practices. The report, titled Defending the Financial Supply Chain: Strengths and Vulnerabilities in Top Fintech Companies, exposes a growing separation between strong internal controls and vulnerabilities introduced through external partners.

Fintech companies emerged as the industry with the strongest overall security posture, registering a median score of 90 in SecurityScorecard's assessment. More than half (55.6%) achieved an "A" rating. However, these scores did not fully shield the industry from cyber intrusions.

According to the report, 18.4% of analysed fintech companies experienced breaches that were publicly reported, and over a quarter of these organisations (28.2%) suffered multiple incidents. Technology products and services featured in 63.9% of third-party breaches, with file transfer software and cloud platforms identified as the primary points of compromise.

Application security and DNS health deficiencies were noted as the most prevalent weaknesses within the sector. Nearly half of the firms (46.4%) scored the lowest in application security assessments. These weaknesses included unsafe redirect chains, misconfigured storage, and missing Sender Policy Framework (SPF) records.

Ryan Sherstobitoff, Senior Vice President of SecurityScorecard's STRIKE Threat Research and Intelligence Unit, commented on the findings: "Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure. Third-party breaches aren't edge cases - they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure."

The report highlights that the threat emanating from an organisation's indirect partners - referred to as fourth-party suppliers - is now more than double the global average, accounting for 11.9% of incidents in the fintech sector. These risks underscore the complexity and depth of digital supply chains in financial technology.

In response to its analysis, the SecurityScorecard STRIKE team issued a series of recommendations for fintech companies to bolster their cybersecurity defences across the supply chain ecosystem.

Among the recommendations is the need to strengthen oversight of both third- and fourth-party risks. The team advises that, "Fintech companies should tier vendors based on exposure and breach history, not just spend or business value. Disclosing downstream dependencies and requiring incident notification clauses in contracts can reduce cascading risk from fourth-party breaches."

Securing shared infrastructure and the technical tools that enable financial operations is also critical. The team states, "File transfer software, cloud storage platforms and customer communication tools were the most common vectors for third-party breaches. Fintechs must audit these integrations regularly and require partners to demonstrate secure implementation practices."

Another key area is the remediation of deficiencies in application security and Domain Name System (DNS) settings. According to the report, "Nearly half of fintechs scored lowest in application security. Unsafe redirect chains, misconfigured storage and missing SPF records were common. Remediating these foundational weaknesses should be a priority, starting with customer-facing assets."
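As an added illustration of the "missing SPF records" finding (this is not code from the report or from SecurityScorecard), the following Python function classifies a domain's SPF posture from its DNS TXT records and ranks domains for remediation; the domain names and TXT records are constructed sample data standing in for resolver output.

```python
"""Offline SPF posture check: added example, not SecurityScorecard tooling.

SAMPLE_TXT is constructed sample data; in practice feed evaluate_spf() the
TXT records returned by a DNS resolver for each customer-facing domain.
"""
import re

# Constructed sample: domain -> list of TXT records as DNS would return them.
SAMPLE_TXT = {
    "good-fintech.example":  ["v=spf1 include:_spf.mailvendor.example -all",
                              "some-site-verification=abc123"],
    "soft-fintech.example":  ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "open-fintech.example":  ["v=spf1 +all"],
    "dup-fintech.example":   ["v=spf1 -all", "v=spf1 include:x.example ~all"],
    "nospf-fintech.example": ["google-site-verification=zzz"],
}

def evaluate_spf(txt_records):
    """Classify SPF posture from a domain's TXT records.

    Returns 'missing' (no v=spf1 record), 'multiple' (RFC 7208 permerror),
    'redirect' (policy delegated via redirect=), 'permissive' (+all),
    'neutral' (?all or no all mechanism), 'softfail' (~all) or 'hardfail' (-all).
    """
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"
    terms = spf[0].split()[1:]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"
    qualifier = None  # qualifier of the 'all' mechanism, if present
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"
    labels = {"+": "permissive", "?": "neutral", "~": "softfail", "-": "hardfail"}
    return labels.get(qualifier, "neutral")  # no 'all' mechanism -> neutral

def triage(domains):
    """Return domains that need SPF remediation, worst posture first."""
    order = {"missing": 0, "permissive": 1, "multiple": 2, "neutral": 3, "softfail": 4}
    findings = {d: evaluate_spf(t) for d, t in domains.items()}
    return sorted((d for d, v in findings.items() if v in order),
                  key=lambda d: order[findings[d]])

if __name__ == "__main__":
    for d in triage(SAMPLE_TXT):
        print(f"{d}: {evaluate_spf(SAMPLE_TXT[d])}")
```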

The report also advises enforcing robust credential protection measures. It recommends, "Credential stuffing campaigns and typosquatting attacks impacted a majority of firms. Enforcing MFA, monitoring for reused credentials and taking down spoofed domains are essential to protect users and prevent cross-platform compromise."

Finally, the research suggests that companies which have experienced multiple breaches should be considered higher-risk and subject to extra scrutiny. The report notes, "Companies with multiple breaches accounted for the majority of total incidents. Vendors with prior breach history, especially those with known third-party exposures, should face enhanced scrutiny during onboarding and renewals."

The study encompassed a range of fintech segments, including firms specialising in payments, digital assets, neobanking, financial planning, and technology infrastructure. The companies involved were selected for their international presence, influence within the industry, and operational scale.
