Financial technology (fintech) companies have a strong security posture but are at risk from third-party weaknesses, according to analysis.
In its latest report, SecurityScorecard stated that the fintech sector ranked highest of all sectors studied when it came to security posture, but it found potential third-party weak links could open the door to security breaches.
The risk management specialist said there is “growing exposure in the financial supply chain as even top-rated fintech firms face systemic third- and fourth-party cyber risks”.
In its report, Defending the financial supply chain: Strengths and vulnerabilities in top fintech companies, SecurityScorecard revealed that 41.8% of breaches impacting top fintech companies originated from third-party suppliers, and more than 18% of breaches came via fourth parties – the partners of the fintechs’ partners.
SecurityScorecard, which analysed the security posture of 250 fintechs, said the report “highlights the growing disconnect between strong internal controls and external supply chain risk”. It stated that fintech companies are now “essential components of the global financial infrastructure”, powering payments, wealth management, compliance, fraud detection, and more.
It said today, traditional financial institutions increasingly rely on fintechs to modernise their systems and remain competitive. “This rapid integration has created a new kind of interdependency – one where vulnerabilities in a single vendor can cascade across the broader financial ecosystem. As this report shows, even fintech companies with strong internal cyber security programmes can expose their partners to significant third-party and fourth-party risks,” it stated.
Third-party breaches aren’t edge cases – they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms and core financial infrastructure
Ryan Sherstobitoff, SecureScorecard
The fintechs analysed include companies operating in payments, digital assets, neobanking, financial planning and infrastructure.
“One exposed vendor can take down critical infrastructure,” said Ryan Sherstobitoff, senior vice-president in SecurityScorecard’s threat research and intelligence unit. “Third-party breaches aren’t edge cases – they reveal structural risk. In fintech, that means operational outages across payment systems, digital asset platforms and core financial infrastructure.”
Finance firms rely on many third parties to support their operations, and the finance sector is highly interconnected.
One senior security professional, who has 30 years’ experience in the UK banking sector, said attackers target multiple technologies in a highly interconnected industry.
“You’re reliant on software from multiple different suppliers, and it’s the weakest link that’s going to take you down, and that could be anywhere,” he added.
“When you go online and you look at, say, Marks and Spencer’s website, that’s the bit of the iceberg above the water. But below that, there are thousands of components holding it up. That’s where the baddies are going. They’re looking around underwater for the weakest link in the iceberg and then chipping away.”
The security professional said attackers will work their way through the software stack. “You’ve got the operating system at the bottom, then you’ve got network software, then you’ve got security software, and you’ve got various components of applications from multiple suppliers,” he added.
SecurityScorecard found that file transfer software and cloud platforms were the most commonly compromised points, with about 46% of companies scoring lowest in application security. It recommended that fintechs strengthen third-party and fourth-party risk oversight, and tier suppliers based on exposure and breach history rather than spend or business value.
