FinTech companies set out to simplify finance: they offer high-value transaction services that are cheaper, faster and more seamless for customers. The value of a FinTech service depends on the data it can obtain from its providers and on its ability to partner with banks and other financial institutions to execute the underlying transactions; that is what makes the service frictionless for its customers. The business opportunities FinTech creates come with risks, and cybersecurity is one of them. Building high-value services on sensitive data such as financial records, NPI (non-public personal information) and PII (personally identifiable information) carries a large risk. And while banks and financial institutions have come under increasing regulation, the myriad FinTech startups do not yet have to abide by comparable financial regulations.
Success in the FinTech arena depends on cybersecurity
Banks and financial institutions are subject to financial information-security requirements such as GLBA and the FFIEC examination guidance, and they are supported by sizable in-house security teams that maintain an adequate security posture. FinTech companies face no equivalent regulatory compliance obligation and in many cases have no security leadership in place, which potentially leaves them exposed to security threats.
The biggest near-term security threat to a FinTech business is a loss of confidence by its customers and investors, more than any future regulatory requirement. The loss of confidence follows from the damage an attack can do: leakage of sensitive customer data (a risk that Big Data amplifies), and malicious transactions that cause financial loss and legal exposure for customers. If such an attack takes place the damage is profound and immediate. It damages the reputation of a young FinTech brand and erodes customer and investor confidence. There may also be regulatory fines under data breach notification laws such as California's SB 1386 and the similar laws most other states have since enacted. Not least, the providers of financial data, the banks and financial institutions, become increasingly reluctant to do further business. All of this erodes the value the FinTech brand has created.
Compliance & security tradeoffs
The adage "compliance does not ensure good security, but good security almost always ensures compliance" holds. Meeting a compliance standard is a starting point for reducing risk, not a substitute for fundamental security hygiene, and compliance alone often provides no effective protection against a determined attacker. Even a correctly implemented compliance program leaves room for session hijacking, for leakage of sensitive data through software vulnerabilities, and for architectural flaws. Session hijacking, for instance, lets an attacker impersonate a customer and act on his or her behalf, including initiating fraudulent transactions with direct financial impact.
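The session-hijacking risk above is a good illustration of a control no checklist item guarantees. The following is an added example, not code from the original article or from any particular FinTech product: a minimal in-memory session store (class and function names are assumptions) that rotates the session identifier on login so a pre-authentication identifier an attacker planted or observed is worthless afterwards (session fixation), enforces idle and absolute timeouts so a stolen cookie has a short useful life, and emits the cookie attributes that keep the identifier out of reach of script and cross-site requests.

```python
"""Session handling that resists fixation and limits hijack impact.

Added example, not code from the original article. A tiny in-memory
session store stands in for whatever framework the service actually
uses; class, function and constant names are assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on total session lifetime


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for deterministic tests
        self._sessions = {}           # sid -> {"user", "created", "last_seen"}

    def new(self):
        """Anonymous pre-login session with an unguessable 128-bit id."""
        sid = secrets.token_urlsafe(16)
        now = self._clock()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        """Authenticate and ROTATE the id. Whatever id existed before login
        (planted by an attacker or sniffed pre-TLS) is invalidated here."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(16)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Resolve an id to a user, enforcing idle and absolute timeouts.
        Expired sessions are deleted so a late replay cannot revive them."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value: unreadable by script, HTTPS only, not sent cross-site."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def fixation_demo():
    """Attacker fixes an id in the victim's browser, then the victim logs in.
    Returns (user seen via the planted id, user seen via the rotated id)."""
    store = SessionStore()
    planted = store.new()                      # id the attacker knows
    victim_sid = store.login(planted, "alice")  # rotation happens here
    return store.user_for(planted), store.user_for(victim_sid)


def timeout_demo():
    """A stolen cookie stays useful only until the idle timeout lapses."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])
    sid = store.login(store.new(), "bob")
    t[0] += IDLE_TIMEOUT - 1
    before = store.user_for(sid)              # still inside the idle window
    t[0] += IDLE_TIMEOUT + 1
    after = store.user_for(sid)               # idle window exceeded
    return before, after


if __name__ == "__main__":
    print("fixation:", fixation_demo())
    print("timeout:", timeout_demo())
    print(session_cookie("example"))
```

Rotating on every privilege change (login, step-up authentication, role switch) is the part most often skipped; the cookie attributes and timeouts are defence in depth that shrink the window an attacker has once an identifier does leak.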
Furthermore, many FinTech companies use Big Data to harness value, and this significantly increases security and privacy risk. Some of the reasons for this amplification are:
- Distributed computing architectures for data analytics, such as MapReduce and NoSQL stores, scale extensively, and security must be built in so that it scales with them and prevents data leakage.
- Large data sets that contain no PII may still allow a person's identity to be reconstituted (identification and re-identification), which makes the data sensitive.
- Sensitive information can be discovered by combining different non-sensitive data sets.
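The last two points are one mechanism seen from two sides: a data set with direct identifiers stripped still carries quasi-identifiers (zip code, birth year, gender) that, joined against another list holding the same attributes plus names, re-identify individuals. The following is an added example, not code or data from the original article; both data sets are constructed toy records and the column and function names are assumptions. It measures the k-anonymity of an "anonymised" transaction export, performs the linkage, and shows that generalising the quasi-identifiers before release closes the join.

```python
"""Linkage re-identification across two individually 'non-sensitive' data sets.

Added example, not from the original article. All records are constructed
toy data; column names, function names and the generalisation rules are
assumptions chosen for illustration.
"""
from collections import Counter, defaultdict

# Constructed "anonymised" export: names and account numbers removed, but
# zip code, birth year and gender retained because analytics wants them.
TRANSACTIONS = [
    {"zip": "02139", "birth_year": 1985, "gender": "F", "merchant": "oncology-clinic"},
    {"zip": "02139", "birth_year": 1985, "gender": "M", "merchant": "grocery"},
    {"zip": "02139", "birth_year": 1990, "gender": "M", "merchant": "grocery"},
    {"zip": "02139", "birth_year": 1990, "gender": "M", "merchant": "pharmacy"},
    {"zip": "94016", "birth_year": 1975, "gender": "F", "merchant": "payday-loan"},
    {"zip": "94016", "birth_year": 1972, "gender": "M", "merchant": "casino"},
]

# Constructed public-style list (voter roll, marketing list): names plus the
# same attributes. On its own it discloses nothing financial.
PUBLIC_LIST = [
    {"name": "A. Lee",   "zip": "02139", "birth_year": 1985, "gender": "F"},
    {"name": "B. Kim",   "zip": "02139", "birth_year": 1985, "gender": "M"},
    {"name": "C. Ortiz", "zip": "02139", "birth_year": 1990, "gender": "M"},
    {"name": "D. Nair",  "zip": "02139", "birth_year": 1990, "gender": "M"},
    {"name": "E. Roy",   "zip": "94016", "birth_year": 1975, "gender": "F"},
    {"name": "F. Sato",  "zip": "94016", "birth_year": 1972, "gender": "M"},
]

QUASI = ("zip", "birth_year", "gender")   # quasi-identifier columns


def key(rec, fields=QUASI):
    return tuple(rec[f] for f in fields)


def k_anonymity(records, fields=QUASI):
    """Smallest group of records sharing one quasi-identifier combination.
    k == 1 means at least one record is unique and therefore linkable."""
    return min(Counter(key(r, fields) for r in records).values())


def link(anonymised, public, fields=QUASI):
    """Join on quasi-identifiers. Returns {name: [sensitive values]} for every
    person whose combination is unique in the public list."""
    index = defaultdict(list)
    for p in public:
        index[key(p, fields)].append(p["name"])
    hits = {}
    for t in anonymised:
        names = index.get(key(t, fields), [])
        if len(names) == 1:                  # unique match => re-identified
            hits.setdefault(names[0], []).append(t["merchant"])
    return hits


def generalise(records):
    """Coarsen quasi-identifiers before release: zip -> 3-digit prefix,
    birth year -> decade, gender suppressed. Re-check k_anonymity after."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["birth_year"] = r["birth_year"] // 10 * 10
        g["gender"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before release:", k_anonymity(TRANSACTIONS))
    print("re-identified:", link(TRANSACTIONS, PUBLIC_LIST))
    released = generalise(TRANSACTIONS)
    print("k after generalisation:", k_anonymity(released))
    print("re-identified after:", link(released, generalise(PUBLIC_LIST)))
```

Four of the six records are re-identified with nothing more than a dictionary join; the two 1990/M records survive only because they happen to share a combination. Measuring k over the quasi-identifiers before any extract leaves the analytics cluster is the concrete check behind the "security that scales" bullet, and the threshold k should be set in the data governance policy rather than by the analyst.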
Performing a penetration test to satisfy a compliance requirement is a good first step, but it is not enough. A test may expose some vulnerabilities, but it will often miss design flaws in the software. A penetration test is a point-in-time exercise, usually limited to the specific instance of the software under test, and it does not account for the other types of threats in the environment that can be exploited.
Effective security for risk management
A cyber security strategy that includes strong data governance will play a central role for FinTechs. It serves the dual purpose of protecting sensitive data and of driving value from Big Data analytics that translates into new service offerings. Securing Big Data analytics is by no means easy, and the challenges in technology, policy and procedure are many.
Risk is present in any business and cannot be eliminated. The key is to develop a holistic understanding of the risks affecting the business, to create an effective plan that manages them to an acceptable level, and to implement, monitor and improve that plan continuously.