Some FinTechs have become so successful in recent months that they are challenging some of the world’s oldest major banks and insurers in revenue and market cap. Where no FinTech can compete, however, is on a track record of trust that dates back centuries, as in the case of some banks. When your entire business model is dealing with intangible assets, the trust of your customers and counterparties remains the only true currency you have. Today’s cyber security capability is yesterday’s bank vault.
Unfortunately, there are more than enough recent examples of digital companies, including prominent FinTechs such as Kreditech, being brought down by cyber security events, hacks or compliance failures. In light of seemingly overpowering, anonymous and omnipresent cyber criminals, a young FinTech organisation might despair. On closer inspection, however, the majority of cyber attacks have not been complex. In most cases, the attacks relied on social engineering, on exploiting very basic weaknesses, or on a combination of both.
The basics, risk mitigations, assets and vision every FinTech should have about cyber security
At Alyne, we believe that even small organisations can lay the right foundations and encourage the right behaviours to safeguard their digital assets sufficiently without excessive cost. For the sake of this exercise, I would like to recommend cyber security fundamentals, describe some key capabilities to minimise risk, highlight some cyber capabilities that can become an asset, and point to security topics that should be on a successful FinTech’s radar.
Regardless of whether you have just started up or have already gone to market, there are some fundamental cyber security capabilities and decisions you need to have in place.
Cyber security revolves essentially around people - and your team needs to operate in a culture of security awareness, valuing your company’s and customers’ digital assets while being legally bound to certain principles by non-disclosure agreements and appropriate employment contracts.
If a specific service is not part of your core competency and value delivery, don’t build and operate it yourself. There is a wealth of “as a service” capabilities available to digital companies that offer security capabilities far exceeding what an average FinTech can put in place. Typical services you should consider leveraging are payments, server and database hosting, platform operations, access management and internal communication tools. Smart service architecture dramatically reduces the complexity of your cyber security and compliance requirements.
Basic Data Protection Controls
Additionally, you should have your basic data protection controls defined and implemented. These should identify your most sensitive data assets (i.e. the “crown jewels”), set out your operating principles around data privacy to meet your legal requirements, define key roles and responsibilities in protecting digital assets, mandate secure passwords and the use of two-factor authentication wherever possible, and specify your protection measures for workstations and mobile devices such as disk encryption, firewalls, screen locks, etc.
The Risk Mitigators
Depending on your FinTech’s business model, risk appetite, size and maturity, executives may want to further reduce cyber security risk. For FinTechs, I believe there are three major levers to achieve this.
If you’ve followed our advice and are using services rather than building your own capabilities, you will be procuring services from a considerable number of vendors. If you’re operating in Germany, formalised vendor management is legally required (Auftragsdatenverarbeitung as defined in the Bundesdatenschutzgesetz), and even if you’re not, it’s a good idea. Formalise your contracts, make sure you are using secure vendors and regularly check that their security capabilities haven’t changed. Also, make sure you clearly understand the “Shared Responsibility” limitations of your particular service providers, and know for which security controls you remain fully or partly responsible and cannot hold them liable.
I highly recommend having a security professional penetration test your application. For this check, the tester will act as a hacker and try to gain access to your service with either no prior knowledge (black box test) or some prior knowledge of the system setup (white box test). The test report will provide transparency of current weaknesses with recommendations on how to mitigate them. This approach should be formalised in further development cycles and extended to such topics as secure development training for your dev team and secure source code analysis (e.g. Veracode or Checkmarx).
Business Continuity Management
Many people associate business continuity management with staying resilient when a plane crashes on your data centre. While this may be a hypothetically valid scenario, I’m suggesting young FinTechs should develop plans to deal with more basic disruptions, such as what to do if a provider fails, you have been hacked, an executive’s laptop is lost, half your staff quits or part of your platform fails. Understanding the impact to your company and having continuity strategies defined can significantly reduce your risk. For these processes to be effective, you will also need to test and train your responses to incidents.
Cyber security can be more than “not being hacked” or being compliant. Especially for digital organisations, cyber security can also be an asset, as shown in these three examples:
Social Media Policy
Defining how your organisation acts on social media and how you want your employees to interact with customers can be a huge asset for your credibility and development of sales channels. Developing a social media policy helps prevent leakage of information and can foster positive interactions with customers.
Access Management Processes
Getting access management right is a huge task for banks and other large organisations. In order for your business to scale, you will need more people on board. Your team can only be productive if they can easily and quickly get the right access to your systems. Having effective access management processes in place can be a real asset for your growth, and defining robust access revocation processes as well can also mitigate significant risks.
Alignment with Standards
Many FinTechs end up as major suppliers or partners for banks, or are bought by other financial institutions. One major requirement for doing business with highly regulated financial institutions is complying or aligning with industry standards. You can be more attractive to banks by aligning your organisation, while it is growing, with industry standards such as the ISO/IEC 27000 family for Security Management or COBIT 5 for IT governance.
Traditional companies had many years to grow, mature and develop the structures they required along the way. FinTechs often skyrocket within three to five years to the size of major banks. With that in mind, young FinTechs need to start thinking of critical cyber security elements for their future growth early.
Formalising the Security Team
Initially, everyone at a young organisation does a bit of everything to get the product running and out to the customers. Once the organisation grows and matures, the need for dedicated tasks arises. For digital companies, the security team should be one of the first dedicated responsibilities that are formed after finance, technology, operations and sales. In addition, how you integrate your service providers’ security management teams, and how and where you leverage specialised security service providers, becomes more and more important.
Security Information and Event Management
Security management is becoming more about combining information on external threats, internal incidents, weaknesses, risks and controls to form actionable information for executives. While this SIEM technology is not something to invest in during the early months of a FinTech, you should prepare yourself for developing this capability before you lose oversight. Many industry analysts currently predict that large investments will be made to bolster detective capabilities and to react appropriately and swiftly to a security incident rather than trying to prevent every possible scenario.
Identity and Access Management as a Service
Once a team reaches a critical size, managers can no longer easily maintain transparency over who has access to which asset. Manual access management processes work for a while, but they soon take up a significant amount of time when teams are growing or changing quickly. Transitioning in good time to one of the really great IAMaaS providers can save you a lot of time and effort.
It’s both an exciting and challenging time for FinTechs and we predict that cyber security is one of the key factors that will separate success from failure. Our advice to young FinTechs: Make sure every Euro you spend on cyber security today actually earns or saves you more than that Euro tomorrow. Find solutions that have a low entry price and scale with your success. If you do that right and can demonstrate a mature and secure organisation, you are sure to build trust with clients and impress potential investors.