With companies all over the globe having to shift to remote working as well as offering digital services due to the coronavirus pandemic, cybersecurity threats have increased, particularly for fintech and financial companies.
Robert Prostko is Allegion’s deputy general counsel for intellectual property and cybersecurity and its chief privacy officer, as well as a principal with Allegion’s $50M corporate venture fund, Allegion Ventures.
Here he shares his advice on how fintech companies can better protect themselves from cyber-attacks.
Robert Prostko, Deputy General Counsel for Intellectual Property and Cybersecurity and Chief Privacy Officer, Allegion
A cybersecurity attack can be an existential threat to any company – but especially a fintech company. As fintech becomes ubiquitous throughout both the consumer and commercial economy, fintech services are exposed to many of the same privacy and cybersecurity threats that have afflicted other services and connected products. No service or device is immune in today’s digital world. But there are a number of actions fintech companies can take to better protect themselves.
- Establish a Demonstrable Cybersecurity Program
Depending on the nature of the service offering, your company may be subject to various laws or regulations. Some of these laws or regulations carry cybersecurity requirements – and some, like anti-money laundering (AML) and know-your-customer (KYC) requirements, may be difficult to comply with, and to demonstrate compliance with, without a robust cybersecurity program. This may be especially true for a fintech company that will likely never meet its customers in person. Often, your company will have to authenticate who a customer is and maintain a secure digital identity for that customer over the Internet.
That’s why obtaining certifications of industry standards like ISO 27001, SOC2, and the like is becoming more and more important – they will help fintech companies demonstrate robust cybersecurity programs.
Keep in mind that, if your company has a cybersecurity incident or is otherwise subject to an inquiry (e.g., over cryptocurrency transactions, which have been subject to heightened scrutiny), a regulator may investigate and ask about the cybersecurity program. These industry standards generally require formal documentation of company policies and procedures that you could then provide to the regulator. You might also expect partners and customers to inquire about cybersecurity practices, and these industry-standard certifications may be useful in allaying any concerns.
In addition, if a fintech company is a startup seeking investments from venture capital firms, industry-standard certifications may be crucial in standing out from competitors. While customers may not understand nuances of the industry standards, the fact that the startup has them can be a competitive advantage, particularly as startups generally do not yet have the brand recognition that larger financial institutions do.
- Ensure Availability of Funds and Services
Another top concern for customers and fintech companies alike is the availability of services and funds (e.g., not being able to transfer funds, buy/sell stocks or cryptocurrencies, access an account, etc.). These types of failures almost always draw immediate regulatory scrutiny, negative publicity in the press, and damage to your brand.
How to ensure that there will be continued availability of funds and services will be highly dependent on a number of factors: the nature of the service; if there is a cloud and/or mobile component; and who the partners or vendors are in the company’s supply chain. Obviously, if there is a cloud component to a fintech company’s offering, cloud security is critical. Similarly, if there is a mobile device app, then application security will be critical, too.
This is where it is important to understand the service at an architecture level, to make sure each piece is addressed in a business continuity and/or disaster recovery plan. Also, these plans should be tested periodically to ensure they work – and so that the first time they are used is not when the service is actually unavailable.
- Evaluate Third-Party Risk
The recent SolarWinds breach highlighted, yet again, how cybersecurity threats may manifest themselves in a supply chain. While your fintech company, itself, may have a robust cybersecurity program and be in compliance with all applicable laws and regulations, your fintech company’s partners or vendors may create additional risks that should be considered.
For example, consider a fintech company that relies on a partner or a vendor that utilises some legacy financial system that is difficult to update or otherwise has reliability issues. Software on any platform in the fintech company’s ecosystem should be easy to update, and updated swiftly, throughout its expected lifetime.
Bottom line: Your fintech company, and your partners and vendors, must take all of these things into consideration and mitigate these risks when building a new service for consumers.
- Protect Customers’ Privacy
Fintech services unquestionably offer a multitude of benefits, including convenience, to consumers. In this day and age, however, they are often the targets of cybersecurity attacks and regulatory scrutiny, too. That’s why it is critical for CEOs to establish a well-documented, robust cybersecurity program to address the unique risks facing fintech companies.