Cybersecurity: Ten Things Fintech Leaders Need to Know
Business leaders in the financial technology industry face a daunting array of technical challenges and risks, with cybersecurity near the top of the list. Faced with an evolving cyber threat landscape, rapid development lifecycles, and significant regulatory and compliance obligations, fintech leaders face the same security challenges as behemoth incumbents of the financial world, but have significantly smaller budgets and far less in-house cybersecurity expertise than their larger peers. With attack patterns constantly evolving, proactive implementation of cybersecurity best practices is more important now than ever before. Chances are, you are already considering how to build the cybersecurity capability that your fintech company needs.
The following are ten things you need to ask yourself to help devise an action plan:
1. Is Your Software Development Lifecycle Secure?
You depend on software to run your business, so it is imperative that it be secure from data breach and disruption. If your company develops software internally, but does not have a formal software security initiative drawing from best practice frameworks (and encompassing architecture risk analysis, source code review and external penetration testing for production applications), you’re lacking foundational application security capability and potentially exposing insecure code to cyber threats. Perversely, many companies lack a true, proactive approach to software security, which is unfortunate because finding and fixing vulnerabilities in an existing design is far costlier than designing for security upfront. Even a cursory architecture risk analysis by an experienced security consultant will often identify potential security weaknesses, such as poor network segmentation, or the use of insecure protocols to transmit sensitive data.
Once you’ve implemented a formal software security initiative, encompassing architecture risk analysis, source code review, and external penetration testing for production applications, your company should seek to feed lessons learned into effective policy in order to find defects earlier, to avoid recurring vulnerabilities, and to eliminate blind spots. Consider seeking software security advisory services to help unify cybersecurity best practices with DevOps principles, and to derive greater value from penetration tests.
2. What Steps Should You Consider to Ensure Your Outsourced Applications and Infrastructure (including Cloud Services) are Secure?
Unfortunately, many fintech leaders mistakenly believe that data stored with giant cloud service providers such as Amazon, Microsoft and Google is secure by default. On the contrary, sophisticated password spray attacks designed to evade detection by staying below account lockout thresholds are being effectively leveraged by attackers to obtain unauthorized access to companies’ cloud deployments. While cloud service providers provide some level of security, in reality much of the work is left to consumers of cloud services. From a regulatory and legal perspective, outsourcing to cloud service providers does not relieve company leadership of ultimate responsibility for protecting sensitive data.
Proactive fintech leaders need to evaluate their use of outsourced applications and infrastructure to ensure their data is in fact secure. Pay particular attention to vulnerability management, data protection, password policies, and multi-factor authentication.
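As an added illustration of the password-spray point above (this is not code from the article), the following defender-side check runs over constructed sign-in log lines: a per-account lockout counter sees nothing, because each account fails only once, while correlating failures per source IP across accounts flags the spraying source and lists the account that then succeeded. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log, "timestamp,user,source_ip,result" (not real data):
# 203.0.113.7 tries each account once, staying under lockout; 198.51.100.5 is a user typo.
SAMPLE_LOG = """\
2024-03-01T09:00:01,alice,203.0.113.7,FAIL
2024-03-01T09:00:15,bob,203.0.113.7,FAIL
2024-03-01T09:00:31,carol,203.0.113.7,FAIL
2024-03-01T09:00:44,dave,203.0.113.7,FAIL
2024-03-01T09:01:02,erin,203.0.113.7,FAIL
2024-03-01T09:01:20,frank,203.0.113.7,FAIL
2024-03-01T09:01:39,grace,203.0.113.7,SUCCESS
2024-03-01T09:02:00,alice,198.51.100.5,FAIL
"""

LOCKOUT_THRESHOLD = 5           # assumed: failures per account within WINDOW that lock it
WINDOW = timedelta(minutes=10)  # assumed correlation window
SPRAY_MIN_ACCOUNTS = 5          # assumed: distinct failing accounts from one source

def parse_log(text):
    rows = (line.split(",") for line in text.splitlines())
    return sorted((datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in rows)

def accounts_locked_out(events):
    """Per-account lockout: the control a spray is tuned to stay under."""
    recent, locked = defaultdict(list), set()
    for ts, user, _ip, result in events:
        if result == "FAIL":
            recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
            if len(recent[user]) >= LOCKOUT_THRESHOLD:
                locked.add(user)
    return locked

def detect_spray_sources(events):
    """Correlate failures per source IP across accounts; report accounts tried and any that then succeeded."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    flagged = {}
    for ip, f in fails.items():
        for i, (start, _) in enumerate(f):
            users = {u for t, u in f[i:] if t - start <= WINDOW}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged[ip] = {"tried": sorted(users), "succeeded": sorted(successes[ip])}
                break
    return flagged
```

Accounts listed under "succeeded" for a flagged source are the ones to review first, since a single success is the whole point of the spray.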
3. Have You Identified Your Most Sensitive Data and Devalued It Through Encryption?
Fintech firms are subjected to regulatory and compliance scrutiny, including regulations with data breach management and notification requirements such as the General Data Protection Regulation (GDPR). Fintech groups should prioritize identification of their personally identifiable information (PII) obligations and pseudonymize or encrypt 100% of their PII volume. This will help keep your company from being the next big data breach headline, as GDPR includes exceptions to its data breach notification requirements where stolen data has been rendered unintelligible by encryption prior to a breach.
By applying cryptographic protections to 100% of your most sensitive information, you devalue your company’s data to determined attackers seeking to exfiltrate and monetize your company’s PII. Focus on ensuring your company has coherent and effective policies around sensitive data discovery and classification, as well as an initiative to encrypt all sensitive data-at-rest.
4. Do You Have A Cybersecurity Framework, Strategy and Quantifiable Security Objectives to Measure Your Team’s Progress?
Building application and cloud security capability in a fast-growing fintech company can be difficult. It’s even more difficult without a framework, strategy, and clear, quantifiable goals to catalyze the right kind of action. Think about having an external cybersecurity maturity assessment completed to gain a comprehensive understanding of where your company stands relative to cybersecurity best practices, and to chart a course for capability improvement where necessary. The more you know about your cybersecurity risk posture, the easier it is to define a strategy and utilize metrics to catalyze action across your company’s technology team.
5. Has Your Company Taken Appropriate Steps to Manage Identity and Access Management Risks?
Identity and access management to control access to applications and systems is a foundational cybersecurity capability for all companies, but is particularly important for fintech firms, given the sensitive data they control. Make sure your company has a strategic and methodical approach to ensure it is disabling all inactive accounts; implementing least privilege access controls to ensure access is limited to those with job-function based needs; and conducting periodic reviews of granted access. Also, know that multi-factor authentication represents a significant improvement over passwords alone as a form of authentication, and its use makes your company a more difficult target for attackers.
6. Is Vulnerability Management A Strategic Focus Area For Your Technology Team?
An asymmetry inherent in cybersecurity is the duty of business leaders to protect against the full spectrum of cybersecurity risks, versus an attacker’s need for only a single exploitable vulnerability to compromise your environment. What this means in effect for fintech leaders is that good is not good enough; vulnerability management should be a strategic focus area for fintech groups, and 100% (yes, 100%) of identified actionable vulnerabilities in your applications and infrastructure need to be remediated, mitigated or managed through an established risk governance process.
7. Have You Kicked the Tires on Your Incident Response Preparedness And Resiliency Plans?
For compliance purposes, and to enable your company to respond effectively to a cyber attack, fintech leaders need to maintain policies and an effective incident response plan for data breaches. An effective incident response policy can be the difference between a successfully contained attack and a massive data breach. Once you have an incident response plan in place, ensure that you periodically conduct tabletop exercises to ensure its effectiveness. In addition, fintech leaders are advised to take proactive steps to protect key applications and systems from disruptive distributed denial-of-service (DDoS) attacks, which remain a threat to the financial sector at large. Retaining experts to support DDoS mitigation efforts can be crucial, as misconfigured DDoS protections are commonplace in even sophisticated organizations and can lead to business disruption.
8. Do You have Insurance to Cover Cybersecurity Risk and Access to Legal Expertise on Cybersecurity-related Matters?
Just as you should invest in an umbrella if you live in London, you should invest in cybersecurity insurance and legal counsel in addition to technical controls if you’re a software-enabled fintech.
Directors of fintech companies are advised to carefully review agreements with their companies and their insurance coverage to protect themselves from any liability and the prospect of personal damages arising from a data breach. Fintech leaders also need to ensure they have adequate cybersecurity insurance coverage to protect their business in the event of a costly intrusion.
9. Do You Have Sufficient Data Loss Prevention (DLP) and Insider Threat Detection Capability?
Data Loss Prevention (DLP) controls are a critical tool for companies seeking to identify sensitive data such as financial information, PII or intellectual property and keep it from being extracted from their control by a malicious insider or data-stealing malware. Seek help evaluating best-of-breed DLP controls to determine the right solution for your company. Beyond that, know that it is not enough to implement a solution — conduct periodic tests to validate effectiveness. Fintech groups seeking to go beyond foundational DLP controls to address internal risks should consider developing an insider threat program. As part of this effort, fintechs should evaluate machine-learning enabled anomaly detection solutions; once properly tuned to your environment, such solutions can help you identify high-risk users by baselining what’s normal to guide identification and prevention of malicious insider activity.
10. Are You Placing Adequate Focus on People and Process Issues?
Some of the most impactful actions you can take on cybersecurity pertain to people and process rather than technology. For example, phishing and social engineering awareness training should be provided to all personnel — with a heightened focus on executives and financial personnel — and leadership should carefully consider organizational factors which contribute to security such as who their head of security reports to. For example, the tension between a CTO prioritizing speed-to-market versus the head of security’s emphasis on assurance might best be resolved by making the security head a direct report of the CEO or general counsel. Fintech firms should also be evaluating opportunities for cross-training software development personnel on security basics to empower developers as security champions.
Your customers trust in the security of your products every day. The loss of that trust is therefore an existential risk for fintech leaders, warranting sustained investment and the utmost attention. As you chart the course for your fintech firm, make cybersecurity an integral component of your strategy.