Disrupting payments, banking, investing, and currency exchanges, FinTech companies are evolving quickly – often ahead of regulations, traditional financial institutions, and consumer adoption curves.
Inherent in this state of rapid innovation is persistent cyber risk, such as:
- Fraud and Know Your Customer (KYC) failures.
- Application breaches.
- Data theft.
- Money laundering.
The cost of cyber crime generally is projected to reach $15 trillion by 2025, and FinTechs are navigating how to scale efficiently without sacrificing security along the many points of access and failure across devices, cloud platforms, applications, and networks.
FinTechs must be hyper-conscious of prevailing cyber threats and establish a proactive security posture that keeps pace with the growing complexity and scale of modern cybersecurity challenges.
New Technology Meets Cyber Risk New and Old
Banks, credit unions, brokerages, investment firms, and other financial services organizations are particularly appealing targets for cyber criminals due to the high volume of sensitive financial data, proximity to massive dollar amounts, and criticality of infrastructure to all levels of society.
- 86% of breaches are financially motivated.
- Employees at large financial services firms have access to more than 20 million files on any given day – an incredibly wide risk vector.
- While the financial sector is the second-most targeted domain (behind healthcare), the cost of cybercrime is the highest in finance.
These types of cybersecurity risk of course also affect the nascent FinTech sector. But FinTech solutions – often novel and proprietary – add yet another risk vector for data security, cloud security, and other security concerns.
2021 was the most financially devastating year to date for breaches and attacks, with the average cost running north of $4 million. Additionally, it takes about 280 days for organizations to realize they’ve been hit by a cyber breach – and then another 80 days to contain it. No industry or company is immune, and the deep integration of digital networks and technologies means that companies can suffer even when they aren’t the primary target. For smaller FinTechs in particular, a public cyber breach is an existential threat that can quickly end operations permanently.
So what can FinTech firms do?
Security Solutions for FinTech Firms
Identity & Access Management (IAM)
With increasing amounts of personal data, digital transactions, and sophisticated cyber threats, traditional, centralized Identity and Access Management (IAM) is insufficient for the modern age. Below are IAM implications in emerging technology through a conceptual (Cloud Computing), tactical (Security vs UX), and technical (DLT Use Cases) lens.
Cloud Computing – Remote Access & Multifactor Authentication (MFA)
The FinTech industry wouldn’t be where it is today without the advent of cloud computing and, with it, the digitization of IAM and the heightened security it provides organizations. The adoption of remote work during the COVID-19 pandemic coupled with an increasingly sophisticated and prevalent cyber threat landscape has highlighted the need for comprehensive, secure, and durable IAM capabilities that can validate who a user is without them being physically present, quickly provision and revoke access, segment networks based on authorized access permissions, and implement MFA that reduces the likelihood and impact of successful cyber attacks.
Balancing Security and User Experience (UX)
FinTech companies must balance cybersecurity with customer experience. So much of the typical FinTech business model relies on stellar UI/UX, and cumbersome security controls can inhibit the customer experience. FinTechs can strike a balance by focusing on two key principles:
- Make the points of interaction seamless: Integrate backend authentication mechanisms to be essentially invisible to the end user, which bolsters security without impacting user experience.
- Match the level of security to the type of data and process: Take a risk-based approach when planning the level of security (and user effort) needed for the type of information being accessed, such as requiring only user credentials to sign in and check account information versus requiring MFA when attempting to transfer funds.
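The second principle, expressed as a step-up authorization check, as an added example that is not from the original article. Action names, the assurance tiers and the 15-minute MFA freshness window are assumptions constructed for illustration; the policy also fails closed for actions it does not recognise.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import time


class Assurance(IntEnum):
    """Authentication strength a session has proven so far."""
    NONE = 0
    PASSWORD = 1   # username + password only
    MFA = 2        # password plus a second factor


@dataclass
class Session:
    user: str
    assurance: Assurance
    mfa_verified_at: Optional[float] = None  # epoch seconds of last MFA check


# Risk-based policy: each action names the minimum assurance it needs.
# Reading account data needs credentials only; moving money needs MFA.
# (Action names and tiers are constructed for this example.)
ACTION_POLICY = {
    "view_balance":   Assurance.PASSWORD,
    "view_statement": Assurance.PASSWORD,
    "transfer_funds": Assurance.MFA,
    "add_payee":      Assurance.MFA,
}
MFA_FRESHNESS_SECONDS = 15 * 60  # assumed: re-prompt if the last MFA is older


def required_assurance(action: str) -> Assurance:
    # Unknown actions default to the strictest tier (fail closed).
    return ACTION_POLICY.get(action, Assurance.MFA)


def authorize(session: Session, action: str, now: Optional[float] = None) -> str:
    """Return 'allow' or 'step_up' for the given session and action."""
    now = time.time() if now is None else now
    need = required_assurance(action)
    if session.assurance < need:
        return "step_up"
    if need >= Assurance.MFA:
        # MFA must also be recent; a stale second factor counts as absent,
        # so the user is prompted again only when the action warrants it.
        if (session.mfa_verified_at is None
                or now - session.mfa_verified_at > MFA_FRESHNESS_SECONDS):
            return "step_up"
    return "allow"
```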
IAM Use Cases of Distributed Ledger Technology (DLT)
Emerging technologies such as distributed ledger technology (DLT) provide an opportunity to decentralize the identity verification, authentication, and authorization processes for organizations that require customers to first prove who they are before a product or service can be provided. DLT allows for the use of “verifiable credentials” that are tamper-evident (e.g., name, address, date of birth, Social Security number).
This proof of concept has recently gained popularity as blockchain-based nonfungible tokens (NFTs) have enabled artists to “digitally watermark” their original media. In this instance, it’s important to remember that personal data should not be stored on the blockchain, but rather a hashed output of the value that serves as the verified identifier.
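The rule that only a hashed output of the value goes on the ledger, as an added example that is not from the original article. The commitment scheme below (HMAC-SHA256 over a canonical encoding with a random per-attribute salt) is an assumed construction, and the dictionary standing in for the ledger is constructed for illustration; the salt matters because identifiers such as a Social Security number have a small value space, so an unsalted hash alone would not protect them.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple


def canonicalize(attribute: str, value: str) -> bytes:
    # Fixed, unambiguous encoding so holder and verifier hash identical bytes.
    return json.dumps({"attribute": attribute, "value": value},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(attribute: str, value: str, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex commitment for the ledger, salt kept off-chain by the holder).

    The salt is what makes the on-ledger digest safe: without it, a low-entropy
    value (an SSN, a birth date) could be recovered by hashing every candidate.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    digest = hmac.new(salt, canonicalize(attribute, value), hashlib.sha256).hexdigest()
    return digest, salt


def verify(ledger_commitment: str, attribute: str, value: str, salt: bytes) -> bool:
    """Verifier recomputes the digest from the revealed value and salt."""
    recomputed, _ = commit(attribute, value, salt)
    return hmac.compare_digest(recomputed, ledger_commitment)


# Constructed stand-in for an append-only ledger: credential id -> commitment.
ledger: Dict[str, str] = {}


def issue(cred_id: str, attribute: str, value: str) -> bytes:
    """Issuer records only the commitment; plaintext and salt never touch the ledger."""
    digest, salt = commit(attribute, value)
    ledger[cred_id] = digest
    return salt  # holder stores this alongside the plaintext attribute


def present(cred_id: str, attribute: str, value: str, salt: bytes) -> bool:
    """Holder reveals value + salt; verifier checks them against the ledger entry."""
    return verify(ledger[cred_id], attribute, value, salt)
```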
A shared ledger can also help synchronize logs across business units, maintaining log integrity and reducing the potential for tampering or fraud. Furthermore, DLT allows for decentralized identifiers (DIDs), which are designed to be user-owned and controlled entirely by the identity owner (i.e., the customer) rather than by a central authority (e.g., a certificate authority).
Offensive Cybersecurity Testing
Another low-drag, high-impact FinTech cybersecurity solution is offensive, or adversary-based, testing of discrete technology stacks, networks, and applications.
These solutions include:
- Penetration testing: Identification and simulated exploit of vulnerabilities.
- Red teaming: Emulating an adversary to uncover vulnerabilities and provide constructive security feedback.
- Threat modeling: Using frameworks such as MITRE ATT&CK and NIST SP 800-53 to model the threat actors faced, the probability of their attack, and the efficacy of existing countermeasures.
After a security team engages in these activities, it can deliver actionable insights into how real-world threat actors would challenge the existing security of digital assets. These types of stress tests are an efficient way to identify vulnerabilities that threat actors could target and exploit, and they help prioritize which issues to fix first given limited resources and time.
Additionally, penetration and technical tests function as confidence-boosters for investors and customers who depend on trusted and safe technologies, services, or products. Moreover, these adversary-based tests can often be executed in just a few weeks and with relatively little time commitment from FinTechs’ in-house teams.
In this way, cybersecurity professionals – whether in-house, outsourced, or co-sourced – are helping to drive bottom-line business value beyond the purview of security alone.