Cyber Security & Fintech
By Shirley O’Sullivan
Cyber security is increasingly important in every industry but, over the past few years, companies in fintech have become a priority target for cybercriminals. The volume of sensitive data that needs to be controlled is increasing. Electronic transactions and transfers are now part of everyday life. The data that is used has to be processed and then stored in a format that can be protected. There are strict regulations around secure transactions, the capture and storage of payment data, and, especially since the introduction of the GDPR, the use and storage of the personal information that accompanies payment data.
Cyber security needs to be embedded in all stages of the customers’ journey. Authentication and authorisation, data protection, system integrity and fraud detection are major elements. Application Programming Interfaces (APIs) are thought to be a vital part of implementing high-grade security protocols. A key challenge for financial institutions (FIs) and their partners is how to use APIs whilst keeping information safe. Before allowing partner applications to call an API, FI’s need to ensure that extremely rigorous checks are done. APIs do have an advantage in that they place a layer of abstraction over the FI’s systems meaning there’s only one way in.
FI’s need to be increasingly vigilant when it comes to protecting themselves against the loss or theft of their customers’ information, unauthorised transactions, money laundering, or breaching sanctions. Protecting against fintech threats requires an organisational-wide approach. This includes:
- multiple verifications for partner systems identity
- detailed vetting of partners prior to granting access to any of the FI’s systems
- monitoring of all API usage by partners
- tokenisation i.e. replacing sensitive data with a token/placeholder that then enables the customer to be matched with their data without exposing that data.
Financial institutions can use the systems designed by technology companies to improve efficiency, reduce operating costs, and offer new and improved products. Partnerships between the two may result in greater convenience for, and cost savings to, customers.
As more independent systems become connected, more cyber vulnerabilities arise. Common sources are the interfaces between the multiple systems. Software engineers working with two disparate systems do not necessarily know how they both work, thus making it harder to identify all potential sources of vulnerability. Overcoming integration issues through thorough testing will help to minimise cyber security risks and compatibility issues. However, this process can be time-consuming and costly.
Many cybercriminals are able to gain access to networks and accounts through methods that exploit human error. The most common method is spear-phishing and occurs when users accidentally open spam emails, download malicious attachments or enter confidential information into what turn out to be fake websites to which they are directed.
In addition to cyber security, the integration of new financial technology brings concerns around data collection and privacy. Many financial companies collect data about their customers, including sensitive personal details and financial records. Many firms are also sourcing and keeping so-called ‘alternative data’, for example online spending behaviour, social media patterns, etc. The collection of alternative data also poses questions as to whether customers are aware of what data is being harvested, and how they give or withdraw consent. Other questions that are being raised include who owns what data, what can be shared, and with whom? All firms must comply with regulations and keep customers informed.
This creates understandable security concerns as more third parties gain authorised access to customer data. These groups may have differing approaches to security and follow their own, perhaps incompatible, regulations.
Regulators are having to move fast to keep up with the sophisticated cybercriminals. They need to find a delicate balance between protecting customers without stifling innovation. They have regular discussions with fintech providers, enabling them to gain a better understanding of the new technology while the fintech companies become more aware of the regulations.
There are new solutions emerging in the finance space, including regulatory technology (regtech). This technology uses data analytics in order to assess market risks and solve regulatory challenges. A further area of interest to regulators and financial institutions is blockchain – a high profile technology that is faster, more transparent, and efficient than traditional systems. The transparency it offers makes it ideal for regulatory and auditing purposes.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.