The Covid-19 pandemic created both opportunities and challenges for the FinTech industry, as it did for technology generally. Uptake of FinTech products increased as users became accustomed to doing things remotely and contactlessly, and cyber criminals took the opportunity to launch a flood of increasingly sophisticated attacks on users and companies alike. Effective cybersecurity in FinTech is therefore more important than ever.
FinTech companies handle people's money and personal data through services such as digital banking, digital payments, insurance, trading, and cryptocurrencies. That combination of financial services delivered on technology platforms makes them attractive targets for cyber criminals. The risks are compounded by the regulatory environments in which FinTech companies operate, which place a high value on data protection and information security.
FinTech cybersecurity risks and challenges
FinTech organisations share a similar set of cybersecurity risks and challenges, whatever area they operate in. In no particular order, they include:
Securing networks and applications – Applications are at the heart of most FinTech businesses. While they let a FinTech reach more users and widen the range of services it offers, the internet-facing application is also the attacker's most obvious entry point. A flaw in the application can be used as a foothold from which to reach the wider network.
Identity theft and fraud – FinTech apps let users enter sensitive data and transfer money with a tap on a screen, which makes their accounts an attractive proposition for attackers. Once an attacker has taken over an account they can steal money or use the victim's identity for fraud. Keeping users' digital identities secure is a constant challenge: a login that relies on a password alone is exposed to password guessing, credential stuffing with passwords leaked from other breaches, and phishing.
Cyber attacks – FinTech is an attractive target for attackers because of the mix of PII and financial access it provides. Some of the most common attacks targeting FinTech include:
- Denial of service attacks, where attackers flood the application with traffic so that legitimate customers cannot use it;
- Phishing attacks, where cyber criminals pose as the business or even a government agency to trick users into handing over credentials and personal data, which are then used to access the application and the users' accounts; and
- Ransomware, where attackers infiltrate the network and encrypt files and systems, demanding payment for the decryption key. All of these tactics can have a significant impact on the success of a FinTech company.
Protecting data against breaches – FinTech companies collect, manage, and store large amounts of data every single day, and the transaction and identity data they hold is a high-value target. If attackers breach the application and steal user data, regulators will hold the FinTech company responsible.
Money laundering – Many FinTech companies operate cryptocurrency platforms or handle cryptocurrencies alongside conventional money. Cryptocurrencies add risk: criminals exploit their pseudonymous nature to launder money or to steal funds from the FinTech's legitimate customers, causing financial losses and possibly legal consequences.
Compliance with banking regulations – FinTech is an extremely regulated industry, and it is easy to see why: it deals not just with customers' personally identifiable information (PII) but with their money too. Regulators such as the FCA in the UK supervise banks and the open banking services that FinTech companies provide to them, and may require FinTech companies to implement specific protections, with consequences for the company if those requirements are not met.
Compliance with data protection and security regulations – Regulations such as the GDPR require FinTech companies to have proper security protections in place, and failure to protect personal data through adequate security measures can result in a hefty fine. Add Know Your Customer (KYC) requirements, payments regulations such as the Payment Services Directive (PSD2) in the EU, and the Payment Card Industry Data Security Standard (PCI DSS), and there are many different standards that FinTech companies must consider at every point.
Cybersecurity in FinTech best practices
Image 1: Plan, Do, Check, Review
A cyber attack could have a catastrophic impact on a FinTech company, damaging operations, revenues, and reputation. For FinTech companies, the best way to avoid this outcome is to prepare a cybersecurity programme that both protects networks from attack, and plans for an attack should it take place.
Cybersecurity is ever changing, and the best programmes contain plans, actions and reviews at every stage of the FinTech app's lifecycle.
- Protect the company’s network and infrastructure
Protecting the network and infrastructure from intrusion is the first line of defence in FinTech cybersecurity. Because the threat landscape constantly changes, this includes regularly reviewing and updating the protections in place.
- Secure the cloud
Many FinTech applications are hosted in the cloud. The cloud brings both opportunities and risks for FinTech, including an expanded attack surface. Best practice is for every organisation to have a cloud security strategy in place that it reviews and extends as new threats emerge in the cloud.
- Take a secure development approach
The best way to build a secure app is to take a security-first approach to developing it. This includes code reviews, pre-release penetration testing, and following secure development best practices.
- Test the app for vulnerabilities
Put the app's security to the test by penetration testing it. Pen tests can be carried out at any time, including just before release, and will find vulnerabilities introduced during development that cyber attackers could exploit.
- Protect users when logging in
Users are a FinTech application's greatest asset, but they can also be its greatest liability. Protect users' identities and accounts with a strong authentication process: require strong passwords, enforce multi-factor authentication, and limit repeated failed login attempts.
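The "Protect users when logging in" practice above, and the password-guessing risk described under "Identity theft and fraud", in working code: an added example (not code from the original article) of a login flow that stores passwords with a memory-hard hash, verifies a TOTP second factor, locks an account after repeated failures, and gives the same answer for an unknown user, a wrong password or a wrong code. It uses only the Python standard library. The scrypt parameters, the lockout thresholds, the password-policy rules, the breached-password list and the sample account are assumptions chosen for illustration; the secret `12345678901234567890` is the RFC 6238 test-vector secret, used so the one-time codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Parameters are assumptions for illustration: tune scrypt to ~100 ms per hash
# on the real hardware, and size the lockout to the fraud model.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16
TOTP_STEP, TOTP_DIGITS, TOTP_WINDOW = 30, 6, 1
MAX_FAILURES, LOCKOUT_SECONDS, MIN_PASSWORD_LEN = 5, 900, 12
# Constructed stand-in for a breached-password list; use a real corpus in production.
BREACHED = {"password123", "qwertyuiop12", "letmein12345"}

def check_password_policy(password: str, username: str) -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if password.lower() in BREACHED:
        problems.append("appears in a breached-password list")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """scrypt (memory-hard) with a random salt; stored form is salt || 32-byte key."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + key

def verify_password(password: str, stored: bytes) -> bool:
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], key)  # constant time

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, now: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TOTP_STEP, digits)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    ok = False
    for drift in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        ok |= hmac.compare_digest(totp(secret, now + drift * TOTP_STEP), code)  # check every step
    return ok

@dataclass
class Account:
    pw_hash: bytes
    totp_secret: bytes
    failures: int = 0
    locked_until: int = 0

class AuthService:
    def __init__(self) -> None:
        self.accounts = {}
        # Verified against for unknown usernames so that response time does not
        # reveal whether an account exists.
        self._decoy = hash_password(os.urandom(24).hex())

    def register(self, username: str, password: str, totp_secret: bytes) -> None:
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        self.accounts[username] = Account(hash_password(password), totp_secret)

    def login(self, username: str, password: str, code: str, now: int) -> str:
        """Return "ok", "denied" or "locked"; a wrong password and a wrong code
        give the same answer so an attacker cannot tell which factor was right."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, self._decoy)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        pw_ok = verify_password(password, acct.pw_hash)
        otp_ok = verify_totp(acct.totp_secret, code, now)  # evaluated even if pw_ok is False
        if not (pw_ok and otp_ok):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failures = 0
        return "ok"
```

Two design choices here make explicit what the "strong passwords" advice leaves implicit: the policy rejects short and known-breached passwords rather than imposing composition rules, in line with NIST SP 800-63B, and every path through `login` does the same amount of work, so neither the response nor its timing tells an attacker whether the username exists or which factor was wrong.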
- Get certified
While certification such as ISO 27001 may not deter attackers from targeting an organisation, it will help the organisation get its cybersecurity risk management programme in order. Such a programme covers, among other things, assessing third-party risk and identifying and managing vulnerabilities.
- Review, and make changes
Once everything in the initial cybersecurity programme is in place, it's time to start all over again. Cybersecurity in FinTech changes quickly, with new threats emerging daily as cyber criminals refine their techniques and software updates introduce new vulnerabilities to be exploited. The best cybersecurity programmes change constantly as the needs of the organisation change.