How critical is cybersecurity risk management in Fintech?
Effective cybersecurity risk management is critically important in FinTech because the industry handles sensitive data, which makes it a target for bad actors, and because the industry is highly exposed to the risk of financial fraud, which directly harms a company’s balance sheet and its customers. Trust is an essential component of a financial services provider’s success. Cybersecurity breaches and data leaks undermine consumer confidence in financial services providers, even among consumers who are not directly impacted by the breach, leaving a lasting mark on the company’s reputation.
Cybercriminals are constantly looking for vulnerabilities to exploit in financial institutions (Smusin, 2023). The rapid digitization of the financial services sector has made financial services companies prime targets because they process sensitive information such as credit card numbers, bank account details, and personally identifiable information. Common risks to consider include data breaches, insider threats, emerging technologies, and third-party risk (Smusin, 2023). Companies also need to remain cognizant of compliance with changing regulations, such as the 2023 revisions to the New York State Department of Financial Services (NYSDFS) Part 500.
“A data breach can occur when an unauthorized person gains access to sensitive data…and uses it for fraudulent purposes” (Smusin, 2023). Data breaches can lead to financial losses, loss of customer trust, and damage to the firm’s reputation, all of which have a longer-lasting impact than the breach itself. One of the worst and best-known data breaches in the financial services industry is the Equifax breach of 2017. According to the Federal Trade Commission’s website, the 2017 Equifax data breach exposed the personal information of 147 million people and cost Equifax a $425 million settlement (Equifax Data Breach Settlement, 2022). The total cost of the breach is estimated to be closer to $2 billion after a $1.6 billion investment in improving security and technology (Egan, 2022).
Insider threats are cybersecurity risks that come from within an organization (Smusin, 2023). Insider threats can be intentional, for example an employee or a contractor stealing data or selling confidential information, or unintentional, for example an employee clicking malicious links or falling for phishing emails. It is a best practice for firms to implement internal data access controls to minimize the risk of an internal actor accessing sensitive data. This can be applied at the consumer level, for example by tokenizing personally identifiable information and credit card information and storing the plaintext data in a vault with limited access. It can also be applied at the organizational level, for example by separating public-side and private-side employees (an information barrier) to limit who has the ability to access Material Non-Public Information (MNPI), which can be stolen or sold for insider trading purposes. Limiting data access helps minimize the impact if a single employee’s credentials are compromised.
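The tokenize-and-vault pattern described above, as an added example that is not part of the original essay or of any of its cited sources. It assumes a hypothetical in-process `TokenVault` standing in for a real vault service, a hypothetical role list (`vault_operator`, `support_agent`), and constructed sample customer data; the point it shows is that an account whose credentials are compromised, but which is not on the vault’s allow-list, recovers only tokens and masked values, never the underlying card number or SSN.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet


class AccessDenied(PermissionError):
    """Raised when a role not on the vault's allow-list tries to detokenize."""


@dataclass
class TokenVault:
    """Hypothetical vault: the only component that ever holds plaintext PII/PAN data.

    Tokens are generated with secrets.token_hex and carry no information about
    the plaintext, so a leaked token cannot be reversed without the vault.
    """
    allowed_roles: FrozenSet[str] = frozenset({"vault_operator"})
    _store: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, plaintext: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = plaintext
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control sits at the vault boundary, not in the application.
        if role not in self.allowed_roles:
            raise AccessDenied(f"role {role!r} is not permitted to detokenize")
        return self._store[token]


def mask(value: str, keep_last: int = 4) -> str:
    """Display form kept outside the vault, e.g. '****1111' for a card number."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "*" * max(len(digits) - keep_last, 0) + digits[-keep_last:]


def onboard_customer(vault: TokenVault, name: str, card_number: str, ssn: str) -> dict:
    """Build the record the application database stores: tokens and masks only."""
    return {
        "name": name,
        "card_token": vault.tokenize(card_number),
        "card_last4": mask(card_number),
        "ssn_token": vault.tokenize(ssn),
        "ssn_last4": mask(ssn),
    }


def resolve_record(record: dict, vault: TokenVault, role: str) -> dict:
    """Read the stored record with a given role's credentials.

    Plaintext fields appear only when the role is on the vault allow-list;
    any other role (including a compromised one) sees tokens and masks only.
    """
    visible = dict(record)
    try:
        visible["card_number"] = vault.detokenize(record["card_token"], role)
        visible["ssn"] = vault.detokenize(record["ssn_token"], role)
    except AccessDenied:
        pass
    return visible


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample data; not a real customer.
    rec = onboard_customer(vault, "A. Customer", "4111 1111 1111 1111", "123-45-6789")
    print("stored record:", rec)
    print("support_agent sees:", resolve_record(rec, vault, "support_agent"))
    print("vault_operator sees:", resolve_record(rec, vault, "vault_operator"))
```

The design choice worth noting is where the check lives: the application database holds nothing reversible, and the allow-list is enforced inside the vault, so the blast radius of one stolen credential is bounded by that credential’s role rather than by whatever the application code happens to query.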
“Emerging technologies like artificial intelligence (AI) and the Internet of Things (IoT) can… introduce new cybersecurity risks” (Smusin, 2023), creating new entry points and enabling faster discovery of vulnerabilities. To combat growing AI threats, companies can implement preventative AI strategies, using the technology to anticipate future threats by analyzing historical data and current trends. “Integrating AI into cybersecurity applications can improve threat detection and incident response. For instance, AI can identify anomalies or deviations that may indicate potential security threats. Previously unseen attacks can be detected.” (Drolet, 2024) Another growing application of AI by cybercriminals is AI-based predictive social engineering: bad actors can more easily profile individuals and create personalized phishing campaigns at scale (Drolet, 2024).
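The anomaly-detection idea in the paragraph above, as an added example that is not part of the original essay or its cited sources. Rather than a trained model, it uses a plain statistical baseline (per-account z-score on amount plus a never-seen-before country), which is the simplest form of the “deviation from historical data” Drolet describes; the transaction events are constructed sample data and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events in time order: (account, country, amount in USD).
# Not real data. acct-1 has a stable history, then one large foreign transaction.
SAMPLE_EVENTS: List[Tuple[str, str, float]] = [
    ("acct-1", "US", 42.0), ("acct-1", "US", 55.5), ("acct-1", "US", 38.2),
    ("acct-1", "US", 61.0), ("acct-1", "US", 47.3), ("acct-1", "US", 50.1),
    ("acct-1", "US", 44.9), ("acct-1", "US", 58.7),
    ("acct-1", "RO", 2400.0),
    ("acct-2", "GB", 15.0), ("acct-2", "GB", 12.5), ("acct-2", "GB", 14.1),
    ("acct-2", "GB", 16.0),
]


def detect_anomalies(events, z_threshold: float = 3.0, min_history: int = 5) -> List[Dict]:
    """Flag events that deviate from the account's own prior behaviour.

    Each event is judged only against events that came before it, so the
    detector never "sees the future". Two signals are used:
      - "amount": z-score of the amount against the account's past amounts,
        once at least min_history past events exist;
      - "new_country": a country the account has never transacted from
        (an account's very first event sets its baseline and is not flagged).
    """
    history: Dict[str, List[float]] = defaultdict(list)
    countries: Dict[str, set] = defaultdict(set)
    alerts: List[Dict] = []

    for idx, (account, country, amount) in enumerate(events):
        reasons = []
        past = history[account]

        if len(past) >= min_history:
            mean = statistics.fmean(past)
            stdev = statistics.stdev(past)
            # Guard against a zero stdev (perfectly constant history).
            if stdev > 0 and (amount - mean) / stdev > z_threshold:
                reasons.append("amount")

        if past and country not in countries[account]:
            reasons.append("new_country")

        if reasons:
            alerts.append({"index": idx, "account": account, "reasons": reasons})

        # Update the baseline after judging the event.
        past.append(amount)
        countries[account].add(country)

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In production the baseline would be learned from far more history and many more features, but the structure (judge against the past, then fold the event into the baseline) is the same one a model-based detector follows, and a rule this simple is a useful sanity check alongside any AI-driven system.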
Third-party risk is risk introduced by a company’s vendors. “When fintech companies outsource a certain service to a third-party vendor, they must ensure that these vendors have appropriate security measures in place to protect sensitive financial data.” (Smusin, 2023) In order to properly vet vendors, companies should conduct due diligence, including background checks and security assessments, and ensure that security requirements are included in the contract (Smusin, 2023). It is important that vendors’ security standards align with those of the FinTech, since the FinTech’s clients are ultimately exposed to the vendors’ vulnerabilities. It is also important that vendors comply with the regulatory and compliance standards that apply to FinTech companies. Revisions to the New York State Department of Financial Services (NYSDFS) Part 500 cybersecurity regulation require C-suite sign-off on compliance with the regulation. “As of December 1, 2023, not only must the highest ranking executive (usually, and hereafter, the CEO) now sign off on compliance with the regulation, but this certification must now be based on data and documentation sufficient to accurately determine and demonstrate material compliance (described further below), including any reliance on third parties and affiliates to meet the requirements.” (PwC, 2023)
To protect against increasing cybersecurity risks, FinTech companies must prepare, practice, and revise (Germano, 2024). The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) offer frameworks for preparedness and incident response plans. Incident response plans “clarify roles and responsibilities and will provide guidance on key activities. [The plan] should also include a cybersecurity list of key people who may be needed during a crisis.” (CISA, 2021) CISA’s framework recommends thorough staff training, attorney review of the plan, meeting with the regional CISA team and local law enforcement, defining roles and response actions, quarterly reviews, and attack simulation exercises to ensure the firm is prepared for a potential attack. After an incident, the framework recommends a blameless retrospective, updates to policies and procedures, and effective communication.
Communication is essential for reputation management. The way a firm communicates that it has undergone an attack or that a breach has occurred can maintain or ruin the trust that the firm’s customers and industry partners have placed in it. The 2017 Equifax breach is an example of poor crisis management. When announcing the breach, CEO Richard Smith said, “This is a bad day for Equifax.” Senior executives sold stock before the breach was publicly announced, and shares fell over 6% in after-hours trading after the attack was disclosed. This messaging and “abandon ship” behavior from the executives sent a weak message to the public about Equifax’s ability to handle a crisis and decreased customer trust in the company. Five years later, Equifax experienced another issue, and the new CEO, Mark Begor, sent an honest and informative letter to customers containing language like “There are no excuses, but technology transformations at this scale are not easy”, “Equifax takes this issue very seriously”, and “We stand behind our customers and impacted consumers”. This second Equifax communication is a strong example of the kind of positive communication that can help minimize reputational damage following a breach.
The FinTech industry remains a growing target for cybercriminals because of the vast amounts of sensitive personal and financial data it holds and the potential for financial fraud. It is essential for FinTech companies to prepare, to protect against attacks, and to respond immediately and effectively in the event of a crisis. FinTech leaders must be cognizant of rapidly evolving technologies like AI and IoT that create new entry points and vulnerabilities. Firms must protect against third-party risk and maintain compliance, both internally and through their vendors, with changing regulatory requirements. In the event of a breach, FinTech leaders must respond with care, transparency, and strength to maintain the company’s reputation and protect consumer confidence. This is especially critical for FinTechs and financial services companies because the industry relies heavily on trust.
Sources
CISA. (2021). Incident Response Plan (IRP) basics [Report]. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf
Drolet, M. (2024, February 20). Eight cybersecurity trends to watch for 2024. Forbes. https://www.forbes.com/sites/forbestechcouncil/2023/12/26/eight-cybersecurity-trends-to-watch-for-2024/
Egan, J. (2022, September 9). Five years after the Equifax data breach, how safe is your data? Bankrate. https://www.bankrate.com/finance/credit-cards/how-safe-is-your-data/
Equifax data breach settlement. (2022, December 20). Federal Trade Commission. https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement
PricewaterhouseCoopers. (n.d.). Time’s up! New York cyber changes are final. PwC. https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/nysdfs-cybersecurity-regulations.html
Smusin, M. (2023, September 8). Cybersecurity in FinTech: Challenges, technologies and best practices. Yellow. https://yellow.systems/blog/cybersecurity-in-fintech