In Singapore, Asia’s number one Fintech city, 66% of Fintechs saw an increase in demand for their products and services during COVID-19, with 40% believing that this increase will sustain over a long period. This optimism is, ironically, brought forth by the pandemic, which created an environment that forced the world to reduce its reliance on central points in the financial system. The virus accelerated the need to create value at every point in the financial system through an improvement in its overall structure. This is where Fintech providers can come in to fill the gaps.
To ensure continued success, Fintechs need to invest in cyber security at an early stage of their life cycle. Despite challenges in implementation, cyber security is not optional when it comes to future-proofing Fintechs and ensuring their brand trust. Starting small, in this case, is better than starting late.
The necessity of cybersecurity for Fintechs
“Cyber security must never be an afterthought.” Adam Sommer, Vice President, Industry Standards, Mastercard.
This is unsurprising given that Fintechs are more susceptible to cyber-attacks. Having robust cybersecurity helps build brand trust and also future-proofs the company.
Fintechs are more prone to cyber attacks than other industries.
Fintechs handle large amounts of quality data, making them more prone to cyber-attacks than any other industry. These firms often have access to highly confidential and valuable information on individuals and enterprises, such as credit card details, income breakdown, social security numbers, net worth, and more. This data is often stored in digital formats, which makes it a target for cyber attacks. Fintechs also tend to offer applications to improve user-friendliness, which gives hackers yet another avenue to examine for vulnerabilities in the applications’ design and code.
Since successful data breaches translate to a large cash-out for hackers, many of them have been targeting financial data, which sits in banks, brokerages, financial advisory firms, and financial institutions. The rise of Fintech has provided these hackers with even more platforms to launch cyber attacks. Smaller Fintech firms, who have not yet invested in adequate cyber security tools, can find their systems at risk of being compromised. For example, a recent data breach case involving an Indonesian Fintech aggregator platform involved the leak and sale of personally identifiable information (PII) of almost 3 million users.
Cyber crime is one of the fastest growing crimes in the world, and Fintechs are increasingly falling victim to it. Since Fintechs often provide niche cloud services, including but not limited to digital wallets, payment gateways, and secure online payments, insufficient cloud security measures can also lead to a loss or corruption of sensitive information. A system outage or downtime can also devastate a Fintech by exposing it to cyber risks and preventing it from operating. In addition, these companies also need to take note of malware attacks. Short for malicious software, malware executes unauthorised actions on the victim’s system, and can take the form of ransomware, spyware, command and control, and more.
To survive, Fintechs have to be on an active lookout for vulnerabilities in their systems, improve their cyber security measures, and get a good cyber insurance policy.
Strong cybersecurity builds brand trust.
The aftermath of a cyber security breach goes beyond just having compromised company data. These attacks can undermine brand trust, which can result in severe long-term, and sometimes, irrecoverable consequences.
Facebook, for instance, suffered major data breaches and is still recovering from the Cambridge Analytica incident. Usage numbers have fallen drastically, which affected the company’s growth trajectory and share price. Another case in point would be the breach at Yahoo, where the firm had to pay $350 million in damages as a legal consequence of a lax security policy. If a huge social media company can be derailed overnight by a cybersecurity breach, small Fintechs who are starting to build a brand name for themselves can have it worse. To prevent large losses, Fintechs should invest some money into cybersecurity early in their life cycle.
Good cybersecurity investments future-proof Fintechs.
All Fintechs are cyber companies that rely on security to provide services. This means that the key to thriving lies not only in providing a safe platform for customers today but also in future-proofing themselves to make sure that the platform will continue to be safe tomorrow.
The Global Risks Report puts cyber attacks as the fifth greatest threat, the only non-climate or environment-related threat. It is clear that cyber attacks are here to stay, and Fintechs should be wary. Not only are the attacks more and more common, they are also evolving to become increasingly sophisticated. Some hackers even employ artificial intelligence (AI) to speed up and increase the damage done to victims.
Hackers may use AI fuzzing to automate the process of finding and abusing loopholes in the company’s software. AI fuzzing, unlike manual fuzzing, can operate 24/7, every day, without rest. In addition, deep fake programmes have advanced to a stage where it is both cheap and easy to replicate another human being’s looks and voice in a hyper-realistic manner, making client verification highly difficult for Fintechs.
Phishing attacks have also hit Fintechs, since many firms communicate with clients through virtual chat applications. Hackers can easily pretend to be a Fintech when sending texts or emails to trick victims into giving their personal details. This is where Fintechs need to go a step further and educate their clients on common suspicious activities.
The challenges faced when investing in cyber security
Cyber security is not just a problem for Fintechs, but across the entire financial system, regardless of the level of cyber security maturity. The threat posed by cyber fraudsters can be worsened by the lack of a clear control framework and the need to keep up with multiple regulations in different jurisdictions.
There is no single clear control framework.
Fintechs have many options to make their assets safe from cyber threats, forge strong commercial partnerships, and ensure compliance with regulations in the jurisdictions they operate in. However, it is not clear which control framework is best.
Established financial services providers often have many frameworks, policies, standards, and industry-driven initiatives to test the security of Fintechs. However, fast-paced technology and the multiplication of regulations create a large number of industry initiatives. The large volume of initiatives may be overwhelming for small Fintechs, making it confusing and tough for them to allocate resources in a manner that promotes both security and commercial partnerships. This can explain why some Fintechs with fewer resources choose to leave it to a game of chance, betting that they are small enough to fall through the cracks and not be targeted by attackers. However, this mindset sets a foundation for problems to occur in the future.
Fintechs need to keep up with multiple regulations in different jurisdictions.
Fintech innovations are progressing rapidly as competitors struggle to keep up. This difficulty is worsened if the company is operating in multiple jurisdictions regulated by different bodies.
Ensuring a proper alignment with local regulations in various jurisdictions, while being cost-conscious, can be challenging for Fintechs. However, good governance ends up becoming profitable for many Fintechs in the long run. For example, the first robo-advisor in Singapore carefully matched its regulatory compliance guidelines to those in force in its countries of operation (Singapore and Malaysia), which enabled it to recently be recognised as a Top 10 LinkedIn Startup. By performing their due diligence and investing in cyber security, the Fintech providers are investing in essential customer protection, which is just as important as any other feature that they are offering. While security may not always be a point of differentiation for the Fintech firms, it is of paramount importance.
The solution to adopting good cybersecurity strategies
Fintechs need to have a sound cyber security strategy right from the onset. Besides investing in cyber security early, they also need to continuously test for gaps.
Adopt a sound cybersecurity strategy.
An ideal cyber security strategy is one filled with the latest know-how, up-to-date security tools, bullet-proof processes, and an experienced cyber security team. Solutions, such as Identity and Access Governance, Anti-Malware, Data Loss Prevention, File Level Encryption, and other integrity tools can be helpful.
While an ideal situation would involve having a team of vigilant defenders actively on the lookout to protect data and brand reputation, it may not be realistic to do it all in-house. In this case, Fintechs can consider partnering with a managed security service provider (MSSP) for a more cost-effective solution.
Improve further through testing.
Fintechs that think they already have a sound cybersecurity strategy in place can test their systems for loopholes. Third-party vendors can perform Red Team assessments to test the viability of cybersecurity programs against various attack scenarios. From there, the team can assess cracks and areas of improvement to make the system as foolproof as possible.
The next step: Where should Fintechs start?
As discussed, Fintechs that neglect their cybersecurity will be at risk of devastating attacks. Starting early is ideal, but for firms that have yet to look into cybersecurity solutions, starting now is better than delaying further. To make the process less daunting, Fintechs can begin by assessing tiered cybersecurity frameworks.
Assess tiered cyber security frameworks.
Low-maturity Fintechs can explore a cyber security framework and assessment process that is tiered according to their own cyber security maturity levels. After identifying where they stand, Fintechs can then adopt and enhance their unique set of cyber security tools as they grow.
The solution can start with baseline requirements for controls and assessment. As the Fintechs mature, they can then look at increasingly complex controls that are aligned with their cyber security risk management requirements.
At the end of the day, these controls are not stagnant. As technology, business offerings, and business models evolve, the cybersecurity solution will need to adapt accordingly. The Fintechs also need to seek consultation with the relevant financial institutions, cybersecurity experts, governmental agencies, and more on the best practices.
This article was contributed by Shakthi Priya Kathirvelu, Head of Information Security at Funding Societies
About the author
Shakthi Priya Kathirvelu is Funding Societies | Modalku’s Head of Information Security, where she oversees and drives the information security and information technology (IT) roadmap for the group. She joined the FinTech after 8 years of experience across several information security disciplines in the BFSI sector. Most recently, Shakthi was a Program Manager at Deutsche Bank, where she had built out and led key onshore and offshore global and regional initiatives and matrix-managed teams in Identity & Access Management, Security Operations, Security Assurance, and Risk Management with a special focus on improving Diversity & Inclusion in the workplace.