Assessing Fintech Cybersecurity: Four Basic Questions For Non-Technical Wealth Owners To Ask

Time to read: 5 minutes
Time to read: 5 minutes
Fintech companies are introducing innovative methods to understand and manage even the most diverse portfolios. If you’re considering working with one of these financial industry newcomers independently – that is, not through one of your banks or other institutional service providers – you should ask four basic questions about their data security. This article explores these questions and provides guidance on evaluating the responses.

Fintechs, short for financial technology companies, are a relatively new breed of digital-centric businesses offering a narrow set of financial services addressing particular pain points, for example in mobile banking, peer-to-peer lending, or robo-advising just to name a few.

We at Altoo are a Zug-based fintech company tackling the challenges faced by wealthy individuals in obtaining straightforward, data-driven overviews of their complex and diverse wealth. The Altoo Wealth Platform seamlessly integrates with clients’ overall financial ecosystems, which often involve multiple relationships with traditional financial service providers like banks, custodians, and wealth managers. The platform automatically consolidates, analyses, and visualises current asset data from all institutional sources – as well as data on non-bankable assets related to real estate, private equity, and even lifestyle assets like cars and collectibles – to empower informed decision-making taking total wealth into consideration.

When considering working with any fintech, it is easy to focus on the interesting features or new possibilities it offers. Superior data security may seem like a given for a company operating in the financial industry, which is highly regulated in virtually every developed country.

Financial regulations, however, often fall short in addressing the nuances of cutting-edge technology. There is a genuine risk that a fintech service provider may prioritise innovation at the expense of robust data security. 

The-Big-Picture-Financial-Data

The Big Picture: Financial Data Remains a Prime Target for Hackers, Regardless of Its Location

The Big Picture: Financial Data Remains a Prime Target for Hackers, Regardless of Its Location

With regards to cybersecurity, the first thing to know about fintechs is that they work with the same types of data as traditional financial institutions. This highly sensitive information is greatly attractive to cyberattackers.

Leading global insurer AON identified cyberattacks and data breaches as the top risks facing financial institutions. In 2023, IBM identified that financial sector data breaches were the second most costly across all industries, costing firms an average of $5.9 million per incident. And in 2022, INTERPOL ranked financial and cyber crimes – which are increasingly interlinked, as criminals aim to exploit digital technologies to launder money – as top global police concerns.

Criminals are constantly scanning for weak links in financial technology security systems. Of all the data breaches risk advisory and intelligence specialist Kroll handled in 2023, the most were in the financial industry. Kroll highlighted several cases of small- to mid-sized regional banks being affected by ransomware attackers who stole client data from the banks’ third-party partners. While Kroll did not disclose details about these partners, it is worth noting that many fintechs fall into this broad category of businesses with whom financial institutions share data.

4-Simple-Cybersecurity-Questions-to-Ask-Fintechs

Four Simple Cybersecurity Questions to Ask Fintechs

Four Simple Cybersecurity Questions to Ask Fintechs

What steps can you take to protect yourself as you venture into the world of fintech? Especially if you do not have a technical background? Here are four straightforward questions (that should lead to understandable answers) to pose to a fintech service provider: 

01 Where are you based?

The location of a fintech’s headquarters – or its branch that you will be engaging with – can serve as a key indicator of the legal requirements governing their data privacy and security practices.

For example, all companies dealing with EU citizens must comply with the General Data Protection Regulation (GDPR), which requires measures to processes and to protect personal data from unauthorised usage and access.

Another example is the EU’s Second Payment Services Directive (PSD2). This directive requires EU-based financial institutions to facilitate secure sharing of clients’ payment-related data with authorised Third-Party Providers (like some fintechs) through properly secured data connections known as application programming interfaces (APIs). This sharing happens only with the explicit consent of the client.

Bear in mind that legal requirements to ensure financial data privacy and security are far from universal around the world. In many ways the EU has led the way here, and several other jurisdictions have incorporated similar policies into local legislation. Switzerland’s Federal Act on Data Protection is a leading example. Note that United States lawmakers have proposed GDPR-style rules at the federal level but no formal enactment has been made so far.

If the fintech you are evaluating is based outside the EU and will be handing an EU citizen’s data, you definitely want to ask a follow-up question as to whether their technology aligns with data security standards similar to those established in the EU – particularly with respect to APIs. These data connections play a crucial role in many fintechs’ operating models, which often involve gathering information like transaction histories, account balances, and loan information from originating institutions. While PSD2 is specific to the EU, it represents a world-class benchmark for securing financial data connections.

02 Can you explain your overall approach to cybersecurity in plain language?

According to the Harvard Business Review, human error is responsible for over 80% of cybersecurity incidents. Hackers often target poorly trained employees to exploit vulnerabilities.

A simple way to judge how much effort a fintech is putting into educating its team members about cybersecurity is the effort the fintech puts into educating you about it.

When assessing a fintech service provider, request an overview of their technological security measures. While this overview may involve complex technical concepts, they should be explained in a straightforward and understandable manner.

Remember: The fintech under consideration exists to serve individuals like you. If the fintech’s leadership does not prioritise making their security practices accessible to you, it may indicate similar challenges within the organisation’s internal training efforts.

03 Do you support more than two access authentication factors?

Simply put, access authentication factors are the barriers a user must navigate before using a digital service. One factor could be an online password, while another might involve a code generated by a mobile phone authentication app or delivered via SMS.

Most likely, your current financial service providers already utilise at least two-factor authentication (2FA), which is commonplace in the industry.

Support for three-factor authentication (3FA) indicates that a fintech is going the extra mile to protect client data. The third factor might be – and is, in our case at Altoo – a certificate that is installed on a user’s device and verified each time the user logs in to the system with that particular device.

04 Do you own all your data storage hardware?

Every fintech has a variety of options when it comes to storing data. Each option involves a combination of software (systems for data management) and hardware (the physical machines hosting the software).

Fintechs do not necessarily need to own hardware in order to take advantage of sophisticated, highly secure data storage software. They can rent servers owned by a cloud service provider (CSP). This option is often more cost-effective than owning and maintaining hardware.

CSPs go to great lengths to ensure security and reliability. Partnering with a CSP, however, introduces an additional layer of risk that is hard for the fintech to be fully in control of.

Therefore, a fintech’s decision to exclusively use its own data storage hardware demonstrates a remarkably strong – and accordingly more expensive – commitment to comprehensive data security practices.   

Cybersecurity-at-Altoo

Cybersecurity at Altoo

Cybersecurity at Altoo

Since our founding in 2017, we at Altoo have been optimising for cybersecurity from the ground up.

Our company and every member of our team are based in Switzerland, a country renowned for its excellence in financial services. In 2023, Switzerland topped the World Intellectual Property Organization’s Global Innovation Index for the 13th consecutive year. We are subject to Switzerland’s Federal Act on Data Protection, which aligns closely with the EU’s GDPR. Our platform interfaces with numerous European banks and data transmission is compliant with the EU’s PSD2. In early 2024, Switzerland was one of only 11 jurisdictions recognised by the European Commission for ensuring an adequate level of protection for personal data transfers. As a result, data transfers from the EU to Switzerland can take place without additional requirements

We implement over 1,600 cybersecurity measures, of which a detailed yet user-friendly overview is available on request. We look forward to sharing it with you! This resource outlines our support for up to three-factor access authentication and describes our data storage hardware, which is owned entirely by us and located exclusively in a Swiss tier 4 data centre.

“At Altoo, data security is not just a promise; it is a fundamental operating principle. We are certainly among the most cybersecurity-conscious fintechs on the market,” says Stefan Thiel, Chief Technology Officer at Altoo AG.

“Our technology professionals employ a wide range of advanced security precautions. For instance, we regularly conduct both ‘grey box’ and ‘black box’ penetration testing to identify potential vulnerabilities accessible to attackers with and without valid login credentials, respectively. Additionally, we prioritise continuous education for all team members, technical and non-technical alike, on cybersecurity protocols. We are dedicated to ensuring strict adherence across the organisation,” concludes Stefan Thiel.

If you would like to learn more about the Altoo Wealth Platform and our world-class cybersecurity practices, please reach out to us.

ACTIONABLE INSIGHTS

Fintechs are in hackers’ crosshairs

Fintechs use the same types of highly sensitive data as do traditional financial institutions, which are top targets for hackers.

You can handle basic fintech cybersecurity due diligence

You do not need to be a technical expert to ask a fintech four simple questions. The fintech’s answers will reveal a lot about its commitment to cybersecurity. 

We think you might like

Family offices are underinvested in operational technology, often relying on paper-based methods and Excel spreadsheets. Transitioning to digital wealth platforms enhances efficiency, decision-making, and collaboration. This insight explores how digital solutions can simplify complex wealth structures, making asset management more effective and strategic for private wealth clients.
According to legendary investor Warren Buffett, successful wealth management is all about following two rules. The first is to never lose money. The second is not to forget the first rule. These rules are simple to understand but can be hard to stick to, especially for UHNWIs: the more complex their wealth becomes, the greater the potential for missteps – and the more significant the consequences. This article outlines three key ways UHNWIs successfully put Warren Buffett’s theory into practice.
Thanks to digitalisation, data transparency is gaining ground in wealth management. With the help of digital platforms, error-free data synchronisation is possible in real time.

In case you missed it

Left Menu Icon