Fintechs, short for financial technology companies, are a relatively new breed of digital-centric businesses offering a narrow set of financial services addressing particular pain points, for example in mobile banking, peer-to-peer lending, or robo-advising just to name a few.
When considering working with any fintech, it is easy to focus on the interesting features or new possibilities it offers. Superior data security may seem like a given for a company operating in the financial industry, which is highly regulated in virtually every developed country.
Financial regulations, however, often fall short in addressing the nuances of cutting-edge technology. There is a genuine risk that a fintech service provider may prioritise innovation at the expense of robust data security.
The Big Picture: Financial Data Remains a Prime Target for Hackers, Regardless of Its Location
With regard to cybersecurity, the first thing to know about fintechs is that they work with the same types of data as traditional financial institutions: account details, transaction histories, identity documents and credentials. This highly sensitive information is extremely attractive to attackers.
Leading global insurer AON identified cyberattacks and data breaches as the top risks facing financial institutions. In 2023, IBM identified that financial sector data breaches were the second most costly across all industries, costing firms an average of $5.9 million per incident. And in 2022, INTERPOL ranked financial and cyber crimes – which are increasingly interlinked, as criminals aim to exploit digital technologies to launder money – as top global police concerns.
Criminals are constantly scanning for weak links in financial technology security systems. Of all the data breaches risk advisory and intelligence specialist Kroll handled in 2023, the most were in the financial industry. Kroll highlighted several cases of small- to mid-sized regional banks being affected by ransomware attackers who stole client data from the banks’ third-party partners. While Kroll did not disclose details about these partners, it is worth noting that many fintechs fall into this broad category of businesses with whom financial institutions share data.
Four Simple Cybersecurity Questions to Ask Fintechs
What steps can you take to protect yourself as you venture into the world of fintech, especially if you do not have a technical background? Here are four straightforward questions (that should lead to understandable answers) to pose to a fintech service provider:
01 Where are you based?
The location of a fintech’s headquarters – or its branch that you will be engaging with – can serve as a key indicator of the legal requirements governing their data privacy and security practices.
For example, any organisation that processes the personal data of people in the EU, wherever the organisation itself is located, must comply with the General Data Protection Regulation (GDPR), which requires a lawful basis for processing and appropriate technical and organisational measures to protect personal data from unauthorised access and use.
Another example is the EU’s Second Payment Services Directive (PSD2). It requires banks and other account-servicing payment service providers in the EU to give authorised third-party providers (a category that includes many fintechs) access to a client’s payment account data through dedicated, secured interfaces known as application programming interfaces (APIs), and it mandates strong customer authentication for most electronic payments and account access. Data is shared only with the explicit consent of the client.
Bear in mind that legal requirements to ensure financial data privacy and security are far from universal around the world. In many ways the EU has led the way here, and several other jurisdictions have incorporated similar policies into local legislation; Switzerland’s revised Federal Act on Data Protection, in force since September 2023, is a leading example. The United States has no comprehensive federal privacy statute: lawmakers have proposed GDPR-style rules at the federal level, but none has been enacted so far, and protection rests on sector-specific laws and a patchwork of state laws such as California’s.
If the fintech you are evaluating is based outside the EU and will be handling an EU resident’s data, you definitely want to ask a follow-up question as to whether their technology aligns with data security standards similar to those established in the EU – particularly with respect to APIs. These interfaces play a crucial role in many fintechs’ operating models, which often involve gathering information like transaction histories, account balances, and loan information from originating institutions. Ask specifically how the API authenticates both the calling application and the end client, whether all traffic is encrypted in transit, and how the client’s consent is recorded and can be withdrawn. While PSD2 is specific to the EU, it represents a world-class benchmark for securing financial data connections.
02 Can you explain your overall approach to cybersecurity in plain language?
According to the Harvard Business Review, human error is involved in over 80% of cybersecurity incidents. Attackers often target poorly trained employees, for example through phishing, rather than attacking the technology directly.
A simple way to judge how much effort a fintech is putting into educating its team members about cybersecurity is the effort the fintech puts into educating you about it.
When assessing a fintech service provider, request an overview of their technological security measures. While this overview may involve complex technical concepts, they should be explained in a straightforward and understandable manner.
Remember: The fintech under consideration exists to serve individuals like you. If the fintech’s leadership does not prioritise making their security practices accessible to you, it may indicate similar challenges within the organisation’s internal training efforts.
03 Do you support more than two access authentication factors?
Simply put, authentication factors are the independent pieces of evidence a user must present before using a digital service. They fall into three categories: something you know (a password), something you have (a code generated by an authenticator app on your phone, a code delivered via SMS, or a hardware key) and something you are (a fingerprint or face scan). Not all factors are equally strong: an SMS code can be intercepted or redirected by SIM swapping, and any code typed into a look-alike website can be phished, whereas a cryptographic credential bound to a specific device is far harder to steal remotely.
Most likely, your current financial service providers already utilise at least two-factor authentication (2FA), which is commonplace in the industry.
Support for three-factor authentication (3FA) indicates that a fintech is going the extra mile to protect client data. The third factor might be – and is, in our case at Altoo – a certificate that is installed on a user’s device and verified each time the user logs in to the system with that particular device. Strictly speaking, a device certificate and a phone-generated code both count as “something you have”, so what the third factor adds is less the raw count than its quality: an attacker who has phished the password and intercepted a one-time code still cannot log in without the enrolled device. When you ask this question, also ask how a lost or replaced device is enrolled and revoked, since that recovery process is where such protection is most often weakened.
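The following is an added illustration of what a three-factor login check looks like on the server side; it is example code written for this article, not Altoo’s implementation or the code of any product. It combines a salted password hash (something you know), a time-based one-time code of the kind an authenticator app produces (something you have) and a certificate fingerprint pinned to the enrolled device (something you have that cannot be typed into a phishing page). The certificate bytes are a constructed stand-in: in a real deployment the TLS layer presents and validates the client certificate and the application only pins its fingerprint.

```python
"""Three-factor login check: password + TOTP code + device certificate.
Illustrative example; the device certificate is a constructed byte string."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed stand-in for a DER-encoded client certificate. In practice the
# TLS layer presents and validates it; the application pins the fingerprint.
DEVICE_CERT_DER = b"\x30\x82\x01\x0a-constructed-device-certificate-bytes"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to Unix time // step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current time step plus/minus `window` steps (clock drift).
    Every candidate is compared in constant time; a code of the wrong
    length is rejected outright."""
    if len(code) != digits:
        return False
    counter = at // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), code)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; 600,000 iterations is the current OWASP guidance."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate, the value pinned at enrolment."""
    return hashlib.sha256(cert_der).hexdigest()


def enroll(username: str, password: str, device_cert_der: bytes) -> dict:
    """Create the server-side record for a user and their first device."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "password_hash": hash_password(password, salt),
        "totp_secret": secrets.token_bytes(20),
        "device_fingerprints": {cert_fingerprint(device_cert_der)},
    }


def totp_provisioning_secret(record: dict) -> str:
    """Base32 form of the TOTP secret, which the user enters into their app."""
    return base64.b32encode(record["totp_secret"]).decode()


def login(record: dict, password: str, code: str, device_cert_der: bytes,
          at=None) -> tuple:
    """Check all three factors. Every check always runs, so response timing
    does not reveal which factor failed; the detailed list is for the
    server's audit log, and the client should only see a generic error."""
    at = int(time.time()) if at is None else at
    failed = []
    if not hmac.compare_digest(hash_password(password, record["salt"]),
                               record["password_hash"]):
        failed.append("password")
    if not verify_totp(record["totp_secret"], code, at):
        failed.append("totp")
    # Certificate fingerprints are not secret, so a plain set lookup is fine.
    if cert_fingerprint(device_cert_der) not in record["device_fingerprints"]:
        failed.append("device")
    return (not failed, failed)


if __name__ == "__main__":
    rec = enroll("alice", "correct horse battery staple", DEVICE_CERT_DER)
    now = int(time.time())
    print("authenticator secret:", totp_provisioning_secret(rec))
    code = totp(rec["totp_secret"], now)
    print(login(rec, "correct horse battery staple", code, DEVICE_CERT_DER, now))
    print(login(rec, "correct horse battery staple", code, b"other laptop", now))
```

The second `login` call in the demo fails on the device factor alone: a correct password and a correct one-time code are not enough from a device that was never enrolled, which is exactly the property the question above is probing for. The `hotp` and `totp` functions reproduce the published RFC 4226 / RFC 6238 test vectors, so they can be checked against any standard authenticator app.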
04 Do you own all your data storage hardware?
Every fintech has a variety of options when it comes to storing data. Each option involves a combination of software (systems for data management) and hardware (the physical machines hosting the software).
Fintechs do not necessarily need to own hardware in order to take advantage of sophisticated, highly secure data storage software. They can rent servers owned by a cloud service provider (CSP). This option is often more cost-effective than owning and maintaining hardware.
CSPs go to great lengths to ensure security and reliability. Partnering with a CSP, however, makes security a shared responsibility: the provider secures the physical facilities and the underlying infrastructure, while the fintech remains responsible for how it configures and uses the service, and it cannot directly inspect or control the provider’s side. Misconfigured cloud storage on the customer’s side is a recurring cause of data exposure.
Therefore, a fintech’s decision to exclusively use its own data storage hardware demonstrates a remarkably strong – and accordingly more expensive – commitment to comprehensive data security practices. Ownership alone is not a guarantee, though. Whichever model the fintech uses, ask the same follow-up questions: who holds the encryption keys for data at rest, who has physical and administrative access to the machines, and whether the environment is independently audited (certifications such as ISO 27001 or a SOC 2 report are the usual evidence).
ACTIONABLE INSIGHTS
- Fintechs are in hackers’ crosshairs: Fintechs use the same types of highly sensitive data as do traditional financial institutions, which are top targets for hackers.
- You can handle basic fintech cybersecurity due diligence: You do not need to be a technical expert to ask a fintech four simple questions. The fintech’s answers will reveal a lot about its commitment to cybersecurity.