The Fintech ecosystem can't seem to catch a break. It has been over six months since the first details of what may be one of the largest security breaches in history, the Equifax data breach, were made public, and we are still struggling to deal with the aftermath as new information continues to emerge.
The WannaCry ransomware attack that hit FedEx, among many others worldwide, nearly a year ago still seems to be producing copycats. And then there is the 2014 JP Morgan data breach, still considered a doozy: tens of millions of people and seven million businesses affected, a jaw-dropping total of 83 million customers. That time, five hackers used malware, social engineering, and spear-phishing attacks to plunder emails, addresses, phone numbers, SSNs, and other customer information, not just from JP Morgan itself but from other financial institutions around the same time.
Last year’s 2017 Financial Industry Cybersecurity Research Report highlighted the fact that financial institutions fall victim to breaches more often than companies in the telecommunications, transportation, food, manufacturing, and pharmaceutical sectors combined. As cybercriminals find new ways to attack, breach, and exploit organizations, threat patterns such as phishing, spear-phishing, and social engineering evolve and become more sophisticated.
The report provides us with some troubling data:
45% of the financial firms had at least one malware event between March and August 2017, a proof point that hackers frequently target the financial industry.
The financial industry has difficulty managing third-party security risks that arise from the availability of leaked credentials and exposed passwords.
With respect to cybersecurity health, only 25% of the 20 highest-performing FDIC-insured banks received an 'A' grade in DNS Health.
The report makes it clear that financial organizations need solutions that assess and manage their own vulnerabilities and their vendors' vulnerabilities in real time, to protect both their safety and their reputation.
The challenges facing fintech management today include regulators that are increasingly vigilant about cybersecurity measures, gaining customer trust in an age when it seems all of our private details are always online, and securing the many applications on which fintechs have become extremely reliant.
This is our breakdown of the top three challenges that we think fintechs should address head-on, yesterday.
Financial institutions are a highly regulated and closely monitored bunch. Processes, systems and applications need to be managed, documented and reported regularly, leaving little room for error.
Regulations and directives like HIPAA in the U.S., the EU's upcoming Network and Information Security (NIS) Directive, and the soon-to-be-implemented GDPR are particularly stringent regarding records containing private data. In addition, PCI DSS (the Payment Card Industry Data Security Standard) is another important compliance requirement for any organization that accepts, processes, stores or transmits credit card information, since it obliges them to maintain a secure environment for cardholder data.
Regulation also applies to third party components. Financial Institutions are held accountable, and need to ensure that their software suppliers adhere to compliance and regulatory requirements.
This means that fintechs need to ensure that their offerings are well-managed and comprehensively documented. This affects all aspects of the ALM (Application Lifecycle Management) — development, release, deployment, and operations processes.
Innovation and time to market are essential to all successful software offerings. For financial services institutions to remain competitive, in addition to maintaining innovation in their solutions, they also need to ensure that their offerings are secure and dependable.
Today, data breaches are a top concern and quick to grab the headlines. Just take a look at the Uber fiasco: Uber, already in trouble with federal regulators over a 2014 breach, went to great lengths to conceal a huge data breach that occurred in 2016, when hackers stole a whopping 57 million driver and rider accounts, including phone numbers, email addresses, names, and driving license numbers. Uber is now being sued by Pennsylvania, in addition to Washington state, Chicago, and Los Angeles, over the way it handled the breach and its disclosure, while other states have also said they will look into it. Failing to protect its customers' and users' data is costing Uber a lot.
Customers and end users are becoming increasingly aware of the risks of allowing companies to store their personal data and credentials, and companies in the fintech industry need to assure customers that they are worthy of their trust.
A breach can lead to a rapid loss of trust from consumers, leading to a rapid attrition rate that can wreck a company’s reputation.
Whether we like it or not, the fintech industry, just like the rest of the software ecosystem, is highly reliant on applications, and therefore needs to prioritize application security management as part of the effort to protect their users’ data.
In the highly regulated fintech industry, financial technologies are joining the increasingly open source ecosystem. As open source technologies reshape both our development processes and our applications and products, they open the door to exciting new opportunities but also to new security risks.
With the growing use of open source and third-party software, financial institutions are becoming more concerned about security. Recent vulnerabilities in open source components (remember Equifax, breached through an unpatched Apache Struts component?) raised awareness of the open source components used in financial products, and of the need to manage third-party and open source components as part of an organization's application security strategy.
The founding of organizations like The Symphony Foundation shows us that the fintech industry is making an effort to embrace third-party and open source components. The foundation is a non-profit fintech organization founded by tier-1 firms including Deutsche Bank, Bank of America, J.P. Morgan, Credit Suisse, Citi, and Morgan Stanley, dedicated to building an open source community and development ecosystem that fosters innovation in financial services.
In order to ensure that adopting innovative technologies doesn't come at the price of security, the Symphony Foundation partnered with WhiteSource to act as gatekeeper of its open source ecosystem, automatically enforcing the organization's security policies. According to Maurizio Pillitu, the SSF's Director of DevOps, who spoke to us for our case study about the partnership, implementing automatic security management throughout the development lifecycle has resulted in significant buy-in from the financial industry. He cited their extensive list of platinum members and the growing number of organizations signing the Contributor License Agreements that allow them to take part in the initiative.
Implementing continuous management and reporting of the open source components used throughout the development lifecycle helps fintechs maintain their competitive edge and stay secure, without slowing down development or compromising quality with outdated methods like manual code scanning. In practice that means every build resolves its dependency manifest to pinned versions, matches them against a current advisory feed, and fails the pipeline when a component violates the organization's policy, rather than relying on someone to remember to check.
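To make the idea of an automated policy gate concrete, here is an added example (not WhiteSource's, the Symphony Foundation's, or any product's code) of the kind of check a CI pipeline would run on every build: it parses a pinned dependency manifest, matches each component against an advisory feed with affected version ranges, and fails the build when a finding meets the policy's severity threshold. The manifest, the advisory records, the package names and the `ADV-` identifiers are all constructed for illustration and correspond to no real software or vulnerability; a real deployment would pull the feed from a vulnerability database and use a proper version-comparison library instead of the simple dotted-integer parser used here.

```python
"""Constructed example of an open source component policy gate for CI.
Nothing here is real data: package names, versions and advisory IDs are
invented to show the mechanics of continuous dependency checking."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Higher number = more severe; used to compare against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed requirements.txt-style manifest with pinned versions.
SAMPLE_MANIFEST = """\
# build manifest (constructed sample)
webframework==2.3.1
jsonparser==1.0.4    # trailing comments are ignored
cryptolib==3.2.0
"""

# Constructed advisory feed. Affected range is [introduced, fixed);
# fixed=None means no fixed release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "webframework", "introduced": "2.0.0",
     "fixed": "2.3.2", "severity": "critical"},
    {"id": "ADV-0002", "package": "jsonparser", "introduced": "1.0.0",
     "fixed": "1.0.3", "severity": "high"},
    {"id": "ADV-0003", "package": "cryptolib", "introduced": "3.0.0",
     "fixed": None, "severity": "low"},
]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed: Optional[str]


def parse_version(v: str) -> tuple:
    """Simplified dotted-integer version parser (e.g. '2.3.1' -> (2, 3, 1))."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_manifest(text: str) -> Dict[str, str]:
    """Return {package: pinned_version}. Unpinned entries are a policy
    violation in themselves: an unpinned build cannot be reproduced or audited."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency rejected by policy: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, advisory: dict) -> bool:
    """True if version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory.get("fixed")
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def scan(deps: Dict[str, str], advisories: List[dict]) -> List[Finding]:
    """Match every advisory against the resolved dependency set."""
    findings = []
    for adv in advisories:
        version = deps.get(adv["package"].lower())
        if version is not None and is_affected(version, adv):
            findings.append(Finding(adv["package"], version, adv["id"],
                                    adv["severity"], adv.get("fixed")))
    return findings


def blocking_findings(findings: List[Finding], block_at: str = "high") -> List[Finding]:
    """Apply the organization's policy: anything at or above block_at fails the build."""
    threshold = SEVERITY_RANK[block_at]
    return [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]


def run_gate(manifest: str, advisories: List[dict], block_at: str = "high") -> int:
    """Return a CI exit code: 0 = pass, 1 = policy violation."""
    findings = scan(parse_manifest(manifest), advisories)
    blocking = blocking_findings(findings, block_at)
    for f in findings:
        fix = f"upgrade to {f.fixed}" if f.fixed else "no fix available, track and mitigate"
        flag = "BLOCK" if f in blocking else "warn "
        print(f"[{flag}] {f.package}=={f.version} {f.advisory} ({f.severity}): {fix}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(run_gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES))
```

On the constructed inputs the gate reports two findings: `webframework` 2.3.1 falls inside the critical advisory's range and blocks the build, while `cryptolib` 3.2.0 matches a low-severity advisory with no fix yet and is only reported; `jsonparser` 1.0.4 is already past the fixed release and is clean. The important design point is that the decision is made on every build from the resolved, pinned dependency set, so a newly published advisory shows up the next time the pipeline runs rather than at the next manual review.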
These days it seems we are continually oscillating between exciting, disruptive technological innovation and the unexpected, hard-to-measure risks that it brings.
In order to stay ahead in the competitive fintech landscape, playing it safe can feel like an unattainable option. That said, as we learn about the risks that we face and assess our challenges, we can leverage technology to automate important security and compliance processes while staying ahead of the game.