As the financial services industry has grown increasingly reliant on electronic data, legacy systems and emerging fintech, the sector (and its regulators) has become increasingly concerned with security and resilience. Unfortunately, the wide range of risks that come with digital dependence, including those in the underlying software, hardware and networks, has proven impossible to eliminate. Those risks are still manageable, given adequate resources, expertise, advance planning and persistent executive-level attention.
Assessing Enterprise Cybersecurity Risk
To assess a financial institution's cybersecurity risk, organisations typically start by mapping and prioritising their sensitive data and critical networks, and by considering the potential consequences of a loss of data confidentiality, or a loss of data or system integrity and availability. They then apply administrative, physical and technical controls to reduce the likelihood of those harms; the controls chosen often track regulatory requirements or internationally recognised frameworks. The non-profit Center for Internet Security (CIS) maintains the CIS Controls, a prioritised list (20 controls at the time of writing) of "high-priority, highly effective" defences against pervasive attack techniques. In its 2016 Data Breach Report, the California Attorney General concluded that failing to implement all of these controls that apply to an organisation's environment, so far as they protect personal data, "constitutes a lack of reasonable security." At a minimum, fintech companies would do well to know which of these controls they have and have not implemented, and why.
Assessing Product Cybersecurity Risk
In addition to enterprise cybersecurity concerns, companies responsible for the design, build and support of financial technologies should consider implementing best practices for secure software development and supply chain risk management. The non-profit Open Web Application Security Project (OWASP) publishes resources that can help, including the Software Assurance Maturity Model (SAMM), which sets out the business functions and security practices of a mature software development organisation; the Code Review Guide, which helps teams find vulnerabilities early in the software development lifecycle; and the OWASP Top 10 list of the most critical web application security risks. What does this mean for fintech? When assessing risk, companies should ask whether their internal software engineers and their fintech vendors have adopted OWASP's practices or equivalent processes, or have engaged a competent third party to review their source code.
Deploying Technology in the United States and Europe
Within the United States, fintech companies might consider assessing themselves against the National Institute of Standards and Technology (NIST) Cybersecurity Framework and taking advantage of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool. NIST breaks down enterprise cybersecurity risk management into the functions of Identify, Protect, Detect, Respond, and Recover, with a strong emphasis on process and continual improvement. FFIEC complements this approach, while emphasising concerns particularly relevant to fintech, including outsourced technologies, third-party connections, end-of-life systems, delivery channels for products and services, online/mobile products and technology services, changes in an organisation's information technology environment, and locations of operations and data centres.
Meanwhile, entities covered by the New York State Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) must maintain written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, together with procedures for evaluating, assessing or testing the security of externally developed applications.
In Europe, the General Data Protection Regulation (GDPR), which applies from May 2018, requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32). Fintech companies seeking to enter, or remain in, the European market should pay particular attention to the GDPR's mandate of "data protection by design and by default" (Article 25), which must take into account the risks to the rights and freedoms of natural persons as well as "the state of the art, the cost of implementation and the nature, scope, context and purposes of processing."
Other requirements apply as well. For example, the European Union's Network and Information Security (NIS) Directive is designed specifically to improve the cybersecurity of "operators of essential services" (a category that includes banking and financial market infrastructures), without affecting the oversight that remains with the Eurosystem and the European System of Central Banks. Meanwhile, the revised Payment Services Directive (PSD2) provides for regulatory technical standards on strong customer authentication and common and secure open standards of communication. Worth noting as well is the Bank of England's CBEST programme, which uses current cyberthreat intelligence to direct penetration testers looking for vulnerabilities in the UK financial system (including fintech products and services).
Cybersecurity can be staggeringly complex at the enterprise level, and properly securing fintech at the product level remains a significant challenge. Companies that develop or deploy fintech solutions must remain mindful of the legal and regulatory landscape in which they operate. It may not be possible to have all the answers, but it is possible and essential to identify the right questions and risk management process. It also is prudent for companies to align their cybersecurity programs with an industry-recognised framework, even when voluntary. Should the day come when your organisation must defend the adequacy of its cybersecurity program, the first step will be to show there actually is one.
This content first appeared in Chambers Professional Advisers: FinTech.