According to a study by Geneva-based application security company ImmuniWeb, 98 per cent of the top 100 global fintech start-ups are vulnerable to cyberattacks, including phishing, app security attacks on mobile and web, etc.
By Robin Bhowmik
The Covid-19 pandemic has paved the way for huge opportunities for financial technology companies. Financial institutions are adopting fintech solutions to embrace the digital wave that is engulfing our country. Consumer penetration has increased along with the advent of these players and their customer-centric designs. However, along with this speedy tech transformation, new cybersecurity risks are also emerging. This makes it imperative for fintech startups to take appropriate measures to secure their ecosystems from being compromised.
Fintech startups are not free from cyber risks. According to a study by Geneva-based application security company ImmuniWeb, 98 per cent of the top 100 global fintech start-ups are vulnerable to cyberattacks, including phishing, app security attacks on mobile and web, etc. The study also points out that 100 per cent of the fintech providers face some security or privacy risk. Cross-site scripting (XSS), sensitive data exposure, and security misconfiguration are some of the risks associated with websites. Fintech mobile apps had at least one security vulnerability in the recent past. This data reveals the cybersecurity risk associated with fintech companies.
Here are some of the cyber threats fintech start-ups regularly face:
- Malware attacks: Hackers design malware to breach the system and gather critical information.
- Data breach: Most fintech players let customers store payment data, such as card details and user password credentials, on their respective platforms/websites. A small breach may lead to leakage of sensitive financial data.
- Cloud environment security risk: Fintech service providers are leaders in incorporating cloud computing to ease information management. A strong cloud security measure is mandatory to avoid data compromise.
- Availability of critical systems: 100% uptime is necessary for running systems effectively. System outage would lead to a great loss for fintech companies.
- Application security risk: Hidden vulnerabilities in the application design and code attract cyberattacks.
With the growth of fintech, more data is available to be analyzed but that also makes it more susceptible to security breaches. Some of this data includes personally identifiable information and financial and health-related information of customers. Managing digital identities of individuals is a major challenge as organisations aim to provide an integrated omnichannel experience to users by extending a host of banking, wealth management, and payment services in a seamless fashion.
Cybersecurity measures by fintech startups
The essential technique or process that most fintech companies follow is called ethical hacking, which is fundamentally an attempt to hack your own platform from within the organisation and reward anyone who is able to do so or who spots inconsistencies or weaknesses in the overall architecture or code. Most service providers with security offerings also offer these services along with stand-alone penetration testing, fortification, load tests, phishing attempts, etc. All fintech companies have a very active hacking team combined with a fortification team in-house.
A commonly used hack is to recreate fake customer IDs which are then thrown at the application to generate fake data, which is then ‘validated’ with the real customer through screen scraping, mirroring software, or via a phone call. While biometrics, OTPs, and code authenticators make phone/online banking safer, cloning of these identities can lead to amplified risks.
The other threat most fintech companies are wary of is the presence of mirrored sites, which look and function exactly like the real one but essentially capture your personal details, such as passwords, and then take you to a dead web page. The common Internet protocol in use is ‘https’, which demonstrates that it is a secure site with a secure key that is unique to the service provider. In this way, fintech start-ups ensure the security of their products and services.
Towards cyber resilience
The economy is slowly trying to revive after the crisis brought on by the pandemic. Fintech innovations are pivotal in this revival. Building a cyber-risk free ecosystem is a critical task for fintech companies, which are the future of our financial system. Here is a list of some of the measures that fintech players can take to tighten their cybersecurity systems:
- Regulatory compliance: Complying with the protocols and regulations initiated by various organisations and governments to ensure cyber-risk free systems inside the organisations as well as at the clients’ and customers’ end. India’s premier banking regulator, the Reserve Bank of India (RBI), has introduced regulations for fintech players, including setting up a regulatory sandbox (RS) for live testing of innovative products in areas like retail payments, digital KYC, and wealth management. The international regulations include FINRA, NYS-DFS part 500, PCI-DSS, and recent broad-reaching regulations such as GDPR and CCPA.
- MSSPs: Fintech start-ups can also tie up with a managed security service provider (MSSP). MSSPs manage and monitor the security of devices and systems efficiently. In this way, these start-ups can develop a strong cybersecurity ecosystem in their operations as well as services.
- Cybersecurity to be part of a firm’s DNA – not just a reactive addition: As these cyberattacks have now become a normal event due to their repeated occurrence, cybersecurity measures must be a core part of any system. Every organisation should design a definite cyber-risk prevention framework and ensure its implementation in daily operations. Especially in fintech start-ups, this culture needs to be developed and a proactive approach is necessary from the leaders, employees, clients, and customers to mitigate possible cyber threats and build a strong culture of security.
- Regular penetration tests: As discussed above, fintech start-ups are testing the potential threat inside the organisation using various tools. This needs to be continued and expanded to new areas to explore other possible vulnerabilities or threats. Thus, an organisation can develop a concrete cybersecurity system around its applications and services.
- Collaboration: On July 23, the World Economic Forum’s FinTech Cybersecurity Consortium released recommendations for a common approach to cybersecurity controls. The report suggests that fintech companies increase collaborations with each other, banks, and other financial institutions to enhance the security of the wider financial services supply chain.
The fintech service providers are considered to be the torchbearers in the financial service industry in the post-Covid world. They have the capacity to lead the industry as well as the economy to recover from this current crisis. However, cybercrimes and cyberattacks become a clear hindrance in the financial technology market. Fintech firms need to build a strong cyber resilience system inside and outside their organisations to evade the risks. Ultimately, the onus rests on the individual entities.
Robin Bhowmik is the Chief Business Officer of Manipal Global Academy of BFSI. Views expressed are the author’s own.