Spotting Vulnerabilities Is Crucial for Fintech, Banking Security

Financial transactions are a natural target for cybercriminals. Fintech companies and traditional banks are governed by strict cybersecurity regulations and must be careful when exchanging data due to the risks and vulnerabilities involved in the process, agreed industry experts.

“Companies operating in financial services are targets of various forms of crime and fraud. Now, in the post-pandemic era, we have learned that data is necessary. The exchange of information between financial institutions is key. However, there are important risks to take into account too,” said Valther Galván, CISO, Prosa.

Fintech companies handle the same types of financial data as banks, including account information, balances, cash flow data, budgets and contact information. These companies aim to store as much specific and useful data as possible due to the high value of this information, particularly for AI and machine learning (ML) projects. However, storing large volumes of data makes these companies a more valuable target for cybercriminals.

When it comes to exchanging data, involved players must decide which information they will share, said Galván: “We have a filter according to regulations and global standards that forces us to have a very clear scope of what data will be shared. For large amounts of data, it is important to implement AI and automation.”

While it became more popular after the pandemic, data exchange is nothing new, said Jorge Lozano, Information Security Manager, Mandiant. Financial service companies leverage data to manage risks and position their brands, and the main challenge for these organizations is to work jointly to properly manage the risk scenarios they might face, he added.

Whether it is a traditional bank or a fintech company, the cost of a breach includes both direct and indirect costs, such as reputation damage and fines. A single breach could also drive thousands of customers away. In the case of fintech startups or companies that are experiencing hypergrowth, loss of customer trust and reputational damage may be the costliest aspect of a breach.

Reputation plays an essential role within the fintech and banking environments. “Reputation, or the public opinion about somebody or something, is a concept we take in consideration for most decisions in society,” wrote for MBN José Andrés Chávez, Co-Founder and CEO, Bayonet.

Among other cybersecurity best practices, organizations must be committed with securing customers’ data and be prepared to handle possible breaches when they happen, said Lozano: “It is not a matter of whether it will happen to me or not, but when it happens to me, how will I react?” Assertive, transparent and clear communication is a crucial part of crisis management, he added.

The establishment of appropriate controls and policies to reduce cybersecurity risks is both a matter of organizational culture and deploying the right toolset, according to IBM. Building a strong cybersecurity stance provides insight into threats and helps ensure regulatory compliance. “We test our processes through plans. We do exercises, cyberattack simulations to prove that our processes work,” said Galván.

When it comes to data exchange and there are two or more involved players, they must work as a team to map the security architecture of all companies involved, said Lozano. Creating a collaborative environment for all organizations involved is crucial, he added.

The pandemic helped companies across all industries to realize the importance of cybersecurity and invest accordingly, said Galván. The main keys for companies to successfully implement cybersecurity include the implementation of a holistic and clear strengths, weaknesses, opportunities and threats (SWOT) vision in terms of data security, avoiding investments directed to projects intended only for parts of the entire security infrastructure and remaining aware of the global situation, he added.

On the other hand, companies must take care of their teams working on cybersecurity, said Lozano: “Whether it is a third-party provider or not, you will always need someone in-house to manage those third parties. It does not have to be a large team, but there should be a person that can coordinate all the security efforts and has enough expertise.”