Cyberrisk Management for Fintechs and Banks

By Ronak S. Desai, CAMS, and Angie K. Hipsher-Williams, CISA, QSA

As regulators have made clear, for financial technology (fintech) companies and banks alike, the days of relegating cybersecurity to the back burner are gone.

Even the casual reader of the news can tick off the names of organizations that recently have been victims of high-profile cyberattacks: the 2016 Democratic National Convention, Yahoo Inc., and Target Corp., to name a few. In our increasingly digitized world, the threat of data breaches is no longer a distant notion. Companies have attempted to ratchet up their defenses, and global spending on cybersecurity is expected to reach $170 billion in 2020.1

Banks and fintech companies, which handle reams of sensitive data – not to mention cash – are a tempting mark for hackers. A recent study found that financial services companies experience three times the number of cyberattacks relative to other industries.2

Both sectors have been subject to increased scrutiny by regulators in recent months, and it’s clear that more comprehensive regulatory oversight is on the horizon.

Fintech in the Crosshairs

The number of fintech start-ups more than doubled from 2015 to 2016.3 Given the parallel rise of both cyberthreats and fintech, it should come as no surprise that regulators have begun to take notice. In two separate actions earlier this year, the Consumer Financial Protection Bureau (CFPB) signaled that the fintech industry is in its crosshairs.

The CFPB took action against the digital payment company March 2016, when the bureau levied a $100,000 fine and ordered the company to amend security flaws, improve employee training on data security policies and procedures, enact comprehensive data security measures and policies, and stop deceiving customers about the security of its online payment system.4 This was the CFPB’s first action in the area of cybersecurity – made even more notable because the company had not experienced a data breach.

Immediately following this action, in the bureau’s second effort to home in on fintech companies, the CFPB announced that it would begin to accept consumer complaints related to problems with online marketplace lenders.

While plenty of fintech companies have well-established programs for preventing, recognizing, and countering cyberattacks, many remain exposed due to lack of resources, connections, or knowledge.

What About Banks?

The dawn of new cybersecurity regulations poses threats and challenges to banks as well. In September 2016, New York Governor Andrew Cuomo introduced a new set of proposed cybersecurity regulations for banks.5 The proposal includes new requirements about risk assessments and penetration testing, encryption standards for nonpublic information, hiring cybersecurity-focused personnel, and notifying regulatory officials when data breaches occur. While these proposed regulations are at the state level, New York’s role as a major national hub for financial services means that the impact of these changes would be widely felt.

More broadly, the Federal Deposit Insurance Corporation (FDIC) in June implemented the new Information Technology Risk Examination (InTREx) program as a means to better assess banks’ IT risks.6 The InTREx program includes an assessment of banks’ cybersecurity preparedness.

In this new environment of heightened cybersecurity awareness, the implications for banks include potential for significant costs and a new level of accountability to both regulators and customers.

Mitigating Security and Consumer Privacy Threats

Firms must get in front of the threat of cyberattacks and punitive regulatory actions, both of which have the potential to deal a fatal blow to a business. The best way for companies to insulate themselves is to develop a risk management strategy that lays out a clear defense against cyberattacks. To accomplish this, companies should take the following actions. A discussion of each follows.

  1. Develop a broad-based security and governance strategy.
  2. Implement and maintain layers of protection, starting from the inside.
  3. Manage third-party risks.
  4. Establish monitoring protocols, incident response, and cyber resilience.

1. Develop a Broad-Based Security and Governance Strategy.

A proactive approach to securing a company’s data and operations begins with a broad-based security and governance strategy. Good governance begins with a culture that supports security. This includes engagement from top executives – an imperative that became clear after Gregg Steinhafel, Target’s CEO, president, and chairman, resigned in the wake of the 2014 data breach.7 Moreover, cybersecurity should be viewed not as an IT cost but as a broad strategic initiative that is critical to a business’s success.

In other words, security must be embedded into all areas of the business, not relegated to the sidelines. All staff, across the entire organization, should be trained on security protocols in order to shore up the company’s cybersecurity defense. Since phishing and ransomware (social engineering) are often the point of entry for an attacker, education and technical controls such as white listing and endpoint protection are critical.8

Firms should also engage their boards of directors in developing and maintaining cybersecurity controls. Many companies do not prioritize retaining a board member with the expertise to engage in issues related to cybersecurity. This is a mistake in a world in which it’s not a question of if, but when, an organization will become a cyberattack victim. Boards should require quarterly reporting from management in order to understand and approve risk mitigation initiatives. This reporting should include updates on cybersecurity projects, monitoring, and incidents.

2. Implement and Maintain Layers of Protection, Starting From the Inside.

Companies should establish a variety of controls to keep bad actors out, but equally important is the need to establish – and maintain – layers of protection against threats developing on the inside. Employees are often overlooked as a source of vulnerability, and recent revelations of fraud at JPMorgan Chase & Co.9 and Wells Fargo & Co.10 should serve as cautionary tales about the damage insiders can do. Companies must work to ensure that staff members are engaging with the system only as authorized and not manipulating or changing the system outside of the knowledge of the company’s management.

This begins with user credentials that enable the company to track employees’ actions and hold them accountable. Regular reviews of these roles and permissions should be conducted to make certain that users not only have proper access but also are operating within the bounds of system security protocols.

Employee credentials – and, for that matter, vendor and customer credentials – should use multifactor authentication. With multifactor authentication – a critical network management tool being pushed out broadly, across industries – users must verify their identity through multiple categories of credentials. Users must present at least two pieces of information across three categories: in industry parlance, something you have, something you know, and something you are. For the last category, “something you are,” the use of biometrics – such as fingerprint and iris scans – is becoming more widespread.11

Network segmentation should be used to secure systems behind firewalls and on virtual local area networks (VLANs) to require pivoting through the network to get to the most important systems. These VLANs restrict what kind of traffic can communicate with networks and over what ports in order to restrict access at another level.

Vulnerability management – making certain that the company is keeping up with the changing outside world with zero-day vulnerabilities – is essential. Finally, there has been a big push to devalue sensitive data through controls such as encryption and tokenization to try to ensure that, even if the data is reached, it is unusable to outsiders.

3. Manage Third-Party Risks.

Particularly in the early stages of the business, startups often run lean and must outsource IT functions to third-party companies. Third parties are hired sometimes for hosting data, managing a firewall, processing credit card information, network monitoring, and more. All of these relationships can introduce risks into the business. To protect themselves against those risks, companies must:

  • Carefully vet prospective third-party entities, paying close attention to security track records
  • Establish clear expectations from the outset that third parties will go above and beyond to protect the firm’s data and systems
  • Clearly articulate security standards to the third parties
  • Require the ability to audit third parties’ activities and systems to verify their compliance with security standards

Companies should have an employee or, better yet, a team in place to address these concerns, monitor a third party’s ability to meet the companies’ expectations, and manage issues as they arise.

4. Establish Monitoring Protocols, Incident Response, and Cyber Resilience.

Finally, companies should expect that they will be hacked. They must establish a monitoring protocol so that they recognize an exception on the network when they see it. Going a step further, firms need to develop incident response plans that articulate specific actions to take when something goes wrong.

Cyber-resilient companies can continue operating in the face of an attack. Doing so requires a cyber resilience plan, which includes in-house experts, or outside specialists on retainer, who are ready to mitigate the consequences of an attack and help minimize business interruptions. Along with staff members or third parties who can conduct forensics examinations, a legal team and cybersecurity insurance might be part of the plan as well.12

Don’t Be Caught Flat-Footed

Financial services companies have an obligation to protect their customers’ data, and in today’s world that imperative has become increasingly complex. It’s important for fintech companies and banks not to be caught flat-footed when it comes to cybersecurity, because the consequences could be dire for both customers and the institutions themselves.

Recent regulatory action should serve as a reminder that it does not take a high-profile slip-up to catch the attention of regulators. Companies can protect themselves by being proactive about risk management.

1 Steve Morgan, “Worldwide Cybersecurity Spending Increasing to $170 Billion by 2020,” Forbes, March 9, 2016.
2 Kelly Jackson Higgins, “Banks Targeted by Hackers Three Times More Than Other Sectors,” InformationWeek Dark Reading, June 23, 2015.
3 Miklos Dietz, Somesh Khanna, Tunde Olanrewaju, and Kausik Rajgopal, “Cutting Through the Noise Around Financial Technology,” McKinsey & Co., February 2016.
4 “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices,” news release, Consumer Financial Protection Bureau, March 2, 2016.
5 Christopher M. Matthews, “New York Proposes Cybersecurity Regulations for Banks,” Wall Street Journal, Sept. 13, 2016.
6 Financial Institution Letter 43-2016, “Information Technology Risk Examination (InTREx) Program,” Federal Deposit Insurance Corporation, June 30, 2016. Also see Jeffrey Sacks, “FDIC InTREx Program Is Here,” Cybersecurity Watch Blog, Crowe, Sept 6, 2016, /cybersecurity-watch/fdic-intrex-program/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed:+CroweCybersecurityWatch+(Crowe+Cybersecurity+Watch)
7 Trefis Team, “Target’s CEO Steps Down Following the Massive Data Breach and Canadian Debacle,” Forbes, May 8, 2014.
8 Kiel Murray, “Ransomware Preparedness: Are You Ready for a Data Hostage Situation?” Cybersecurity Watch Blog, Crowe, May 26, 2016, /cybersecurity-watch/ransomware-data-hostage-ready/
9 John Adams, “An 'Impossible' Task: Stopping Insiders From Robbing the Dead,” American Banker, Dec. 29, 2015.
10 Heather Kelly, “Wells Fargo Sued by Customers Over Fraudulent Accounts,” CNNMoney, Sept. 16, 2016.
11 Candice Moschell, “Multifactor Authentication Is Easier Today,” Cybersecurity Watch Blog, Crowe, Aug. 22, 2016, /cybersecurity-watch/multifactor-authentication-easier-today/
12 Raj Chaudhary, Matt Cupp, and Candice Moschell, “Passwords Are Not Enough: Protecting an Organization's Assets With Multifactor Authentication,” Cybersecurity Watch Blog, Crowe, Sept. 12, 2014, /protect-digital-resources/