As Fintech Charges Ahead, Are Cybersecurity Measures Keeping Up?

The rise of virtual products and services in banking is revolutionizing the financial industry all around the globe. Suddenly, people who never had access to financial services now find themselves with a plethora of options available with a few taps on their smartphones.

For example, data from the International Monetary Fund published in September 2019 shows that in Afghanistan, “where less than 200 out of 1,000 adults have bank accounts,” mobile money has increased fourfold over the past five years “to reach 1.2 percent of GDP in 2018.”

And the phenomenon isn’t limited to developing countries or even just the financial industry itself–suddenly, companies across the board are taking an interest in offering financial services in various capacities to their users as they search for new revenue streams and new ways to serve their clients.

In fact, PriceWaterhouseCoopers, in its “Financial Services Technology 2020 and Beyond: Embracing Disruption” report, said that all over the world, “finTech start-ups are encroaching upon established markets, leading with customer-friendly solutions developed from the ground up and unencumbered by legacy systems.”

This has caused some anxiety among established industry players who are concerned about being able to keep up with the pace of technological innovation. 70% of respondents to the company’s Global CEO Survey said that the “speed of change in technology was a concern” as far as keeping up with the competition.

However, being able to match the agility of challenger banks and fintech startups isn’t perhaps the only reason to be concerned about the pace of innovation in financial technology.

Indeed, the acceleration of technological innovation presents a new and unique set of security risks to the users of virtual banking and fintech platforms.

What are these risks? And is the development of cybersecurity solutions and safety nets moving as quickly as the development of these fintech platforms?

Problems in APAC could be an indicator for the rest of the world

The issue has been a matter of concern in regions of the world where virtual banking has taken a particularly strong hold.

Indeed, in its latest Global Fintech Adoption Index, multinational professional services firm Ernst & Young (or EY) found that the APAC region is charging ahead in terms of the proliferation of fintech platforms.

“In just two years, consumer usage rates of FinTech-powered services have doubled, and in some cases tripled, across key Asia-Pacific markets,” the report said. This includes Hong Kong, Singapore, and South Korea, which have each achieved 67% FinTech adoption; Australia follows close behind at 58%.

Still, the report says that at 87% penetration, China is the clear leader in fintech adoption–“except for India, which is now nearly tied with Asia’s leading digital power.”

Jumio recommends the adoption of electronic know-your-customer (eKYC) and anti-money laundering (AML) solutions that safely and compliantly acquire customer data without placing an extra burden on customers. (It should be noted that Jumio provides eKYC and AML services itself.)

Indeed, Jumio said that finding this kind of a solution is a “delicate balancing act”: on the one hand, “prioritizing fraud detection adds incremental friction to attain higher levels of identity assurance.”

On the other hand, however, “if you have too much friction, conversion rates drop off and you’re left with disenfranchised prospects.”

Alexey Khitrov, co-founder and President of identity verification firm ID R&D, also noted this trend in an email to Finance Magnates. “While digital banking requires strong security, customers are not willing to sacrifice ease and speed,” Mr. Khitrov said.

Therefore, “It’s important that financial institutions pay close attention to the user experience and take steps to eliminate friction whenever possible. For example, in Digital Onboarding we see increased application abandonment when identity verification requires users to perform hard-to-follow actions in order to prove liveness.”

Solutions must be tailor-made depending on a company’s needs, but they must address a certain set of issues

In other words, with concerns of cybersecurity, compliance, and user-friendliness, fintech’s cybersecurity problem is very complex–and as such, it probably requires complex solutions. This could mean the creation of home-grown solutions that attempt to address each aspect of identity verification and cybersecurity or the use of a number of different third-party solutions that separately address various aspects of the problem.

In either case, there is no one-size-fits-all answer: each company’s solution will need to be tailor-made, one way or another.

Still, Mr. Klein says that there is a guiding set of “Zero-Trust” principles that companies are increasingly adopting to form the security and compliance infrastructures that they use.

“In response to these threats financial institutions are increasingly adopting Zero Trust strategies and active defense measures to protect critical financial systems like SWIFT payments infrastructure, cardholder data environments (CDE) and customer PII to reduce the attack surface and meet data protection and compliance requirements,” Klein said.

These “Zero-Trust” infrastructures reduce risks by taking steps toward decentralizing customer data, making it more difficult for a malicious actor to gain access to it.

In other words, this “micro-segmentation” makes it possible for companies to store KYC data in one place, while transaction data and account access data may be stored separately. Therefore, if a hacker gains access to one set of data, they may not be able to access other pieces.

“A Zero-Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter,” he explained. “At the core of Zero-Trust is the application of ‘micro perimeters’ of control around sensitive data assets.”

“These ‘micro perimeters’ require micro-segmentation and software-defined segmentation to segment off critical banking systems, reduce the attack surface and streamline compliance in any environment,” Mr. Klein said.

This means that “financial institutions can reduce the attack surface of critical financial systems and prevent the exfiltration of sensitive data by applying micro-segmentation for fine-grained access control.”

Building a “Zero-Trust” infrastructure

What does this kind of Zero-Trust infrastructure look like on a practical level? Mr. Klein told Finance Magnates that “Institutions that seek to adhere to Zero Trust principles must successfully leverage security solutions that are specifically designed to provide the following:

Total visibility. Real-time and historical capability to visualize and map application dependencies and flows across financial systems. This visibility is key to producing error-free, accurate, granular, and tight micro-segmentation policies.

Enforcement capabilities around these micro-segmentation policies that include process, user, and fully qualified domain name. These capabilities enable teams to reduce the attack surface and limit exposure to crown jewel applications.

Meet compliance requirements. Quickly map and separate compliance-related systems and infrastructure such as SWIFT, PCI, CCPA, SHIELD, GDPR, Mexico FDPL, et cetera.”

In addition, these systems “must work across the complex, heterogeneous banking environment from legacy systems to virtualized workloads, and to containers, serverless and clouds.”
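
The enforcement idea described above can be sketched in a few lines. This is an added illustration, not code from the article or from any vendor's product: observed flows are checked against allow rules keyed on process, user and fully qualified domain name, and anything unmatched is denied. The segment names, hosts, accounts and the default-deny rule model are assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Flow:
    """One observed connection, as a flow-visibility tool might record it."""
    segment: str    # source segment the workload lives in
    process: str
    user: str
    fqdn: str       # destination fully qualified domain name
    port: int

@dataclass(frozen=True)
class Rule(Flow):
    """Allow rule with the same fields; process, user and fqdn accept '*' globs."""
    def matches(self, f: Flow) -> bool:
        return (f.segment == self.segment and f.port == self.port
                and fnmatchcase(f.process, self.process)
                and fnmatchcase(f.user, self.user)
                and fnmatchcase(f.fqdn.lower().rstrip("."), self.fqdn))

# Constructed policy: KYC, transaction and SWIFT systems are separate segments.
POLICY = [
    Rule("onboarding", "kyc-api", "svc-kyc", "kyc-db.bank.example", 5432),
    Rule("payments", "ledger", "svc-ledger", "txn-db.bank.example", 5432),
    Rule("payments", "swift-gw", "svc-swift", "*.swift.bank.example", 443),
]

def is_allowed(flow, policy=POLICY):
    """Default deny: a flow passes only if one rule matches every field."""
    return any(rule.matches(flow) for rule in policy)

def violations(flows, policy=POLICY):
    """Observed flows that no rule permits: candidates to block or review."""
    return [f for f in flows if not is_allowed(f, policy)]

# Constructed flow records (hypothetical hosts, users and processes).
OBSERVED = [
    Flow("onboarding", "kyc-api", "svc-kyc", "kyc-db.bank.example", 5432),
    Flow("onboarding", "kyc-api", "svc-kyc", "txn-db.bank.example", 5432),  # crosses segments
    Flow("payments", "python3", "svc-swift", "mt.swift.bank.example", 443),  # unexpected process
    Flow("payments", "swift-gw", "svc-swift", "MT.Swift.bank.example.", 443),  # case/trailing dot
]

if __name__ == "__main__":
    for flow in violations(OBSERVED):
        print("DENY", flow)
```

Running the same check over historical flow records before turning enforcement on shows which legitimate dependencies a draft policy would break.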

Looking into the future, Mr. Klein said that in general, “banks and other enterprise organizations must do more to shore up low hanging fruit that attackers take advantage of. They must address things like poor password control and dual-factor authentication, certificate management, running workloads under least privilege (without admin rights), account management control and vulnerability assessment and patching.”

What are your thoughts on fintech and cybersecurity? Let us know in the comments below. 
