FinTechs prove tempting prey for cyberattacks

By Risk Performance and Technology group

Original, as it appears on Finance et Investissement –

In 2017, FinTechs became a target of choice for cybercriminals. Most FinTechs are businesses in the process of development, striving to minimize their investments while maximizing their outreach. Communication implies exposure, however, and because such companies are technically advanced, conceptually speaking, they are more likely to balance on the edge of the cyber-risk knife than are the more “conventional” businesses.



Let’s not over-generalize. I’m not saying that all FinTechs are leaving themselves open to attacks due to insufficient cybersecurity… far from it! My point is that their situation and the current context of cybercriminality make them inherently more exposed and vulnerable to the latest cyberthreats.

So what does all this mean? In previous articles, I discussed what an Eldorado our confidential data was for cybercriminals.

Inasmuch as perfect anonymity is not really possible on the Internet, it has become simpler for a criminal to steal the average Joe’s digital identity to conduct illicit transactions. This is why the most common targets are health-record data or financial data, which can then be shopped around on the dark web to the delight of cybercriminals.

I think it is important for us to remember that it is not the actual size of a company that determines the value of data, but rather the nature of the data it possesses about employees, clients, partners, or its banking, invoicing and payroll figures, for example. Long gone are the days when the only companies targeted were those that stored or managed data regarding credit cards or confidential intellectual property. All businesses have something worth targeting.

As a result, companies employing an IT team, possibly with a cybersecurity unit, are less attractive targets than, say, a fintech that may be a little more technologically advanced but may not yet have the wherewithal to deploy proper security practices. Such FinTechs may well partner with their clients, prospects or business partners to test their prototype for a new portal by creating so-called pilot projects involving real and confidential data. These kinds of ventures are a real boon for pirates, who can then attack financial, banking or estate data without any resistance from the type of cybersecurity monitoring and protection that is now ubiquitous in banks. The data available are much the same but more accessible and easier to mine.

As they start out, fintech companies are not overly concerned about regulators in terms of the risk and operational considerations associated with their technological assets. Brokers are in the same boat. This can be explained by the dearth of means available to compel the regulatory oversight and compliance of such organizations, which are often deemed too complicated.

Since 2017, however, it has been fairly easy to protect a company adequately using “open-source” security products. Companies can now fulfill cybersecurity obligations such as due care and due diligence without incurring undue investments of time and resources. Security hygiene is within everyone’s reach, from independent brokers to advanced FinTechs and even ourselves as individuals. It’s a question of willingness.

In short, since 2017, we have been able to install cybersecurity surveillance, protection and monitoring tools quite readily. I’m not saying that these open-source tools are as functional and effective as commercially available applications. What I am saying is that an initial installation will meet the 80/20 of your needs. Such an initiative is not only the least you can do in terms of organizational practices, but it could also give you a bit of a competitive advantage.