The UK is a demanding market for everybody, including FinTech, which must operate under much the same rules as regular banking institutions. Both the legal and the technological requirements exist to protect customers' money. Applying recognised security standards benefits customers and FinTech organisations alike, and satisfies regulators. Which regulations do you need to take care of when entering this market, and what do they mean for your business?
Security requirements from a legal perspective
It can be surprising at first glance, but the United Kingdom, the FinTech hub of Europe and arguably of the world, has no special laws for the sector. FinTech products fall within the existing UK financial regulatory perimeter. That single fact places apps alongside institutions providing consumer credit, insurance, crowdfunding and traditional high-street banking.
There are also many cyber security laws, for the most part compatible with those made in the European Union.
The most important ones are:
An important difference between the UK and the EU when it comes to regulating the FinTech sector is that the UK's Network and Information Systems Regulations 2018 do not apply to banks and financial institutions. Under the EU Network and Information Systems Directive, (EU) 2016/1148, they would, but that is another matter. The reason for excluding the finance sector from this law is that it was considered sufficiently regulated already.
Security standards from a technology point of view
Many startup founders and managers would say that obeying the law is the most important factor for any FinTech company. True, but there are other important factors, such as security and reputation in the market, which are paramount for clients. This applies to public and private companies alike, whether your company is listed or you own 100% of it. There is always the matter of public perception, which can derail even the best business and marketing plans.
A memorable market disaster happened in 2016 and became known as "the saddest $5 billion deal in tech history".
Basic security solutions for FinTech
If you want your business to be safe and resilient against potential disaster, think about and implement these five steps:
A dedicated cyber security team
To spot vulnerabilities and make the app resistant to attacks and other threats, you need cyber security experts, and not for a single occasion but available on demand. They should work on every step of the System/Software Development Life Cycle (SDLC). They are not cheap, so consider team augmentation to fill the gaps. Their role does not end when the product is done: they support the app with updates and monitor the threat landscape.
This does not mean specialists will sleep in your office. A lot of their work can be automated with a security information and event management system (SIEM), which collects and correlates logs in near real time and raises alerts on suspicious activity. Note that a SIEM detects rather than prevents: someone still has to triage each alert and act on it, which is why the team matters.
1. ISO 27001
ISO 27001 certification is a good way to demonstrate that your organisation meets the data security expectations of the FinTech market. It focuses on the information security management system, or ISMS, around your product rather than on the product itself. There are multiple steps to certification, but it is worth it: you gain evidence that strengthens your product's transparency in the market, you go through a proper process of risk assessment and of identifying and fixing the app's flaws, and you learn how to implement security controls properly and review them on a regular basis.
2. Penetration testing
Penetration testing is a simulated attack. Performed by an ethical hacker, a "white hat", it exposes your product to a skilled specialist who turns it upside down looking for security flaws. These experts use the same techniques available to real-life attackers; they try to breach your system in every way possible, find the holes and propose ways to manage and fix them.
The problem is the nature of their work. They are usually external testers hired for a job: they come, perform, leave a report and go. They cannot replace an internal cyber security team. What matters, however, is that regular testing helps keep your data safe and supports your ISO 27001 obligations, while boosting the product's and brand's credibility in the market.
3. Trained and professional employees
Unfortunately, many attacks succeed without breaching any technological barrier. This is possible because many employees do not follow procedures carefully enough, or at all. In some cases the problem lies in faulty procedures, which can and should be changed or replaced entirely. Manipulating staff with high-level access through phishing emails or other online scams is nothing extraordinary.
A good example is Twitter, which fell victim to what the company called a "coordinated social engineering attack". Raising staff awareness reduces the odds of this, though awareness alone is not enough: access to high-privilege internal tools should also be limited to the people who need it and protected by strong authentication.
4. Quick and efficient responses
When the worst has already happened and you have fallen victim to a breach, you need to think about the next step. Actually, steps, since nothing is easy after such an event. There are three basic rules every organisation needs to follow; with them you can react properly to a security breach.
What you need to do:
When security is breached… Finastra case study
FinTech app development is tricky. You need to include factors like security and regulatory compliance; they are essential for your business and shape the entire process of creating a product. Even the largest, most established financial services providers can be punished or fall prey to hackers, just as Finastra did last year. What makes this case important is that Finastra works with leading banks, so the company's problems can affect millions of customers.
What can you do to avoid or mitigate risks?
The weakest link – invariably human
Human error is the most common cause of successful attacks. In Finastra's case, someone simply failed to patch the VPN to the latest version. That is a perfect situation for attackers: they can use already-known exploits and break in fairly easily, and that is what happened this time. The attackers used a vulnerability known as CVE-2019-11510, a pre-authentication arbitrary file read in Pulse Secure's VPN appliance, which let them read files from the host without logging in and triggered the chain of events that eventually broke the security system.
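As an added example (not code from the original article, from Finastra or from Pulse Secure), here is the kind of detection logic a SIEM or log pipeline, as described earlier, could run over VPN gateway access logs to catch attempts at the file-read flaw above. The log lines are constructed for the example, the watch-list of sensitive paths is an assumption, and the request shape matched is the publicly reported CVE-2019-11510 traversal through the /dana-na/ handler. It only detects and reports; it blocks nothing.

```python
"""Added example: flag path-traversal / CVE-2019-11510-style requests in access logs.

Constructed sample data; the sensitive-path watch-list is an assumption for the
example. This detects and reports, it does not block anything.
"""
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Combined-log-format parser (client IP, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed watch-list: files an unauthenticated VPN client should never be served.
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow")

# Constructed sample lines; line 2 follows the publicly reported CVE-2019-11510
# request shape, line 3 is the same traversal with percent-encoded dots.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2020:10:00:01 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2020:10:00:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1788 "-" "python-requests/2.22.0"',
    '203.0.113.9 - - [01/Mar/2020:10:00:09 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow?/dana/html5acc/guacamole/ HTTP/1.1" 403 199 "-" "curl/7.64.0"',
    '10.0.0.7 - - [01/Mar/2020:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decoded_path(target):
    """Path part of the request target, percent-decoded twice to defeat double encoding."""
    path = urlsplit(target).path
    for _ in range(2):
        path = unquote(path)
    return path


def resolved_path(target):
    """Collapse ../ segments the way a file server would (leading ../ at root is dropped)."""
    return normpath("/" + decoded_path(target).lstrip("/"))


def classify(rec):
    """Return detection tags for one parsed request (empty list = nothing suspicious)."""
    raw = decoded_path(rec["target"])
    resolved = resolved_path(rec["target"])
    tags = []
    if any(seg == ".." for seg in raw.split("/")):
        tags.append("path-traversal")
    if resolved.startswith(SENSITIVE_PREFIXES):
        tags.append("sensitive-file")
    # Shape of the public CVE-2019-11510 probe: /dana-na/ entry, guacamole path, traversal.
    if raw.startswith("/dana-na/") and "/dana/html5acc/guacamole/" in raw and ".." in raw:
        tags.append("cve-2019-11510-pattern")
    # A 2xx on a traversal means the appliance served the file: treat as likely compromise.
    if tags and 200 <= rec["status"] < 300:
        tags.append("served-2xx")
    return tags


def scan(lines):
    """Return one alert per suspicious request, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                           "path": resolved_path(rec["target"]), "tags": tags})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f'{a["ts"]} {a["ip"]} {a["status"]} {a["path"]} {",".join(a["tags"])}')
```

The status code is the triage signal: a 403 on the traversal means the request was refused, while a 200 means the file was handed to an unauthenticated client and the appliance should be treated as compromised (session data on it may already be gone), not merely patched.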
Results of the attack
As a consequence, a company employing over 10,000 people, with reported revenue of $2 billion for 2019, was forced to disconnect all its systems from the internet and conduct an investigation. Worse, vital data about top banks from over 40 countries may have been stolen and sold on the black market. All because of a simple mistake and an even simpler missed update...
Most security breaches are preventable
It starts with picking the right technology partner to build and maintain your product. Security begins... well, at the beginning, when you and the development team choose the technology stack and architecture for the app, and it continues for as long as the product runs, with patching and monitoring that never stop. FinTech app development is not something to treat lightly: data and credibility are at stake.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.