Cybersecurity can power fintech to new heights
Leo Cole, VP—Marketing at DarkMatter, discusses the correlation between fintech and cybersecurity.
Innovations in financial technology (fintech), and the growing importance of online transactions in the wider banking and finance sector, mean that instituting and maintaining the highest levels of end-to-end cybersecurity resilience is imperative if the momentum of innovation is to be sustained.
The number and scope of cyberincidents affecting the banking and finance sector are well documented, with estimates of the losses incurred annually through cyberattacks ranging from tens to hundreds of billions of dollars. From an industry standpoint, efforts are intensifying to mitigate cyberthreats before, during and after incidents occur, though more can still be done.
Last year, for example, the Dubai Financial Services Authority (DFSA) announced its willingness to engage with the rapidly evolving world of fintech. The Authority’s efforts in this area are in conjunction with those of the Dubai International Financial Centre (DIFC) Authority, and are in line with the broader innovation strategies of the UAE’s local and federal governments.
The DFSA has been discussing opportunities with interested fintech companies and startups looking to test innovations within the Authority’s regime for some time now. In response to these enquiries, at the beginning of March 2017, the DFSA issued a consultation paper that it believes will assist current stakeholders and the wider public to better understand how the Authority intends to deal with future enquiries from those interested in establishing a presence in the DIFC for a fintech business.
The DFSA does not propose introducing new rules, and instead its month-long consultation process (which closed 5 April 2017) was geared towards considering how the Authority can make use of the flexibility in its regime to facilitate the testing of innovative fintech business models in the DIFC.
We applaud this consultation process, and the Authority's openness and forward-looking approach to the technical advancement of the financial services sector. It is our view that the ramp-up of fintech is a positive development, but one that can only proliferate if a standard level of cybersecurity exists across interconnected networks and endpoints.
This standard level of cybersecurity may also be described as cyberresilience, which requires entities operating digital infrastructure to follow the cybersecurity life-cycle: planning, prevention, detection and protection, and response to digital threats.
Fintech companies should understand their risk profile before initiating a cybersecurity management and mitigation exercise. That understanding covers all of their digital assets, the full range of threats they may face, the vulnerabilities those threats could exploit, and how best to protect themselves against them.
The planning stage of the life-cycle covers threat assessment, which is often best carried out by an experienced third party, since such a party is likely to have a much clearer perspective on the risk landscape. Vulnerabilities may arise in technology, processes and people. Once the cybersecurity function of a company has a firm handle on its risk profile, it can move to take appropriate mitigation measures.
An entity can then move to the remaining three stages of the cybersecurity life-cycle, which are aimed at mitigating the effects of any cybersecurity threat: prevention, detection and protection, and response to incidents.
Prevention requires an entity to understand the configuration of its network and, most importantly, who has access to it. One cannot protect what one does not understand, so a thorough audit is vital at the start of any mitigation process. Network-mapping software can certainly accelerate this process, but a comprehensive audit ultimately requires people on the ground to ask the right questions, locate servers and establish who holds which access rights.
Detection and protection relates to mapping a system's characteristics against known threats and the vulnerabilities those threats exploit. It takes the threat intelligence gathered during the risk assessment and relates it to the specifics of the company's systems, which then informs the deployment of active cyberdefences to protect systems and data.
Response relates to the range of tools and actions that can be brought to bear to deflect or contain cyberattacks, and draws on the information aggregated in the preceding phases. The response is guided by information presented in a form that decision makers can readily understand, so that they can act quickly. In particular, attacks and the responses to them should be logged and diagnosed systematically.
Fintech companies need to adopt a proactive approach to cybersecurity in which they assume a state of breach, so that defences and mitigation mechanisms are already in place to detect and minimise the disruption caused by any cybersecurity incident as it occurs.
The threat of cyberattack does not loom over fintech companies in isolation. Digitisation means organisations across all sectors are being targeted by an array of threat actors seeking to steal, disrupt or compromise the normal functioning of their digital assets. The risk of loss associated with cyberincidents has escalated in recent years, and demand for cyberincident insurance has scaled new heights as a result.
Global advisory firm PwC estimates that annual gross written premiums for cyber insurance will increase from around $2.5 billion to $7.5 billion by the end of this decade. By 2025, according to a report from Allianz Global Corporate & Specialty, this could jump to over $20 billion, a compound annual growth rate of more than 20 per cent.
Tying back into the cybersecurity life-cycle described earlier, insuring losses arising from cyberincidents will require a much higher level of cybersecurity awareness, scrutiny and monitoring. Insurers are currently at a big disadvantage here, as they often have little or no visibility of the state of an entity's cyberdefences. A pure risk-based analysis is insufficient; better tools are required to assess how effective a company's cyberdefence spending and layers of protection actually are.
In effect, this means insurers do not know how much to charge for cyber policies. Mispriced policies could lead to bankruptcy for insurers, with negative knock-on implications across economies.
What is required is a cyberdefence condition dashboard that can determine the level of protection an entity possesses, and how likely a future cyberattack on that company is to succeed, based on its current protections, policies, standards and other factors.
It is becoming increasingly apparent that further advances in the digital economy will only succeed if they are accompanied by a robust cybersecurity posture.