Financial institutions have been attractive targets for thieves since the first bad guy donned a mask and yelled “stick ‘em up!”
In this century, however, bank robbers are more likely to be armed with hacking skills than with guns, thanks in part to the growth of the FinTech (financial technology) industry, which uses technology to make financial services more efficient. With customer data exposed through more channels than ever, banks and FinTechs are easier marks, and the losses and regulatory penalties are far greater if security is taken too lightly.
In one of its first enforcement actions against a FinTech company, the Consumer Financial Protection Bureau (CFPB) levied a $100,000 penalty against Iowa-based startup Dwolla, the Wall Street Journal reported. Dwolla settled with the CFPB while neither admitting to nor denying the agency’s allegations. The company did state that the data security practices the CFPB took action against were old, and that its current security practices were in line with industry standards.
Notably, Dwolla was not accused of having had an actual breach; instead, the CFPB alleged that the company had misrepresented its data security practices, assuring its customers that its practices were compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that their data was being “securely encrypted and stored” while, in actuality, “[failing] to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorised access.”
The CFPB’s action against Dwolla has ushered in a new era of government oversight of the FinTech industry, which has, up until now, operated under much looser regulations than traditional banks.
What can FinTech organisations do to protect themselves against the fallout from data breaches and the related regulatory repercussions? FinTechs should ensure that their information security practices comply with or exceed the PCI DSS, which encompasses data security best practices. Following are five steps, based on the PCI DSS, that every FinTech organisation should take to protect customer data and demonstrate to authorities that appropriate preventative measures are being implemented:
- Ensure that the Organisation’s Network is Secure
FinTechs must maintain a secure network that uses firewall and router configurations to restrict traffic from “untrusted” networks and hosts and to prevent any direct public access to systems that store cardholder data (internet-facing services belong in a DMZ, never on the same segment as the data store). If employees use their own computers and mobile devices to access the organisation’s network, endpoint security, such as threat isolation or active threat defence software, must be installed on them before they are allowed to connect.
Organisations should never use vendor-supplied defaults for system passwords and other security settings (default accounts, default passwords, SNMP community strings, sample applications and the like), as these defaults are widely known and are the first thing an attacker tries. They must be changed or removed before a new system is connected to the network.
- Ensure that Consumer Data is Securely Stored and Transmitted
In general, cardholder and other sensitive consumer data should never be stored – whether in paper or electronic form – unless it is absolutely necessary. If this type of data must be stored, the storage and retention time should be limited to the absolute minimum required for business operations or legal/regulatory purposes, and a process should run at least quarterly to find and securely delete data that has exceeded its retention period. Sensitive authentication data (full magnetic-stripe or chip data, the card verification code, and PINs) must never be stored after authorisation, even in encrypted form. If an organisation must store customer primary account numbers (PAN), they must be rendered unreadable using such methods as one-way hash functions (of the entire PAN, and keyed under PCI DSS v4), truncation, index tokens with securely stored pads, or strong cryptography with proper key management. Note that a truncated PAN and a hash of the same PAN must not be stored where they can be correlated: a PAN has so little entropy that the hidden digits can be brute-forced from the pair.
Cardholder and other sensitive consumer data that is transmitted across open, public networks must be encrypted using strong cryptography and security protocols such as TLS, SSH, or IPsec. SSL and early TLS (TLS 1.0) no longer count as strong cryptography under the PCI DSS (the migration deadline was 30 June 2018), so only current TLS versions with strong cipher suites should be accepted, and unprotected PANs must never be sent over end-user messaging such as e-mail or instant messaging.
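The following is an added example, not code from the article or from Dwolla, showing three of the PAN-protection methods listed above (truncation, keyed one-way hash, and index tokens) side by side, plus the attack the text warns about: given a truncated PAN and an unkeyed hash of the same PAN, the hidden digits are recovered by brute force in a fraction of a second. The sample PANs are the standard test card numbers, not real accounts, and `PLACEHOLDER_KEY` stands in for a key that would in practice live in an HSM or key-management service.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: standard test card numbers (not real accounts) and a
# placeholder key. In production the HMAC key comes from an HSM or key-management
# service and is never stored beside the hashed PANs.
SAMPLE_PANS = ["4111111111111111", "378282246310005"]
PLACEHOLDER_KEY = b"replace-with-a-managed-256-bit-key"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA256) of the entire PAN; lookups recompute it, nobody reverses it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash_pan(pan: str) -> str:
    """Plain SHA-256 of the PAN, included only to demonstrate why it is not enough."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(truncated: str, digest: str):
    """Attacker's view: with a truncated PAN and an unkeyed hash of the same PAN,
    at most nine digits (usually five or six) are hidden, so brute force is trivial."""
    prefix, suffix = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for n in range(10 ** hidden):
        candidate = f"{prefix}{n:0{hidden}d}{suffix}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None   # e.g. the digest was keyed and the attacker does not hold the key


class TokenVault:
    """Index tokens: a random surrogate replaces the PAN everywhere outside the vault.
    A real vault sits inside the cardholder data environment with the PAN column
    encrypted under a managed key; an in-memory dict is used here for illustration."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:            # same PAN -> same token, so lookups still work
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)            # random: no mathematical relation to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        return self._pan_by_token.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        print(truncate_pan(pan), vault.tokenize(pan), keyed_hash_pan(pan, PLACEHOLDER_KEY)[:16])
    amex = SAMPLE_PANS[1]
    print("unkeyed hash recovered:", recover_pan(truncate_pan(amex), unkeyed_hash_pan(amex)))
    print("keyed hash recovered:  ", recover_pan(truncate_pan(amex), keyed_hash_pan(amex, PLACEHOLDER_KEY)))
```

The brute force succeeds against the unkeyed hash and fails against the keyed one, which is the whole reason the keyed variant is required and why truncated and hashed forms of the same PAN must not sit in the same reachable store. Tokens from the vault are safe to pass around precisely because they carry no information about the PAN at all.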
- Limit Access to Consumer Data
According to a Ponemon Institute study, 32 per cent of data breaches come from malicious insiders already in the network. FinTech employees should be able to access only those systems and data that they absolutely need to perform their jobs. So that all activity can be traced to a particular person, each employee must have a unique access ID (shared or generic accounts are not permitted), and must be authenticated using a strong password or passphrase, biometrics, or a token device or smart card; administrative access to systems holding cardholder data should require more than one of these factors. Passwords must never be stored or transmitted in a recoverable form: store only a salted, one-way hash computed with a deliberately slow algorithm, and transmit credentials only over an encrypted channel.
Physical access to systems and consumer data should also be restricted to prevent employees and building visitors from accessing or removing devices, data, systems, or hardcopies.
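The following is an added example, not code from the article, showing how the two access-control points above are implemented in practice: a per-user record that refuses duplicate IDs, and password storage as a salted PBKDF2-HMAC-SHA256 hash that is verified in constant time and transparently upgraded when the work factor is raised. The iteration count, the record format (`pbkdf2_sha256$iterations$salt$hash`) and the `UserStore` class are this example's own choices, not anything the page or the PCI DSS prescribes.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, one-way, deliberately slow hash. Only this string is ever written to storage."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_b64, dk_b64 = parts
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was made with an older or weaker setting than today's."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


class UserStore:
    """One unique ID per person: a duplicate ID is refused so that every action in the
    audit trail maps back to exactly one individual. In-memory dict for illustration."""

    def __init__(self):
        self._hashes = {}
        # Hashing a placeholder for unknown user IDs keeps login timing the same whether
        # or not the account exists, which blunts username enumeration.
        self._dummy = hash_password("placeholder-to-equalise-timing")

    def add_user(self, user_id: str, password: str, iterations: int = ITERATIONS) -> None:
        if user_id in self._hashes:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        self._hashes[user_id] = hash_password(password, iterations)

    def stored_hash(self, user_id: str) -> str:
        return self._hashes[user_id]

    def authenticate(self, user_id: str, password: str) -> bool:
        stored = self._hashes.get(user_id, self._dummy)   # unknown user still costs one hash
        ok = verify_password(password, stored) and user_id in self._hashes
        if ok and needs_rehash(stored):
            self._hashes[user_id] = hash_password(password)   # transparent upgrade at login
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.stored_hash("alice"))
    print(store.authenticate("alice", "correct horse battery staple"),
          store.authenticate("alice", "wrong"), store.authenticate("nobody", "wrong"))
```

The stored record carries its own salt and iteration count, so the work factor can be raised without a forced password reset: the next successful login re-hashes under the new setting. Reversible encryption of passwords would also satisfy "unreadable in storage" on paper, but a one-way hash is the right tool because the application never needs the plaintext back.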
- Track and Monitor Networks, and Test Security Systems and Policies
System vulnerabilities must be identified and fixed before they are discovered and exploited by an attacker. Network components, processes, and custom software should be tested on a regular basis to ensure that security controls are still effective, especially after deploying new software or making changes to the system’s configuration. Internal and external vulnerability scans should run at least quarterly and after any significant change, with the external scans performed by an approved scanning vendor.
Internal and external penetration testing should be conducted at least annually and whenever significant system upgrades or modifications are made. Secure, tamper-evident audit trails should log system events and user activity (every access to cardholder data, every administrative action, every failed and successful login), logs related to security functions should be reviewed at least daily, and logs should be retained for at least a year with the most recent three months immediately available for analysis.
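The daily log review above is only useful if someone, or something, actually reads the audit trail for the patterns that matter. The following is an added example, not code from the article, of the simplest such check: it parses constructed sshd lines in syslog format, flags any source address that fails authentication five or more times within ten minutes, and separately flags a successful login from an address that has already been flagged, which is the event worth escalating. The threshold, window, host name and addresses are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog format; the host name and the
# documentation-range addresses are placeholders, not from any real system.
SAMPLE_LOG = """\
Mar 14 02:11:01 pay-api sshd[1204]: Failed password for ops from 203.0.113.7 port 51000 ssh2
Mar 14 02:11:03 pay-api sshd[1205]: Failed password for ops from 203.0.113.7 port 51001 ssh2
Mar 14 02:11:05 pay-api sshd[1206]: Failed password for ops from 203.0.113.7 port 51002 ssh2
Mar 14 02:11:07 pay-api sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar 14 02:11:08 pay-api sshd[1208]: Failed password for ops from 203.0.113.7 port 51004 ssh2
Mar 14 02:11:10 pay-api sshd[1209]: Failed password for ops from 203.0.113.7 port 51005 ssh2
Mar 14 02:11:12 pay-api sshd[1210]: Accepted password for ops from 203.0.113.7 port 51006 ssh2
Mar 14 02:12:00 pay-api CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 09:30:44 pay-api sshd[2333]: Failed password for alice from 198.51.100.20 port 40010 ssh2
Mar 14 09:30:59 pay-api sshd[2334]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5     # assumed policy values; tune them to the environment
WINDOW_SECONDS = 600


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None.
    Syslog lines carry no year, so the caller supplies it (2024 assumed for the sample)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def review_auth_log(text: str, threshold: int = FAIL_THRESHOLD, window: int = WINDOW_SECONDS):
    """Flag bursts of failed logins per source address and any success that follows one."""
    recent = defaultdict(deque)    # ip -> timestamps of failures inside the sliding window
    flagged = {}                   # ip -> time the burst was first detected
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:         # not an auth event (cron, kernel, ...): skip it
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:   # report each burst once
                flagged[ip] = ts
                findings.append({"type": "brute_force", "ip": ip, "user": user,
                                 "count": len(q), "at": ts})
        elif ip in flagged:        # success from an address already seen hammering us
            findings.append({"type": "success_after_brute_force", "ip": ip, "user": user,
                             "count": len(recent[ip]), "at": ts})
    return findings


if __name__ == "__main__":
    for f in review_auth_log(SAMPLE_LOG):
        print(f"{f['at']:%Y-%m-%d %H:%M:%S} {f['type']:26} {f['ip']:15} user={f['user']} failures={f['count']}")
```

A single failed login from `198.51.100.20` produces nothing, which is the point: review should surface the handful of events that need a human, not the whole log. In production the same logic runs continuously in the log platform rather than as a once-a-day script, and the findings feed the incident response process.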
- Implement a Comprehensive Information Security Policy, Including Continuous Employee Training
An organisation’s information security policy should address all security requirements and procedures, assign ownership of each, and include an incident response plan that is exercised at least once a year. It should also include a formal risk assessment that identifies threats and vulnerabilities to the environment, conducted at least annually and whenever the environment changes significantly.
All employees in the organisation, including non-technical employees, must be aware of the sensitivity of consumer data, the importance of data security, and their specific responsibilities under the company’s information security plan. It is not enough to simply include a section on data security in an employee manual or require that new employees sit through one training session upon hire. Employee training on data security must be mandatory, comprehensive, and ongoing.
With near-daily attacks and regulatory mandates that carry fines for non-compliance, making sure your FinTech business is secure is imperative. The result of a breach could be a massive loss of customers, a damaged reputation, and legal and financial liabilities that may be impossible to recover from. Preventing it takes a systematic approach that treats physical and cyber security as one problem: physical access to the systems that hold the data, and the data that lives on physical assets, must both be controlled. That approach will leave an organisation of any size better equipped and educated to deal with the full spectrum of future attacks.
FinTech companies do not have to fly solo. There are plenty of managed service providers, consultants, and specialists who can advise on and oversee a FinTech security strategy. Customers value the convenience a FinTech offers, but keeping their information secure is the company’s biggest responsibility. Failure is not an option.
Mike Baker, founder and Principal at Mosaic451
Image source: Shutterstock/Artem Samokhvalov