The Growing Cyber Risks in Fintech and How to Mitigate Them

The fintech revolution has reshaped the financial world, creating new opportunities to borrow, save, transact, and invest like never before. With no signs of slowing, fintech revenues are projected to grow sixfold from $245 billion to $1.5 trillion by 2030.


But having only been around for a couple of decades at most, fintech products and services are largely driven by startups that have had to put cybersecurity measures at the forefront given the sensitivity of the information they are responsible for.  

And because fintech has crept into every corner of our personal and professional lives (75% of consumers globally have adopted some form of money transfer or payment service), it is an industry ripe for bad actors to target.

Let’s look closer at the top cyber risks in fintech and the measures companies can take to mitigate these risks. 

An Overview of the Top Cyber Risks of Fintech

Fintech is a broad term comprising many different types of B2B and B2C financial technology solutions.

Examples include everything from payment processing for e-commerce, peer-to-peer payments, and investment platforms to consumer banking solutions, fund exchanges and technology platforms powering their various offerings.

Risks can range from traditional technology exposures to more traditional banking risks. Liabilities include third-party risk, technology vulnerabilities, cyberattacks, and the aftereffects of a cyber incident.

Unfortunately, the financial services industry is among the most attacked sectors, coming in at No. 2 according to Statista.  

[Figure: Cyber Risk Statistics]

This is largely because financial services collect a vast amount of valuable data that can be used by bad actors.

Let’s look closer at some of the top exposures in fintech.

Technology Exposures

When using fintech products or services, businesses and consumers open themselves up to all the exposures of that technology. This includes vulnerabilities inherent to technology apps, cloud computing, mobile devices, and more.

Banks that partner with fintech solutions need to be aware of the third-party liabilities they are opening themselves up to as they adopt the technology.  

Malware Attacks

Malware is the most common type of cyberattack in the financial sector, targeting about 40% of companies worldwide.

In fact, malware remains a main weapon of choice across industries, used in 73% of successful cyberattacks.

Many of these malware attacks begin with phishing campaigns, often in emails. 

Data Breaches

As financial services process data related to consumer payment card information, financial account details, and various forms of sensitive data, data breaches are a major concern.

Bad actors with access to sensitive data can carry out everything from identity theft and fraudulent transactions to further infecting consumer systems for more data. The fallout from a data breach can also lead to consumer complaints and class actions.   

Money Laundering

Cryptocurrency is mostly unregulated, which becomes a problem when criminals use fintech services to launder money via crypto.

One report stated there was an estimated $22 billion laundered via crypto in 2023.  

[Figure: Cryptocurrency laundered by year]

Regulatory Compliance  

As if the potential customer litigation from a data breach wasn’t concerning enough, fintech organizations are governed by a variety of regulations.  Some of these are dependent upon the services they provide or in what jurisdictions they operate.

These include: 

  • General Data Protection Regulation (GDPR) 
  • Various state privacy laws, including the California Privacy Rights Act (CPRA), with several other states proposing similar bills 
  • Payment Card Industry Data Security Standard (PCI DSS) 
  • Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) regulations 
  • Anti-money laundering (AML) regulations 
  • Open banking regulations 
  • Sector-specific regulations tailored to different fintech sectors, such as insurance technology (InsurTech), wealth management, or alternative lending, each addressing unique privacy risks and compliance obligations 

Financial Losses and Other Damages 

Cyberattacks are expensive–each data breach costs the financial sector $5.9 million on average.

Costs add up from cyber incidents in different ways, including bad actors stealing money directly or the subsequent financial losses that occur from loss of consumer trust, reputational damage, regulatory fines and penalties, class action lawsuits, and more.

Lloyd’s of London estimated that a major cyberattack on a payments system could cost the world economy $3.5 trillion.

How to Mitigate Fintech Cyber Risk

Because fintech is a broad sector encompassing many different types of products and services, there is no one-size-fits-all solution. Let’s explore some general ways to mitigate risk. 

Implement Cybersecurity Frameworks

Some organizations will want to look closer at cybersecurity frameworks like those found at the National Institute of Standards and Technology (NIST), currently the gold standard for cybersecurity.

Implementing a framework like NIST helps to strengthen an organization’s cybersecurity posture by following five core functions: Identify, Protect, Detect, Respond, and Recover. This will not only help with building a strong security culture but is also broad enough to cover a variety of the security measures needed to comply with the security requirements in regulations and acts like the Gramm-Leach-Bliley Act.

Understand the Laws

Understanding the regulations that govern your business will also be key, and will set the stage for the systems you put in place to ensure compliance.

Working with outside counsel to identify the specific risks that you face when building out your product will help with understanding the scope of regulations to adhere to. Not only will it govern the data privacy protections you must have in place, but it will also determine what forms of licensing you have to apply for, as with payment and electronic money institutions that need to register under PSD2 in the EU.

Invest in Cyber Liability Coverage

A major part of transferring risk in fintech is purchasing a cyber insurance policy. Cyber policies cover the following:

Network Security and Privacy Liability 

This aspect of a cyber policy covers network security failures as a result of network intrusions, data breaches, cyber extortions, including ransomware, or business email compromise.

Policies can cover the negotiation and payment of a ransomware demand, data restoration, legal expenses, IT forensics, breach notification to consumers, public relations, call center setup, credit monitoring, and identity restoration.

It can also protect organizations from liabilities from a cyber incident or regulatory violation.

Examples include liabilities from a contractual obligation, expenses from regulatory investigations and penalties from governments and/or law enforcement, and class action litigation and settlements. 

Network Business Interruption

A cyber policy can help you recover lost profits and other costs if there are network outages caused by security failures (such as malware) or system failures (like administrative errors or botched upgrades).

Some organizations may face challenges in demonstrating lost revenue directly, as this might result in errors and omissions coverage.  

Errors and Omissions

The E&O coverage protects policyholders from claims arising from errors in performance or failure to perform services.

Given the scope of fintech offerings, this could run the gamut from an improperly implemented technology platform, to an error or mistake in the evaluation of who qualifies for a loan, to consumers not being able to access their funds because of a network business interruption event. All of these have the potential to manifest as a third-party liability claim from customers or consumers.

This is something I’ll further explore in a detailed article next time (stay informed of future articles by subscribing to the Cyber Notebook right here on this page). 

Securing the Coverage You Need

Because of the diverse nature of fintech, not all companies are going to have the same exposures. A well-crafted cyber policy can address the specific risks of your organization's fintech liabilities.

Insurers are increasingly leveraging data analytics and artificial intelligence to assess cyber risks more accurately, tailor coverage solutions to specific industry sectors, and enhance the claims handling processes.

That said, cyber policy underwriting guidelines are becoming stricter in the face of evolving cyberattacks. Insurers are looking for certain cybersecurity controls to be in place before they offer coverage.

Working with a broker that specializes in cyber insurance can help you identify the risks you face, help you understand what’s required to get the coverage you need, and set the appropriate limits.

For more on what you need to know about the 2024 cyber insurance market, read Woodruff Sawyer’s Cyber Looking Ahead Guide, 2024 edition. 


