Resilience at Speed

METHODOLOGY

Sample Breakdown

Respondents Profile

The majority of respondents held senior executive positions, emphasising the importance of security and resilience to a FinTech's management teams. Firms largely self-identified as FinTechs, with InsurTech and RegTech firms also represented. There was a relatively even split between B2B and B2C business models, though the two distinct models showed very different risk profiles.

Respondents Profile

APAC had the highest concentration of market penetration, accounting for 41.17% of the total.

EMEA follows with 35.39% of respondents doing business within Western Europe, Eastern Europe and the Middle East.

AMER had the lowest market penetration from the respondents, likely due to the region having a comparable fintech industry of its own.

UK firms continue to uphold the country's position as a global financial hub, with firms increasingly reaching out to a global customer base from a reputable, well-regulated, resilient base in the UK.

Post-Brexit, we see a more even distribution of spread globally, with less concentration on the European market. Within Europe we see Spain rising in popularity, with more firms seeing the potential for a market and/or an operating base in Europe.

Notably few firms appeared confident enough to discuss operating in mainland China, which testifies to the perceived level of threat and lack of transparency.

In the current economic landscape where maintaining trade relationships with China has become imperative, there is a growing acknowledgment that robust capabilities in cybersecurity are a necessity, not just a strategic advantage.

We find ourselves in this intricate dance with the world's largest market, where the power dynamics are anything but symmetrical. We need to embrace the idea that cybersecurity isn't a choice anymore: it's the very foundation upon which reliable financial services are built.

Download as PDF

CHALLENGES TO OPERATIONAL RESILIENCE

It is telling that the largest perceived threats to the financial services industry come from the industry itself, rather than from external attacks. 2023's harsh economic outlook, combined with rising interest rates, increased regulatory pressure, and the relative scarcity of investment capital, are the main threats on the minds of executive management.

Although they remain keenly aware of the threats of data theft, fraud, supply chain risk, and statesponsored cybercrime, firms know that these threats are part of operational life and their first priority is to survive to operate another day. In this environment, cybersecurity technologies need to be cost effective and give a clear return on investment.

It also highlights the increased impact of a security breach; a security event that might have been just a significant problem in 2022, when funding was available to respond, could potentially be a death blow in 2024. A successful firm will view cybersecurity not as a cost or an overhead, but as a financial operational risk that needs to be managed with the same level of diligence as expenditure.

If you cannot afford to spend on security, you certainly can't afford to get hacked.

REGULATION AND STANDARDISATION

The ISO27000 series of standards on Information Security Management continues to become the pre-eminent voluntary certification standard amongst FinTechs. Firms discussed using ISO27k in three separate ways: as thought leadership to identify what they should be doing; as a public quality attestation to demonstrate their security to clients and investors; and as a requirement for their own supply chain to minimise risk. The US-based SOC2 attestation of operational security is losing ground, which we attribute to its complexity, expense, and US-centric certification.

Mandatory regulatory compliance was also a major topic of discussion, irrespective of whether a firm was or was not a licenced financial institution or whether the interviewee held a role that was directly responsible for Compliance. Modern global regulators tend to adopt a model of requiring licenced institutions to pass down requirements to their own supply chain, which has the effect of requiring any firm operating in financial services to be indirectly held to the same level.

With apologies to Benjamin Franklin, in this industry it appears there are three certain things: death, taxes, and compliance.

Few firms object to the details of regulations, with some mentioning that regulations could be seen as thought leadership, or even a 'cookbook' for how to operate a resilient firm.

The key concerns were the pace of change of regulation, the complexity of meeting multiple regulators' differing approaches to the same topic when operating internationally, the difficulties of interpreting regulatory requirements in a fast-paced industry, and the knock-on effects of tightened regulations as regulated institutions become more risk-averse and less supportive of emerging technologies.

A specific theme that was raised frequently by CTOs, CEOs, and CROs alike was Know Your Client (KYC) and Anti-Money Laundering (AML) regulations, and the difficulties of effectively implementing onboarding approaches amidst rising levels of consumer fraud and the lack of government back identity management schemes. One respondent noted that nearly half of their account openings in a post-launch period were later identified to be fraudulent.

Download as PDF

KEY AREAS OF FOCUS

However application security testing goes hand in hand with Security by Design, so it was concerning that that wasn't getting the same level of focus. The Security by Design approach holds that the strongest and most cost-effective approach to security is to address it at the very beginning of the design process, giving security requirements exactly the same level of precedence as functionality and usability.

USE OF CLOUD PROVIDERS

AWS continues its dominance of the FinTech cloud industry, driven both by its 'gateway drug' marketing policy of providing free credits to startups, and by the impressive range and strength of its security product suite. Azure runs a distant second, only slightly ahead of on-premise deployments.

The data gathered shows a larger skew to AWS than the overall industry according to market research from Synergy Research Group and Statista. Amazon Web Services (AWS) holds a substantial 34% market share among leading global cloud infrastructure providers, while Microsoft's Azure follows with 21%, and Google Cloud trails with 10%.

It is a market leader for a reason: our own experiences with AWS in development mode, live production environments, and post-breach recovery situations have given us a great deal of respect for its abilities, so we expect this dominance to continue in high-security environments like financial services.

However, two notes of caution need to be sounded from our conversations. Some respondents refused to comment on cloud provider, rightly pointing out the need to be platform independent and not dependent on any individual supplier. As the cloud industry itself is less that twenty years old, some degree of consolidation or failure is inevitable and at some point, companies will need to make a shift.

It is prudent to plan for that eventuality and ensure you are platform-independent now so you are not caught in the storm of a turbulent transition. The costs of writing platform independent code are a tiny fraction of the costs of a migration project of a rapidly growing platform.

Secondly, a lot of confidence was placed in the security of the AWS infrastructure, which is only part of the complete picture for a FinTech platform on AWS. While AWS does give you an exceptionally good set of security tools, they are still just tools for you to use to engineer your own solution. The tools won’t break, but that doesn’t mean that the application you build with them is secure.

It is essential to understand AWS's Shared Responsibility model, to ensure you adopt strong practices such as Security By Design, and have a regular testing model of both infrastructure (VAPT) and code (SAST/DAST).

GOVERNANCE

Who is responsible for technology risk and security?

How security is managed and governed in a company plays a subtle but very influential role in its success. Unsurprisingly, the CTO tops most respondents’ lists, followed by CRO, Compliance Head. A few firms with strong security cultures do have a clear nominated CISO

The majority of FinTechs fall into one of two categories: either the CTO is primarily responsible for cybersecurity, or responsibility lies with CRO / Head of Compliance but they delegate to CTO due to lack of technical knowledge .

There is an understandable logic to this: the CTO builds the product, they should be held accountable for building it right. However, this overlooks a major conflict of interest that can lead to significant problems.

A CTO is held responsible for building a product that works, for building it quickly, for building it to a budget, and for building it in a secure and resilient fashion.

Security requirements will often add necessary time, cost and complexity to a project; when cost and time pressures are immediately felt, while security is for something that might happen in the future, security is often put aside “for the short term”. Time and budget pressures rarely go away, and so short-term rolls into medium term and the company continues to operate insecurely until the inevitable happens.

Slightly under one-third of our respondents had a dedicated Chief Information Security Officer (CISO) or Security Architect, though often these roles report to a CTO, and can still suffer from conflict of interest. While it is often practical to keep technical staff under one line of management, firms should ensure people responsible for managing cybersecurity also have a reporting line to the Board or a CRO.

A recurring theme in advice from later-stage FinTechs to earlier-stage FinTechs was to ensure that you have specialist security advice available to you at a senior level to help a company balance competing priorities. Where a firm cannot find or afford these skills in-house, a specialist board advisor, fractional CISO/Technology Risk Head, or external specialist advisor can make a big difference.

THE FUTURE OF FINTECH RESILIENCE

The FinTech industry continues to undergo significant transformation to meet market demand in a safe, resilient, and practical way. Collaboration and innovation will continue to be at the forefront, with FinTech firms partnering with traditional financial institutions and other tech companies to create more seamless and secure financial services.

Government-supported digital identity solutions would simplify and strengthen operational processes and enhance user experience, though they come with significant privacy and libertarian concerns. Central bank digital currencies and international standards for risk management will shape the industry, necessitating adaptability and creativity from FinTech firms.

In the long term, the industry landscape is expected to see even more profound changes. The continued evolution of technology will lead to the expansion of value-added services, making transactions increasingly convenient and efficient - however FinTech will need to maintain a strong commitment to cybersecurity as security threats evolve.

The concept of 'Design for Failure' will become more ingrained in strategic planning, with redundancy and failover mechanisms integrated into core systems. Economic and regulatory shifts may present challenges, but a long-term outlook and a patient approach is essential.

Gradual progress will be transformative, and adaptability will be the key to enduring success.

Download as PDF

METHODOLOGY

Pragma reached out to prominent FinTech firms based in the UK during the July and August 2023 to discuss their perspectives on operational resilience and cybersecurity.

This whitepaper is a summary of the survey findings, not a statement of best practice. The opinions and recommendations in this document are based on brief verbal interviews with respondents. Any mentions or direct quotations from named respondents are reproduced with consent.

ABOUT THE AUTHORS

Geoff Leeming

Co-Founder, Pragma

[email protected] | linkedin.com/in/geoffleeming

https://pragma.ltd | 7 Bell Yard, London WC2A 2JR | +44 20 3318 1470

CALL US FOR A COMPLIMENTARY RESILIENCE AUDIT TODAY

[email protected] | +44 20 3318 1470

pragma.ltd

Pragma is a global Cybersecurity and Regulatory Consulting firm that helps FinTechs strengthen cyber and operational resilience in UK, Europe and Asia. Areas of excellence include cloud security; security testing; pre-breach and post-breach incident response; governance, risk and compliance (GRC); Data Privacy compliance; FinTech licencing; and financial regulatory compliance services including AML and KYC.

Geoff Leeming has over 30 years of experience designing cybersecurity solutions for financial services firms, from multinational investment banks to early stage FinTechs. He holds an M.Sc. in Information Security and is a certified AWS Security Architect. He has also conducted multinational fraud investigations, network security incident response engagements, and compliance audits across various industries. He specialises in operational resilience areas, including cryptography, cloud security, data analysis, and control process design.

Date: September 20, 2023