The UK FinTech industry is a thriving ecosystem, as the UK is consistently ranked among the world's most fintech-friendly countries. As per data from Innovate Finance, the country has over 2,500 companies specialising in eight domains, including Banking, RegTech, InsurTech, Lending, Payments, WealthTech, Quote Aggregators, and Accounting, Auditing, and Cashflow Management. The UK excels in WealthTech, which includes Personal Finance Management (PFM) and cryptocurrencies, and payment technology, collectively representing over half of the country's FinTech firms.
While the sector has enjoyed significant growth, it has come under steady economic pressure over the past twelve months with a significant drop in deal activity and investment funding. As is often the case in a more difficult economic climate, fraud and cyber crime have continued to rise resulting in a double whammy of decreased funding for cyber despite increased need.
As a CREST-approved global provider of cybersecurity solutions, Pragma's own post-breach cyber incident response work has also shown cyber attackers increasingly switch towards smaller financial firms, as underfunded cyber protection gives more opportunities to attack. Attackers often focus on developing technical areas in banking and financial services, such as API security, mobile app vulnerabilities, and cloud storage risks.
Pragma has undertaken this whitepaper to tackle the rising concern among UK FinTechs about their overall safety and stability in an increasingly complex financial, regulatory, and security landscape. The researchers used a qualitative exploratory descriptive design to identify, analyse and describe factors relating to the challenges that FinTechs are currently facing.
The majority of respondents held senior executive positions, emphasising the importance of security and resilience to a FinTech's management teams. Firms largely self-identified as FinTechs, with InsurTech and RegTech firms also represented. There was a relatively even split between B2B and B2C business models, though the two distinct models showed very different risk profiles.
APAC had the highest concentration of market penetration, accounting for 41.17% of the total.
EMEA follows with 35.39% of respondents doing business within Western Europe, Eastern Europe and the Middle East.
AMER had the lowest market penetration from the respondents, likely due to the region having a comparable fintech industry of its own.
UK firms continue to uphold the country's position as a global financial hub, with firms increasingly reaching out to a global customer base from a reputable, well-regulated, resilient base in the UK.
Post-Brexit, we see a more even distribution of spread globally, with less concentration on the European market. Within Europe we see Spain rising in popularity, with more firms seeing the potential for a market and/or an operating base in Europe.
Notably few firms appeared confident enough to discuss operating in mainland China, which testifies to the perceived level of threat and lack of transparency.
In the current economic landscape where maintaining trade relationships with China has become imperative, there is a growing acknowledgment that robust capabilities in cybersecurity are a necessity, not just a strategic advantage.
We find ourselves in this intricate dance with the world's largest market, where the power dynamics are anything but symmetrical. We need to embrace the idea that cybersecurity isn't a choice anymore: it's the very foundation upon which reliable financial services are built.
CHALLENGES TO OPERATIONAL RESILIENCE
It is telling that the largest perceived threats to the financial services industry come from the industry itself, rather than from external attacks. 2023's harsh economic outlook, combined with rising interest rates, increased regulatory pressure, and the relative scarcity of investment capital, are the main threats on the minds of executive management.
Although they remain keenly aware of the threats of data theft, fraud, supply chain risk, and statesponsored cybercrime, firms know that these threats are part of operational life and their first priority is to survive to operate another day. In this environment, cybersecurity technologies need to be cost effective and give a clear return on investment.
It also highlights the increased impact of a security breach; a security event that might have been just a significant problem in 2022, when funding was available to respond, could potentially be a death blow in 2024. A successful firm will view cybersecurity not as a cost or an overhead, but as a financial operational risk that needs to be managed with the same level of diligence as expenditure.
If you cannot afford to spend on security, you certainly can't afford to get hacked.
REGULATION AND STANDARDISATION
The ISO27000 series of standards on Information Security Management continues to become the pre-eminent voluntary certification standard amongst FinTechs. Firms discussed using ISO27k in three separate ways: as thought leadership to identify what they should be doing; as a public quality attestation to demonstrate their security to clients and investors; and as a requirement for their own supply chain to minimise risk. The US-based SOC2 attestation of operational security is losing ground, which we attribute to its complexity, expense, and US-centric certification.
Mandatory regulatory compliance was also a major topic of discussion, irrespective of whether a firm was or was not a licenced financial institution or whether the interviewee held a role that was directly responsible for Compliance. Modern global regulators tend to adopt a model of requiring licenced institutions to pass down requirements to their own supply chain, which has the effect of requiring any firm operating in financial services to be indirectly held to the same level.
With apologies to Benjamin Franklin, in this industry it appears there are three certain things: death, taxes, and compliance.
Few firms object to the details of regulations, with some mentioning that regulations could be seen as thought leadership, or even a 'cookbook' for how to operate a resilient firm.
The key concerns were the pace of change of regulation, the complexity of meeting multiple regulators' differing approaches to the same topic when operating internationally, the difficulties of interpreting regulatory requirements in a fast-paced industry, and the knock-on effects of tightened regulations as regulated institutions become more risk-averse and less supportive of emerging technologies.
A specific theme that was raised frequently by CTOs, CEOs, and CROs alike was Know Your Client (KYC) and Anti-Money Laundering (AML) regulations, and the difficulties of effectively implementing onboarding approaches amidst rising levels of consumer fraud and the lack of government back identity management schemes. One respondent noted that nearly half of their account openings in a post-launch period were later identified to be fraudulent.
KEY AREAS OF FOCUS
Unsurprisingly for companies working in a heavily regulated industry, due diligence was the most common area of focus for many B2B respondents. The scale of the effort required to answer due diligence enquiries should not be underestimated, as without de facto standardisation, clients' approaches to due diligence are usually bespoke so a FinTech may find itself describing its network security design, for example, in ten different ways to ten different firms.
ISO27000 and shared due diligence platforms may reduce the scale of work, but do not eliminate it. B2C firms, and firms who develop solutions to be deployed on-premise by a client, reported a much lighter due diligence load.
An impressive second place was source code security assessment, often referred to as SAST or DAST (Static/Dynamic Application Security Testing). As infrastructure security becomes increasingly commoditised by cloud providers, the focus of security design and prevention work shifts to the application.
As most product security vulnerabilities can be traced back to a failure to code securely, shifting security left and into the development lifecycle is an essential move for companies whose long-term prosperity relies on the strength of their code.
While some firms are still taking the traditional "build it first then pay to test it" approach, others are seeing both security and cost benefits by integrating specialist security testing earlier and earlier in the pipeline, with every pull request getting automatically tested.
However application security testing goes hand in hand with Security by Design, so it was concerning that that wasn't getting the same level of focus. The Security by Design approach holds that the strongest and most cost-effective approach to security is to address it at the very beginning of the design process, giving security requirements exactly the same level of precedence as functionality and usability.
We see a clear split in approach by maturity of the firm: earlier stage FinTechs often took the approach that they would build the product first then "bolt on" security later when they had more funding, while larger and more established FinTechs overwhelmingly gave the advice that security must be addressed from the start. Whether this split is correlation or causation is hard to tell.
USE OF CLOUD PROVIDERS
AWS continues its dominance of the FinTech cloud industry, driven both by its 'gateway drug' marketing policy of providing free credits to startups, and by the impressive range and strength of its security product suite. Azure runs a distant second, only slightly ahead of on-premise deployments.
The data gathered shows a larger skew to AWS than the overall industry according to market research from Synergy Research Group and Statista. Amazon Web Services (AWS) holds a substantial 34% market share among leading global cloud infrastructure providers, while Microsoft's Azure follows with 21%, and Google Cloud trails with 10%.
It is a market leader for a reason: our own experiences with AWS in development mode, live production environments, and post-breach recovery situations have given us a great deal of respect for its abilities, so we expect this dominance to continue in high-security environments like financial services.
However, two notes of caution need to be sounded from our conversations. Some respondents refused to comment on cloud provider, rightly pointing out the need to be platform independent and not dependent on any individual supplier. As the cloud industry itself is less that twenty years old, some degree of consolidation or failure is inevitable and at some point, companies will need to make a shift.
It is prudent to plan for that eventuality and ensure you are platform-independent now so you are not caught in the storm of a turbulent transition. The costs of writing platform independent code are a tiny fraction of the costs of a migration project of a rapidly growing platform.
Secondly, a lot of confidence was placed in the security of the AWS infrastructure, which is only part of the complete picture for a FinTech platform on AWS. While AWS does give you an exceptionally good set of security tools, they are still just tools for you to use to engineer your own solution. The tools won’t break, but that doesn’t mean that the application you build with them is secure.
It is essential to understand AWS's Shared Responsibility model, to ensure you adopt strong practices such as Security By Design, and have a regular testing model of both infrastructure (VAPT) and code (SAST/DAST).
Who is responsible for technology risk and security?
How security is managed and governed in a company plays a subtle but very influential role in its success. Unsurprisingly, the CTO tops most respondents’ lists, followed by CRO, Compliance Head. A few firms with strong security cultures do have a clear nominated CISO
The majority of FinTechs fall into one of two categories: either the CTO is primarily responsible for cybersecurity, or responsibility lies with CRO / Head of Compliance but they delegate to CTO due to lack of technical knowledge .
There is an understandable logic to this: the CTO builds the product, they should be held accountable for building it right. However, this overlooks a major conflict of interest that can lead to significant problems.
A CTO is held responsible for building a product that works, for building it quickly, for building it to a budget, and for building it in a secure and resilient fashion.
Security requirements will often add necessary time, cost and complexity to a project; when cost and time pressures are immediately felt, while security is for something that might happen in the future, security is often put aside “for the short term”. Time and budget pressures rarely go away, and so short-term rolls into medium term and the company continues to operate insecurely until the inevitable happens.
Slightly under one-third of our respondents had a dedicated Chief Information Security Officer (CISO) or Security Architect, though often these roles report to a CTO, and can still suffer from conflict of interest. While it is often practical to keep technical staff under one line of management, firms should ensure people responsible for managing cybersecurity also have a reporting line to the Board or a CRO.
A recurring theme in advice from later-stage FinTechs to earlier-stage FinTechs was to ensure that you have specialist security advice available to you at a senior level to help a company balance competing priorities. Where a firm cannot find or afford these skills in-house, a specialist board advisor, fractional CISO/Technology Risk Head, or external specialist advisor can make a big difference.
THE FUTURE OF FINTECH RESILIENCE
The FinTech industry continues to undergo significant transformation to meet market demand in a safe, resilient, and practical way. Collaboration and innovation will continue to be at the forefront, with FinTech firms partnering with traditional financial institutions and other tech companies to create more seamless and secure financial services.
Government-supported digital identity solutions would simplify and strengthen operational processes and enhance user experience, though they come with significant privacy and libertarian concerns. Central bank digital currencies and international standards for risk management will shape the industry, necessitating adaptability and creativity from FinTech firms.
In the long term, the industry landscape is expected to see even more profound changes. The continued evolution of technology will lead to the expansion of value-added services, making transactions increasingly convenient and efficient - however FinTech will need to maintain a strong commitment to cybersecurity as security threats evolve.
The concept of 'Design for Failure' will become more ingrained in strategic planning, with redundancy and failover mechanisms integrated into core systems. Economic and regulatory shifts may present challenges, but a long-term outlook and a patient approach is essential.
Gradual progress will be transformative, and adaptability will be the key to enduring success.
Pragma reached out to prominent FinTech firms based in the UK during the July and August 2023 to discuss their perspectives on operational resilience and cybersecurity.
This whitepaper is a summary of the survey findings, not a statement of best practice. The opinions and recommendations in this document are based on brief verbal interviews with respondents. Any mentions or direct quotations from named respondents are reproduced with consent.
ABOUT THE AUTHORS
Pragma is a global Cybersecurity and Regulatory Consulting firm that helps FinTechs strengthen cyber and operational resilience in UK, Europe and Asia. Areas of excellence include cloud security; security testing; pre-breach and post-breach incident response; governance, risk and compliance (GRC); Data Privacy compliance; FinTech licencing; and financial regulatory compliance services including AML and KYC.
Geoff Leeming has over 30 years of experience designing cybersecurity solutions for financial services firms, from multinational investment banks to early stage FinTechs. He holds an M.Sc. in Information Security and is a certified AWS Security Architect. He has also conducted multinational fraud investigations, network security incident response engagements, and compliance audits across various industries. He specialises in operational resilience areas, including cryptography, cloud security, data analysis, and control process design.
Date: September 20, 2023