Cybersecurity and Fintech – The State of the Field
BrainWorks recently established Practice Areas in Cybersecurity and Financial Technology under the leadership of Global Managing Director Kayle Bernal.
Cybersecurity has long been a concern for companies, with hacking, data theft, ransomware, viruses, malware, and phishing scams creating greater and greater exposure and potential liability. With recent financial scandals such as Silicon Valley Bank and bank failures, Financial Technology (Fintech), long a subset of cybersecurity, has come into its own as a specialty area.
The Mix Between Financial Technology and Cybersecurity
There is significant overlap between Financial Technology and cybersecurity, extending well beyond traditional financial services to include all aspects of payments. So, whether it’s related to accounting tech, wealth tech, blockchain software as a service, payments, or open banking, anything involving the intersection of money and technology falls within the domains of both cybersecurity and fintech. This expansive landscape encompasses not only traditional banks but also digital banking, cryptocurrencies, blockchain, NFTs, and more.
On the cybersecurity side, the traditional areas mentioned above have expanded to include all types of products, such as asset or identity and access management and threat and defense, and industries such as entertainment, beauty, and hospitality – anyone searching for security components.
Cisco summarized cybersecurity within fintech as: “… the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at assessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.” (https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html)
Financial service providers are prime targets for criminals as the Financial Technology sector continues to expand. According to Global FinTech Market 2021, the sector was valued at $7.3bn in 2020 and is projected to grow at a CAGR of 26.87%, reaching $31.5bn by 2026.
Data from IBM Security research showed that finance and insurance topped the list of industries attacked by criminals in 2020. Cybersecurity is key to protecting information.
“Cybercrime is the ultimate evolution of financial crime,” Barnabe Robinson, head of risk practice for VentureStep, part of The Conexus Group, told Capital.com. “On the one hand, it facilitates organized criminal activities on an industrial scale with substantially reduced risk. On the other hand, it has spawned a new breed of opportunist criminal. An extensive range of malware is openly bought, sold and traded on the not-so-dark web. For $5,000 a would-be criminal can purchase malware promising earning potential of $10,000 a week alongside tech support and online tutorials.”
IBM highlighted that the threat of reputational loss due to sensitive data being leaked has the potential to cause significant damage to a business and its customers, which could lead to legal cases and hefty regulatory fines in addition to the costs of a lengthy recovery.
“When ransomware attackers publicly disclose sensitive data on leak sites, these breaches are often picked up by press, further adding to the reputational harm associated with these attacks. X-Force analysis of public breach data indicates that ransomware-related data leaks made up 36% of public breaches in 2020,” IBM said.
Experts at Deloitte pointed out that financial crime remains a trillion-dollar issue, despite significant investment in detection, prevention, and deterrence capabilities.
“Criminals are becoming increasingly sophisticated in their use of technology to perpetrate financial crime, finding and exploiting loopholes in our financial system and leveraging emerging technologies such as new payment platforms and cryptocurrencies to conduct complex, multi-layered transactions that are increasingly difficult to detect and trace,” the consultancy firm said.
Identifying the top Fintech trends in 2021, consultants KPMG found that cybersecurity is of crucial importance.
“Given the rise in digital transactions and the subsequent rise in cyberattacks and ransomware, cybersecurity is a focus area for investors, particularly corporates. In addition to threat security, fraud management, KYC [know your customer], and password-less security will gain increasing attention from investors.”
Craig Goodwin, founder of global cybersecurity firm Cyvatar.ai, told Capital.com more about the importance of cybersecurity and identified the biggest financial cyber risks in the sector. When it comes to challenges, Goodwin explained that financial services are prime targets because real money is there:
“It is not just traditional approaches to take personal data, with financial services there’s things like fraud or extortion that allow you to get more bang for your buck if you are a cyber attacker or hacker.
“In the early days, it was really easy to see the reputational damage associated with that. Or the other flip side was that the hackers got incredible notoriety as a result of hacking or getting access or monetary gains from well known financial institutions. On top of that, you have nation states too targeting financial operations for political reasons and commercial espionage reasons.”
Goodwin said the explosion in digitalization of financial institutions in the last few years has amplified the issue.
“Exposure to the internet, fintech and crypto is all taking off. This means that the number of attack angles and the areas to exploit financial institutions just gets exorbitantly bigger every day – and we have seen that from the RobinHood hack last year, from the OpenSea NFT platform hack more recently. With increasing digitalization, the number of cyber-attacks will continue to grow.”
How this Impacts Cybersecurity and Finance Recruitment
From the recruiting and hiring standpoint, individuals in this area need experience and expertise in dealing with large sets of secure, confidential transactional data. Cybersecurity is very hard to recruit for in the US, though the talent pool is getting better. Europe, on the other hand, has for several years been posting white papers and putting people through a variety of training programs and interactive labs to learn all of these skills.
In the U.S., while there is a growing pool of tech talent, cybersecurity talent is probably the most limited. And although people on the back end have been talking about it for many years, the general public is only now beginning to talk about it because they are seeing the consequences of cybersecurity breaches, such as credit card hacks or hospital data breaches. In some cases, hackers are even holding people in life-threatening situations hostage during medical procedures, demanding payments of $10,000 to restore access to critical systems.
In a 2023 report, Gartner predicts that challenges confronting those in charge of information security are evolving beyond technology, cybersecurity, and controls. Meeting these challenges will require cybersecurity leaders to redouble their focus on people.
Presenting Key Challenges
It’s important for leaders and their stakeholders to realize that this isn’t a pivot, but additional work for cybersecurity teams whose talent and bandwidth are already constrained. This presents a key challenge: the declining morale and increasing burnout of cybersecurity teams. Increasing burnout coupled with less than zero percent unemployment in the field enables employees to find greener or even just different pastures at will. To mitigate this, cybersecurity leaders need to focus on the health and well-being of their teams, starting with themselves. But “care and feeding” alone is not enough.
A key stressor of this work is that teams are often playing a game they can’t win because they are always playing defense. Leaders need to recognize this and recognize that people are both the problem and the solution. More often than not, companies are not being confronted by super hackers with novel “lock picking” skills but rather by employees who are leaving openings for hackers to do damage. Helping business leaders make decisions based on good threat assessments and focusing on the early detection of risky behavior by employees will enable organizations to take a proactive approach to minimizing the risk. Cybersecurity leaders need to think beyond just phishing testing and resilience to social engineering. Far greater returns are to be had in elevating the conversation to value propositions and business/operating models.