The Evolving Relationship Between Cybersecurity and Fintech

If you use Venmo, Zelle, Klarna, Turbo Tax or mobile banking apps, then you’re familiar with the near ubiquity of financial technology. Financial technology, or fintech, is one of the fastest growing sectors in today’s business landscape. It continues to reshape the way we think about our money, spending and investing…but unfortunately, all of that comes with a cost.

As financial technology continues to advance, so does the need for strong cybersecurity measures to protect the valuable data it contains. Cybersecurity is increasingly becoming one of the most essential elements in fintech, as the risk of cyberattacks and data breaches is growing with each passing day. To protect customer data and their own reputation, fintech companies must make cybersecurity a priority.

Here, we’ll analyze the critical importance of cybersecurity in the fintech industry, the evolving cyber threats that need addressing and the emerging technologies that can help mitigate those risks.

What is Cybersecurity?

Cybersecurity is the art of protecting networks, devices and data from unauthorized access or criminal use. It ensures confidentiality, integrity, availability and accessibility of information—for the right people—so that an outside party cannot taint or exploit its original intent or users.¹ Cybersecurity applies to all digital activities and devices, ranging from emails on the computer to display screens at the train station.

What is Fintech?

The term “fintech” refers to applications, hardware and software that allow people to access financial products and services digitally. Traditional banks have used automatic teller machines (ATMs) and computers for decades, but contemporary fintech emerged in 2008 after the global financial crisis. This event caused widespread mistrust of banks, motivating many people to find alternative financial solutions.²

Today, new tools such as person-to-person payment apps and robo-advisors allow consumers to manage their finances independently and digitally. With apps and online platforms, you can access your bank accounts and investment portfolios without ever setting foot inside a brick-and-mortar bank. All of these developments have caused the industry to grow dramatically in the last few years. In 2017, the fintech sector was worth $90.5 billion; as of 2023, it’s valued at $179 billion.³

Cybersecurity Challenges in Fintech

As more and more of our finances move online, the stakes to protect them become even higher. Credit card numbers, bank account PINs, phone numbers, investment accounts and other personal identifiable information (PII) can be hacked and used for criminal gains, costing people large amounts of time, money and energy to restore their privacy. In 2022, financial institutions experienced the second highest number of data breaches behind the government.⁴

Here are some of the top concerns for cybersecurity in fintech.

1. Data Breaches and Financial Fraud

A breach is a security incident that gives unauthorized access to an organization's sensitive information; in other words, when someone can see or use something they should not be allowed to. Cybercriminals use a diverse array of methods to gain access to information systems, both for individuals and large companies. In 2022, cybercriminals most commonly gained access through compromised passwords and phishing scams.⁵

When a data breach happens, there are many different scenarios that could come afterward. For example, if someone hacks your bank account, they could commit financial fraud and use your money to buy a lot of expensive items for themselves. They could also change your login information and disable notifications so that you won’t notice their purchases and can’t access the account right away.

No matter how large or small the breach is, every incident has direct and indirect costs that linger long after. Direct costs refer to the specific dollar amount it costs an organization to clean up a data breach. These costs include the price of new technology, software or cybersecurity professionals a company may need to bring in; the amount they owe back to customers; and any fees or penalties the company might be forced to pay. The indirect costs are what hurt a company’s reputation, customer trust, business partnerships and resources—about 38% of the total cost of a data breach is related to loss of productivity.⁶

2. Insider Threats and Employee Misconduct

You might think that cyber attacks always come from the outside of an organization, with a cyber criminal breaking through network defenses on their own. But, unfortunately, 88 percent of data breach incidents are caused by employee error.⁷ A vast majority of workers won’t expose sensitive data on purpose (although insider threats are certainly possible), and their mistakes usually stem from a lack of cybersecurity knowledge (e.g., clicking on a link coded with malware, leaving their computer open in a public space or using an easy password on multiple sites). More than half of employees fall for phishing emails from attackers who impersonate a senior executive at their company, mostly because they don’t know to suspect anything different.⁷

Fintech companies deal with highly valuable data in enormous quantities, so when a breach occurs, there is much more on the line than their own personal information. Employee mistakes can cost customers incalculable amounts and impact their livelihoods. Thus, cybersecurity prevention and education is an integral part of employees’ training and day-to-day operations in financial technology.

3. Third-party Risks and Supply Chain Vulnerabilities

As in any industry or process, the more people and organizations you involve with your work, the less control you have over every detail. Fintech employees may be well trained on proper cybersecurity protocol, but the same can’t always be said for third-party partners. Vendors, suppliers, contractors and business partners have their own understanding of cybersecurity and data protection, which might not be as comprehensive as they should be.

To maintain their security standards, fintech companies must thoroughly vet and train their third-party partners, as well as implement additional protections on every touchpoint between them. At the end of the day, customers won’t care who exactly leaked their information, so it is the responsibility of the principal company to keep everyone’s financial data safe and secure.

Examples of FinTech Cybersecurity Incidents

Sadly, some companies have had to pay the price and learn the hard way just how crucial cybersecurity is for their long-term success. Cybersecurity Ventures expects global cybercrime costs to grow 15 percent per year over the next three years, reaching $8 trillion globally in 2023 and $10.5trillion by 2025.⁸

Credit reporting agency Equifax experienced this in 2017 when hackers were able to gain access to the personal data of 143 million people. Equifax was forced to spend $1.38 billion to resolve consumer claims and spent another $1.4 billion on cleanup costs.⁹ Capital One went through a similarly harrowing event in 2019 when the names, addresses, income and other PII of over 106 million people were taken by a hacker.¹⁰ In 2021, CNA Financial made the biggest ransomware payout on record: $40 million to a cybercriminal group.¹¹

Regulatory Landscape & Compliance

To help mitigate cybersecurity risks and make sure fintech companies act responsibly with users’ finances and data, there are a number of laws, regulations, security policies and organizations in place for the financial services industry.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Launched on September 7, 2006, PCI DDS improves account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS.¹²

There are 12 requirements for PCI DDS Compliance:

1. Use and maintain firewalls
2. Proper password protections
3. Protect cardholder data
4. Encrypt transmitted data
5. Use and maintain anti-virus
6. Properly updated software
7. Restrict data access
8. Unique IDs for access
9. Restrict physical access
10. Create and maintain access logs
11. Scan and test for vulnerabilities
12. Document policies¹²

General Data Protection Regulation

The General Data Protection Regulation (GDPR), enacted in 2016 by the European Union (EU), sets the standards for acquiring, managing and processing the personal data of EU citizens and residents. The most important element of GDPR dictates that no organization can collect, store or use personal data without the explicit consent of the data subject.¹³

Maintaining compliance with GDPR is not only in your customers’ best interests, but in your business’s best interest as well. Horror stories of non-compliance and data theft can mean hefty fines. Depending on the size of your business, fines can range between $11 and $21 million or 2 – 4% of your annual global turnover.¹³

There is no full-scale GDPR equivalent in the United States, but some states (e.g., California) have implemented similar policies.

Financial Industry Regulatory Authority Guidelines

The Financial Industry Regulatory Authority (FINRA) is a non-governmental organization responsible for writing and enforcing rules governing registered broker-dealers and brokerage firms in the United States. It oversees its securities firms’ fair and honest operations to protect investors in the United States. Among its powers are:¹⁴

• Drafting and enforcing rules governing the ethical activities of all registered broker-dealers and registered brokerage firms in the United States
• Examining firms for compliance with such standards
• Promoting market transparency
• Educating investors

Emerging Technologies in FinTech Cybersecurity

As financial technology becomes more sophisticated, the cybersecurity efforts that protect it will as well. Keep an eye on the following security tactics:

Biometric Identification: using biological features like your face shape, fingerprints or voice recognition to approve or deny access to PII.¹⁵

Blockchain: a decentralized, digital database that stores information about financial transactions. This improves accuracy and security, removes the need for a third party, and never shuts down/relies on human operation.¹⁶

AI and machine learning: algorithms that run independently and can flag abnormal events, automate tasks and learn from past cyber attacks. You can read more about AI and machine learning in cybersecurity here.

Become a Cybersecurity Specialist in Any Field

Because of the high volume of valuable, confidential data in their control, fintech companies are deeply invested in hiring more cyber professionals, making it a highly lucrative and future-ready field. For example, the average annual salary for a chief information security officer (CISO) is $255,876, while an application security engineer can earn approximately $116,992.^17,18

Ranked as the #4 Most Affordable Online Master’s in Cybersecurity Degree by Fortune, an online Master of Science in Cybersecurity from Yeshiva University’s Katz School of Science and Health will prepare you to hit the ground running in less than two years.¹⁹ The program combines a traditional cybersecurity education, taught by industry experts, with hands-on experience that you’ll need to achieve critical certifications. Whether you're pursuing a career change or updating your current skills, we'd love to talk more with you about the online master’s degree in cybersecurity.