[BreachExchange] No company is immune from data security threat

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 13 20:55:15 EDT 2016


http://www.irishtimes.com/special-reports/future-of-fintech/no-company-is-immune-from-data-security-threat-1.2720133

Data security is a keystone of the financial services industry. One
security breach can destroy the reputation of a financial institution. But
the rapidly emerging fintech sector is throwing up serious challenges in
this all-important area. And the issue is as much related to cultures as it
is to technology.

On the one hand there is the cautious, conservative, and quite slow moving
world of banks and financial institutions while on the other there is the
fast moving, dynamic, entrepreneurial environment of the software and
technology companies which are moving into the financial services area.

This can lead to culture clashes based on mutual misunderstanding.

“It’s interesting,” says Deloitte head of financial services David Dalton.
“One of the things we do is figure out how to help large financial services
companies engage with fintech firms without getting into the technicalities
of security. How the financial services firms protect themselves is through
very complex legal procedures and agreements and these tend to be anathema
to the fintech start-ups so it can be very challenging.”

This disconnect can lead to a lack of awareness among fintech firms of the
regulations and security requirements which apply to them. In the UK, the
Financial Conduct Authority (FCA) is leading the way in dealing with this
issue. “The UK is leading on regulation,” Dalton points
out. “The FCA is actively engaging with the fintech industry and has
created a regulatory sandbox which allows for experimentation in a safe
environment. The UK is very much at the forefront of this when compared to
other locations.”

“What the FCA sandbox means is that if a fintech firm makes a misstep then
they can be reasonably comfortable that the FCA won’t move against them,”
explains Peter Oakes, founder of fintech industry advisory service Fintech
Ireland.

He doesn’t accept, however, the characterisation of the technology end of
the industry as being somehow laggardly when it comes to regulation and
security. “There are two schools of thought on this,” he notes. “The first
is that the technology industry hasn’t been subject to financial services
regulation and doesn’t understand security as a result. The other school is
that this is ridiculous; the technology industry writes the code for
financial services clients to provide technology and data security.”

He very much favours the latter view. “I have walked into banks with small
start-up firms and discovered flaws in their procedures. Banks just aim to
meet the standards. Tech firms tend to go beyond them. In many instances
the technology firms break through the ceiling.”

This is set to become a much bigger issue for all involved with the
introduction of the Payment Services Directive which requires banks and
financial institutions to allow third-party payment providers to have access
to customer accounts once they have the customer’s permission. This will
present security issues for all involved.

Indeed, Magnet Networks chief executive Mark Kellett points out that
developments such as this are going to force more firms to rethink their
position in the market and their approach to security.

“There is a whole cohort of firms who don’t realise they are in the fintech
sector. These include insurance brokers, credit unions and so on. They deal
with our pensions, savings, cash transactions and store data on customers
and their finances but they don’t view themselves as part of the fintech
ecosystem.

“This has to change. They have to start looking at their external
connections to the internet and ask what their service providers are doing
to protect them as well as their internal systems and everything that is
connected to their networks and which might be vulnerable to attack.”

David Dalton agrees. “One of the things you have to recognise is that no
one is immune. Everybody has been hacked. No bank or company is immune. One
thing they have to do is to have the plans in place for how to deal with
the consequences of an attack.”