Security standards in the development of FinTech applications
The UK is a very demanding market for everyone, including FinTechs, which must operate in the same way as traditional banking institutions. Legal and technological requirements exist to protect customers’ money. Applying FinTech security standards benefits customers and organizations and satisfies regulators. What regulations do you need to meet when entering this market, and what do they mean for your business?
Security requirements from a legal point of view
It may come as a surprise at first glance, but the UK, the FinTech hub of Europe and of the world for that matter, has no specific laws for the sector. FinTech products are all subject to the existing body of the UK financial regulatory framework. This places apps alongside institutions providing consumer credit, insurance services, crowdfunding and traditional consumer banking services.
There are also many cybersecurity laws which, for the most part, are compatible with the law made in the European Union.
The most important are:
- protection of personal data (including notification of breach)
- mandatory security measures (their absence may cause the FCA to take action)
- the Computer Misuse Act 1990 (amended in 2015, as part of the European directive on cybercrime)
The important difference between the UK and the EU when it comes to regulating the FinTech industry is that the UK Network and Information Systems Regulations 2018 do not apply to banks and financial institutions. According to the Networks and Information Systems Directive (EU) 2016/1148 they should, but that is another problem. The reason for excluding the financial sector from this law is that it was seen as sufficiently regulated already.
Safety standards from a technological point of view
Many startup founders and managers would say that compliance with the law is the most important factor for any FinTech business. That is true, but there are other important factors, such as security and reputation in a market where trust is essential for customers. This matters for public and private companies alike. It does not matter whether your company offers stock or whether you own it 100%; there is always the question of public perception, which can derail even the best business and marketing plans.
A memorable market disaster happened in 2016 and is known as the “saddest $5 billion deal in tech history”.
Core Security Solutions for FinTech
If you want your business to be safe and resilient to potential disasters, think about and implement these five steps:
A team dedicated to cybersecurity
To detect vulnerabilities and make the application resistant to attacks and other types of threats, you need cybersecurity experts, and not for a single engagement but available on request. They work on every stage of the System/Software Development Lifecycle (SDLC). They do not come cheap, so you can consider team augmentation to fill the gaps. Their role does not end when the product is finished: they support the app with updates and monitor the market for potential threats.
This does not mean that the specialists will be sleeping in your office. Much of their work can be automated with a security information and event management (SIEM) system, which monitors log and event data in real time and can flag suspicious activity so that it can be stopped.
1. ISO 27001
ISO 27001 certification is a great way to ensure that your product meets FinTech data security standards. It centres on an Information Security Management System (ISMS). There are several steps to achieving certification, but it is well worth it: you gain proof of your security posture that makes your product more transparent to the market, and you go through a proper process of risk assessment and of identifying and remediating application defects. It also teaches you how to implement security controls properly and review them regularly.
2. Penetration test
Penetration tests simulate a hacker attack. Carried out by an ethical hacker, a so-called “white hat”, they expose your product to a qualified specialist who will try to break it and search for security holes. Experts like these use the full range of tools and techniques available to attackers; they probe your system in any way they can, find loopholes, and suggest ways to manage and fix them.
The problem is the nature of their work. These are usually external testers hired for a job: they arrive, do the test, leave a report and go away. They cannot replace an internal cybersecurity team. Still, they help protect your data and meet ISO 27001 requirements, while also building product and brand credibility in the market.
3. Trained and professional employees
Unfortunately, many attacks succeed without crossing any technological barrier. This is possible because many employees do not follow procedures carefully enough, if at all. In some cases, the problem is faulty procedures that can and should be changed or replaced entirely. Manipulating staff with high-level access through phishing emails or other types of internet scams is nothing out of the ordinary.
A good example is Twitter, which fell victim to what the company called a “coordinated social engineering attack”. This could have been avoided by educating the staff.
4. Quick and efficient responses
When the worst has already happened and you are the victim of a breach, you need to think about the next step. In fact, the next steps, since nothing is easy after this type of unfortunate event. There are three basic rules that every organization must follow; with them you can react correctly to a security breach.
What do you need to do:
- Inform your customers and business partners of the situation. Be as detailed as possible; transparency is the key. You are not the first, and certainly not the last, to have been hacked in some way. Report the condition of the product: what data has been compromised, and how it affects the product and customer safety. Advise your users to block their credit cards and change passwords as soon as possible. This is an easy step, but if handled poorly it can backfire on you, especially on the transparency side. Internal attacks and bad behaviour happen; instead of blaming, take action.
- Collaborate with the local information commissioner. In the United Kingdom, it is the Information Commissioner. Each country has its own body, which is essentially treated as an equivalent. You can find the full list on the European Data Protection Board website.
- Perform a professional security audit (both internal and, especially, external). With it, you will be able to understand the nature of the situation: what exactly happened, how it was possible, and what to do in the future to prevent this type of breach.
When security is breached… Finastra case study
Developing FinTech applications is tricky. You must account for factors such as security and regulatory compliance; they are essential for your business and shape the entire process of creating a product. Even the largest and most established financial service providers can be penalized or fall prey to hackers, just as Finastra did last year. What matters in this particular case is that Finastra works with leading banks, so its business problems can affect millions of customers at every level.
What can you do to avoid or mitigate the risks?
The weakest link – still human
Human error is the most common cause of attacks. In Finastra’s case, someone simply forgot to patch the VPN to the latest version. This is a perfect situation for attackers: they can use already known exploits and break in quite easily, and that is what happened here. The attackers used a vulnerability known as CVE-2019-11510 and triggered a chain of events that defeated the security system. The attack also wrote arbitrary files to the host.
As a result, a company employing more than 10,000 people, with a turnover of $2 billion for 2019, was forced to take all its systems off the internet and carry out an investigation. Worse yet, vital data on major banks in more than 40 countries could fall prey and be sold on the black market. If it hadn’t been for a simple error and an even simpler update …
Security breaches are preventable
All you have to do is choose the right technology partner to build and maintain your product. Security begins… well, at the beginning, when you and the development team choose the technology stack and architecture for the application. Developing FinTech applications is not something any of us can take lightly. Data and credibility are at stake.