Fintechs and cybersecurity: Why establishing a governance plan is more critical than ever

In 2023, the SEC adopted strict new cybersecurity disclosure requirements. The rules require public companies to disclose “material” cybersecurity incidents within four days; to periodically disclose cybersecurity risk management, strategy and governance in annual reports; and to describe the company’s oversight of cybersecurity risk by the board of directors, including management’s role and expertise. While these new rules only affect public companies, they serve as a reminder that thorough cybersecurity plans are critical to protecting investors from the expense and downside risk a cybersecurity attack can cause. And those costs aren’t insignificant. According to Forbes, cybercrime damage costs are expected to grow by 15 percent per year over the next two years, reaching $10.5 trillion USD annually by 2025.

For fintech companies, this reminder is even more critical. Because fintechs typically manage and store large volumes of sensitive data and Personally Identifiable Information (PII), they are a natural target for cyberattacks. According to Kroll’s Q4 2023 Cyber Threat Landscape Report, financial services was one of the top five most targeted sectors for cyberattacks in 2022 and 2023.

The importance of cybersecurity governance for fintechs

If you’re a fintech planning to reassess your cybersecurity policies this year, governance will be critical to your success. With a robust cybersecurity governance process in place, an organization is better prepared to effectively mitigate risks, address threats, and meet regulatory and compliance responsibilities. Cybersecurity governance means that the board and management understand the cybersecurity program; are involved in decisions; and actively participate in risk acceptance, mitigation or transfer.

How to ensure strong cybersecurity governance

As you work to ensure strong cybersecurity governance, there are three key questions you should ask yourself: What are you doing? Is it enough? How do you know? Let’s look at each of these questions and what they mean.

What are you doing?

First, you should fully understand the cybersecurity program and governance model you currently have in place. That means you need to:

  • Understand the data you’re collecting and how you’re collecting it.
  • Ensure you’re only collecting the data you need.
  • Make certain you are storing the minimum amount of data you need to run your business.
  • Understand your regulatory compliance obligations (from data retention to breach notification to the “right to be forgotten,” etc.).

Is it enough?

Knowing whether your cybersecurity plan is enough should involve a constant process of evaluating risk and ensuring you remain comfortable with that risk over time. If you determine that your residual risk is getting too high, it may be time to make additional investments in security and controls to reduce that risk, or to transfer it, for example by investing in cybersecurity insurance.

Questions to ask include:

  • Do you understand your risks?
  • Are you meeting compliance obligations and continuously testing to ensure you are meeting them?
  • What controls are in place to ensure only certain people have access to specific data and only certain people can modify that data?
  • Do you have redundancy, backup, recovery and resiliency plans in place?
  • Do you have a plan in place in case data isn’t accessible, whether due to a breach, an outage, etc.?

How do you know?

Knowing you are prepared is about having the right monitoring processes and understanding how you would react to various cybersecurity events. Ask yourself:

  • Do you have appropriate monitoring in place to detect and prevent a cyber breach from happening?
  • Has a third party validated that your risk register makes sense and that your controls function as intended?
  • Is the plan you have in place appropriate for the risk you face, the risk you’re willing to accept and the money you’re willing to spend?
  • If an attack succeeds despite your best efforts, do you have appropriate monitoring processes to ensure you are alerted quickly?
  • What processes do you have in place to help you recover from an outage or other incident should one occur?

How BPM can help you start building a cybersecurity governance plan today

Cybersecurity attacks aimed at fintechs are predicted to continue to grow in 2024 and beyond. As an organization operating in a highly targeted industry, you face not only monetary risk from a breach itself but also the potential for reputational risk and brand damage. We can help.

BPM offers Cybersecurity Assessment Services, including Penetration Testing and Incident Assessment Support. Our independent team evaluates your organization and works to identify your information security weaknesses to help you understand where threat actors are most likely to strike. Then, we will help you build a methodology to manage cybersecurity risk. We’ll develop risk-prioritized recommendations and controls that help you respond to and monitor an attack should the worst occur.

  • James Lichau

    With over 13 years in public accounting, James has provided accounting and audit experience to both public and private companies. James focuses on technology, including SaaS and FinTech companies, as well as financial service firms, including peer-to-peer, online and alternative lending. He specializes in complex equity transactions, business combinations and revenue recognition. James enjoys working with his clients on each engagement to align himself as more of a partner than just an auditor. James Lichau holds an active CPA license in California.

  • Fred Rica

    Fred Rica is a skilled technology professional with significant experience in cybersecurity and technology risk management. He is a nationally recognized authority on the subject of cybersecurity and has performed or managed hundreds of security assessment, design and implementation projects in large and complex processing environments.