$GME (GameStop) and $AMC (AMC Entertainment) are breaking the market. These two stocks, driven by retail investor hype, have created pandemonium on Wall Street. Hedge funds are going bankrupt, and brokers are overwhelmed. None seem more overwhelmed than the SaaS brokerages like Stash App and Robinhood. Stash App has slowed to a crawl if you can even get it to work[1]. Robinhood is blocking trades and is sluggish as well. It’s not even their first time. Last year, Robinhood went offline several times costing its userbase in lost earnings[2]. If you’re using an app for your investments, how confident are you that your transactions are secure right now?
Breaches in the financial industry are expensive for everyone. The average total cost of a breach in the financial sector is $5.86 million[3]. That’s what it costs the company for tools, customer loss, remediation costs with affected customers, and regulatory fines. Don’t get me wrong, slow servers right now are not indicative that a breach would occur. But with 49% of breaches being caused by human and/or system error[4], there is the possibility a threat actor is foaming at the mouth right now.
“There is nothing more sensitive for a mobile fintech app than ensuring their platform is secure and resilient. Maintaining compliance with regulatory organizations governing online payments, working within various International Privacy regulations, and GDPR are vital to protecting your userbase and your company’s reputation.” – Donald Codling, Cyber Division Unit Chief (retired), FBI
Fintech companies have a responsibility to maintain compliance with regulatory bodies. Oftentimes this means PCI DSS compliance, GDPR, and security frameworks such as CCPA and SOC 2. But given the current situation, is compliance enough? Many of the most infamous breaches in history occurred while the victim was maintaining “compliance.” Regulatory compliance is a baseline of security, and in today’s world, where compliance never seems to equal security, it’s just that—nothing more.
Security and compliance are two fundamentally different principles.
Compliance in this context refers to the desired outcome from a collection of processes geared toward meeting a set of standards for securing certain data types. It’s determined by governmental, non-profit, or industry groups and is meant to set a minimum bar for security. Compliance means covered entities strive to complete extensive checklists of regulatory requirements validated through third-party audits or self-assessments. Therefore, compliance should be viewed as merely a result (reporting function) of a modest security program.
Much like compliance, security refers to the sum of processes and features for safeguarding data. But while compliance is achieved upon completion of a checklist, security is frequently left incomplete. Considering that compliance is only meant to set a minimum bar for security, it shouldn’t be a company’s ultimate goal.
Secure at a Point in Time vs. Secure All the Time
Regulatory compliance only requires an annual test or validation and, therefore, only measures security at a point in time. Unfortunately, in a few cases, an organization has become “audit-ready” and put measures in place, only to turn them off after the audit is conducted. Even if this isn’t the case, what’s important to note about these one-time audits is that the security level will only hold true at a particular point in time instead of continually.
As time passes, a lot of things may happen to erode the baseline level of security:
- Controls implemented during the audit may become outdated;
- New threats may emerge;
- Zero-day vulnerabilities could be discovered by cybercriminals;
- Controls that are highly dependent on human cooperation might eventually be circumvented to give way to convenience.
Take this case, for example. Equifax suffered a data breach that impacted over 147 million customers[5]. The incident involved PII, including complete credit card numbers. With Equifax as a participating member in the PCI Security Standards Council program, the company was most likely within the scope of PCI DSS compliance. Still, that didn’t stop the data breach from happening.
Many companies that were “compliant” suffered significant public breaches. Think Uber, Yahoo!, Hyatt Hotels, Chipotle, Arby’s. Clearly, being compliant at one point in time doesn’t make your business secure forever.
Many of these breaches could have been prevented had the companies adopted a security-first mindset. Organizations that adopt this way of thinking carry out a proactive risk assessment, threat intelligence, and dynamic monitoring/analysis, thus enabling them to discover threats and vulnerabilities as well as ineffective or poorly-implemented controls at any given time. This continuous approach to implementing safeguards has a much better chance of keeping systems secure at all times.
Enhancing Security
Threats can appear and evolve right after a compliance audit or assessment. Hence, it’s essential that fintech companies build a security program that can adapt accordingly. Since regulations are mandated, it’s equally important to ensure that the same program incorporates compliance right from the start.
In-House Security Isn’t Easy
There’s a severe shortage of cybersecurity talent. In fact, in a study conducted by (ISC)²[6], 65% of companies surveyed say they have a shortage of cybersecurity talent. And 51% of cybersecurity professionals say their organization is at moderate or extreme risk due to the cybersecurity staff shortage.
If there aren’t security experts in-house, the success of any security and compliance efforts will rely heavily on a third-party vendor’s capabilities.
Fintech companies need providers that can show their industry-standard compliance reports, such as PCI, SOC 1, and SOC 2. The presence of these reports is indicative of providers who have undergone independent security assessments and, therefore, are more trustworthy.
Security and compliance must always be ongoing endeavors. Security is a plan for when, not for if. A robust security program that readily incorporates compliance can help meet regulatory requirements while also protecting systems and customer data from current and emerging threats.
Join Armor as we discuss Defending Fintech on Brighttalk.
[1] https://twitter.com/Stash/status/1354805539025248256
[2] https://www.cnbc.com/2020/03/09/robinhood-app-down-again-during-another-historic-trading-day.html
[3] https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
[4] https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
[5] https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement
[6] https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study