In 2023, the SEC adopted strict new cybersecurity disclosure requirements. The rules require public companies to disclose “material” cybersecurity incidents within four days; to periodically disclose cybersecurity risk management, strategy and governance in annual reports; and to describe the company’s oversight of cybersecurity risk by the board of directors, including management’s role and expertise. While these new rules only affect public companies, they serve as a reminder that thorough cybersecurity plans are critical to protecting investors from the downside risk and damage a cybersecurity attack can cause.

For fintech companies, this reminder is even more critical. Because the fintech industry typically manages and stores large volumes of sensitive personal and financial data and Personally Identifiable Information (PII), fintech companies are a natural target for cyber threats and attacks. According to Kroll’s Q4 2023 Cyber Threat Landscape Report, financial services was one of the top five most targeted sectors for cyberattacks in 2022 and 2023.

The importance of cybersecurity governance for fintechs

If you’re a fintech company planning to reassess your cybersecurity policies this year, governance will be critical to your success. With a robust cybersecurity governance process in place, an organization is better prepared to effectively mitigate risks, address security threats, and meet regulatory and compliance responsibilities. Cybersecurity governance means that the board and management understand the cybersecurity program; are involved in decisions; and actively participate in risk acceptance, mitigation or transfer.

How to ensure strong fintech cybersecurity governance

As you work to ensure strong cybersecurity governance, there are three key questions you should ask about your fintech security: What are you doing? Is it enough? How do you know? Let’s look at each of these questions and what they mean.

What are you doing?

First, you should fully understand the cybersecurity program and governance model you currently have in place. That means you need to:

  • Understand the sensitive data you’re collecting and how you’re collecting it.
  • Ensure you’re only collecting the personal and sensitive data you need.
  • Make certain you are storing the minimum amount of sensitive financial information you need to run your business.
  • Understand your regulatory compliance obligations (from data retention to notification to the “right to be forgotten,” etc.).

Is it enough?

Knowing if your cybersecurity plan is enough should involve a constant process of evaluating risk and ensuring you are comfortable with that risk over time. Suppose you determine that your residual risk is getting too high. In that case, it may be time to make additional investments in security and controls to reduce or transfer that risk, such as investing in cybersecurity insurance.

Questions to ask include:

  • Do you understand your risks?
  • Are you meeting compliance obligations and continuously testing to ensure you are meeting them?
  • What controls are in place to avoid insider threats and ensure only certain people have access to sensitive data and only certain people can modify that data?
  • Do you have robust cybersecurity measures like redundancy, backup, recovery and resiliency plans in place?
  • Do you have a plan in place in case data isn’t accessible, whether due to a data breach, unauthorized access, an outage, etc.?

How do you know?

Knowing you are prepared is about having the right monitoring processes and understanding how you would react to various cybersecurity challenges. Ask yourself:

  • Do you have appropriate monitoring in place to detect and prevent a cyber attack from happening?
  • Has a third party validated that your risk register makes sense and that your controls function as intended?
  • Is the data protection plan you have in place appropriate for the risk you face, the risk you’re willing to accept and the money you’re willing to spend?
  • If a cyber attack succeeds despite your best efforts, do you have appropriate threat detection and monitoring processes to ensure you are alerted quickly?
  • What processes do you have in place to help you recover from an outage or other incident should one occur?

How BPM can help you start building a fintech cybersecurity governance plan today

Cybersecurity attacks aimed at fintech companies are predicted to continue to grow in 2024 and beyond. As an organization operating in a highly targeted industry, you face not only monetary risk from a security breach itself but also the potential for reputational risk and brand damage. We can help.

BPM offers Cybersecurity Assessment Services, including Penetration Testing and Incident Assessment Support. Our independent team evaluates your organization and works to identify your information security weaknesses to help you understand where cyber threat actors are most likely to strike. Then, we will help you build a methodology to manage cybersecurity risk. We’ll develop risk-prioritized recommendations and controls that help you respond to and monitor an attack should the worst occur.

If it’s been a while since you’ve evaluated your cybersecurity plan, contact us today to help ensure you are ready to handle whatever cybersecurity threat might come your way tomorrow.

Contact us today to get started.


James Lichau