Looking for Cybersecurity Framework for your FinTech Innovation?

Author: Salah Albenjasim, PhD Researcher, Prof Haifa Takruri, Dr Tooska Dargahi

Financial Technology (FinTech) is a relatively new term for the intersection of Internet-related technology (such as cloud computing and the mobile Internet) with the operational processes of the financial services sector (for example, lending money and banking transactions). FinTech is also defined as an industry made up of companies that employ advanced financial technology to provide quick financial services without the need for lengthy processes. It encompasses SMEs, start-ups, and partnerships with conventional financial and banking services.

The pace of digital transformation in the FinTech field is picking up, while the scale and sophistication of online and cyber threats are increasing at a similar rate. According to FS-ISAC (Financial Services Information Sharing and Analysis Center), financial institutions faced major ransomware attacks and exploitation of zero-day vulnerabilities in 2021. Challenges such as maintaining the integrity and security of FinTech systems therefore require careful attention and the strongest security standards.

In the FinTech business, cybersecurity is the top challenge and a major legislative concern. As a result, preventative measures must be implemented immediately and extended throughout the product and service lifecycles. This requires robust and effective controls to prevent and mitigate serious threats in the areas of privacy and cybersecurity.

This post is intended to assist FinTech businesses in better identifying and managing their cyber security risks while adopting a recognised cybersecurity framework.

Risk assessment helps protect your business

Risk assessment helps the FinTech industry to discover, manage, and safeguard the information that may be at risk of cyber-attack. To safeguard the business’s assets, this analysis identifies resources, evaluates risks, and devises a strategy for establishing security measures. Recognising an organisation’s weaknesses gives a clearer view of where to concentrate protective efforts. The next step is to follow the guidance of a cybersecurity framework or standard.

What are cyber security standards?

Cyber security frameworks and standards are documented techniques for safeguarding the business’s cyber environment and lowering cyber risks and attacks. They include tools, policies, security concepts, security guidelines, risk management approaches, actions, and best practices. The following table lists cyber security frameworks and standards that can be used by SMEs.

List of cyber security frameworks and standards.

| Governance bodies and frameworks | Description | Type | Commonly used | Focus area |
| --- | --- | --- | --- | --- |
| NIST | The National Institute of Standards and Technology is an NGO that specialises in cybersecurity and publishes a CS framework that can be used in practically any sector. | Regulatory body, Framework | USA | Risk management |
| NCSC | The National Cyber Security Centre (NCSC) is a government body that advises and supports the public and commercial sectors on how to avoid cyber threats. | Regulatory body, Advice and Guidance | UK | Incident response management |
| PCI-DSS | The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that applies to all merchants and businesses that accept branded credit cards or other major credit card systems. | Standard | Global | Access control, protecting cardholder data |
| PSD2 | Payment Services Directive 2015/2366 sets requirements for financial institutions to support secure, efficient and innovative payment systems. | Regulation | EU | Secure payments |
| COBIT | COBIT (Control Objectives for Information and Related Technologies) is a framework created by ISACA for IT management and IT governance. | Framework | Global | Information and technology risks, audit |
| ISO 27001 | ISO 27001 is the information security management system (ISMS) standard. | Standard | Global | Information security, protecting assets, access control |
| GDPR | A privacy framework that specifies how organisations must secure their customers’ or users’ personally identifiable information. | Regulation / Framework | EU | Customer and user data protection |

Important factors to consider

Some factors should be taken into account while choosing the right cybersecurity framework or standard for your business, such as:

The nature of business: this covers the type of sector (financial, health, government, etc.) and size of the firm. FinTech institutions face unique threats, vulnerabilities, and risks that telecom operators and hospitals do not. As a result, the cybersecurity framework’s characteristics differ for each organisation, and the standards handle these characteristics differently. The size of the company has a direct correlation with the standard to be adopted. FinTech companies may want to consider using frameworks with lightweight versions. Numerous standards, including ISO 27001 and NIST, lack light versions.

Implementation cost: this factor can act as a differentiator when more than one framework meets FinTech requirements but their implementation costs differ. Typically, such implementations are carried out by consultants or third parties that charge hourly rates; nevertheless, this is not the only expenditure to consider. Additional expenses include project management, required organisational changes and resources (awareness initiatives), and the day-to-day activities needed to maintain compliance with the adopted standard.

Required skills: Not all frameworks need the same set of expertise for implementing and operating cybersecurity measures. Certain frameworks need business experience, project management, and budgetary competencies, while others necessitate greater technical knowledge. PCI DSS, for example, needs a higher level of technical skills than ISO 27001 or COBIT, which place a greater emphasis on business knowledge.

Generality: while looking for a cybersecurity framework for FinTech, it is critical to keep in mind that the framework should include all necessary features and details, rather than just covering the subject in general. Comprehensiveness is another factor to consider since it reflects the extent to which the framework provides coverage. ISO 27001 is a generic standard for risk management in information security, in contrast to NIST, which is a security-specific standard.