Employing financial technology solutions has become a comfortable and productive way of life for many corporate finance leaders, who increasingly rely on these cloud applications to optimise and enhance core pieces of their jobs, from treasury to accounting and beyond.
Despite the proliferation and rapid adoption of financial technology solutions by global organisations from all industries, solution providers should not escape scrutiny in one key area: security.
“Most FinTech vendors have access to highly sensitive financial information, so a company playing in this space needs to have some minimum things in place so their customers have a strong sense of their commitment to security,” said security expert Nick Biasevich, the director of technical sales enablement at Kyriba.
According to Biasevich, there are three minimum requirements any vendor should be able to provide:
1. A Cyber Defense Center: A dedicated team whose sole purpose is to protect clients and their customers from potentially disastrous cyberthreats and cyberattacks. The principal tool these defence teams use is a Security Information and Event Management system, or SIEM, which actively monitors every endpoint in the company, looking for any type of suspicious activity. Without a SIEM in place, companies have to do this manually, an extraordinary amount of work that leaves organisations open to security risk.
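To make concrete what a SIEM does when it "actively monitors every endpoint", here is an added example in Python; it is not code from Kyriba or from the original article. It runs a single correlation rule over a handful of constructed authentication events gathered from several hosts, flagging an account that accumulates a burst of failed logins from one source and is then successfully signed into from that same source. The log format, hostnames, IP addresses, threshold and time window are all assumptions chosen for illustration.

```python
"""
Minimal SIEM-style correlation rule (added illustration, not Kyriba's code).

A SIEM centralises events from many endpoints and evaluates rules over
them automatically. This toy rule flags a (user, source IP) pair that
shows `threshold` or more failed logins within `window`, followed by a
successful login from the same source: a common sign that credential
guessing succeeded. Because events from several hosts are correlated
together, the pattern is visible even though no single host saw it all.

Log format and sample events are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|host|user|src_ip|outcome".
# Hostnames and IPs are documentation/test values, not real systems.
SAMPLE_LOG = """\
2024-01-15T09:00:01|app-01|alice|203.0.113.7|FAIL
2024-01-15T09:00:03|app-01|alice|203.0.113.7|FAIL
2024-01-15T09:00:04|app-02|alice|203.0.113.7|FAIL
2024-01-15T09:00:05|app-02|alice|203.0.113.7|FAIL
2024-01-15T09:00:06|app-01|alice|203.0.113.7|FAIL
2024-01-15T09:00:09|app-01|alice|203.0.113.7|SUCCESS
2024-01-15T09:10:00|app-03|bob|198.51.100.2|FAIL
2024-01-15T09:15:00|app-03|bob|198.51.100.2|SUCCESS
2024-01-15T09:20:00|app-01|carol|192.0.2.44|SUCCESS
"""


def parse_events(text):
    """Parse the pipe-delimited constructed log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, src, outcome = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "src": src,
            "outcome": outcome,
        })
    return events


def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (user, src) whose success was preceded by
    >= threshold failures inside `window`, regardless of which host
    each failure landed on."""
    alerts = []
    # (user, src) -> list of (timestamp, host) for recent failures
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Slide the window: keep only failures still inside it.
        failures[key] = [(t, h) for t, h in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "FAIL":
            failures[key].append((ev["ts"], ev["host"]))
        elif ev["outcome"] == "SUCCESS":
            if len(failures[key]) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(failures[key]),
                    "hosts": sorted({h for _, h in failures[key]}),
                    "success_at": ev["ts"].isoformat(),
                })
            # A success ends the sequence either way.
            failures[key].clear()
    return alerts


def run_rule(log_text=SAMPLE_LOG):
    """Parse the log and apply the rule; returns the alert list."""
    return detect_brute_force_success(parse_events(log_text))


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)
```

The rule is deliberately small, but it shows the two things the paragraph contrasts: the correlation spans hosts (alice's failures are split across app-01 and app-02, and only the combined view crosses the threshold), and it runs without a person reading each endpoint's log by hand.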
2. Authenticated Pen-Testing for SaaS Platforms: There is probably no better test of platform security than authenticated penetration testing, or “pen-tests,” in which the software provider opens up its SaaS-based application for a client’s IT personnel to take their best whacks in attempting to uncover security flaws. This compares to an unauthenticated pen-test, which is conducted outside of the platform and is not as rigorous or efficient in security screening. An authenticated pen-test requires full cooperation between the vendor and the prospect or client to complete, and is a deep sign of the vendor’s security commitment.
3. SOC 1 and SOC 2 Type II Certification: These certifications are key in assuring that a vendor’s security practices are up to standard. SOC 1 is a statement of operational controls, which sets out the internal controls, processes and procedures that a FinTech vendor abides by when handling data. SOC 2 Type II is a report by a third-party auditor that has audited the vendor’s performance against those controls, on the basis of the evidence provided. A SOC 2 Type II certification means that a vendor has proven that its system is designed to keep its clients’ sensitive data secure. This latter type of certification is expensive and time-consuming and is hard proof that a vendor takes security extremely seriously.
There were more than 1,000 global FinTech vendors, according to a 2016 report by Atherton Research. That number has likely grown significantly, fuelled by new business models and increasing trust in cloud-based vendors to deliver secure, scalable global applications.
“There are, of course, other security factors to consider from a buyer perspective, but if a vendor is not doing these basic things, the maturity level simply isn’t there,” Biasevich said. “These three items are a good security sniff test for any vendor.”