How fintechs can turn their IT security into a USP

By Sam Khoury | BDO Canada | 17 January 2019

Watching how fintechs and established financial services companies come together is a bit like watching a romantic comedy.

There always seems to be some big mismatch between the two partners that may seem inconsequential but is actually quite serious. One or the other partner is too tall, too old, or too set in his ways. You pick the reason.

In the fintech space, just like on the screen and in real life, choosing the right partner is a difficult process and not to be taken lightly.

From my vantage point as an adviser to both fintechs and financial services organizations, I see that brilliant young fintechs that have caught the eye of mature companies must have more than great ideas and programming talent: They must also meet high standards for IT security set by established players.

In this first in a series of blogs on best practices for fintechs for managing IT security risks, I will share three ways fintech companies can turn their IT security into a unique selling point (USP). This is critical as they work to attract big-name companies – companies that are held responsible for protecting sensitive client information.

#1 - Fintechs should think like a large company when it comes to IT security

To a certain degree, big companies that work with fintechs are buying-in innovation, and that may come with risk: Control structures may not be as robust or formalized as their own, and the financial services organization can be held responsible.

This leads me to my first point. Those fintechs that are proactively adapting their processes and organizations to similar security standards as larger companies will make themselves more attractive to potential partners, investors or buyers.

#2 - Line up proof of meeting a potential client’s security standards

It’s also critical for fintechs to be ready in the early stages to attract quality relationships by having “proof” of IT security standards. Any investing company will want to see reports signed off by a neutral third party, as well as basic health check reports.

In my opinion, ISO27k and SOC for Cybersecurity, as well as other similar information security management frameworks and standards, require a benchmark analysis for good reason. My experience shows that after going through such a process, most companies will need some sort of remediation through additional controls. Then and only then can the company go and tell the world that they have proper IT security controls.

#3 – Get IT security right from the outset

No matter which industry you are in, cybersecurity presents serious risk and no company or individual is immune. What’s more, the way to protect your organization is always dependent on specific details, which means there is no out-of-the box solution.

Often, young companies need to give special attention to setting up best practices and standards at the very outset. Yet the wide variety of security frameworks make it very difficult for an organization to know where to start. They may include SOC 2, SOC for Cybersecurity, PCI DSS, HIPAA, ISO27k, HITRUST, NIST and many more.

By addressing IT security early, fintechs can do what they do best: think up brilliant, innovative and inspirational ways to serve clients and end customers.

Perhaps fintechs and large financial organizations can indeed be a match made in heaven…

See our whitepaper on How to Prevent an Equifax Type Data Breach here

 

Sam Khoury | BDO Canada
Tags:
cyberattacks, data, fintech, IT, prevention, security, startup