This article analyses the third-party risk management challenges facing the FinTech sector, and offers some suggestions for how to strengthen firms' resilience against supply chain cyber attacks.
FinTech systems underpin financial services used by millions of people worldwide, every day. The rapid growth of the FinTech sector is fuelled by a multitude of third-party suppliers, vendors and service providers whose products are integral to the services FinTech firms themselves deliver. These numerous dependencies make FinTech companies especially vulnerable to supply chain cyber attacks. In this article, we examine the third-party risk management (TPRM) challenges facing FinTech firms, and the strategies and tools they can deploy to stay one step ahead of the cyber criminals.
Financial technology (FinTech) is one of the fastest-growing sectors in the UK – and globally. Innovative FinTech firms are revolutionising the financial services industry by deploying technology to simplify transactions, reduce costs, strengthen security and enhance customer services. In the UK, the FinTech sector comprises more than 1,600 firms – a number expected to double by 2030. It contributes around £11bn to the UK economy and supports more than 76,000 jobs.
The pace of innovation in FinTech has accelerated over the past five or six years, with blockchain technologies, open banking, integrated payment systems and machine learning transforming the way people interact with banks, insurance companies and other financial service providers.
This rapid pace of change means that FinTech companies increasingly rely on third-party service and technology providers to support their growth and service delivery. Connecting with third-party suppliers is faster and simpler than ever in a world of digital relationships and cloud computing, meaning FinTech companies may be digitally connected to thousands of other organisations. These include direct third-party suppliers, but also the hundreds of suppliers connected to those third parties. This means FinTech companies are potentially at risk from cyber security breaches anywhere in that vast web of digitally connected companies.
There have been many high-profile examples in recent years of companies’ systems being compromised by security breaches originating in their supply chains. One of the most devastating occurred when cyber criminals exploited vulnerabilities in the MOVEit file transfer software. This precipitated a wave of cyber attacks and data breaches that impacted more than 2,500 organisations and more than 60 million people. Many of these companies did not even use the software directly, but had suppliers and service providers that did. This demonstrates the ease with which a security breach anywhere in a digital supply chain can quickly impact thousands of connected organisations around it.
Financial services companies have seen a 63% increase in cyber attacks originating from their supply chains, and these attacks have become the second most prominent cyber threat facing organisations today.
The risks to any FinTech company may originate from any of the varied third-party suppliers, vendors and service providers in their supply chain. These could include cloud service providers, payment processing companies, data analytics firms, identity verification service providers, API integrators and providers of regulatory compliance services. In addition, different types of FinTech companies rely on different critical suppliers to support their specific services. Here are a few examples:
This reliance on such a broad and diverse range of third-party providers makes managing the associated cyber security risks a daunting prospect for any FinTech company. The growing threat of cyber security breaches causing catastrophic harm to an organisation means companies can no longer rely on simple tick-box exercises for their third-party risk management (TPRM).
FinTechs need to maintain a constant view of security vulnerabilities across their supply chains. But assessing, monitoring and addressing the security status of potentially hundreds of third-party suppliers is a significant challenge.
One of the key challenges is ensuring that TPRM activities support compliance with strict financial-sector regulations. These include GDPR and other data-protection regulations, DORA and new Financial Conduct Authority (FCA) regulations on operational resilience. The new FCA operational resilience framework requires financial services firms to ensure that any disruption to the business doesn’t harm consumers or the wider financial system. With most FinTech firms classed as financial service providers, they are subject to all of these regulations.
In addition, many FinTechs are themselves critical technology suppliers to larger financial institutions, such as banks, insurance companies and investment firms. That means they must also comply with regulations relating to critical third parties. In 2023, the UK government introduced new rules to increase the resilience of critical third parties providing services to financial firms. These rules require third parties to provide regular assurance, information and notifications to the financial regulators on their services, as well as carrying out regular resilience testing.
This places a considerable burden of responsibility on FinTechs not only to conduct extensive risk management on their own third-party providers, but also to safeguard their own systems to provide assurances to the organisations they supply. Many FinTech firms, particularly smaller companies, lack the resources, funds and capabilities to carry out the risk management necessary to provide these assurances. Most FinTech companies still don’t have a dedicated TPRM team.
Perhaps surprisingly for technology firms, many FinTechs have insufficient IT tools to conduct exhaustive TPRM procedures. Because they have in-house technology expertise, FinTech firms may feel equipped to develop their own TPRM tools. But such systems require specific TPRM expertise to deliver the functionality and capabilities required. That’s because effective TPRM today requires continuous monitoring of the security postures of all suppliers, providing real-time visibility of risks throughout the supply chain.
One of the greatest challenges in today’s technology-driven working environment is keeping track of all the IT tools and devices being used by people within the business. Being pro-technology and employing tech-savvy people means that FinTech firms are likely to be awash with external devices and software brought in by employees. This “shadow IT” introduces a host of potentially unseen third-party providers to the digital work environment, multiplying the potential cyber security risks.
When considering how to implement more robust TPRM, it’s important not to underestimate the risks posed by cyber security breaches. Cyber criminals have many different modes of attack, including theft of login credentials through phishing, social engineering or the exploitation of system vulnerabilities. Attackers can inject malicious code into software or firmware, which can then be used to compromise systems. Once they have access to systems, criminals can steal sensitive data relating to the organisation or its customers. Alternatively, attackers can launch denial-of-service attacks, which disrupt operations and prevent a company from delivering its critical services.
Disruptions to the services provided by FinTechs can have far-reaching consequences throughout the financial services sector. Criminals could carry out fraudulent transactions once they have access to FinTech systems. Unauthorised transactions can also result from criminals gaining access via API vulnerabilities. Furthermore, when a large number of FinTech firms rely on a limited number of critical service providers, these service providers become especially vulnerable to exploitation.
With supply chain breaches having such potentially devastating consequences, FinTech companies need all the help they can get to mitigate the risks and proactively address vulnerabilities in their supply chains. This calls for robust and effective TPRM strategies and tools.
A good starting point is implementing comprehensive supplier due-diligence processes to identify security weaknesses at the earliest opportunity. Suppliers should then be categorised according to the risks they pose. FinTechs should draw up robust contractual agreements with suppliers, to ensure regulatory compliance, and have clear exit clauses to protect data security and service continuity when contracts are terminated. It’s vital to introduce and enforce secure data-sharing protocols with all suppliers, alongside strict access-control systems. FinTech firms can also build resilience by reducing over-reliance on a small number of key vendors. Diversifying the supply chain and spreading risk among a large number of trusted vendors prevents risk from being concentrated in a small group of suppliers.
Strict rules and protocols are one important way to safeguard a FinTech business. But collaboration with third-party suppliers is absolutely critical to securing the entire supply ecosystem. Maintaining compliance with a multitude of regulations requires collaboration and information-sharing with suppliers, vendors and industry peers. Similarly, open and honest communication, regular intelligence-sharing and collaboration are the cornerstones of continuous real-time risk monitoring.
In an industry renowned for its rapid pace of innovation, it should be no surprise that sophisticated cyber criminals are equally adept at innovation when it comes to breaching IT security systems. That’s why continuous security monitoring must become a business-as-usual activity, helping FinTech companies identify potential vulnerabilities, stay abreast of emerging threats and take proactive steps to minimise risks.
Fortunately, new technology platforms that help FinTechs introduce advanced TPRM solutions are now available. These enable supply-chain-wide security assessments, monitoring and alerts, alongside threat monitoring and intelligence sharing. The Risk Ledger platform offers these advanced capabilities, facilitating secure collaboration between participants.
Risk Ledger is an online platform that enables FinTechs and their suppliers to work together to build up a comprehensive overview of their entire supply ecosystem. It works like a social network. Each organisation creates a profile containing information about their business, security controls and other relevant risk areas. This profile is then shared with other organisations on the platform.
Companies can use Risk Ledger to monitor the security status of all other participants, suppliers and service providers. By mapping all of these connections, the platform can provide a unique visualisation of the wider FinTech supply chain network. Tracking vulnerabilities within the network enables areas where risks are concentrated to be highlighted.
Risk Ledger generates alerts whenever there is a security breach at any of the connected organisations. By flagging up these incidents in real time, the system can provide FinTechs with an early warning of potential security impacts, enabling them to take rapid action to protect critical services and customers.
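The three ideas above, that exposure reaches beyond direct suppliers to the suppliers of suppliers, that risk concentrates where many firms depend on one provider, and that a breach at one node should alert every organisation downstream of it, can all be expressed as traversals over a dependency graph. The following is an added illustration written for this article; it is not Risk Ledger's code, and the organisation names and dependency map are constructed placeholders. It builds a small supply chain graph for three hypothetical FinTech firms, lists each firm's nth-party suppliers, finds the providers on which the most firms depend, and works out which organisations are exposed when a named supplier is breached.

```python
"""Supply chain exposure mapping over a dependency graph.

Added illustration for the article above, not Risk Ledger code.
All organisation names and dependencies below are constructed sample data.
"""
from collections import Counter, deque

# Constructed dependency map: organisation -> the suppliers it relies on directly.
# FinTech firms appear as keys; suppliers may themselves have suppliers, so the
# map also captures fourth- and fifth-party relationships.
DEPENDENCIES = {
    "fintech-a": {"cloud-host", "payment-processor", "kyc-vendor"},
    "fintech-b": {"cloud-host", "payment-processor"},
    "fintech-c": {"cloud-host", "kyc-vendor", "analytics-firm"},
    "payment-processor": {"cloud-host", "file-transfer-tool"},
    "kyc-vendor": {"file-transfer-tool", "identity-data-broker"},
    "analytics-firm": {"cloud-host"},
    "cloud-host": set(),
    "file-transfer-tool": set(),
    "identity-data-broker": set(),
}

FINTECH_FIRMS = ("fintech-a", "fintech-b", "fintech-c")


def transitive_suppliers(deps, org):
    """Every supplier `org` depends on, directly or via other suppliers (BFS)."""
    seen = set()
    queue = deque(deps.get(org, ()))
    while queue:
        supplier = queue.popleft()
        if supplier in seen:
            continue
        seen.add(supplier)
        queue.extend(deps.get(supplier, ()))
    return seen


def reverse_dependencies(deps):
    """Invert the map: supplier -> organisations that depend on it directly."""
    rev = {org: set() for org in deps}
    for org, suppliers in deps.items():
        for supplier in suppliers:
            rev.setdefault(supplier, set()).add(org)
    return rev


def exposed_organisations(deps, breached):
    """Every organisation whose supply chain (at any depth) contains `breached`.

    This is the 'blast radius' of a breach: a firm is exposed even if it has
    no contract with the breached supplier, as long as one of its suppliers does.
    """
    rev = reverse_dependencies(deps)
    exposed = set()
    queue = deque(rev.get(breached, ()))
    while queue:
        org = queue.popleft()
        if org in exposed:
            continue
        exposed.add(org)
        queue.extend(rev.get(org, ()))
    return exposed


def concentration(deps, firms):
    """For each supplier, the number of firms depending on it at any depth."""
    counts = Counter()
    for firm in firms:
        counts.update(transitive_suppliers(deps, firm))
    return counts


def concentration_hotspots(deps, firms, threshold):
    """Suppliers on which at least `threshold` firms depend, most shared first."""
    counts = concentration(deps, firms)
    return [(s, n) for s, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for firm in FINTECH_FIRMS:
        print(firm, "->", sorted(transitive_suppliers(DEPENDENCIES, firm)))
    print("concentration hotspots:", concentration_hotspots(DEPENDENCIES, FINTECH_FIRMS, 3))
    print("exposed by file-transfer-tool breach:",
          sorted(exposed_organisations(DEPENDENCIES, "file-transfer-tool")))
```

In the sample data no FinTech firm contracts with `file-transfer-tool` directly, yet all three are exposed when it is breached because their payment and KYC providers use it; `cloud-host` and `file-transfer-tool` both turn out to be concentration hotspots on which every firm depends. Real platforms would populate the dependency map from supplier questionnaires and profile sharing rather than from a hard-coded dictionary, and would weight suppliers by criticality rather than counting them equally.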
In a sector founded on technology innovation and ingenuity, it’s time for FinTechs to adopt the most advanced strategies available to strengthen third-party risk management. Cyber criminals are innovating fast, seeking out vulnerabilities and acting ruthlessly to access critical FinTech systems via their supply chains. FinTechs must act equally robustly, harnessing new technology platforms to enable continuous third-party risk monitoring. That’s how FinTech companies can stay one step ahead of the cyber criminals and protect the consumers, data and financial services that rely on their powerful technologies.
Look out for future articles from Risk Ledger on how to advance third-party risk management to protect your organisation and its supply chain partners.