Kickstart Your Start-Up’s Cybersecurity Program: A Focus on Fintech Companies

Being part of a growth-oriented start-up company can bring its own share of struggles. Do we have enough funding to secure the future? Can we guarantee we have a significant competitive advantage? How can we make certain we have the right people for growth? And, speaking of growth, are we sure we have an action plan to scale up over time?

Careful planning and foresight can help eliminate some of the pressures start-up companies face with IT issues surrounding regulations, industry requirements and certification standards. According to a study of fintech start-up companies, more than $15.6 billion has been invested in U.S.-based fintech start-ups since 2016. In our experience, consideration of IT risk and compliance concerns is often an afterthought, because early demands to support growth take priority.

Within these planning roadmaps, it is paramount to make scaling as painless as possible. Instilling an appropriate corporate culture, incorporating corporate and data governance considerations, investing in infrastructure to support eventual growth, choosing the best channels for advertising and marketing, and forecasting financial planning are all major components of a successful outlook.

But what about the “tech” part of fintech?

In the early stages of the start-up process, prepare for IT regulatory assessments by examining the following questions for your business:

  • Are you effectively addressing regulatory controls that surround your IT infrastructure?
  • Have all critical assets and processes been identified and secured?
  • What process is used to vet vendors to check for deficiencies when handling data for your business and your customers?
  • Should a security incident occur, are all appropriate processes and recovery methods outlined to mitigate exposure?
  • Is your cyber insurance adequate in effectively covering you and your entities?

Addressing these questions in the early stages of the start-up process can prevent overwhelming, grueling assessments that may be required by regulators or expected by your customers. For example, if your start-up transmits, stores or processes card payment information, then Payment Card Industry (PCI) compliance is required. If you handle, store or transmit data on behalf of other entities or customers, you may be asked to produce a System and Organization Controls (SOC) report to address key controls.

While these assessments and audits may seem endless and daunting, the following are common practices that could help prevent a last-minute compliance requirement from derailing the roadmap that was established in the early stages of planning:

  • IT Risk Assessment – a general assessment of the IT infrastructure with the intention of identifying key assets, systems and processes that are critical within the organization. The goal of this assessment is to identify risk within the organization for areas that are deemed critical and may need a corrective action plan.
  • System and Organization Controls (SOC) Reporting – an examination of controls in place to identify deficiencies within the IT ecosystem. While this may seem similar to the IT Risk Assessment, the purpose of the SOC report is to provide assurance to interested parties over company practices to maintain security, availability and privacy of information.
  • Network Security Assessment and Penetration Test – an assessment of IT infrastructure by performing a simulated attack on the network from the standpoint of an external threat actor. This technical assessment performs a deep dive into the cybersecurity controls in place by attempting to evade defenses while accessing an organization’s most critical data. By its nature, the results of the Network Security Assessment can help identify deficiencies within the overarching IT security program.
  • Payment Card Industry Data Security Standard (PCI DSS) Compliance – a compliance requirement for entities that store, transmit or process cardholder data. This assessment is meant to identify appropriate and effective security controls for handling credit card data and is required regardless of size, industry or number of transactions handled.

These assessments and audits will help alleviate pressures a start-up may face from investors, customers and regulators regarding IT infrastructure and overall cybersecurity effectiveness. While not an exhaustive list, these evaluations serve as the backbone for identifying gaps and potential pitfalls in security and controls for start-ups across all industries. Forecasting and identifying compliance requirements and beneficial assessments are important steps in creating a roadmap for your company’s success.