Prepping fintech platforms for the next cyberattack

Security officer standing guard over rows and rows of computer monitors

It’s critical for fintech firms to have incident response plans if a catastrophic event and subsequent cyberattack were to happen.

In observance of the 20^th anniversary of the September 11 terrorist attacks, the InvestmentNews team has written a series of reports looking at how the financial industry has changed in its aftermath and been preparing for the next 9/11 event. Though the specter of something worse continues to be a frightening possibility, rather than pushing 9/11 out of mind or writing it off as an aberration, InvestmentNews contemplates the impact and potential consequences of being unprepared for the next attack from several industry perspectives.

In the second installment of the series, Nicole Casperson asks experts in digital risk management for a gut-check on fintech’s preparedness in case of a cyberattack.

Today’s tech-fueled world has made every business dependent upon a vast and expanding digital infrastructure, making online security measures a national imperative.

The Biden Administration has made it clear that a cyberattack that could result in the degradation, destruction, or malfunction of systems that control infrastructure upon which firms depend could cause significant harm to the national and economic security of the United States.

For firms with prominent digital businesses, like online brokerages with millions of user accounts, it’s critical to have action plans in place to defend against bad actors who would take advantage if another catastrophic event, such as Sept. 11, 2001, were to happen again, says John O’Connell, president and founder of The Oasis Group, a fintech-focused consulting and coaching firm to wealth managers and technology providers.

It’s not a far-fetched reality that a bad actor gets into the U.S. financial system and causes it to fail, especially in times of crises, O’Connell said. This could be done through misinformation, he said, in a similar way that political propaganda contains misinformation.

“Let’s say for example a bad actor hacks sensitive information about bank executives like salaries or contact information, and starts floating it around as misinformation,” he said. “For example, misinformation where the bank president is stealing from the bank or maybe there’s been a lawsuit associated with the bank, all of which can be propagated via social media rapidly.”

That type of misinformation can cause clients to think their bank, brokerage, custodian or wealth manager is corrupt or financially shaky, causing them to remove their funds.

In order to manage a potentially catastrophic scenario, businesses should have action plans in place for a degraded environment, like a Plan B if communications and systems fail due to an uncertain event, said Gilles Hilary, a professor at Georgetown University who specializes in risk management.

Communications are likely to be cut first in a degraded environment, like a terrorist attack, cyberattack or a natural disaster, Hilary said. Larger institutions make easier targets, so it’s critical for those institutions to have a plan — like who will make immediate decisions when the centralized command or control system is compromised.

That response plan should include contact information for local FBI field offices and a cyberattack response team, as well as alternative methods of communication in case it’s difficult to get in touch with these incident response experts.

With the rapid expansion of fintech, a lot of firms have adopted technologies that they have not clearly vetted from a security perspective, O’Connell said.

But there are actions tech-driven firms can do today to prepare for something catastrophic down the road. First, review the cloud security of vendors, O’Connell said. Almost all information is in the cloud, and firms should be consistently reviewing what their cloud security looks like. An expert tip: Ask vendors if they have artificial intelligence to monitor potential threats, O’Connell said.

Look at what data encryption is put in place within your firm’s partners. Having strong data encryption protects data confidentiality by converting it to encoded information. Another practice is limiting the number of people that have access to a firm’s server.

When reflecting upon catastrophic events, it’s worth thinking of other emergency responders, like firefighters or even the military. Those experts are training every day for what they call mass casualty events.

“They do that training so that when something happens, they know precisely what to do, and that training has uncovered for them, over time, holes, gaps, mistakes, process problems, that they just continually improve upon and weed out,” O’Connell said.

“You need that same level of professionalism and coordination in a financial services firm for incident response.”