FinTechs told to do more to mitigate cyber risks

FinTech firms operating in the asset servicing and asset management space must be scalable and have protections in place to mitigate the risk of outages or cyber-breaches, according to panellists speaking at the Irish Funds Conference in London.

By Editorial

 FinTech firms operating in the asset servicing and asset management space must be scalable and have protections in place to mitigate the risk of outages or cyber-breaches, according to panellists speaking at the Irish Funds (IF) Conference in London.


A growing number of FinTech providers are coming to market. The use of advanced technology or “Reg Tech” to assist market participants with regulatory requirements has also proliferated. This regulatory reporting technology can often reduce operational errors, inefficiencies and costs in what has traditionally been a highly manual process at financial institutions. Regulators including the UK Financial Conduct Authority (FCA), the Monetary Authority of Singapore (MAS) and the Australian Securities and Investments Commission (ASIC) have even launched their own FinTech innovation hubs to encourage the creation and development of disruptive technologies in financial services. 


Some have warned that this technology – while hugely exciting – is simply not scalable. Blockchain, the shared distributed technology ledger, is a prime example. While Blockchain underpinned the Bitcoin cryptocurrency, the transactional volumes on Bitcoin were not significant and tiny relative to other transactional volumes in core markets. As such, there are questions whether Blockchain has the capacity to serve sizeable markets.
But FinTech offerings must also ensure they are robust and have excellent infrastructure to minimise a disruptive event such as a cyber-attack or outage. While global regulators have welcomed technological disruption, they are alert to the potential systemic risks it may bring. The International Organisation of Securities Commissions (IOSCO) published its risk outlook for 2016 and identified FinTech disruptors such as Blockchain as an area of possible concern. 


Tom Healy, business development director at CalQRisk, a risk management software provider, speaking at IF’s London Alternative Investments Seminar, said FinTech providers needed to ensure they had safeguards to guarantee security. “FinTech needs to have infrastructure in place to protect against cyber-threats. Many of these products are in the cloud or on mobile devices so protection is crucial. These organisations need to ensure they are capable of protecting sensitive information and that they are scalable,” he said. 


Cyber-security is of paramount importance to financial institutions. The last three years has witnessed a number of high-profile cyber-attacks which have culminated in information leakages, thefts and Distributed Denial of Service (DDoS) attacks. A survey of clients by the Depository Trust & Clearing Corporation (DTCC) in May 2015 found 46% identified cyber-crime as the biggest risk to capital markets, nearly double from 2014. It is something organisations need to be mindful of. KPMG surveyed institutional investors running more than $3 trillion and found that 79% of respondents would not put money in a business which had been hacked.

A study in 2013 by the then Committee on Payment and Settlement Systems (CPSS) and IOSCO, in conjunction with the World Federation of Exchanges found more than half of the 46 exchanges in the survey had suffered a cyber-attack over the previous year. Analysis by the US Securities and Exchange Commission (SEC) found 88% of broker-dealers and 74% of investment advisers had encountered cyber-threats directly or indirectly through a third party. Nonetheless, FinTech providers are often start-ups or quite small – at least relative to broker dealers and market infrastructures. This obviously heightens their vulnerability.

Having processes in place to reduce the risk of cyber-attacks is crucial. At a most basic level, this would entail having anti-virus software and education for staff on best practices and procedures. Cyber-threats are varied and can originate from a number of malicious parties including hostile nation states, sophisticated criminal gangs and disgruntled employees. “It is critical that these FinTech providers have business continuity planning (BCP) in place,” added Healy.

For example, if Blockchain were to take off and become a core component of the custody chain plumbing, its systemic importance would be huge. However, only a handful of Blockchain providers actually exist. As such, these entities would inevitably be designated systemically important and would have to ensure they have high-quality cyber-protections and BCP in place to mitigate any potential fallout from an outage. Furthermore, they would likely be subject to significant regulatory oversight.

FinTech has grown at an exponential rate. A report commissioned by HM Treasury and produced by Ernst & Young (EY) said the UK was a leading FinTech capital. The report said the UK FinTech sector had grown significantly since 2008 and had revenues of £6.6 billion in 2015 and had attracted £524 million in investment. Cillian Leonowicz, consulting manager at Deloitte, highlighted there was a huge push by governments on FinTech.

«