Fintech companies have been disrupting
the financial industry for almost 20 years,
introducing new products and services that seek to satisfy
the evolving needs of customers.
The changing consumer demands and behaviors drive the fintech industry
because customers are looking for easier,
faster and more accessible ways to manage their money
or do things like banking, investing and bill paying.
From 2019 to 2024, the number of fintechs
has more than doubled.
It’s been calculated that around the world there
were 12,211 before 2020, but as of 2024,
there are around 29,955 companies,
with the Americas, Europe, the Middle East and Africa
experiencing the most significant growth.

As these companies grow, so does the critical
need for robust cybersecurity measures
to protect sensitive financial data and maintain customer trust.
Fintechs can be impacted by the constant threat malicious actors pose.
Their sheer nature of being internet-based companies
makes them a coveted target for cyber threats
and leaves them open to data breaches, identity theft,
ransomware attacks, API vulnerabilities and other incidents,
not to mention that the value of the data fintechs manage
can motivate even insider threats.
Needless to say, any kind of incident in a fintech company
can lead to reputational damage, operational disruptions,
compliance issues, some leading to regulatory fines,
and loss of customers.
No company wants any of the aforementioned,
which is why cybersecurity needs to be an integral part
of the fintech industry.

Fintech companies

The fintech —short for financial technology— industry
is all about using technology to innovate
and change the way financial services have been provided.
Fintechs are part of different sectors,
among entities that offer products or services
like internet or mobile payment services,
peer-to-peer lending, e-money (electronic money),
wealth and financial management, insurtechs,
neo or digital banks, trading and cryptocurrency platforms,
virtual asset service providers (VASPs), and more.

Fintech companies’ services are delivered
via mobile apps and web-based solutions.
They rely on a combination of cutting-edge
and established technologies to provide their financial services.
The most prominent technologies utilized are:

• Application programming interfaces (APIs): APIs are messengers
  that allow different applications to talk to each other.
  Fintechs use APIs to connect with entities like banks
  or other financial institutions, accessing a wider variety
  of services from various providers.

• Artificial intelligence (AI) and machine learning (ML): Learning
  and problem-solving made easy.
  In fintech, AI and ML are used for customer data analysis,
  fraud detection, transaction patterns to detect abnormalities,
  and to provide automated customer service with chatbots.

• Blockchain: This makes decentralized
  and unchangeable ledger systems possible,
  where every financial transaction is recorded chronologically
  and securely, which makes it nearly impossible to tamper with the data.

• Cloud computing: Cloud platforms
  (like Amazon Web Services, Google Cloud Platform or Microsoft Azure)
  allow organizations like fintechs to expand their operations,
  store and process massive amounts of data,
  and access powerful computing resources without requiring
  a lot of on-premises infrastructure.

• Open-source software and software-as-a-service (SaaS): Open-source
  components might be used to build the core of fintech platforms,
  and SaaS solutions can assist in providing apps
  with different functionalities like customer management or marketing.

Fintech companies have access to a wide range
of sensitive data and personal information
due to the nature of the financial services they provide.
This data includes: Personally identifiable information
(full names, addresses, phone numbers, email addresses,
geolocation, birthdates),
financial information
(bank account details, credit and debit card numbers, transaction history,
account balance, loan details, investment portfolios),
authentication data
(usernames and passwords, security questions and answers, biometric data),
credit information
(credit scores, reports, history),
behavioral data
(spending habits, investment behaviors, savings patterns,
online and mobile banking usage data),
transactional data (peer-to-peer details, bill payments)
and corporate data
(financial statements, tax numbers, business credit scores, payroll,
supplier and vendor payment details).

Access to this diverse and sensitive information highlights
the critical need for strict cybersecurity measures
within each fintech company.
Data protection is crucial for maintaining strong consumer trust,
avoiding financial or reputational harm,
and adhering to legal and regulatory requirements.

Fintech security compliance

Depending on the location where the fintech operates
and the type of service it provides,
specific security standards apply and legal compliance must be ensured.
Some of those regulations are:

• Anti-Money Laundering (AML)
• Know Your Customer (KYC)
• 6th Anti Money Laundering Directive (AMLD)
• eIDAS
• PSD2
• General Data Protection Regulation (GDPR)
• ISO 27001 for the Fintech Sector
• National Institute of Standards and Technology (NIST) Cybersecurity Framework
• California Consumer Privacy Act (CCPA)

Security challenges and threats

Fintechs face a unique set of threats and challenges
because of their nature of operating online,
through internet portals exposed to cybercriminals
that are always lurking.
The sensitive data handled by fintechs makes them
especially attractive for the latter.
Data breaches from fintechs can expose
customer information to blackmail, identity theft,
financial fraud and fraudulent transactions.
These kinds of incidents are not uncommon.
In 2020, the digital banking app Dave
experienced a data breach that affected 7.5 million users.
Ransomware attacks could also happen to a fintech company.
In early 2024, a ransomware attack on EquiLend Holdings
ended in a data breach that forced the firm to suspend
its services for several days
and later inform its employees notifying them
that their information was stolen.
API attacks have been growing with
the use of fintech technologies.
In 2020, hackers breached the hardware wallet provider Ledger’s
API marketing tools, which were used for sending marketing emails,
and led to a million email addresses being exposed.
Not less disturbing are other attacks
like phishing, distributed denial-of-service
(DDoS),
and insider threats.

Fintechs also encounter challenges
that demand constant vigilance and adaptation.
One of those challenges is mobile security,
which is of special importance for some fintechs,
as mobile devices are their lifeblood.
From online banking to contactless payments apps,
their convenience often depends on smartphones.
However, mobile apps offer a large attack surface to be exploited,
are susceptible to malware or social engineering attacks,
and if overlooked, are not regularly updated
and present no fixes to security vulnerabilities.
Another challenge is third-party issues,
given that fintechs often rely on these suppliers’ networks.
Issues like overreliance on a specific vendor,
security gaps in third-party systems
and ensuring compliance with regulations
across various third-party vendors can occur.
An emerging challenge is now on the rise
with AI and machine learning being integrated
into the fintech industry.
It has been reported that there may be bias
in algorithms within the data they are trained with,
leading, for example, to unfair outcomes
for certain groups when asking for loans;
thus raising questions on the transparency
and fairness of systems using these technologies.

Cyber threats will keep evolving and new challenges will arise,
as this industry is fairly young.
But acknowledging and preparing for these issues
can make fintech companies more secure and trustworthy financial entities.

Fintech cybersecurity: Why is it important?

As previously stated, fintech companies deal
with a vast amount of personal and financial information,
making them a prime target for cyberattacks.
The importance of cybersecurity in this industry is paramount.
Any breach or security incident
can significantly erode customer trust,
which could lead to customer loss and long-term reputational damages.
Therefore,
implementing robust cybersecurity measures is essential
to protect this data from breaches and unauthorized access,
ensuring the privacy and security of customers.

Moreover,
the fintech industry is regulated with strict compliance requirements,
and adhering to these regulations
can be better achieved just by having robust cybersecurity practices,
thus avoiding legal repercussions or hefty fines.
Effective cybersecurity also
plays a crucial role in preventing financial fraud,
protecting intellectual property,
and ensuring business continuity by minimizing operational disruptions.

Security best practices for fintechs

By implementing cybersecurity technologies,
building a strong foundation,
managing third-party relationships and embracing a security culture,
fintechs can build a strong security framework
and thrive in the competitive financial landscape.
We present the following best practices for this sector:

• Data encryption: Through this process,
  the information is transformed from its original
  representation into an encrypted form.
  This is a crucial security measure that can shield information
  from unauthorized external access.

• Multi-factor authentication (MFA): This goes beyond passwords
  and requires additional verification steps,
  biometric scans or one-time codes be used for logins or transactions.

• Constant backups: Important information can be saved
  from being entirely lost by making a copy of it.
  Critical files need to be routinely backed up
  in order to preserve edited and modified data.

• Access controls: Apply the principle of least privilege
  and grant access to data and systems only on a role basis.

• Regular security audits: Proactively identify
  and address vulnerabilities through regular
  penetration testing
  and vulnerability management.

• Incident response plan: A documented plan should
  be in place that outlines the effective response to a security incident,
  which seeks to minimize damages and downtime.

• App security during development: Implement secure coding
  practices and conduct security testing in the early stages
  of development to identify and fix vulnerabilities in the systems.

• Vendor risk assessment: Thoroughly assess the security posture
  of third-party vendors and make sure they meet
  the necessary security standards before establishing partnerships.
  Monitor the security performance of third-party vendors
  and have established mechanisms to address any identified weaknesses.

• Keep software updated: Patching vulnerabilities
  and updating operating systems, mobile apps
  and all software components regularly is crucial.

• User and employee education: Educate employees and users
  on their particular best practices for staying safe.
  For employees, regularly train them on cybersecurity practices
  and vulnerabilities they are susceptible to.
  For users, inform them about safe mobile practices
  like keeping software updated,
  avoiding suspicious links and using strong passwords.

• Embrace a security culture for software development: Foster
  a culture of security awareness where everyone plays
  an important role in protecting data and systems.

Adopting a DevSecOps culture

In this dynamic time where threats evolve daily
and malicious actors are always coming up
with innovative ways to cause havoc,
security must also be an ongoing process rather
than a one-time effort.
Developing software should include constant security testing,
be it manually or automatically,
and throughout the whole software development lifecycle (SDLC),
not only after the software has been deployed.

A DevSecOps culture
can help to emphasize collaboration
and communication between development,
security and operations teams from the start,
where everyone has a share of responsibility for security.
By making security a part of the development process from the beginning,
the software product is developed collaboratively,
and security vulnerabilities and issues are found in it proactively,
which reduces the need for after-the-fact fixes.
Catching vulnerabilities early also means
a lowering on mitigation costs and time in remediations.
All of these serve to avoid negative consequences
like customer backlash.

Transitioning to DevSecOps
is a collective responsibility,
where security teams can take the lead in planning,
aiming to incorporate security with minimal disruption
to the existing workflow, and addressing
the identified vulnerabilities.
Developers do their part by writing secure code,
and operations maintain a secure infrastructure.

DevSecOps can be achieved by shifting security to the left,
which is moving security considerations earlier
in the development lifecycle and integrating
security testing tools and practices throughout
the development pipeline.
Also by breaking down silos by fostering
open communication and collaboration between the teams,
and integrating security testing tools into the CI/CD pipeline.

The fintech industry, among other sectors,
can greatly benefit from adopting a DevSecOps culture.
By proactively addressing security throughout the development lifecycle,
fintechs can significantly reduce the risk of data breaches and cyberattacks,
enhancing their security posture.
Fluid Attacks’ expertise shines here,
as we offer our security testing solution where
we leverage our ethical hacking team
and automated techniques
(SAST,
SCA,
DAST
and CSPM) to find as many real
vulnerabilities as possible and continuously
report them in our diverse platform.
By performing security testing early on
and identifying and resolving vulnerabilities,
DevSecOps helps expedite
the development process and ensure a secure deployment.
Because we believe in it,
we assist companies in implementing a DevSecOps culture.
Organizations that choose to use the DevSecOps methodology
will benefit from it, particularly in terms of the security
and quality of their products and operations.

Success stories

With our Continuous Hacking solution,
which is skilled at identifying,
exploiting and reporting vulnerabilities,
we continue to assist fintech organizations
in establishing robust security postures.
One of those fintech companies
is the digital wallet entity akaunt,
who operate in Colombia and have been using
our solution since early 2023.
Through the usage of our AppSec testing tools,
ethical hacking team and generative AI to find vulnerabilities,
they have been ahead of incidents
and reduced their risk exposure at a fast pace.
Here,
they discuss their success story.

Another fintech company that has benefited from
our solution is the payment gateway Payválida
that operates in Latin America.
They are pleased with our ability
to find vulnerabilities at the speed of their company,
deliver reports on schedule,
and quickly accommodate their needs for reattacks.
Payválida remediated 96% of their system’s vulnerabilities
while working along with Fluid Attacks,
remediating vulnerabilities throughout the development lifecycle,
leveraging the DevSecOps methodology.
More of their success story can be found here.

Let us know if you are interested in how Fluid Attacks
can help your fintech organization by contacting us.