Part 3: Fintechs and privacy – not to be taken lightly
Privacy is perhaps the most difficult to manage of the three areas of IT security risk that I’ve talked about in my blogs. (In the first article, I discussed security and in the second availability.)
Indeed, if privacy risk is not managed properly, it will end up weakening a fintech’s strategic partnerships and their main client – or potential client - relationships.
The General Data Protection Regulation (GDPR) set out the main responsibilities for organizations including new “accountability” requirements. Data privacy isn’t just an IT or legal problem, it’s an enterprise-wide issue that, if not properly addressed, can lead to significant business interruption and financial losses. Companies must update how they collect, handle, secure and ultimately dispose of personal information.
Instead of just checking a box, fintechs can provide their clients with extra value and security – helping them actively avoid a situation similar to what happened with the U.S. credit bureau Equifax in mid-2017.
The following controls, which are a subset of a complete cybersecurity control framework, are some of the primary controls that can provide the needed protection to mitigate privacy risk: Using Internet-facing firewalls for multiple zones for web, application and data servers, VLAN-segmented internal networks, and implementing two-factor authentication, especially for all privileged access accounts. Others are the encryption of databases and communications sections, as well as behavioral analysis of system and file-access logs.
Often, privacy risk is associated with cloud computing, a model that is being adopted quickly.
No matter where a breach occurs, the risks are substantial and include headline risk, legal liability and sanctions, as well as lost revenues and market share.