The rapid growth of custom and open source applications deployed in businesses worldwide means that all companies have significant software assets. In some industries, agile development and open source software have enabled a technological evolution, to the point of creating new business models. FinTech is one example of an industry established around technologies, delivering automated and self-service financial solutions across platforms.
I think the current state of policy-making for financial services compliance is in flux as the industry adjusts to massive and rapid changes in technology and software development.
FinTech essentially trades brick-and-mortar Financial Services for connected devices, API services, and user-driven functionality. These companies offer software-driven solutions for consumers, businesses and enterprises, typically in a Software-as-a-Service model with full access to their users' financial profiles. While FinTech companies touch the same data as Financial Services firms, FinTech must take cybersecurity seriously to safeguard user data and avoid costly compliance violations.
Regulatory bodies are changing too, modifying requirements and standards to fit a connected world of personal and corporate finance. The process of instituting financial compliance requirements is a long one, however, and FinTech is innovating too quickly for organizations like the SEC, FDIC, FFIEC, FS-ISAC and the United States federal government to keep pace. But they’ve got to start somewhere.
Organizations have begun to address the need for regulatory and compliance standards by targeting FinTech security risks and technology-enabled financial services first, particularly those related to application vulnerabilities. Here's an overview:
- Basel II: This set of international standards for financial services requires organizations to evaluate and mitigate operational risk losses. Basel II specifically identifies external fraud through insufficient systems security and business disruption and system failures as critical loss events — each of these potentially a consequent of hacking and malicious vulnerability exploitation.
- FFIEC Uniform Rating System for Information Technology (URSIT): The Federal Financial Institutions Examination Council (FFIEC) has established a standard for evaluating FinTech cybersecurity and operational risk. This enables objective comparison of application security across the industry, examining a company’s Audit, Management, Development and Acquisition, and Support and Delivery processes. They take a close look at open source vulnerability management, application security testing, and software development lifecycle (SDLC) practices.
- Financial Services Information Sharing and Analysis Center (FS-ISAC) Report: FS-ISAC took the initiative in this 2015 report to spell-out control types to enhance FinTech cybersecurity by implementing an open source management policy to address vulnerabilities prior to shipping the application. The report also recommends the creation of an open source Bill of Materials (BOM) to identify open source components within financial services applications. This BOM clearly catalogues all open source components within the applications, a critical step to identifying vulnerabilities that may impact the codebase.
- Gramm-Leach-Bliley Act: Requires financial institutions to ensure the security of personal and financial information. The FTC issued the Safeguards Rule under the GLBA, requiring an information security plan which includes risk assessments (among other steps) and extends these initiatives into the supply chain wherever information is accessed or stored.
- PCI-DSS: Requirement Six of the Payment Card Industry Data Security Standard (PCI-DSS) offers guidance that includes the use of open source vulnerability scanning — like that provided by Black Duck Hub — and open source code review. Extending open source vulnerability management into the SDLC can both enhance FinTech security and reduce the cost of remediation. It is expected that, in 2018, PCI-DSS will include a requirement for an open source BOM.
- Sarbanes-Oxley: SOX, or SarbOx, requires an internal controls report to prove the accuracy and security of financial data. An audit of internal controls includes an examination of IT assets and software for resilience against data breaches and cybersecurity controls to accelerate application vulnerability remediation.
- FDIC Proposed Rulemaking for Cyber Risk Management: The most recent resource is the FDIC’s recommendation for requirements, which covers five categories of financial services cybersecurity. Proposed in late 2016 with comments accepted on the proposed rulemaking through February 2017, the FDIC’s proposition focuses on cyber risk governance, cyber risk management, internal and external dependency management, and incident response and cyber resilience for FinTech, Banking, and Financial Services. This is arguably the first concerted push into the future of FinTech, which is being structured with new technologies and business models in mind. We'll watch this closely at Black Duck in the coming months; I'm interested to learn which security and development standards the FDIC will identify as critical to FinTech cybersecurity.
- EU General Data Protection Regulation (GDPR): Going into effect on May 25th, 2018, the GDPR requires proactive effort by organizations that control or process personal data — and yes, financial data is quite personal. This includes requirements to establish processes for regular assessment and testing of application security. We discuss the implications of GDPR on Financial Services’ risk management practices in our GDPR Deadline blog.
These regulations, controls, and compliance standards for financial services companies and FinTech are important to safeguarding the sensitive financial and personal information of individuals and businesses who function in today’s connected economies. Financial organizations must maintain regulatory compliance and mitigate the risk of data breach. Our recent Open Source Security and Risk Analysis report showed Financial Services and FinTech had the highest number of open source vulnerabilities per application, highlighting the need for this industry to take a closer look at open source use.
A few simple steps to get started:
- Scan applications and identify third-party open source components within them
- Automatically catalog each component in an open source BOM
- Map the BOM to a comprehensive and relevant knowledgebase of open source projects, vulnerabilities, and licenses
FinTech and Financial Services organizations need to take these simple steps to increase financial application cybersecurity and augment their regulatory compliance efforts for the wide range of financial regulations and agencies taking shape.