Employing financial technology solutions has become a comfortable and productive way of life for many corporate finance leaders, who increasingly rely on these cloud applications to optimize and enhance a core piece of their jobs, from treasury to accounting and beyond.
Despite the proliferation and rapid adoption of financial technology solutions by global organizations from all industries, however, the solution providers should not escape scrutiny in one key area: security.
Additional reading: Kyriba Now Enables Clients to Conduct Their Own Pen-Tests
Additional reading: Four Key Questions a CTO Needs to Ask When Evaluating a New TMS
“Most FinTech vendors have access to highly sensitive financial information, so a company playing in this space needs to have some minimum things in place so their customers have a strong sense of their commitment to security,” said security expert Nick Biasevich, the director of technical sales enablement at Kyriba.
According to Biasevich, there are three minimum requirements any vendor should be able to provide:
A Cyber Defense Center: A dedicated team whose sole purpose is to protect clients and their customers from cyberthreats and cyberattacks. The principal tool these defense teams use is a security information and event management system, or SIEM, which collects and correlates logs and alerts from the company's endpoints, servers, network devices and cloud services, looking for suspicious activity such as credential stuffing, privilege abuse or unusual data access. Without a SIEM in place, that correlation has to be done by hand across many separate log sources, an amount of work no team can sustain, which leaves the organization exposed.
Authenticated Pen-Testing for SaaS Platforms: There is probably no better test of platform security than authenticated penetration testing, or “pen-tests,” in which the software provider authorizes a client’s IT or security personnel to attack its SaaS application using valid user accounts, so the testers see the application as a logged-in user does and can probe for flaws such as privilege escalation and access to another customer’s data. This compares to an unauthenticated pen-test, which is conducted without credentials from outside the login boundary and therefore covers far less of the attack surface. An authenticated pen-test requires full cooperation between the vendor and the prospect or client to complete (agreed scope, test accounts and scheduling), and is a strong sign of the vendor’s security commitment.
SOC 1 and SOC 2 Type II Reports: These third-party attestation reports (often loosely called certifications) are key in assuring that a vendor’s security practices are up to standard. A SOC 1 report covers the vendor’s controls that affect its clients’ financial reporting, which matters for a FinTech vendor handling treasury and accounting data. A SOC 2 report covers the vendor’s controls against the AICPA Trust Services Criteria: security, plus optionally availability, processing integrity, confidentiality and privacy. A Type I report only assesses whether those controls are suitably designed at a point in time; a Type II report is an independent auditor’s opinion that the controls were both designed and operating effectively over a review period, typically six to twelve months, based on evidence sampled from that period. A clean SOC 2 Type II report therefore shows that a vendor has demonstrated, not merely claimed, that its system keeps its clients’ sensitive data secure. Obtaining one is expensive and time-consuming and is hard proof that a vendor takes security seriously. Buyers should still read the report rather than the cover page: check that the systems in scope include the product being purchased, the period covered, any exceptions the auditor noted, and which controls are carved out to subservice organizations such as the cloud hosting provider.
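To make the first requirement concrete, here is the kind of correlation rule a defense center runs in its SIEM, written as an added example for this article rather than any vendor's product code. It parses constructed authentication log lines (the format and the IP addresses are made up) and alerts when one source IP fails logins against several different users within a short window and then succeeds, the signature of credential stuffing.

```python
"""Toy SIEM correlation rule over constructed authentication log lines.

Added example, not from the article or any vendor. The log format,
addresses and users below are invented for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z auth login result=fail user=alice src=203.0.113.7
2024-03-01T09:00:04Z auth login result=fail user=bob src=203.0.113.7
2024-03-01T09:00:07Z auth login result=fail user=carol src=203.0.113.7
2024-03-01T09:00:09Z auth login result=fail user=dave src=203.0.113.7
2024-03-01T09:00:12Z auth login result=success user=dave src=203.0.113.7
2024-03-01T09:05:00Z auth login result=fail user=erin src=198.51.100.2
2024-03-01T09:05:30Z auth login result=success user=erin src=198.51.100.2
2024-03-01T10:00:00Z auth login result=fail user=frank src=192.0.2.9
2024-03-01T10:30:00Z auth login result=fail user=grace src=192.0.2.9
2024-03-01T10:45:00Z auth login result=fail user=heidi src=192.0.2.9
2024-03-01T10:50:00Z auth login result=fail user=ivan src=192.0.2.9
2024-03-01T10:52:00Z auth login result=success user=ivan src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_failures=3, min_users=3):
    """Return one alert per source IP that had at least `min_failures` failed
    logins against at least `min_users` distinct users inside `window`, and
    then a successful login."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) for recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # a real SIEM would count unparsable lines as a data-quality signal
        q = recent[ev["src"]]
        # Slide the window: forget failures older than `window` relative to this event.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
        elif ev["result"] == "success":
            users = {u for _, u in q}
            if len(q) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "src": ev["src"],
                    "user": ev["user"],          # account that was finally compromised
                    "failures": len(q),
                    "distinct_users": len(users),
                    "ts": ev["ts"],
                })
            q.clear()  # a success ends the spray; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOGS):
        print(alert)
```

With the default five-minute window only 203.0.113.7 is flagged; the slower spray from 192.0.2.9, one guess every fifteen minutes or so, slips through, which is exactly the tuning question a defense center has to answer (widen the window, or add a second rule keyed on distinct-user count per hour).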
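The second requirement, authenticated versus unauthenticated testing, is easiest to see on a small model. The following is an added example written for this article, not code from the article or from any vendor: an in-memory stand-in for a multi-tenant payments API (the records, tenant names and tokens are invented) together with the two probes. The unauthenticated probe only ever sees the login wall; the authenticated probe walks neighbouring record IDs with its own tenant's token and catches a cross-tenant read (an insecure direct object reference) that the login wall hides.

```python
"""Toy multi-tenant SaaS endpoint plus the probes an unauthenticated and an
authenticated pen-test would run against it.

Added example, not from the article or any vendor. Records, tenants, tokens
and the route are hypothetical.
"""

# Constructed data: payment records belong to tenants; tokens map to tenants.
PAYMENTS = {
    1001: {"tenant": "acme", "amount": 25000.00, "beneficiary": "Vendor A"},
    1002: {"tenant": "acme", "amount": 9000.00, "beneficiary": "Vendor B"},
    1003: {"tenant": "globex", "amount": 410000.00, "beneficiary": "Vendor C"},
}
TOKENS = {"tok-acme-tester": "acme", "tok-globex-user": "globex"}


def handle_get_payment(payment_id, token=None, enforce_tenant=True):
    """Simulated GET /payments/<id>; returns (status, body).

    With enforce_tenant=False the handler has the classic IDOR bug: it checks
    that the caller is logged in but not that the record belongs to the
    caller's tenant."""
    if token not in TOKENS:
        return 401, {"error": "authentication required"}
    record = PAYMENTS.get(payment_id)
    if record is None:
        return 404, {"error": "not found"}
    if enforce_tenant and record["tenant"] != TOKENS[token]:
        return 403, {"error": "forbidden"}
    return 200, record


def unauthenticated_probe(ids):
    """What a test without credentials sees: every ID answers 401, so the
    authorization bug is invisible from here."""
    return {pid: handle_get_payment(pid)[0] for pid in ids}


def authenticated_idor_probe(token, ids, enforce_tenant=True):
    """Authenticated test: request a range of IDs with our own tenant's token
    and report every record returned that belongs to another tenant."""
    own_tenant = TOKENS[token]
    leaks = []
    for pid in ids:
        status, body = handle_get_payment(pid, token, enforce_tenant)
        if status == 200 and body["tenant"] != own_tenant:
            leaks.append(pid)
    return leaks


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("unauthenticated:", unauthenticated_probe(ids))
    print("vulnerable build leaks:", authenticated_idor_probe("tok-acme-tester", ids, enforce_tenant=False))
    print("fixed build leaks:", authenticated_idor_probe("tok-acme-tester", ids))
```

In a real engagement the tester is given accounts in at least two tenants and at several privilege levels for exactly this reason: tenant isolation and privilege boundaries can only be tested from inside them.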
There were more than 1,000 global FinTech vendors, according to a 2016 report by Atherton Research. That number has likely grown significantly, fueled by new business models and increasing trust in cloud-based vendors to deliver secure, scalable global applications.
Related reading: Top Security Considerations for Selecting a Treasury Management Vendor
“There are, of course, other security factors to consider from a buyer perspective, but if a vendor is not doing these basic things, the maturity level simply isn’t there, and certainly is not on par with Kyriba,” Biasevich said. “These three items are a good security sniff test for any vendor.”