By Nitin Chavan, CEO, Aquapay
Today, financial technology (fintech) companies are a necessity, providing essential services that have become even more so during the ongoing pandemic. Digital payment products, services and banking products, and their usage overall, have grown geometrically, adding immense ease and convenience to customers' lives. And what keeps this happening, nanosecond by nanosecond, minute by minute, hour by hour and day by day, in an ongoing cycle? Cloud technology and cloud security – a critical part of the fintech backbone.
The cloud lowers the cost and technology burden for fintechs and provides unprecedented flexibility, scale and security.
With the launch of the mobile app Bharat Interface for Money, or BHIM, the Hon'ble Prime Minister Shri Narendra Modi flagged off a wonderful new convenience for the people of India, who downloaded BHIM more than 17 million times in less than two months. India's leading mobile wallet service provider has more than 160 million users. Digital payments are a key part of the Government of India's 'Digital India' initiative and act as a key enabler for financial inclusion.
But cyber fraud is constantly nipping at the heels of such initiatives. Today, digital payment frauds account for about half of all bank frauds in India. The Rajya Sabha was informed that 1,477 frauds, each of more than ₹1 lakh, were reported in FY 2018-19 with regard to ATM/debit card, credit card and internet banking transactions. And with payment systems like UPI/IMPS likely to grow beyond a 100% annualized rate per the RBI's 2021 vision iteration, every fintech's offerings could be at risk. However, those that depend upon cloud security, complemented by intensive internal SOPs through coordination with CSPs and QSAs, plus other employee training protocols in full compliance with laid-down regulatory norms, will not have to fear.
PwC's Financial Technology 2020 and Beyond report said that while fintech companies are adopting the cloud for growth and scale, challenges like data protection, security and regulatory compliance will remain throughout the foreseeable future. Hence, the belief is that going forward, the only successful fintech start-ups and entities will be those that are fully aware of the security threats, issues or hurdles that the cloud infrastructure presents.
Enter Cloud Security
Even as of 2019, more than 65% of FS companies said they had adopted Cloud-based security. Why? Because, as fintechs have risen to prominence, so has the motivation for hackers to get their hands on customer data and transactions in any way possible – breaking into cloud servers with the use of botnets, or insider attacks, or the use of malware, or any other means they can use.
Initially, the notion of storing sensitive data on the cloud, and not within the walls of a mainframe computer, was anathema to many who could not reconcile ensuring cyber security with relying on cloud computing.
There were almost 160,000 ransomware attacks in 2017, compared with 82,000 in 2016, and as cloud computing has become the norm, so has cloud security. But while the fintech company is responsible for the security of data and transactions, CSPs too are working to provide better security.
So, what are cybersecurity's most important goals, and therefore, what kind of information can be most at risk? We are talking about account login information, bank account, card and Aadhaar numbers, or other personal information such as a person's name and address. Also at risk could be confidential documents resting on the fintech's servers, which could include design and trade secrets about its own next offering. So, all personal and business information must be secured at all times.
And it is here that Cloud security steps up. Not only has cloud technology been a huge plus for the fintech industry by providing unprecedented flexibility and scalability, it also provides extremely strong security against criminal intent and cyberattacks on data security.
Best Practices for Cloud Security
But in the same breath, one must add that this is definitely true only if every fintech adopts strong precautions and has a collaborative approach and open communication with its employees, the Cloud Service Provider (CSP) and the Qualified Security Assessors (QSAs). That will lead, always, to unbeatable, impenetrable cloud defence and protection of each and every bit of critical and confidential information about the operations and customers.
Because it all begins and ends with responsibility for data and system protection and safety from cyberattack. And that responsibility rests with the fintech company.
When a fintech company decides to migrate to the cloud, it must remember that the ultimate responsibility for the security of all confidential information and data rests with the company itself. So, it must remember that (1) not all CSPs are equal in their ability to provide strong cybersecurity. So even when a CSP states that it is compliant with all stipulated security imperatives, it is critical that you, the fintech, understand what level of evidence it is willing to provide; only then can you decide to consider migrating into its cloud. Even at this stage, after your first due diligence, you cannot go ahead without the considered and qualified advice of the QSA, whose job it is to completely validate and certify all compliances by the CSP. The QSA will certify the CSP's ability to provide a secure cloud only after it has considered the contract, the scope and other matrix from the report of compliance, and also after discussions with the chief of security at the CSP. And yes, do not leave such diligence to the QSA alone; check it out yourself during the initial phase of consideration of, and discussions with, the CSP.
Keep in mind – it's the fintech that is responsible for all cyber security – whether you perform the control in-house or outsource it to an external provider. The security of all payment, customer and merchant data stored, processed or transmitted by you rests only and entirely with you. Assume that, and make sure your QSA too is delivering fully, in letter and spirit, on the deliverables for the CSP's due diligence and procedures for reviews. And keep your staff, employees and associates trained, aware and constantly alert.