Troy Fine, Senior Manager, Cybersecurity Risk Management & Compliance, Drata
The challenge of meeting and maintaining data compliance is complex and confusing, and those responsible must spend considerable time and effort ensuring their systems adhere to legal requirements and that their data is safe.
With the accelerating pace of regulatory change in the financial sector, including ESG regulations and operational resilience policies, financial organisations and fintechs are struggling to remain compliant and protect data.
Getting compliance right must be a top priority, because a fragmented approach leaves gaps that attackers exploit: a successful phishing campaign, exposure of confidential information or, at worst, a full data breach.
Here are the top five mistakes fintech companies make when it comes to compliance:
1) Lack of leadership buy-in
It’s one thing for your company’s leadership to acknowledge compliance as necessary to attract new (and larger) customers; it’s another for them to provide the resources and capital to build a comprehensive program. Consider the globally recognised ISO 27001 certification, a crucial step in building a strong security culture. The leadership clause of ISO 27001 requires that information security be supported, both visibly and materially, by senior management. As new processes and controls to safeguard data are introduced, the leadership team must communicate the importance of these changes to the rest of the organisation. If leadership fails to fully embrace the time, investment and change that compliance brings, expect silos within the organisation and a growing lack of trust from your customers. ISO 27001 certification also gives clients confidence in an organisation’s commitment to managing information security and compliance.
2) Using a check-box strategy
One of the most common mistakes companies make is to treat compliance as a “check the box” exercise and move on to the next task. Compliance is the baseline for a robust risk management program and only one piece of the security puzzle. For example, even though some compliance frameworks don’t require advanced endpoint detection and response solutions, they should be considered complementary tools that strengthen the overall security posture. As your customer base diversifies, so will the number of compliance frameworks you need to meet.
3) Lack of monitoring
Completing an annual audit isn’t enough to protect company data; security and compliance must be an ongoing priority that is constantly refined and evolving. If your company isn’t adapting to the latest threats and security trends, controls that passed last year’s audit weaken over time, and it won’t be long before cracks appear.
GDPR violations commonly stem from insufficient or unlawful measures to safeguard personal data, from a failure to continuously monitor security controls, or, often, from a combination of both.
Once a company has met the requirements of a data privacy regulation, its security efforts shouldn’t stop there. Continuous monitoring is needed to confirm that controls keep operating as intended and that the company remains compliant over time, so that it can lawfully protect and manage personal data.
4) Pursuing compliance manually
Compliance requires a deep understanding of existing and newly evolving rules, regulations, industry standards and frameworks, together with evidence that the corresponding controls are in place and operating. When multiple departments and employees are involved, compiling the evidence needed to meet compliance requirements can take hundreds of hours on its own. Without knowing where to start, companies often attempt to achieve compliance manually, diverting time and focus away from critical business needs. There are security and compliance tools that automate the manual burden of evidence collection (screenshots, spreadsheets and so on) and offer templates for policies and controls instead of starting from scratch. Investing in the right automation technology supports an ongoing compliance program rather than a static checklist collecting dust in an overlooked security corner. Whether your company has five employees or 500, compliance is time-consuming, but the right partner and tooling can remove much of that burden on the way to a successful audit.
5) Lack of visibility into vendor networks
The days when financial institutions ran every business function in-house are long gone, replaced by business services and cloud applications that integrate to varying degrees with internal systems. With greater integration, however, comes greater risk. Organisations that lack adequate visibility into their increasingly complex vendor networks, in a rapidly changing regulatory environment, are exposing themselves to significant risk. Strong Vendor Risk Management (VRM) processes and practices are essential to ensure that vendors consistently comply with internal requirements and evolving regulations. Fintechs and financial organisations must therefore understand and prioritise vendor risk management and its implementation.
Security and compliance can be daunting in any scenario, whether you’re establishing a security footprint, addressing a customer request, or reactively implementing the safeguards needed to protect data. Without support from leadership, investment in the right tools and an ongoing process to continuously monitor their systems, companies stand on shaky ground that may lead to a failed audit, lost customers or a data breach. Taking the time to properly understand what compliance asks of your company sets it up for long-term success and instils a security-first mindset within the organisation that keeps internal and external data safe. Avoid costly mistakes that compromise your company’s integrity, and establish the systems and procedures needed to keep your compliance up to date over time.