Out-Law Analysis | 09 Oct 2019 | 9:36 am | 5 min. read
Sound cybersecurity is vital for all businesses operating in the digital age, with a heightened risk of substantial data protection fines and claims being brought against companies that get things wrong. With personal financial data so central to the solutions they offer, good cybersecurity is particularly important for emerging fintechs looking to impress business and consumer customers.
Speakers at a recent panel session hosted in Glasgow by Pinsent Masons, the law firm behind Out-Law, in conjunction with trade body FinTech Scotland, highlighted some of the ways fintechs are using data to improve consumer outcomes and how a focus on innovation and best practice on cybersecurity can both be achieved.
At the event, attendees heard from Nicola Anderson, strategic development director at FinTech Scotland, who explained how the 'open banking' reforms have encouraged growth in the number of fintechs operating in Scotland. She said there are now 110 fintechs in the country compared to just 26 in 2018.
According to Anderson, open banking has helped businesses to focus on consumer needs, like better access to credit, thinking about the current credit model and making access to credit more affordable. She highlighted how debt advice companies in particular have made use of customer account data available via open banking APIs to shave weeks off the advice process.
Access to customer account data via open banking is helping debt agencies to better understand what instalments consumers can afford to make in order to repay debt owed to other companies, such as to electricity suppliers, explained Anderson.
Anderson added that FinTech Scotland has been listening to consumer organisations and working with fintechs in the debt advice space to ensure open banking data is used to develop holistic solutions, not just those that target one specific debt issue. This reflects the fact that consumers who are in debt to one business may have wider debt problems that require a broader solution, one which takes into account the whole picture of an individual's financial situation.
Technology and data are at the heart of fintech propositions and Sophie Lanc, chief creative technologies officer at cybersecurity company Cyborn, explained how that combination can also be used to better protect systems from hackers.
Lanc said artificial intelligence (AI) can help businesses to detect suspicious activity on the perimeter of their IT networks. She said AI tools take time to build up a learning pattern, and that the next stage in the evolution of AI as a cybersecurity tool will be more advanced training on data to improve the baseline from which the solutions start operating, so that businesses can better assess threats before they develop into anomalous patterns, and not after.
Lanc said fintechs should ensure they have security touchpoints throughout their processes, and that having the ability to revoke access to systems and data, as well as control access to different bits of data is vital to stop the wrong people getting in and manipulating it.
Both Lanc and Anderson said that, beyond technology, industry has a role to play in improving consumers' cyber IQ.
Anderson said work on this should be accelerated in schools and that account providers and governing bodies could look to share intelligence and best practices appropriately with the fintech industry, taking into account the changing operating model. Lanc said industry must be cognisant of the fact that not all customers will be digitally savvy and that product designers therefore have a role to play to make security language easier to understand. She said businesses should look to collaborate on security standards and ensure that, regardless of medium, everyone has the same access to education on cyber risks.
Cyber risk specialist David McIlwaine of Pinsent Masons said the growing threat to businesses from cyber criminals requires fintechs to look beyond just how they protect data to how they should respond in the event their systems and data are compromised.
Fintechs should develop a cyber incident response plan – one which is not just written down, but which is rehearsed, he said. Staff need to know what to do and how to act, and so it is important to designate the people who are to lead in responding to incidents and to define what their roles are. A team of cyber incident responders will typically bring together people from the C-suite, IT, information security, communications and legal.
McIlwaine highlighted the threat posed by ransomware and how that can prevent companies gaining access to their systems and data. He said it is vital that cyber incident response plans and key contact information for external experts are available offline so that they can be accessed in a crisis situation.
He said fintechs should look to segregate their different IT systems to make it more difficult for hackers to move laterally across systems.
McIlwaine said cyber insurance policies should also be considered as, in addition to providing indemnities, policy holders will often gain access to a panel of external experts to help them manage forensic investigations into breaches, external communications and legal and regulatory responses.
Regulated fintech companies in the UK face data security obligations under both the General Data Protection Regulation and the FCA rulebook, and under both regimes there are obligations to notify certain data breaches.
McIlwaine explained that it is important for businesses that experience a data breach to take care around the communications they issue on such a breach to ensure that they are consistent with what they tell regulators and are honest with affected individuals. He said the FCA and the Information Commissioner's Office (ICO) have a memorandum of understanding in place to share information concerning regulatory action and that both regulators have powers to issue substantial fines to companies that fall short with the efforts they take to protect customer data.
While more large fines, like those levied on British Airways and Marriott, are likely in future, McIlwaine further warned that financial services companies face a further risk from 'class action'-like litigation in the area of data protection.
The UK's Data Protection Act provides scope for data subjects to raise compensation claims against organisations that breach data protection law where those breaches lead to them experiencing damage or distress.
Case law in the area of data protection claims is developing quickly and, for financial services companies, there is a risk that it could soon become the new PPI should awareness of the rights to compensation increase, as seems likely with the emergence of new claims management companies and law firms in this area of the market, McIlwaine said.
More claims will lead data controllers to look to shift greater liability for data security towards their supply chain, and McIlwaine predicted that this will spur an increase in data protection litigation between controllers and their contractors too.
Lauren Jones is an expert in technology law at Pinsent Masons, the law firm behind Out-Law.