What fintech companies need to know about the convergence of cybersecurity and data privacy


This article was first published by Benzinga.

As the world continues to digitize rapidly, and more and more issues around cybersecurity and data privacy come to the forefront, it’s no longer feasible to keep conversations around the two separate. 

Cyberattacks tend to be eye-catching and make flashy headlines. However, privacy violations and data compromises that accompany such intrusions are not as widely reported. Part of the reason is that most people don’t understand the importance of data privacy and how it’s tied to cybersecurity. 

It’s time to take a different approach to understanding how both cybersecurity and data privacy are interlinked. 

Fintech companies and financial institutions benefit from a partial exemption under state-level privacy laws (tied to their compliance with requirements like the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and Privacy Rule). Nonetheless, these companies and institutions hold critical consumer data, and therefore must make efforts to understand the direct impacts their data practices have – for better or worse.

Numerous institutions such as the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB), and Securities and Exchange Commission (SEC) are now starting to crack down on weak practices. Increasingly, laws and regulations are being introduced that no longer give companies a pass on poor cybersecurity and privacy practices. Companies that aren’t implementing sound measures to protect their users’ privacy are met with fines and disciplinary actions.

Part of the problem is that fintechs today don’t always have the best grasp on what critical data exists within their ecosystem and what they should be doing to protect it. As more financial institutions become increasingly digitized, it’s becoming harder to conceptualize and track the large quantities of information constantly flowing through systems. 

“Once a business has an understanding of its data ecosystem, it can start measuring the necessary privacy and the adequacy of its security around that data,” said Bhavesh Vadhani, global leader of cybersecurity, technology risk and privacy for the advisory, assurance and tax firm CohnReznick. “Historically, companies have addressed the latter without truly understanding the former.” 

As soon as data resides on enterprise systems, a connection between data privacy and cybersecurity is established. The business is now accountable for designing cybersecurity controls and programs that protect personal information from theft, unauthorized access, and damage.

Not Just a Cost Center

In the coming years, an increased emphasis will be put on privacy and security maturity as a business differentiator – not just a cost center. In the meantime, businesses need to understand that the boundaries of data protection extend beyond internal systems to their third-party service providers. Companies remain responsible for ensuring that their partners are also meeting requirements around privacy and security. 

Another critical step is for businesses to take stock of their commercial solutions’ security posture, ensuring that products in the market – from code and application program interfaces to full-stack applications – have up-to-date security and privacy patches. If products aren’t equipped with the utmost protection, is it really worth the risk of taking them to market? 

Finally, fintechs must remember that anyone in the organization can be a point of entry for possible breaches like phishing, smishing, and vishing. Consider your employees the first line of defense against data compromises, and ensure they are both vigilant and well-equipped.

“Consumers are more informed than ever and want to know how their information is used,” said Asael Meir, CPA, CohnReznick’s technology industry leader. “It is no longer optional to build a trusted relationship with your consumers.”

At the end of the day, a unified information security and data privacy program will be a business decision that weighs the cost of collecting and using personal data against the advantages.

Learn more about cybersecurity and data protection services provided by CohnReznick here.

Subject matter expertise

  • Alex Castelli (Alex.Castelli@CohnReznick.com)
    CPA, Managing Partner, Emerging Industries

  • Bhavesh Vadhani (bhavesh.vadhani@cohnreznick.com)
    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

  • Asael Meir (asael.meir@cohnreznick.com)
    CPA, Partner - Technology Industry Leader

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.