As CISOs at financial organizations continue to analyze the cybersecurity risks facing their industry, embedded finance is a newer area to keep any eye on. It’s the growing trend of consolidating and centralizing all of an organization’s financial services in one place. With this approach, customers don't have to be redirected to third parties to complete their transactions. Embedded finance is an easier and more efficient approach that can be integrated into an organization’s infrastructure.
Embedded finance serves an organization’s customers, as well. Today's digital consumers have a high expectation for customization and 24/7 availability. This trend meets those needs, creating a higher standard for organizations that offer financial services and a competitive advantage over those who do not apply the trend to their business.
It's no wonder, then, that embedded finance has become so popular that the market is projected to be worth $1.9 trillion by 2029. However, embedded finance brings with it cybersecurity risks that must be addressed.
Understanding the cybersecurity risks of embedded finance
In addition to the strong cybersecurity and data protection policies that must be in place to protect against all of the cybersecurity threats facing financial services organizations, there are some additional things to be aware of when it comes to embedded finance.
When converging financial products and services into non-financial platforms or products, be mindful of the possibility of conflicts of interest and make sure your company is open and honest with customers about the terms and conditions of those products and services.
Keep an eye out for potential dangers of data exploitation or abuse, especially when working with non-financial partners who might lack the same degree of knowledge or experience in financial services.
Education is key. As the embedded finance trend grows, CISOs have to keep a careful eye on new regulations as they’re introduced.
Consider whether it makes sense to go all of this alone or look to specialized partners other industry professionals to ensure your organization is prepared for the new threats in the context of embedded finance.
Six steps for grappling with new risks
Here are six best practices to help your organization stay secure even amid new and evolving risks.
Discover your danger zones: The most pivotal business processes must be identified and given a risk evaluation to determine which ones should be prioritized. CISOs must communicate with the rest of the company to identify the organization's risks and vulnerabilities.
Automate: To close the cybersecurity skills gap, automation and augmentation are essential. Teams can receive actionable notifications from a single pane of glass thanks to AI/ML technologies. These technologies allow teams to control and coordinate network and security throughout the entire digital corporate environment. Additionally, this will lower the number of human errors.
Traditionally, the majority of banks had their own in-house third-party governance teams that compiled extensive spreadsheets of all the controls. This manual method was cumbersome and prone to mistakes. Some FSIs were forced to hire vendors and contract out their compliance work, but as additional rules are put into place, this approach will become increasingly unmanageable and impossible to scale.
These new requirements could result in lower profit margins and rising operating expenses for FSIs. FSIs are not likely to comply with laws and regulations if their infrastructure isn't automated and their data isn't interconnected.
Study others' experiences: FSIs and their CISOs must be aware of what is happening beyond their own borders. In Europe, the DORA regulations permit information sharing among FSIs to assist them in becoming aware of the most recent indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) being used "in the wild."
Consider employing a DRP (digital risk protection) tool to increase your awareness of the external digital attack surface. Up-and-coming cyberattacks can be foreseen by using the Dark Web and other such sources.
Train for cyber awareness: FSIs must upskill their personnel to help their companies make up for the worldwide dearth of cybersecurity talent. Regardless of their position, every employee needs cybersecurity awareness training, including ongoing updates on the most recent threats and attack methods.
Become regulation-savvy: Set the stage to embrace your technology's vision and recognize feedback loops between the stakeholders who will be impacted by the policy and those who will be devising it. With the rapid digital acceleration they are currently experiencing, many firms lack a broad vision and are not setting the stage properly. Understanding the specific requirements that you must comply with is essential from both a business and IT and security standpoint.
Communicate at a high level: A CIO or CISO needs to talk in a manner that business stakeholders can understand. Furthermore, if the dialogue is centered on low-level controls, the business team won't get it. But if the IT leaders elevate the message and only talk about the business' risk and protection, threat detection, response and recovery, it will be much easier to have a conversation across the organization.
Plan to defeat risk
Embedded finances represent a new model that is easier and more efficient for both businesses and their customers. But any time infrastructure is involved, so is risk. Data security and compliance are essential for any business, but especially for companies offering financial services. Use the best practices discussed above to fine tune your current strategy or create one from the ground up.
By Michael Brown, field CISO for financial services, Fortinet