7 Key Questions to Ask your Fintech Vendors
Over the past few years, the headlines about security breaches seem to be nonstop. Examples range from ransomware attacks that interrupt operations to compromised servers that expose Personally Identifiable Information (PII) of employees and customers. The ramifications of inadequate security practices can be steep, costing millions of dollars for settlements, reputation management and repairing customer loyalty. As a result, securing end-user and corporate data is a top priority for financial institutions.
Our digital-first world demands reliability, security, and scalability. But implementing and maintaining enterprise-grade security protocols can be complex and costly. Yet, protecting your customers’ PII and your corporate data is paramount. As one of the “front doors” to your organization, your Digital Customer Service (DCS) platform should have security built into the foundation—not just added as a feature!
When you evaluate your digital communication options, ask your vendors about their security practices:
- Is the vendor’s support and development staff easily accessible? Is the staff located in time zones that align with your business hours? Does the development take place in-house or through outsourced resources?
When issues arise, you want to be sure that qualified staff are ready to bring you to a resolution. Unfortunately, many providers take shortcuts to develop products on a budget. While this can help produce features quickly, it creates a long-term security and knowledge deficit that is impossible to recover from and is not acceptable for most financial institutions.
- Does the vendor have a team of dedicated GIAC GSEC-certified security personnel who have responsibility for hardening the cloud infrastructure across the organization?
Dedicated security staff are necessary given the sensitivity of the financial-institution data involved. Having credentialed experts on staff to monitor and maintain internal and external security practices is paramount.
In many respects, security is everyone’s responsibility, and each staff member is on the front line of securing systems. In addition to your internal security practices, ensure that your providers have GSEC-certified security personnel on staff. These staff members champion a broad corporate culture of security by educating users on best practices and ensuring that ironclad policies are enforced across all corporate assets.
- Is endpoint protection used throughout the entire organization?
As you may see in the news, individual computers are highly susceptible to data breaches. For example, one costly ransomware attack began with an employee clicking a malicious link that promised a browser update. Strong security practices and controls throughout the organization provide extra assurance that your data and applications meet and exceed your standards.
- Are penetration tests and network port scans run by a reputable third party?
Even the best development teams need white-hat professionals to check their work and provide insights into potential weaknesses and emerging techniques. If these professionals are not brought in, there may be unseen blind spots that create more opportunities for breaches.
- Is all code subjected to both manual and automated security code review in a least-privileged, controlled environment?
In addition to the vigilance of properly trained and credentialed staff, automated reviews are necessary to validate production code. While no software is infallible, robust and fully automated testing processes ensure delivery of world-class feature stability and security to meet the requirements of the most demanding customers.
- Is the vendor using true end-to-end encryption within their network and servers—not just point-to-point encryption and encryption at rest?
Vendors are able to encrypt traffic to and from their servers and even encrypt data at rest. But the issue is that once their systems are breached, the data is normally unencrypted and vulnerable while moving between internal systems.
- Does the vendor carry cyber security and errors-and-omissions insurance worth millions?
Premiums have increased significantly over the last few years, so carrying insurance can be costly. However, it should be a necessary investment for vendors in order to provide you with organizational and personal peace of mind.
Don’t be afraid to ask your vendors the hard questions, and put their practices to the test. Since Digital Customer Service is one of the “front doors” to your business, it is imperative that security is at its core. You wouldn’t lock your real front door with duct tape, so why risk the same with your digital properties? To learn more, request our Architecture and Security white paper.