Cybercrime – Fintechs Are Attractive Targets

Pictured HRH Prince Guillaume, Luxembourg House of Cybersecurity CEO Pascal Steichen, Minister of the Economy Franz Fayot and Jeannot Krecké (Photo © Silicon Luxembourg/Stephanie Jabardo)

Ransomware, malware, social engineering and supply chain attacks are some of the more common cybercrimes that financial startups fall victim to. This article tackles some of the reasons behind this and explores Luxembourg’s level of vulnerability.

In 2021, “70% of the attacks on financial firms were on banks, 16% on insurance organisations, and 14% were on other financial organisations,” according to the X-Force Threat Intelligence Index 2022 from IBM. As fintechs serve this industry with technology solutions that facilitate transactions, handle, exchange and store sensitive financial data and personal information, their staff, assets, platforms and applications have also become an attractive target for cyberattacks.

Too many vulnerabilities

According to a study conducted by ImmuniWeb in 2019, 98 of the 100 most prominent and well-funded fintech startups were vulnerable to phishing, web and mobile application security attacks. “100% of the companies have security, privacy and compliance issues related to abandoned or forgotten web applications, APIs and subdomains,” the report says. “8 main websites and 64 subdomains had at least one publicly disclosed and exploitable security vulnerability of a medium or high-risk”. And “100% of the mobile applications contained at least 1 security vulnerability of a medium risk.”

Due to their small size, fintechs also lack human and capital resources to manage security challenges, like any other SMEs and MSEs. In 2021, 52% of French companies targeted by ransomware attacks were VSEs, SMEs and MSEs, according to ANSSI, the French National Information Systems Security Agency.

For Guillaume Carballo, cybersecurity leader at EY Luxembourg, small companies mistakenly think they are safe from attacks: “Hackers do not think this way. Targeting SMEs allows them to reach the suppliers and customers of the latter in order to operate a supply chain attack on large groups or critical infrastructures.”

Furthermore, a large majority of SMEs do not have adequate protection: “Many do not have a security manager, and this is a real cyber-handicap because very often, it is the boss or director (financial for example) with most of the IT knowledge who acts as IT director,” Carballo adds.

Cyber-challenges

According to Ideasoft, fintechs tend to be exposed to six cyber challenges:

Systems Vulnerabilities: “The rising number of security breaches, hacking attacks and third-party penetrations only confirms their importance in the Fintech world,” Ideasoft, the Estonian software development company, explains. “The financial and banking industry is closely tied to sensitive and private data, so software security will remain one of the primary areas of focus for 2021-2030”.

Digital Identities: Banks and fintechs will account for nearly 62% of digital identity verification spending by 2026, a study by KPMG says. Hence, “Fraudulent attempts to create false identities or impersonate others can be difficult to detect and prevent, and might lead to loss, theft or corruption,” Ideasoft warns.

Data Ownership: Poorly secured software solutions that allow and regulate the access, creation, modification and deletion of data can significantly increase the risks of third-party system breaches and potential data compromises, as well as numerous reputational and financial losses.

Third-Party Service Integrations: “Over 93% of companies suffered a cybersecurity breach in 2021, due to significant weaknesses in their supply chain/third-party vendor,” research by BlueVoyant shows. “The insufficient security of third-party service integrations in Fintechs can compromise the security of their apps, as well as the digital security of any company’s operations and data,” Ideasoft says.

Cloud Migration: “When analyzing critical fintech challenges, it’s also worth mentioning the risks of cloud computing adoption for banks and financial institutions,” the Estonian IT firm explains. “Though experts claim increased efficiency and reduced costs, not all firms can successfully and safely integrate cloud solutions into their systems.”

Malware Attacks: During the 2015-2020 period, finance and insurance was the industry most targeted by cybercriminals, who use malicious software (viruses, worms, Trojan horses) to gain access to a system or network.

Cyber risks in Luxembourg

In February 2023, the Commission de Surveillance du Secteur Financier (the Luxembourg regulator, CSSF) issued a cybersecurity alert on “an unpatched Microsoft Exchange vulnerability”. In Luxembourg, 533 identified Microsoft Exchange servers were “left unmaintained when it comes to patching them with the latest security updates,” the CSSF said.

Such vulnerabilities can lead to risks including “a potential compromise of the server, unwanted modification or deletion of data, lateral movement and infection of other parts of the infrastructure, financial loss through blackmailing, productivity and financial loss by re-installing the infrastructure,” the CSSF warned.

Fintechs are not immune to cyber risks. For Pascal Steichen, the CEO of the Luxembourg House of Cybersecurity (LHC), the first step is therefore prevention.

“In terms of protection and regardless of their size, startups should, among other things, raise the awareness among their teams of cyber risks and best practices,” he recommends. “This is an absolutely necessary investment, inexpensive financially, whereas time-consuming.”

Pascal Steichen, the CEO of LHC

The LHC has developed a dedicated support program, delivered by experts who know the world of startups and who can advise them, especially on cybersecurity. “In addition, there are a whole series of basic technologies, such as antivirus and firewalls that protect workstations, networks and infrastructures, and prevent any spread,” he said.

For Steichen, however, cybersecurity concerns the whole startup ecosystem: “Especially in Luxembourg, where many startups (Fintech, Spacetech, Biotech…) are primarily specialized in technology, but few only are specialized in cybersecurity,” he concluded.


This article was first published in the Silicon Luxembourg magazine.
