Why Cyber Risk is a Boardroom Issue for Fintechs

Cyber risk is not ‘just’ a technical issue but a business risk that threatens all parts of fintech organisations and therefore needs to be dealt with at a boardroom level.

In order to protect fintechs appropriately, boards must ensure clear responsibility and ongoing vigilance as senior managers are increasingly required to engage in ‘legal’ conversations around this topic.

While not a fintech-related event, last year’s ransomware cyber-attack in the US that forced Colonial Pipeline to shut down the main part of its network has again shown the devastating effect such incidents can have on an organisation. The 5,500-mile (8,900km) pipeline network supplies nearly half of the East Coast's fuel. With high-tech sensors and safety systems taken offline, the firm was forced to hire dozens of staff to walk or drive the 5,000-mile length of the pipeline every day. The incident caused gas prices to surge and gas stations in multiple states to experience shortages, while exerting immense pressure on executive board members as the incident gathered attention globally.

Liability exposure

Quite apart from the business management of risk, the issue of potential personal exposure for directors and officers for failing to mitigate cyber risk is a real and ever-present issue. Despite the recent surge in cyber-attacks, and particularly ransomware assaults, research by the Institute of Directors indicates a disconnect between IT staff, who live and breathe cyber-security and understand the consequences, and other staff in an organisation who may be aware of the issues but are not internalising them.

A failure to recognise certain events as financial threats is a management oversight and a potential directors and officers (D&O) liability exposure. Consider the following examples:

  • Cyber extortion demands and expenses

  • Liability to third parties for data breaches and the failure to protect confidential information

  • Liability to third parties for cyber events, such as spreading of malware, or an inability to access online services

  • Regulatory fines and penalties

  • First party costs to remediate a cyber-attack, including legal fees, public relations costs, IT forensic costs

  • Reallocation of internal resources

  • Business interruption loss

  • Reputational harm

  • Damage to hardware and/or software including digital assets

Quantifying the financial risk

A financial quantification of expected or probable losses arising out of a number of different scenarios is a sensible starting point. Companies can benefit from decades of historical loss data in the insurance sector and calibration tools are available to assist in the calculation of potential losses.

Financial quantification is the first step to enable fully-informed decisions, including a consideration of whether possible loss outcomes to a fintech organisation can be mitigated by:

  1. Investment in tighter cyber security protocols

  2. Risk transfer to insurers

  3. Both

Assessing the cyber robustness

Cyber risk readiness can be measured. Performance indicators might include, for example, a high vendor-measured security rating, or an analysis of performance when compared with similar organisations. Peer benchmarking, in particular, is highly valuable when assessing whether a business is meeting a broader sector standard of care.

Performance metrics will extend across a number of disciplines but can include the timely patching of vulnerabilities and regular employee awareness training, among other ‘maturity’ benchmarks.

These metrics can help identify vulnerabilities and areas that need improvement, which over time will be reflected in better performance and ratings. The higher the performance, the less likely a fintech organisation is to experience a cyber breach, and the less likely that organisation is to suffer a financial or reputational loss.

High cyber security performance is a key indicator of good governance, which is likely to translate into better business confidence and shareholder value.

Recommendations for board members

It is vital that there is a strong alliance between the board and the fintech’s cyber risk professionals; not just communication of the relevant performance measures themselves, but also the contextual and situational awareness to bring those performance measures to life.

If improvements are required, costs might be measured against the benefits, for example, of:

  • expedited international expansion

  • reinforced product security

  • an embedded competitive differentiator

  • well-informed management of the supply chain risk.

The board needs this information to allow a translation of the raw performance numbers into opportunities and financial return. This contextual level of discussion will instil confidence in non-technical directors, customers and other stakeholders, and allow the board to understand, rationalise and fulfil its oversight responsibilities appropriately.

Constant monitoring

The fintech cyber threat does not stand still: it is a dynamic environment that requires constant monitoring to allow for the development of appropriate response measures.

Investments in cyber security mean future-proofing the company in critical areas of legal risk, data handling and security breaches, ensuring that the organisation and its officers are well protected against D&O liability, client liability, regulatory issues, and other financial implications.

For further information, please contact or visit our Fintech page to find out more about our products and services:

Vanessa Cathie 
Vice President Global Cyber & Technology
T: +44 (0)20.7933.2478
E: Vanessa.Cathie@lockton.com
