
Cybersecurity in FinTech

Cybersecurity is the protection of internet-connected systems such as hardware, software, and data from cyber threats. It is important because it protects all categories of data from theft and damage. This includes personally identifiable information (PII), protected health information (PHI), personal information, and intellectual property. Learn about cybersecurity with this starter Qstream microlearning course.

Category: Safety and Risk Management

Industry: Finance Technology

Questions: 13


Content Preview


Navigate through the Qstream questions below to preview. Each challenge is designed following Qstream’s best practices for maximum knowledge reinforcement and engagement. This Qstream is free for clients to use as a starting point.

1. Organization Security Requirements
2. Benefits of Cybersecurity Controls
3. Cyber Threat Risk Assessment
4. The Most Significant Risk to the Economy
5. Incentivizing Cybersecurity
6. Fragmented Response to Cybersecurity
7. Cyber Threat Approach Strategy for New Territories
8. Developing New Cybersecurity Services
9. De-fragmentation of Standards
10. Security Control Model
11. Cybersecurity Frameworks
12. Factors of a Controls Framework
13. Criteria for Baseline Frameworks


Jason is a cybersecurity professional and is talking to Sarah, a colleague in his professional network. Sarah asks Jason if he has any new insights on cybersecurity for her small start-up business.

Jason tells Sarah that it’s difficult to apply what he learned while attending the World Economic Forum’s FinTech Cybersecurity Consortium in 2018 because the security requirements for small businesses:

Answer explanation:
Jason knows that security requirements, whether for large or small organizations, vary due to the organization’s:
• Country
• Customers
• Services

The World Economic Forum’s FinTech Cybersecurity Consortium believes that “the security of the wider financial system requires the acceleration of FinTechs’ access to methodologies for identifying cybersecurity risks and applying the practical steps needed to mitigate them.” They identified that an essential first step is to simplify a baseline cybersecurity requirement for all organizations.

Learn More
Systems of Cyber Resilience: Secure and Trusted FinTech (20-min report)
http://www3.weforum.org/docs/WEF_Systems_Cyber_Resilience_2020.pdf

Camelia is sharing insights about cybersecurity controls with her new intern, Zoey, who is curious to learn more about their benefits.

Camelia explains that a benefit of a cybersecurity controls framework is streamlined due diligence for which of the following?

Answer explanation:
Camelia understands that a cybersecurity controls framework ensures a win-win outcome for multiple stakeholders including:

• FinTechs
• Incumbents
• Regulators
• Consumers
• Venture Capitalists
• Talent

Incumbents and Venture Capitalists (VCs) both benefit from a streamlined process of due diligence using this framework.

After meeting with several cybersecurity consultants, Jillian is reconsidering her risk assessment of her organization. She now understands how important it is to protect her organization from various cyber threats.

As she writes a brief to her management team, she makes sure to highlight which of the following?

Answer explanation:
Jillian needs to communicate to her team that established financial service providers like theirs, as well as regulators and central banks, typically see innovative new FinTechs as partners to take advantage of new business opportunities. As financial services are becoming more modularized, the variance in their cybersecurity maturity complicates the risk management landscape.

The pace of technological and regulatory change only amplifies the ever-increasing number of frameworks, standards, language, and industry-driven initiatives. This “noise” makes finding a consistent solution more difficult because even though a security objective may be the same (e.g., protecting client data), how to make that happen or what to even consider varies significantly.

The World Economic Forum’s Global Risks Report 2020 named ________ as among the most significant risks to the economy and society in general due to its likelihood and negative impact.

Answer explanation:
Financial services are a high-value target to cyber attackers due to the business’s inherent activities. These services are becoming more complex and involve many parties who are modular and distributed. This has expanded the number of potential targets to cyber attackers. Also, client data and assets are spread across multiple platforms and providers, each often with varying levels of security requirements and capabilities.

Tobias leads the information security team for EMC Solutions, a growing company that was established three years ago. During an executive team meeting, the CFO asks Tobias if the amount of time, energy, and resources they are spending on cybersecurity is a sound investment. “After all,” the CFO states, “we haven’t had any security issues.”

In response, Tobias explains how having a robust cybersecurity architecture can _______ their business assets and _______ commercial partnerships.

Answer explanation:
Building a robust cybersecurity architecture is vital to building and/or maintaining business credibility. In Tobias’ case, even one cyber breach can be devastating to his company’s credibility in the market and current/future commercial partnerships.

If security considerations are not prioritized in their product and services development, EMC Solutions may end up in a security-related technical debt that would be difficult and expensive to address in the future. However, if Tobias can explain how his security team can protect business assets and facilitate commercial partnerships, the CFO and the rest of the executive team will better understand and likely prioritize security.

Cybersecurity is an international threat, yet the response by FinTechs and regulatory agencies has been fragmented. This is evidenced by which of the following?

Answer explanation:
No organization wants to compromise its cybersecurity standards. Yet the current state is unsustainable when there is a lack of coordination between governmental authorities as well as a lack of coherence among FinTechs in their baseline standards, implementations, and reporting. This variation and duplication of requirements needlessly increase the cost of compliance without always enhancing operational security.

During an executive team strategic meeting, Natasha leads a discussion about expanding their operations to new countries. As they consider the security implications, Natasha is asked how the security risks are different in these new territories.

The best plan of action when addressing new cyber threats when entering new countries is to do which of the following?

Answer explanation:
Applying a previous approach to new territories is not advisable since it does not address new regulations and doing so would open up Natasha's company to substantial new risks. Yet relying solely on current regulations won’t protect them from new threats either. Finally, while conducting an exhaustive review would yield insights, it would be cost-prohibitive for them and take too much time.

Natasha’s strategy is modeled after other highly globalized sectors, such as aviation, in which her organization will leverage frameworks that manage risk, rather than focus solely on regulations. Often, countries’ central banks and financial services regulators are ill-equipped to address the complexities of sophisticated cyber threats, which evolve faster than policy development. Cyber attackers often target technical innovations used by legitimate service providers specifically because there are no regulations against them yet.

Chris is meeting with his team of senior FinTech developers that he manages. His team has the understanding and experience of how to build, adapt, and assess financial controls (i.e., client confidentiality) to protect their organization. One of Chris’s developers has come up with an innovative approach to a cybersecurity control involving cryptocurrency and asks Chris if they should pursue development.

Which of the following should Chris be focused on when considering developing a new cybersecurity service?

Answer explanation:
Many government authorities are more interested in whether controls used by industry are effective and properly applied rather than the development of specific, granular controls. Chris’s best chances of success in developing cybersecurity controls that are accepted by the industry involve him consulting with cybersecurity experts from other sectors, governmental agencies, and relevant civil society organizations. His team’s efforts to build more effective approaches will struggle to succeed if they fail to reflect the requirements of key regulators or cannot gain at least some regulatory support.

As cybersecurity regulations continue to proliferate across nation-state boundaries without ______, it becomes difficult for FinTech organizations to design controls that have wide applications.

Answer explanation:
If FinTechs can align using a single, global, industry-wide baseline standard, it will improve and encourage cybersecurity, especially in low-maturity FinTech firms.

Victoria is presenting an overview of universal cybersecurity controls to her staff. She shows the following graphic and explains that this framework was created and adopted by the World Economic Forum in Switzerland in 2019.

Victoria shares a memorable fact that the framework was designed to be similar to ______ in that it addresses both baselines as well as higher-level security controls.

Answer explanation:
Although Victoria’s staff gets a laugh that the framework is modeled after a certain Swiss chocolate bar, the meaning behind the model is something they will likely remember. The bottom tier (i.e., the base of the “chocolate bar”) contains security essentials applicable to all FinTech companies, regardless of their business model. The top-tier trapezoid peaks represent specific requirements that depend on the business in which a company is active, such as payments or lending.

The _________ of cybersecurity frameworks and regulations makes it difficult for some FinTechs to understand where to begin and what the consequences might be of their choices for their future commercial partnerships, international growth, and/or technical debt.

Answer explanation:
When there are many frameworks to choose from, smaller FinTechs may find it difficult to determine an effective approach to evaluate and improve their cybersecurity readiness. A global standard for FinTech cybersecurity is necessary to both enable partnerships and provide a measure of what level of security to set as a benchmark.

Sasha is conducting a virtual instructor-led training for newly hired/promoted managers at a mid-sized FinTech. To introduce the topic of cybersecurity controls, Sasha poses the following question to her participants, “What areas should be considered when a FinTech wants to apply cybersecurity controls?”

Sasha is looking for answers that include which of the following?

Answer explanation:
Sasha clarifies misconceptions from some participants:
• Risk management priorities at times diverge as well as converge
• The focus of cyber resilience should be across the supply chain, not just the products and services

She also elaborates on other criteria of cybersecurity controls including:
• Variation in needs
• Regulatory oversight
• Measuring their impact on the business
• Return on investment
• Cyber resilience across the supply chain
• Framework proliferation

One of the criteria for an effective baseline cybersecurity control for FinTechs is that it should be applicable in multiple _________.

Answer explanation:
Effective baseline cybersecurity controls should be available in multiple jurisdictions because either:
• The controls are generic and apply to multiple sectors or
• They take account of regulatory requirements in the world’s primary financial services hubs

Other criteria include:
• Mapping to commonly accepted cybersecurity standards and financial services regulation
• Tiered to maturity level
• Implementation tools
• Self-assessment
• Peer-to-peer comparison
• Regular update cycles
• Potential for external validation
• Scalable

