While the term ‘fintech’ is said to have been coined in 1993, its growth over the last decade in particular has been astonishing - it’s currently estimated to grow at a rate of 26.2% per year, achieving a market size of $936bn by 2030. With an estimated 64% of consumers worldwide using one or more fintech platforms, it’s increasingly becoming embedded in our personal and professional lives. As a result, big players in the market, such as Monzo and Starling, are becoming more and more entwined in financial markets and infrastructure. While the growth of the fintech market is good news for businesses and consumers alike, it's naturally drawn the unwanted attention of cyber criminals.
Fintech is a lucrative target: access to significant amounts of money, data and personal information is a tantalising prospect for any hacker. Many of these attacks have made headlines - Revolut suffered a cyber attack in September 2022 where a data breach affected 50,000 customers worldwide. On a much larger scale, the breach of Equifax in 2017 led to the private records of 143 million Americans
Fintech companies know that they’re a target - a recent survey from the Bank of England found that 74% of financial sector executives deemed a cyber attack to be the biggest threat to the industry. Cyber security should be high on the list of boardroom priorities at financial technology businesses, but many overlook the opportunity to tackle potential vulnerabilities at source: the design flaws in software.
Growth at a cost
Software security is the application of techniques that assess, mitigate and protect software systems from flaws and vulnerabilities, and it is fundamental to ensuring that fast-growing fintech companies can continue to scale and safely serve a growing customer
As consumers and businesses become more reliant on financial technology infrastructures, it is imperative that these cyber threats are taken care of before software is deployed and put in the hands of end-users. However, this requires effort and commitment from programmers and engineers in the development stage.
It’s not uncommon for fast-growth companies to overlook some fundamental software security principles. The main reason is that other mission-critical priorities arise when a company is looking to scale at pace. Moreover, as companies grow rapidly, they may find that they do not have the budget to finance their software security practices appropriately - a reality which may become even more acute given the current economic downturn and pressure on budgets.
Make the basics a priority
Fast-growing fintech companies must prioritise software security and should consider a cyber attack as an inevitability. The reality is that the faster a company grows, the more data they collect and store. As data streams and sources increase, so too does the security that protects them. These ‘treasure chests’ of data make businesses all the more attractive to cyber criminals, and they will be specifically targeting those without adequate software security strategies, processes and protocols.
Financial transactions have always been a natural focus for cyber attacks. For this reason, traditional banks are governed by and adhere to comprehensive software and cybersecurity regulations. Financial technology businesses also have to adhere to regulations, but do not have the scale of security that legacy organisations have in place. If these organisations scale without securing software properly, it can result in a loss of customer trust and reputational damage when a breach occurs, inflicting devastating consequences on a company in hyper-growth.
The best option for fintechs is to analyse the different techniques available when implementing software security measures - from secure coding to sandboxing to threat modeling. Threat modeling helps organisations document knowable security threats to an application and make informed decisions about implementing countermeasures.
In order to create robust software security, threat modeling is one of the most important parts of software design and development. It is theoretically possible to build applications and systems that comply with corporate security policies and privacy and regulatory requirements - without actually mitigating any significant threats. A more effective way to avoid this and ensure secure software is with ‘start left’ security.
Starting left is the idea of introducing security at the beginning stages of development, and when combined with DevSecOps, it incorporates checks at each development step to ensure the application is secure before release to end users. This results in development teams within fast-growing fintechs having a greater responsibility for the security of their code, and ultimately the total cost of delivering the secure software is lowered. Indeed, there are further benefits, like increasing developer output because they can be confident of the security of designs, creating efficiencies and bolstering a business’s bottom line.
Being able to detect flaws earlier in the software development process ultimately helps a fintech company to build trust with consumers, as the reliability of its infrastructure is significantly improved.
Take the pressure off
The threat of a cyber attack will only grow in the years to come. Fast-growing companies, and especially fintech businesses, need to be alert to this and maintain a constant proactive security posture. However, it takes extra time, money, and resources to ensure that software is secured against potential threats and these businesses are under pressure to maintain the pace of growth.
There is a way to balance these objectives, and that is to ‘start left’ with security. By introducing security as early as possible into the software development lifecycle and building in threat modeling processes, organisations can identify threats early, mitigate against them, and ultimately accelerate the development of their products. Having the best of both worlds is possible - by embedding these processes from the start, developers can increase their output and adhere to regulations, end users are better protected, and the organisation as a whole can reduce the threats it faces in an increasingly complex cyber landscape.