Growing Security Debt Leaves Fintech Exposed
Biometrics, once considered the holy grail of banking cybersecurity, is now facing critical vulnerabilities in the wake of generative AI. As institutions struggle to keep pace with technological advancements, rogue actors are adapting at an alarming rate, putting banks and insurers at risk.
It's not just biometrics that poses a challenge; technological revolutions often expose institutions to new security threats. According to Elliott Frantz, CEO of Virtue Security, a security firm providing penetration testing in financial services, the result of complex infrastructure designed to seamlessly serve customers is a "high point for fragility and enormous security debt."
The increasing technical complexity of financial institution architecture, rather than access to tech talent, poses the greatest risk. This is largely due to the growing number of applications used by banks, with McKinsey reporting that the average number of applications increased from 133 per billion dollars in revenue in 2013 to 224 in 2022 – a jump of over 68%.
Furthermore, the use of cloud computing and white-labeled applications has expanded the attack surface for banks. According to Frantz, "banks are like every enterprise, in nature. They are using a broad range of technology platforms." However, their systems architects and engineers are often experts in building, not hacking, which means traditional penetration testing models are no longer effective.
The issue is exacerbated by generative AI, which requires proprietary data to train models. As banks and third-party vendors compete to derive value from these models, they're collecting and ingesting large amounts of data without adequate security assessments. This represents a deep vulnerability in the system.
Frantz notes that traditional security assessments designed around predictable, standardized security experiences won't cut it in this new environment. Sophisticated hackers with generative coding agents at their disposal are designing attacks targeting the multi-system environment of modern financial institutions.
"People with sharp technical skills are becoming more and more valuable," Frantz says. "Changing our approach to thinking about technical systems starts with conceptualizing contemporary enterprise security testing protocols. Great hackers, both ethical and unethical, are systems-minded."
The solution lies not in stopping the development of customer applications or training models but rather accepting that new security assessments are needed. Banks must adapt their approach to thinking about technical systems, acknowledging that traditional methods won't suffice in this era of complex infrastructure and generative AI.
Key Statistics:
- The average number of applications used by banks increased from 133 per billion dollars in revenue in 2013 to 224 in 2022 – a jump of over 68% (McKinsey).
- The number of application vendors used by banks has also increased, with a 60% rise during the same period.
Call to Action:
Banks must adapt their approach to thinking about technical systems, acknowledging that traditional methods won't suffice in this era of complex infrastructure and generative AI. By conceptualizing contemporary enterprise security testing protocols, institutions can better protect themselves against emerging threats.