Why Fintech Should Focus on Availability

Robinhood, an investing and trading platform, experienced every startup’s nightmare: service outages at a crucial time, leaving frustrated customers unable to trade. TechCrunch explains, “It’s perhaps the worst-timed bug in the history of the seven-year-old company, because it coincided with one of the biggest single-day gains in the history of the Dow Jones Industrial Average, and huge gains on the Nasdaq, as well. In all, markets gained $1.1 trillion in value while Robinhood users were forced to sit on the sidelines.” This outage points to a critical component for successful fintech: availability.

Fintech Case Study

In 2014, Robinhood became a “pioneer” for online, commission-free trading and was an attractive platform to millions of customers. As a startup, it raised $1 billion in capital and had a valuation of $7.6 billion, competing with E-Trade and Charles Schwab. But after continuous service outages this week, the fintech company is experiencing significant customer loss and mistrust, financial consequences, and a damaged reputation. Customers have been vocal on social media about leaving Robinhood and now the company will look at compensation for customers on a case-by-case basis.

One of Robinhood’s most blatant mistakes was the lack of communication to its customers. When there’s a service availability issue, your customers need to know what’s happening – especially what’s happening with their money. Robinhood didn’t publicly acknowledge the first outage for several hours, and the New York Times reported that when Robinhood customers reached out, they couldn’t even get a response from the support team. The outages have continued throughout the week, with no exact cause given.

Richard Rieben, Lead Practitioner at KirkpatrickPrice, commented, “System availability and contingency planning is exactly the type of thing we look at when we are performing SOC 2 assessments for fintech companies. We look at availability, and not just in the way of backups and stuff, but more so in the ability to scale, to monitor and meet surging demands, in testing high loads on your platform, and in preparing to respond to all of it.”

Growth is key to a company’s success – so why not proactively prepare your platform for all levels of growth? Let’s talk about availability and how critical it is to business continuity.

Availability in Fintech

Availability is a key concept for fintech. When you’re handling someone’s money (and data), your services need to function when you say they’re going to function. Many information security frameworks include availability topics, but under the SOC 2 Trust Services Criteria, availability is covered through requirements like:

  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.
  • The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.
  • The entity tests recovery plan procedures supporting system recovery to meet its objectives.

In the simplest terms, the availability category for SOC 2 compliance tests organizations to determine if their system is available for operation and use as agreed upon. Points of focus for the availability category include:

  • Does the entity measure the current usage to establish a baseline for capacity management?
  • Does the entity forecast the expected average and peak use of their system components?
  • Does the entity make changes to their system based on the forecasts?
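The three points of focus above (measure a baseline, forecast expected average and peak use, and act on the forecast) can be turned into a repeatable check that produces evidence an auditor can review. The following Python is an added example, not code from the original article or from KirkpatrickPrice; the hourly request-rate samples, the compound-growth forecast model and the 70% utilisation threshold are constructed assumptions chosen for illustration.

```python
"""Capacity baseline and peak forecast check (added example, not from the
original article). Runs offline over constructed request-rate samples."""
import math
from dataclasses import dataclass
from statistics import mean

# Constructed hourly samples of requests per second for a trading API (made-up
# numbers). The final hours model a market-open surge of the kind that
# overwhelms an unprepared platform.
SAMPLE_RPS = [
    120, 110, 95, 90, 100, 140, 260, 480, 620, 540, 500, 470,
    450, 430, 440, 410, 380, 300, 220, 180, 160, 150, 130, 125,
    130, 115, 100, 95, 105, 150, 290, 900, 1150, 980, 800, 700,
]


def percentile(samples, pct):
    """Nearest-rank percentile of a list of numbers; pct is in (0, 100]."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def forecast_peak(observed_peak, growth_rate, periods):
    """Assumed compound-growth model: peak * (1 + g) ** n, e.g. 20% growth per
    quarter projected over two quarters. Any forecast model the business
    documents and reviews would serve the same control objective."""
    return observed_peak * (1 + growth_rate) ** periods


@dataclass
class CapacityReport:
    baseline_rps: float          # average observed load (the "baseline" point of focus)
    observed_peak_rps: float     # 99th percentile of observed load
    forecast_peak_rps: float     # expected peak once growth is applied
    capacity_rps: float          # what the current system is provisioned to serve
    utilisation_at_forecast: float
    action_required: bool        # True when the forecast breaches the headroom policy


def assess_capacity(samples, capacity_rps, growth_rate, periods, max_utilisation=0.7):
    """Measure baseline and peak, forecast the peak, and decide whether a capacity
    change is required. max_utilisation is an assumed headroom policy: staying
    below 70% of provisioned capacity at the forecast peak."""
    baseline = mean(samples)
    observed_peak = percentile(samples, 99)
    forecast = forecast_peak(observed_peak, growth_rate, periods)
    utilisation = forecast / capacity_rps
    return CapacityReport(
        baseline_rps=baseline,
        observed_peak_rps=observed_peak,
        forecast_peak_rps=forecast,
        capacity_rps=capacity_rps,
        utilisation_at_forecast=utilisation,
        action_required=utilisation > max_utilisation,
    )


if __name__ == "__main__":
    # Provisioned for 2000 rps, expecting 20% growth per quarter over two quarters.
    report = assess_capacity(SAMPLE_RPS, capacity_rps=2000, growth_rate=0.2, periods=2)
    print(f"baseline {report.baseline_rps:.0f} rps, observed peak {report.observed_peak_rps} rps")
    print(f"forecast peak {report.forecast_peak_rps:.0f} rps -> "
          f"{report.utilisation_at_forecast:.0%} of capacity")
    print("ACTION: add capacity before forecast peak" if report.action_required
          else "OK: forecast peak within headroom")
```

The report is the artefact worth keeping: a baseline, a forecast with its stated assumptions, and the decision taken. Running it on a schedule and retaining the output is what lets you show an assessor that capacity is monitored and that changes are made based on the forecast rather than after an outage.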

In Robinhood’s case, many areas missed the mark on availability, from IT to developers to customer service. How can your organization avoid an incident like this one? Let’s talk today.

More Availability Resources

Preparing for Current and Future Availability Needs

Data Backup Best Practices

PCI Backup Requirements

Vendor Due Diligence Checklist (With Downloadable PDF)

What is a Vendor Due Diligence Process?

Vetting and choosing vendors are some of the most important decisions you’ll make for your business, especially when it comes to information security. They could do everything from run your call center to store your data, monitor your systems, or destroy your records. Yes, you can outsource a process or a department to vendors – but you can never outsource risk. No matter the vendor, they pose some level of risk to your organization – especially financial risk, operational risk, reputational risk, and cyber risk – because they have access to your data, network, hardware, cloud, and more. This is why you must thoroughly vet potential vendors using a vendor due diligence checklist.

Once you’ve narrowed your vendor options to those that can support your needs, it’s time to gather the information that will help you take a risk-based approach to vendor selection – this is the vendor due diligence process. This information should help you rank the risk that potential vendors would pose to your organization, which strengthens your organization and protects you from insecure or irresponsible vendors.

Streamlining the vendor due diligence process is essential to its success so that it doesn’t become arduous and intimidating. Plus, vetting your vendors isn’t a one-time process; you should continually assess whether they’re introducing more risk into your environment or meeting your security standards. In order to streamline this process, we’ve put together a vendor due diligence checklist as a guide. This checklist isn’t extensive – questions could change based on your requirements or the company, industry, size, or region. It asks potential vendors to submit general information about their company, a financial review, reputational risk information, evidence of insurance, technical documentation regarding information security, and their policies. The more you know about potential vendors, the easier it is to assess their risk. Let’s take a look!

Vetting with a Vendor Due Diligence Checklist

General Information

There are obvious, foundational documents that are absolutely necessary to obtain from potential vendors. This general information will confirm that the company is legitimate and licensed to do the work you need. This includes items like articles of incorporation, proof of location(s), any dba, aka, or fka information, and an overview of the company structure.

Financial Review

Assessing financials may seem irrelevant to your vendor selection process, but you do want to ensure that potential vendors are financially solvent. Would you want to partner with a company that may not be in business next year? To perform a financial review, you will need to know major assets, principal owners, loans, etc.

Reputational Risk

When you choose to work with a vendor, you’re putting part of your business in their hands. Take choosing an audit firm, for instance. Would you want to hire a firm whose managing partner for audit quality was convicted of fraud? Absolutely not – that’s why assessing reputational risk is so important, even with companies you would typically trust (like a Big Four firm or even household names). If you don’t include reputational risk in your vendor due diligence process, you may miss information that would have changed your decision, like complaints or reports from the CFPB or BBB.

Insurance

Gathering insurance information from potential vendors is similar to gathering general information – it’s a must-have and foundational to your decision-making. Gather information on general liability insurance, cyber insurance, or insurance specific to services.

Information Security Technical Review

When a vendor performs a service for you that impacts your data security or privacy programs, you must do a thorough vetting of their information security program. The more they are willing to show you during the vetting process, the better. A good starting point is collecting internal or external audit reports, pen testing reports, and their history of data breaches.

Policy Review

Policies and procedures are the backbone of any organization. If a potential vendor cannot provide policies that cover change management, data retention, or privacy, they probably do not have the controls needed to protect your organization’s data network, hardware, or cloud.
Choosing Vendors

Once your potential vendors have submitted all of their answers from the vendor due diligence checklist, you may be in one of the following situations:

  • A potential vendor is not willing to answer all of your questions. Depending on the nature of your question, you may have the right to be suspicious of their processes and determine that they do not understand your standards.
  • A potential vendor answers all of your questions but their evidence proves they pose significant risk to your company, and it is unreasonable to try and mitigate. Cross them off your list!
  • A potential vendor doesn’t quite meet your standards, but the risk they pose isn’t significant, and they are willing to improve their information security practices in exchange for your business. Now it’s up to you to determine what you require of them to change – more frequent pen testing? A SOC 1 Type II report? The inclusion of new Trust Services Criteria in their SOC 2 audit? Better policy documentation?
  • You have more questions based on a potential vendor’s initial answers. Ask them! If they want your business badly enough, they will cooperate with your due diligence process.
  • One potential vendor’s security processes stand out among the rest – your choice is easy!

If you don’t currently perform vendor due diligence, consider using our vendor due diligence checklist as a guide. If you choose a vendor without vetting and assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can put your business in jeopardy. Have more questions about vendor relationships and how they can impact information security? Want to put KirkpatrickPrice through your vendor due diligence checklist? Let’s talk today!

More Vendor Due Diligence Resources

What to Look for in a Quality Vendor

How to Read Your Vendor’s SOC 1 or SOC 2 Report

Vendor Compliance Checklist

Common Gaps in Vendor Compliance Management

Most Common Privacy Gaps

As more and more governing bodies are implementing data privacy laws, it’s becoming even more important for organizations to mitigate gaps in their systems before they are met with a data breach and hefty fines. We can already see the effects laws like GDPR and CCPA have had on the privacy and security landscape. Take it from British Airways’ experience – the airline was fined $228 million for leaking 500,000 customers’ personal data and violating GDPR. That’s just the cost of the fine and not what it cost the organization to respond to and contain the breach. In a day and age where personal data is valuable to malicious individuals, you need to take every measure to protect your data by avoiding common privacy gaps that many organizations get trapped in.

10 Most Common Privacy Gaps to Mitigate

After evaluating several organizations’ responses to security breaches, we noticed a common thread of areas that are susceptible to hackers. These top 10 privacy gaps should be your first line of defense against malicious individuals. To reduce security risks and increase proper privacy procedures, take note of these common privacy gaps:

  1. Data Mapping: To protect the privacy of secure data, you must know where that secure data is and who has access to it. Data mapping should be a priority in creating proper records of your systems.
  2. Device Management: Data encryption, anti-malware software, and strong passwords are all important parts of device management that help to increase the security of private information.
  3. Application Development: Whether it’s secure practices for logging personal data or creating clear terms and conditions, you need to be implementing secure procedures for personal data in the application development stage.
  4. Breach Notification: When a breach occurs, certain governing bodies must be informed of the breach according to the regulatory standards. Developing a thorough breach notification policy is necessary to mitigate common privacy gaps.
  5. Privacy Policies: When you gather personal data from any individual, they need to have access to a privacy policy with clear, understandable language that explains their privacy rights. Whether in the form of an online privacy policy statement or a written posting, you need to construct privacy policies that meet regulatory requirements and review them annually.
  6. Security Testing: In order to respect the privacy rights of your customers, you need to also keep their data secure. Diligent security testing in the form of vulnerability scanning or penetration testing should be conducted annually, or as big organizational changes occur to keep personal data private.
  7. Employee Training: All employees should be trained to uphold privacy laws and implement proper procedures to protect secure data. Training should occur at least once yearly.
  8. Documentation: Documenting all handling of PII as it is transferred throughout your organization is an integral part of avoiding common privacy gaps.
  9. Continuous Monitoring: You can further protect private information by implementing continuous monitoring of your organization’s processes to be notified of risks and gaps that need to be addressed.
  10. PII Retention and Destruction: To properly handle PII, you must also develop policies to determine how long you retain the data and implement detailed procedures for disposal of the data.

Learning to Adapt and Minimize Privacy Gaps

As privacy laws change and new regulations are enforced, your organization needs to be prepared to adapt to the ever-shifting landscape of information security. Whether that looks like investing in yearly penetration tests or implementing a thorough risk analysis, you need to start minimizing these common privacy gaps if you’re trying to stay on top of any changes in privacy law. Adaptation is key to avoiding hefty fines and loss of personal data. Don’t be another organization that falls victim to a hacker’s malicious intent because you weren’t mitigating known common privacy gaps. Contact KirkpatrickPrice, today, to learn how you can continue protecting your secure data.

More Resources

Best Practices for Data Privacy

Privacy vs Security: What’s the Difference?

Preparing for CCPA: 4 Data Privacy Best Practices to Follow

Understanding Your Audit: Locations and Sampling

During the audit process, our qualified Information Security Specialists use best practices to determine the scope of the work. If you’ve never completed an audit, you’ve probably had questions about scoping and sampling. How many locations should be audited? Which locations are most important? How does an auditor develop a scope? What kind of sampling takes place during the audit? These are all valid questions asked by organizations undergoing an audit for the first time. Let’s talk about locations and sampling.

Locations, Locations, Locations

If you’re an organization with multiple office locations, you may be wondering which locations to include in your audit. While our expert-level Information Security Specialists will audit multiple locations, it’s not necessary that they physically visit every office location that you have. Instead, you can include the locations that hold key systems and processes. If you are storing data or backing up your systems in an office location, you should expect that location to be included in your audit. Do you have remote employees with no access to data? Wherever you’re looking to check security controls and protect data, you need to have those processes tested.

Do you have an office located overseas? Have you ever visited this office location to confirm proper security processes are in place? Out of sight, out of mind is a reality for many organizations with overseas locations. That’s why it’s important to have a qualified Information Security Specialist in person completing an onsite visit and auditing your security controls. Many of our clients are appreciative of our auditors who are willing to travel overseas to verify that their vendors are doing what they say they’re doing. Whether that location is in Canada or India, you’ll want the security of that location to be thoroughly audited.

How Does Sampling Work?

Imagine you have hundreds of employees across hundreds of office locations with countless amounts of data you’re planning to audit. If one of our Information Security Specialists were to use every one of your data points from every location in an audit, the audit process would take years to complete. Instead, auditors use sampling to take the portion of the data that is necessary to reach reasonable assurance during the audit. When designing the sample, auditors evaluate the purpose of the sample, outliers, and behavior to select the proper sample size. Sampling risk should be determined to understand how many possible errors could be in the data so that the Information Security Specialist can do the job of reaching reasonable assurance.

Overall, sampling is a tool that is used to gather a reasonable amount of data that can be used in the audit. Instead of auditing 400 retail locations, the auditor may take a sample from each region. You can expect to participate in sampling during the audit process as an effort to complete a quality audit.

Completing an Audit with KirkpatrickPrice

When you choose to complete an audit with KirkpatrickPrice, you’re also choosing to receive quality education throughout the audit process and guidance from our expert information security team. We’ll guide you through the decision-making processes as you choose which locations to include in your scope. During the onsite visit, your Information Security Specialist will further expand on the sampling tool as they work to audit your security controls. You can count on KirkpatrickPrice to reach reasonable assurance in all of our audit practices. Interested in learning more about completing an audit with KirkpatrickPrice? Contact us, today!

More Resources

Auditing Basics: What is Scope?

How to Streamline the Audit Process

What Does Reasonable Assurance Mean?

Most Common HIPAA Gaps

It’s not uncommon for healthcare breaches to make the headlines these days. Whether it’s a major breach like Anthem’s $16 million breach or a smaller HIPAA violation such as improper disposal of secure records, healthcare organizations are falling victim to security breaches at an alarming rate. According to IBM Security’s 2019 Cost of a Data Breach Report, the healthcare industry has the highest industry average cost of a breach, at $6.45 million. Do you have $6.45 million that you’re ready to use if your systems are breached? Are you prepared to spend years dealing with the OCR for failing to protect privacy rights? Of course not. One of the best ways to avoid these detrimental consequences is to make sure you’re compliant with HIPAA and start mitigating common HIPAA gaps now.

Missing the Mark with HIPAA Gaps

Maybe you’re preparing for a HIPAA audit and looking for the first step to compliance, or you don’t know anything about HIPAA and you’re struggling to get started. Either way, you need to know about these common HIPAA gaps to avoid possible threats and hefty fines. Which HIPAA gaps are the most prominent vulnerabilities revealed in recent healthcare industry security breaches? Let’s discuss four common HIPAA gaps.

Non-Compliant Business Associate Agreements

A Business Associate Agreement, or BAA, is a document between a covered entity and business associate confirming that both entities will do their due diligence to protect PHI that is transferred between businesses. Not having a thorough written agreement in place to protect PHI is a violation of HIPAA. According to recent OCR findings, non-compliant BAAs are common HIPAA gaps that you should be working to mitigate. If you aren’t already practicing proper BAA procedures, you need to start now.

Missing Risk Analysis

How often should a risk analysis be performed? What should you do with your risk analysis findings? These are good questions to ask when mitigating common HIPAA gaps, as missing a risk analysis tends to be one of the first weaknesses found during a HIPAA audit. A risk analysis should be performed after any major changes in your organization and, at the very least, once annually. Once the risk analysis is performed, your organization should adjust and correct any vulnerabilities found. Don’t be a victim of this common HIPAA gap!

Physical Security Holes

Your physical security is one of the most important defense practices you can establish to protect valuable PHI. Without proper locking of secure documents, the use of security badges for access to secure areas, or proper desktop auto-locking procedures, you’re creating vulnerabilities that could be breached by malicious individuals. To comply with HIPAA, you have to be diligently working to mitigate common HIPAA gaps like holes in your physical security.

Lost or Insecure Devices

While it may seem obvious that all devices with PHI need to be protected against loss or theft, it’s still one of the most common HIPAA gaps found during the compliance journey. Encryption is a big piece of the puzzle, as all devices in your organization should be protected against malicious use in the case of loss or theft. Taking the next step to back up your systems and encrypt those backups is vital in mitigating any threats to your organization.

Learning to Close Common HIPAA Gaps

By mitigating these gaps early on, you’re setting your organization up to avoid costly fines and unexpected breaches. You can start your compliance journey by closing these common HIPAA gaps and implementing company-wide procedures that address vulnerabilities plaguing your systems. These practices will help you avoid becoming another number in common healthcare security statistics. Instead of joining the hundreds of other healthcare organizations that were victims to 466 security incidents in 2019, your organization can join the many KirkpatrickPrice clients who are satisfied with the expert-level, quality audits we perform. Contact us to start your journey to becoming more than an information security breach statistic!

More HIPAA Resources

Penetration Testing in Support of HIPAA

Dangers of XSS Attacks at Healthcare Organizations

Why is Information Security So Important in Healthcare