Acupay Cybersecurity Challenges and Solutions
Cybersecurity is a crucial operational pillar of Acupay. The company processes high-value transactions for international investors, and protecting their data, our operations, client privacy, and our reputation is central to the success of Acupay. Cybercrime is a massive problem that is constantly growing worse and more sophisticated. In 2024, global financial losses from cybercrime are estimated to be over $9 trillion and are only expected to go up from there. The fintech industry alone has experienced a 30% increase in cyberattacks year-over-year.
Briefly, Acupay’s strategy is to create a cybersecurity ecosystem. That ecosystem has multiple control categories, such as administrative, operational, physical, privacy, reliability, and recovery. It also includes security for applications, networks, hosts, and data.
So, how did Acupay build its cybersecurity infrastructure? In an industry where 60% of small companies report that they lack sufficient cybersecurity measures, it is clearly challenging to provide effective protection from cyber-attacks.
This article explores Acupay’s cybersecurity journey. We will delve into the challenges we have faced in creating and implementing our cybersecurity strategy and the innovative approaches used to overcome those challenges. In a future article, we will share the results of our efforts.
Challenges
What are the challenges of creating and implementing a cybersecurity strategy?
The first challenge is the breadth of the problem. Even in small companies such as ours, the complexity and volume of technology present multiple hurdles. The emergence of new technologies and ever-evolving threats further complicates the situation. Protecting a growing technology infrastructure from an increasing number of threats only compounds the problem.
Secondly, there are the organizational and human factors. Employees are a rich source of targets for cyberattacks and, if not careful, can provide direct access to technology. Adding to this, like most companies, we use a fair number of vendors, who have their own employees, increasing the potential for a data breach caused by human error. Ensuring that both your employees and your vendor network are safe creates an operational obstacle that needs to be addressed.
Regulatory requirements and compliance audits that Acupay needs to meet add complexity to this. As an international company, Acupay processes the data of system users and beneficial owners from around the world, so data privacy and security regulations such as GDPR, CPRA, and soon EU DORA (Digital Operational Resilience Act) regulations are all relevant. Additionally, working with large multinational banks and large compliance departments, we may be asked to comply with additional regulations that they are subject to, and completing compliance audits and due diligence questionnaires is an annual event. Likewise, being a member of the Swift network, we must complete a separate annual third-party cybersecurity attestation. All these compliance sources add up, creating a large set of similar, but often slightly different, cybersecurity requirements. Developing and implementing a strategy to ensure coverage of all regulatory requirements can be daunting.
This leads to the next challenge, which is cybersecurity resources. With the scope and amount of work discussed above, few companies will have the resources to address all issues simultaneously. This is true for budget, time, personnel, and skills. Cybersecurity skills are in high demand, so making sure you have all the right personnel to staff a cybersecurity team adequately can feel almost impossible. Security technology is also in demand and expensive, which can easily stress a company's budget.
The final challenge is ensuring that the efforts are effective. Determining the effectiveness of cybersecurity controls is not always simple and straightforward. The absence of a security breach should not be the sole test of whether cybersecurity controls are effective.
Solutions
Given all these challenges, the search for solutions can seem overwhelming. Before starting, it is important to remember not to panic. Keep in mind that not everything can be done at once and that it will take time, and then work in a structured manner.
Performing a risk assessment is a good first step. A risk assessment, whether formal or informal, helps to identify, rank, and set priorities, which is the core of all efforts. Initially, our risk assessments were informal and purely operations-related, but as the company matured and our Risk and Compliance team was established, they have grown to encompass all teams’ activities.
Along with identifying the risks, we identified the impact and likelihood of each, as well as the planned response for each risk. This provided an initial roadmap, with annual updates to correct course as necessary.
With that done, the next step is to implement the cybersecurity controls. Our implementation planning followed a few simple principles that together created a balanced approach.
Address the highest-impact risks, external threats, and people-related threats first.
Resolve low-hanging fruit so that as many risks as possible receive some treatment, even if the action only partially mitigates the risk at that time.
Spend time on controls that could be created in-house and spend money on those technologies and skills that are unavailable in-house.
By using this balanced approach, a broad foundation was laid while addressing the most pressing risks. It also prioritized external threats, with the viewpoint that it is difficult to breach technology that cannot be reached. As an example, one of the first controls implemented was external penetration testing because it was not possible to do it internally.
In our next newsletter, we will talk about the results that came out of implementing our strategy. If you are not already, make sure to subscribe to our mailing list to see this when it is posted and to be notified on future Acupay updates!