FinTech & Cybersecurity


Since the annual RSA conference was in San Francisco last week, the topic of this week’s edition of The FinTech Blog is cybersecurity.

I was at RSA last year with Morgan Stanley, and just read that the key takeaways for 2015, according to Network World, are: 1) visibility (i.e. seeing how you’re doing); 2) data center security; 3) two-factor authentication; and 4) services. 

I’m emphatically not a security expert, but can speak to certain aspects of security – from a business perspective – which can be of value to early-stage FinTech startups and industry enthusiasts less familiar with security.

I recently sat down with Barry Schneider, CEO of LOYAL3, perhaps one of the most interesting of the FinTech firms based in San Francisco. While a later edition will include the full interview, I was struck by his comment that doing things right on security, regulation and privacy isn’t just ‘important’ – “it’s everything.”

Security Is Everyone’s Business

From my own experience in financial services and at FinTech startups, the role of security is more than technology. At Morgan Stanley, for instance, everyone takes an annual training class on protecting private information, knowing your customer (KYC) and enforcing Anti-Money Laundering (AML) rules.

There’s a lexicon of terms beyond KYC/AML, such as PII (Personally Identifiable Information) and MNPI (Material Non-Public Information), to learn. It’s a lot to take in, but I’ve found Intuit Developer maintains a great security blog.

Risk Officer

Having briefly played the role of a risk officer – which convinced me of the need to return to a role in product management and/or digital strategy – I can tell you that the people in this area play critical roles. I’ve learned a lot from some great managers working in risk, such as Morgan Stanley’s Lynn Riehl.

If you’re at a FinTech startup in engineering or operations, you should be aware of the requirements that apply to those who are regulated. The rules are complex, but a good start is familiarity with the PCI DSS rules for card data and the FFIEC guidelines that apply to some banks.

Although too costly for a seed-round firm, mid-stage startups would be smart to seek out experts such as Adam Shapiro at Promontory Group, who can help navigate regulatory issues, and to get legal advice as they build their products.

Role of the CISO

Over the last few years, some of the larger financial services firms, along with some other industries, created a new role, the Chief Information Security Officer (CISO). Morgan Stanley has one of the best in Gerard (Jerry) Brady, who taught me a lot about information security.

Beyond knowing the difference between IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems), I later learned that you should assume you’ve already been breached, i.e. never think you are secure, and that the old paradigm of securing a perimeter is no longer sufficient (which speaks to the key takeaway from RSA on visibility).

Startups probably think less about some issues, like data centers, since many use AWS instead of running their own, but it’s never too early to have a CISO if you are even a partner to a bank or other financial services company.

Jerry also had an almost encyclopedic knowledge of companies in the security space, being able to explain and cite the pros and cons of working with innovators such as CloudFlare, Passages Security, vArmour and Prevoty.

The old paradigm of securing the perimeter is no longer sufficient…

The CISO can play various roles, but should lead thinking on new threat vectors, stay on top of what’s new, and manage the vulnerability assessment and Information Security (InfoSec) teams that look at third-party providers.

Data Center Security

In terms of data center security, another key theme at RSA, I won’t speak to this as much, but I’d advise mid-stage FinTech startups to follow the industry leaders in this space, such as Palo Alto Networks, and newer entrants such as Illumio (backed by Joe Lonsdale’s Formation 8; Joe co-founded Palantir, a key player in security at banks).

Two-Factor Authentication

While it’s less relevant to a FinTech startup, I was intrigued to read that two-factor authentication (2FA) was a key theme at RSA last week. At many banks, employees use RSA token generators, but banks seldom issue them to clients, out of concern over cost. For clients, the second factor in 2FA is often the mobile phone. Many have asked whether banks are doing enough.


Although I didn’t get as much opportunity to work with Dave Chen – the leader of Morgan Stanley’s banking team focused on cybersecurity – as I’d have liked when I was on Sand Hill Road, it was clear Dave is the go-to banker for security technology.

The final key theme at RSA was services – so it’s telling that Dave was ahead of the curve, putting together the deal to merge Mandiant – the services team called in to address crises such as the breach at Sony Pictures – with FireEye.

Although I’m excited to be back on the business side, I wanted to give a shout-out to one of the truly great service providers I had the chance to work with recently:


Bracket Computing. I’m a big fan of this company and its CEO, Tom Gillis, along with his stellar team, including CTO Jason Lango; VP of Sales, Chris Pappas; and VP of Product & Marketing, Ambika Gadre.

I’d also like to congratulate Bracket on their selection last week into Wells Fargo’s exciting new Accelerator program.

Final Thoughts

Hopefully this week’s post sheds some light on the criticality of security, and the complexity of the regulatory issues, for FinTech startups and others who haven’t worked in strictly regulated industries.

Screen Time!

And if you want to gain deeper insights into security from actual security experts, check out these videos of keynotes from last week’s RSA event!

Apple Watch & Apple Pay


There are plenty of places where you can read about the Apple Watch, but I’d like to focus on how Apple Pay fits into the FinTech world and its digital banking potential.

After the event hosted by Tim Cook, the Apple Watch has been winning a lot of praise for its innovation. Among the many comments out there, my personal favorite was David Pogue’s tweet.

I also loved that Tim Cook said he’s been wanting something like this since he was 5 years old. But from a FinTech perspective, beyond Apple Pay, one announcement that stood out for me today was the launch of Mint for the Apple Watch.


It’s fascinating to watch an entirely new third-party software ecosystem start up literally before our eyes, with other favorites including the new Salesforce apps announced today. Details on these are available in Marc Benioff’s Twitter feed.


I was in Mountain View last week at Intuit, the owner of Mint, and was impressed by recent developments, especially at the Intuit Developer Group (IDG). IDG has embraced an API- and platform-centric model (see my earlier post on this topic).

With Intuit products like QuickBooks Online (QBO) winning in the marketplace (e.g. 1M+ subscriptions for QBO’s cloud offering), and a strategy of moving from product to platform like Salesforce, I was hardly surprised to see Mint as an early partner in the nascent Apple Watch ecosystem.


Since there were not a lot of details on how Apple Pay will work with the Apple Watch, either at the announcement of the watch last fall or at today’s SF event with Tim Cook, it’s useful to recap what we know at this point.

According to a recent report from CNET, which caught up with Eddy Cue, SVP at Apple, last week, customers have the option to lock or unlock the Apple Watch, so that you don’t have to approve each transaction on the watch.

What’s fascinating is the way most customers can use their Apple Watch with Apple Pay by authorizing it when they put on the watch, so that they don’t need to have their iPhone with them to pay.

As reported in GigaOM today, this is seen as a clever and novel approach to authentication: wearing the watch maintains the approval for payments, so if you take off the watch (or it’s stolen), the watch recognizes this and payments no longer work until you re-enter the passcode or pair it with the iPhone again.

It’s a new way of thinking about multi-factor authentication that seems natural to me. I can envision lots of digital banking innovation with Apple Watch.

Today’s news also makes it clear that Apple Pay’s hardware-based security (the so-called “secure element”, a tamper-resistant chip that holds the payment credential) and its tokenization of credit card information (the device stores and transmits a token rather than the actual card number) are used by both the phone and the watch, so the watch does not depend on the phone for the security of a payment.

A lot of commentators, including Benedict Evans, have said there’s a “delight” vs. utility story to the Apple Watch, and I think that’s true, just as Apple Pay is more than a story of how to make an in-store payment.

Personally, with Apple Pay, I love being able to download an app and authorize the transaction using Touch ID (vs. having to type in my Apple ID password).


My wife’s already asking for the Apple Watch Sport for her birthday next month (I guess I’m lucky she didn’t fall for the Apple Watch Edition).


If you missed my post last week on the launch of Samsung Pay and Android Pay, you can read it here. However, it’s striking that at last week’s Mobile World Congress in Barcelona, as many pointed out, the big banks were conspicuously absent – despite the key role of mobile in the future of banking.

I was glad to have been at Jason Calacanis’ Launch Festival last week, catching up with old friends like Adam True from Morgan Stanley. I was also glad to catch up with Emmanuel (Manny) Dounias, a private banker who focuses on the tech sector.

Although there weren’t a lot of FinTech companies at Launch, the winner of the startup competition was a Bitcoin startup called Abra that helps the unbanked (and those paying high fees for money transfers to developing countries).

But this week it’s all about the Apple Watch. You can read more at TechCrunch, but I suggest reading initial observations from Benedict Evans when it was announced, or reviewing AdWeek‘s summary of major brands working with Apple.

And by all means watch the keynote or ad video on Apple’s site since I think that to understand Apple Watch you have to see and experience it, rather than just read about it (so I’ll stop writing).