FinTech & Cybersecurity


Since the annual RSA conference was in San Francisco last week, the topic of this week’s edition of The FinTech Blog is cybersecurity.

I was at RSA last year with Morgan Stanley, and just read that the key takeaways for 2015, according to Network World, are: 1) visibility (i.e. seeing how you’re doing); 2) data center security; 3) two-factor authentication; and 4) services. 

I’m emphatically not a security expert, but can speak to certain aspects of security – from a business perspective – which can be of value to early-stage FinTech startups and industry enthusiasts less familiar with security.

I recently sat down with Barry Schneider, CEO of LOYAL3, perhaps one of the most interesting of the FinTech firms based in San Francisco. While a later edition will include the full interview, I was struck by his comment that doing things right on security, regulation and privacy isn’t just ‘important’ – “it’s everything.”

Security Is Everyone’s Business

From my own experience in financial services and at FinTech startups, the role of security is more than technology. At Morgan Stanley, for instance, everyone takes an annual training class on the importance of protecting private information, knowing your customers (KYC) and enforcing Anti-Money Laundering (AML) rules.

There’s a lexicon of terms, beyond KYC/AML, such as PII (Personally Identifiable Information) and Material Non-Public Information (MNPI) to learn.  It’s a lot to learn, but I’ve found Intuit Developer maintains a great security blog.

Risk Officer

Having briefly played the role of a risk officer – which convinced me of the need to return to a role in product management and/or digital strategy – I can tell you that the people in this area play critical roles. I’ve learned a lot from some great managers working in risk, such as Morgan Stanley’s Lynn Riehl.

If you’re at a FinTech startup in engineering or operations, you should be aware of the requirements for those who are regulated. The rules are complex, but a good start is familiarity with PCI rules for cards and the FFIEC guidelines for some banks.

Although too costly for a seed-round firm, mid-stage startups would be smart to seek out experts such as Adam Shapiro, at Promontory Group, who can help navigate regulatory issues, and to seek legal advice as they build their products.

Role of the CISO

Over the last few years, some of the larger financial services firms, along with some other industries, created a new role, the Chief Information Security Officer (CISO). Morgan Stanley has one of the best in Gerard (Jerry) Brady, who taught me a lot about information security.

From knowing the difference between IDS (Intrusion Detection Systems) and IPS (Intrusion Protection Systems), I later learned you should assume you’ve been made, i.e. never think you are secure, and that the old paradigm of securing a perimeter is no longer sufficient (which speaks to the key takeaway from RSA on visibility).

Startups probably think less about some issues, like data centers, since many use AWS instead of their old data centers, but it’s never too early to have a CISO if you are even a partner to a bank, or other financial services company.

Jerry also had an almost encyclopedic knowledge of companies in the security space, being able to explain and cite the pros and cons of working with innovators such as CloudFlare, Passages Security, vArmour and Prevoty.

The CISO can play various roles, but should lead thinking on new threat vectors, stay on top of what’s new, and manage the vulnerability assessment and Information Security (InfoSec) teams looking at third-party providers.

Data Center Security

In terms of data center security, another key theme at RSA, I won’t speak to this as much, but advise mid-stage FinTech startups to follow the industry leaders in this space, such as Palo Alto Networks, and more players entering this space, such as Illumio (backed by Joe Lonsdale’s Formation 8; Joe co-founded Palantir, a key player in security at banks).

Two-Factor Authentication

While it’s less relevant to a FinTech startup, I was intrigued to read that two-factor (2FA) security was a key theme at RSA last week. At many banks, employees use RSA token generators, but banks seldom make clients use them, out of concern over cost. For clients, the second factor in 2FA is often the mobile phone. Many have asked whether banks are doing enough.


Although I didn’t get as much opportunity to work with Dave Chen – the leader of Morgan Stanley’s banking team focused on cybersecurity – as I’d have liked when on Sand Hill Road, it was clear Dave is the banker in the world for security technology.

The final key theme at RSA was services – so it’s telling that Dave was ahead of the curve, putting together the deal to merge Mandiant, the services team called in to address crises such as the breach at Sony Pictures, with FireEye.

Although excited to be back on the business side, I wanted to give a shout out to one of the truly great service providers that I had the chance to work with recently:

Bracket Computing. I’m a big fan of this company and its CEO, Tom Gillis, along with his stellar team, including CTO Jason Lango; VP of Sales, Chris Pappas; and VP of Product & Marketing, Ambika Gadre.

I’d also like to congratulate Bracket on their selection last week into Wells Fargo’s exciting new Accelerator program.

Final Thoughts

Hopefully this week’s post will shed some light on the criticality of security and the complexity of the regulatory issues for some of the FinTech startups or others who haven’t worked in strictly regulated industries.

Screen Time!

And if you want to gain deeper insights into security from actual security experts, check out these videos of keynotes from last week’s RSA event!

And the Winner Is …

Inspired by last night’s Academy Awards, I wanted to link this week’s post to a couple of related themes, namely Los Angeles area startups (including those in FinTech), and explore the concept of winners vs. losers in the FinTech category.

But to kick off, as far as this year’s Oscars, I think John Battelle said it all:

So damn over

Yes, the awards show was a bit of a letdown – but having just returned from a trip last week to Los Angeles, where I’d lived for about five years, I wanted to talk a little bit about the area (not traditionally known for its startup scene).

Last month, I was excited to hear the news that my friend, Bill McKnight, had joined RealtyMogul as SVP of Product.

I’ve known Bill since 2006 when he was at (acquired and later spun out of eBay). RealtyMogul is a FinTech success story, but I will write more about real estate in a future post.


But since the focus is on Los Angeles, I have to call out another innovator in this space that’s more focused on lending (vs. buying an ownership stake in a building) and with a slightly greater emphasis on residential vs. commercial property: Patch of Land.

They get a lot of buzz in the FinTech circles, and should have a breakout year in 2015.

Beyond RealtyMogul, other local FinTech firms to track are Zest Finance, FastPay, CapLinked, and StockR.

Later I’ll write a more detailed overview of these, but one SoCal company I’d like to call out for special attention is Acorns.


To me, Acorns is one of the better FinTech stories out there. It combines many things that I believe in. First, the move away from a “unified app” view of the world, i.e. the idea that’s championed by the big banks out there that you need to sign into your bank account  to do anything. I think in today’s world, it’s far better to have a focused app strategy.

Second, Acorns applies good “behavioral science” to actual problems. Specifically, most people say they want to save, but due to inertia or banks making it hard, people often don’t do the right thing. Prof. Shiller from Yale has written persuasively on this, leading to simple but effective changes, such as auto enrollment of people into 401k plans (vs. requiring filling out forms).

I’m also a fan that they take something somewhat arcane, i.e. the Markowitz portfolio theory of investments (which was maybe my favorite concept from B-school) and make it simple to understand and apply to real life.

By encouraging savings (“pay yourself first”), making it inexpensive and smart, I think Acorns has a lot of potential to do real social good, which is the other reason I like Acorns, with the last being it’s a mobile-first business. Check them out!

FinTech startups or banks should check out LA-based startup, Prevoty.


Winners vs. Losers?

Sticking with the Oscar theme, a question I’ve been thinking a lot about of late is who are the winners and losers in FinTech. What’s striking to me is the recent focus on which regions will win.

I was intrigued by a recent claim by a UK newspaper that 50k people work in FinTech in London. The article didn’t say, but I think the figure makes sense only if you include tech workers at banks (e.g. Barclays) and related providers (e.g. IBM).

This table shows the SF / Silicon Valley FinTech players ranked by employees (adapted from recent SF Business Times article).

FinTech SF : SV

While I’ve seen lots of lists of “most innovative” players in FinTech, I would like to see this table showing actual employment for other cities (e.g. London, New York).

It’s a Wrap

As an Oscar night-inspired post, I’d like to give a shout out to those based in Los Angeles I admire: Gary Braitman, a colleague from Scient, now EVP at Wells Fargo. Jason Farmer, at Dollar Shave Club. Bridget Baker at Baker Media (ex NBC Universal). Robert Cerny, investor and lawyer at Hinshaw & Culbertson. Drew Planting, real estate investor. Bennett Pozil at East-West Bank.

In terms of FinTech VCs, there is of course CoreVC, which is one of the best, led by Arjan Schutte, who founded Core after leaving CFSI. I’m also a fan of Kat Utecht at CoreVC. It’s good there are other tech-oriented VCs like Upfront Ventures in Santa Monica.

It’s appropriate that I wrap up this Oscar-inspired post with a short video: Just in case you missed it, here’s the short commercial narrated by Martin Scorsese from last night’s ceremony (reportedly made entirely on an iPad 2): Roll tape

Good night!