Securing A Fintech Organization

November 23, 2021

Security in a fintech company is an important and difficult task. How do you build enough guardrails without impacting innovation?

Recently, Yieldstreet has undertaken two measures (the SOC 2 and ISO 27001 reports) that reflect how well we’re performing our security, privacy, confidentiality, availability, and processing integrity controls over a given period. We chose to do this early and build a strong security foundation as we build our teams and services. That way, we already have a framework in place that is prescriptive but can be improved upon as we grow as a business – the snapshot today isn’t how we’ll look a year from now. We started a security initiative to get these reports in 2019, and in March 2021 Yieldstreet received its SOC 2 Type 1 certification for availability, confidentiality, and security without noted exceptions.

In 2021, there have been several high profile hacks on critical infrastructure and international organizations. One of the most notable occurred through a platform called Kaseya. We do not use Kaseya products, so we were not impacted by this breach. However, we wanted our security team to offer a breakdown (though incomplete) of some of the various security controls we do have in place to protect us and our investor/borrower data:

  • We conduct annual third-party penetration tests on Yieldstreet.com’s infrastructure and application. The most recent one was conducted in March 2021 and the results yielded no “critical” security vulnerabilities and two vulnerabilities classified as “high”. The high vulnerabilities were issues we already knew about and had a plan for tackling.
  • Each server and employee workstation in the environment is protected with next-generation anti-virus solutions that give us full visibility into malicious behavior at its origin and throughout the system’s processes.
  • We have deployed Cloudflare to protect our application at the edge, with mitigations against common web attacks and bad bots.
  • We have deployed a risk-based authentication platform to prevent investor account takeover.
  • Yieldstreet deploys data loss prevention tooling across each workstation, messaging application, and SaaS product. This allows us to track the flow of company-confidential and personally identifiable information and keep it safe from exfiltration.
  • We track how well our staff resist phishing through routine simulated phishing exercises. We are doing well, and we can and will do better in the coming months as more training becomes available.
  • Our code undergoes static code analysis to ensure that we are coding securely and to alert us when we are not.

We have many more protections planned and are constantly evolving our security posture against the evolving threat landscape. Just as we think about liquidity for our investors, we think about security among the risks we face.