Michael Dooijes, the co-founder and managing director at Startupbootcamp’s Amsterdam-based FinTech and cybersecurity accelerator, explained why banks are looking to FinTech startups in the race against cybercrime, in a research interview with FinTech Global.
The WannaCry ransomware attacks last month highlighted just how far reaching and damaging modern cyberattacks can be. Within a day the attack was reported to have infected more than 230,000 computers across 150 countries, with services such as the UK’s National Health Service, Spanish telecom Telefónica and FedEx all hit. These kinds of headline-grabbing incidents stress just how important cybersecurity needs to be at any business holding customers’ data. With client trust a crucial factor for banks and financial services, cybersecurity is becoming a major area of focus for FinTech startups and investors.
Dooijes emphasised the growth in the importance of security at financial institutions and said: “It’s in everyone’s priority list and it’s a board-level consideration. Every large corporation understands the need to step up because it’s a race between the owners of the data and the hackers. Whoever has the most data is going to win this race.”
Combining FinTech and cybersecurity
Startupbootcamp operates 20 accelerators around the world, with FinTech programmes in London, Mexico City, New York, Mumbai and Singapore, as well as a London-based InsurTech-focused programme. Amsterdam, however, is its only programme that combines FinTech with cybersecurity, and Dooijes thinks more FinTech accelerators will follow suite. “The security aspect will become more important because corporate partners and clients demand this. I’ve clearly seen the demand from corporate clients,” he said.
Dooijes highlighted the appetite among corporate and government organisations to access FinTech security startups with most of the Netherland’s banks and insurance firms signed on as partners as well as the national police’s high-tech cybercrime team. This close corporate connection to the programme is influencing the type of companies Dooijes looks for, with risk-adverse partners such as financial institutions preferring to work with more mature startups than many of Startupbootcamp’s other programmes look for.
“Startupbootcamp initially focused on early-stage companies, but in cybersecurity the partners need to see more advanced startups,” he explained. “They prefer not to experiment or run a proof of concept with very early-stage startups. They want proven technology. That’s why I had a few ‘scale-ups’ in residences next to early-stage startups.”
2017 is set to be a record year for FinTech cyber security funding
There are significant levels of venture funding flowing into the cyber security FinTech space at present, with $375.6m raised across 33 deals in 2016. Funding has accelerated further in 2017, with $665.3m raised over 18 funding rounds so far this year. That rapid increase owes largely to a series of sizable rounds such as Palo Alto firm Rubrik’s $180m Series D round led by Institutional Venture Partners.
Banks must follow the lead of tech companies and constantly innovate
The shift in banks from financial services companies where employees use computers into technology companies operating in financial services means they must follow the lead of tech companies and constantly innovative to stay relevant to consumers, as well as to protect themselves from attacks. Dooijes suggests banks are getting-to-grips with this approach to business and are, for now, keeping pace with hackers and scammers – something that will come as a relief to the billions of consumers around the world whose data and savings are at stake in this race.
He claimed banks are facing “thousands of attacks a day globally” and an increasing number are able to handle these attempted breaches but it’s still a race requiring banks to make continuous efforts to innovate and keep pace with the capabilities of modern cybercriminals.
This requires a change in mindset from the banking businesses of old to one more akin to tech giants such as Apple, Alphabet and Amazon. “You don’t build something then push it out for three years,” said Dooijes. “You need to test, check and validate. It’s very different from what these large corporates used to do.”
Spanish bank BBVA is often pointed to as one of the leaders in this space, and Dooijes highlighted the firm’s CEO Carlos Torres as key in putting the bank out ahead in its approach to digital transformation. “He has a tech and consultancy background, the bank is very open API driven. In every speech he makes, he talks tech and realises they’re a tech company that does financial services,” Dooijes said.
He also positively pointed to fellow Dutch company ING, commenting: “They’re working together in these small, multi-disciplinary and agile teams. Those are fundamental transitions in these institutions. Banks that stick with the old hierarchy will be in trouble but there are still plenty of banks that are changing their organisations.”
The role of startups in driving security innovation
Just as in other, often more consumer-facing verticals, banks are looking to work with FinTech startups in order to learn from them as the narrative in the industry shifts from competition between banks and startups to cooperation. “We all know banks lacked in addressing the new market needs and slow to adopt but that was four years ago,” explained Dooijes. “You had a lot of startups in the FinTech scene saying they’d disrupt all the banks. Did that happen? Not really. We now see startups in FinTech 2.0 aiming for a collaborative model, and so are banks.”
Startup engagement, whether it’s through corporate accelerators, investments or other means, is now a key part of many financial institution’s R&D strategies – and Dooijes highlights the executive-level interest now being shown in engaging with startups. “Global heads of security are taking time out just to interact with startups, that’s a huge change from four years ago,” he commented. “But now they feel it’s important to listen to startups and what they’re working on. It’s very important as a senior manager in the security space to tap into that.”
The idea of handling massive sets of crucially important data worth billions of dollars might sound worrying, but the more mature nature of the entrepreneurs tackling challenges in the security space makes them reliable partners. “These startups are not school kids that found something cool and want to start a company,” said Dooijes. “These are often very experienced people from the industry who are frustrated with clearly recognised problems and are looking for solutions to those problems. They understand the industry and are seasoned entrepreneurs who have experienced cybercrime attacks, learned the hard way and have stepped up to build the technology.”
Opportunity for acquisitions
This increased engagement between deep-pocketed corporates and investor-backed startups creates a fertile ground for potential exits, and Dooijes predicts a spree of acquisitions in the space as investment flows into the pace. “This is a very promising space,” he said. “I’ve seen companies come into the programme and three months later have four or five million in funding – mostly from the US. We’ve already seen a massive influx of venture capital investment into FinTech but now cybersecurity is growing fast.”
In addition to the core technology that can help keep financial institutions on the front foot in the race against cybercrime, acquisitions also offer the potential to bring in new talent and help banks to create a culture of innovation. Creating an environment in which the most talented people want to work in, however, can be challenging for century-old institutions and Dooijes suggested: “The talent management side is an issue. Do these people actually want to work for a bank? What do you do about the culture once you buy a company and want to integrate it? Isn’t a better to create a pool of fast and flexible speedboats next to the corporate “oil tanker”?”
The constant need to react to new trends
Dooijes highlights three main areas of importance in cybersecurity at present as: access and identity, protection against infiltration and the deflection of threats, and the detection and management of attacks once they’re in a company’s system. The nature of innovation, however, means that as banking and consumer demands change so to must security. Dooijes pointed to the Internet of Things as a crucial trend corporates need to be ready for. “Everyone and everything will be connected,” he said. “Banks will have to provide new services related to the internet of everything. It’s not only about fraud detection and keeping the bad things out. That’s the constant fight, but it’s also how do you deal with everything being more connected. The consumer side of the bank is constantly innovating, because customer behaviour is changing and security teams must also have answers.”
Alongside these consumer trends creating a need for banks to adapt their security capabilities, new regulation is also forcing them to keep pace -primarily PSD2. Dooijes emphasised that the payments service directive will “open loads of opportunities” but adds “there’s going to be a lot of cyber criminals that now have an opportunity to get hold of ones’ data.”
This will create new avenues for startups in the customer data space and ultimately move banks away from their legacy core systems some of which are more than a quarter of a century old. This, Dooijes believes, will be beneficial to the end user and safer. He said: “With flexible API layers you don’t need a core, you just integrate with the best upgrades out there. It’s more secure and its better.”