
Technology Due Diligence Process and Cyber Risks for Fintech Start-ups

Forward Security Inc. | Farshad Abasi | Nov 17, 2021


Picture this. You are the CEO of a large financial services company and are looking to acquire a smaller fintech company to expand your business. Everything within the company’s infrastructure looks normal.

It turns out the company's technology and security were never thoroughly tested, and after the acquisition you inherit a major security breach along with it, costing you millions of dollars. Believe it or not, this is exactly what happened to PayPal when it acquired TIO Networks, and they are not alone.

PayPal's example shows why thorough technology due diligence must be part of the acquisition process.

What Does the Due Diligence Process Entail?

To gauge what the due diligence process entails, let’s consider the example of a VC or a CEO of a fintech company who is interested in preparing their company for acquisition. After taking the first step to hire an investment banker to show the company to investors, there are three main stages of the Due Diligence Process. The first round of bids includes a high-level company evaluation, addressing the condition of the business, financials, and management team. A handful of bids progress to the second round of bids, which takes a deeper dive into the business. The interested party then submits a Letter of Intent (LOI) to indicate interest in acquiring the company.


At the LOI stage, things could go awry if issues are found while evaluating the health of a company during the due diligence process (including legal diligence, accounting diligence, customer diligence, and technology/cybersecurity due diligence). After the LOI stage, if the investor is still interested in the company, the deal moves to the closing stage.

Why is Security Important in the Due Diligence Process?

In any investment, buyers want a company without hidden problems, because those problems could cost them millions in the future.

A buyer's priority is to minimize risk and to address sustainability and scalability by assessing three aspects of the company: people, process, and technology. Risks surrounding people could involve code development practices and how knowledge is distributed across the team; risks around process typically concern sustainability and scalability; and risks surrounding technology often involve security issues and the documentation of open-source code in use. If you think your company will need to go through the due diligence process in the next 6-12 months, it's crucial to be thorough with documentation covering all aspects of due diligence.


To show that a company doesn't have issues, it's important to have the right documentation, to engage security from the beginning of the development process, and to have both ready for the due diligence process. Engaging security from the start leads to strong foundations in governance and policy as well as in the applications themselves. Consistent and diligent documentation from the start also strengthens the credibility of the company's security posture.

On the technology and security side of due diligence, performing a risk assessment shows buyers that a company is truly worth the investment. It's also crucial to know where your security issues lie by having a third party review the code for weaknesses. A risk assessment weighs business impact and the likelihood of a breach, which makes it more valuable to a buyer than a bare list of security gaps or vulnerabilities. If any security issues are found, have a plan of action ready for the investor, or show progress on remediating the issues that were found. Where open-source software is used, thorough documentation of what is used helps tell the company's story and keeps it from being put on the defensive.

Going forward, sellers should expect more scrutiny of the technology and security aspects of the company, so any preparation on this front is valuable. Buyers are also becoming more aware of which breaches have occurred and will ask sellers how they have prepared. Buyers need to be confident these breaches won't affect them, as they don't want to inherit liabilities.

What Are the Next Steps?

In short, add security early in the development process and document your controls to cover your bases. Apply security best practices while building your company and applications. Cutting corners may seem more efficient in the short run, but resist it, and get professionals to support you during the due diligence process. Spending money on a third-party assessment to find potential security weaknesses is worthwhile, as it could save millions in transaction value. Remember, investing in security early to ensure a strong security posture will save millions of dollars in the long term.


If you're looking to learn more about how to secure your company, including your products and infrastructure, check out the Security 4 Startups (S4S) framework. S4S was designed by a group of investors and CISOs from small, mid-size, and large corporations to help startups combat their biggest security risks in a balanced manner. If you're looking for an in-depth security consultation, Forward Security and RiskAware are always here to help, so get in touch:

Authored by:

Farshad Abasi, Founder, Chief Security Officer at Forward Security Inc.


At Forward Security we are all about doing application, cloud, and information security better. Our team tackles security using a systematic approach, leveraging standards-based and repeatable processes. We are incredibly passionate about delivering the best security solutions, and are driven to help our clients achieve the highest level of security to enable business growth.

Michael Castro, Founder, Risk Executive at RiskAware


RiskAware was incorporated in 2018 to help organizations fill the gap with part-time or fractional CISO and executive leadership services. We serve organizations of all sizes and specialize in small and mid-size businesses (SMBs) in all verticals, including not-for-profits and startups.


This article is featured in NCFA's digital magazine, Fintech Confidential (Issue 4, Oct 2021), which covers the latest thought leadership, insights and trends about fintech in Canada.
