Evaluating Cybersecurity in FinTech Investments

Cybersecurity and data protection are a priority when evaluating FinTech companies because of the sensitivity of the data they handle. This report covers the current state of cybersecurity and data protection in Africa and the primary questions we recommend asking when evaluating FinTech investments in Africa.

 

Current State of Cybersecurity in Africa

 

According to Nigeria’s TechCabal research company, Africa is losing $4 billion annually to cybercrime. Many of these losses are related to preventable employee mistakes, such as responding to phishing attacks. For this reason, cybersecurity and data protection are critical to ensuring an easy and smooth flow of business for FinTech companies.

 

Advancements in FinTech have closed the digital gap between Africa and the rest of the world. Africa’s connection to the rest of the finance world has made it more important for Africa to adopt data protection and privacy laws on par with or better than those in the rest of the world. And Africa has responded: law firm Mayer Brown reports that 33 out of 54 countries in Africa have data protection laws, and we anticipate the rest will follow within the decade.

 

Although Africa has seen significant advancements in its data protection laws, we encourage FinTech founders not to rely only on new local regulatory requirements to secure their data, but also to follow industry standards, seek industry certifications in cybersecurity, and learn from the mistakes of other companies in this space. Doing so can encourage customer and investor trust, which is paramount for early-stage companies.

 

Due Diligence:

 

In doing your due diligence, we recommend the following minimum questions to evaluate the reliability of a target or portfolio company’s cybersecurity profile:

  1. Investment: Does the company have a dedicated compliance officer and policies and procedures for cybersecurity?

  2. Experience: Has the company experienced a security incident in the previous 5 – 10 years and, if so, has it been resolved?

  3. Standards: Does the company observe PCI DSS and industry requirements?

  4. Technology: Does the company employ ISO/IEC 27001 and other technical protections for its use of data?

  5. Protection: Does the company have cybersecurity insurance?

Authors: Sunga Mkwezalamba, Imaaculate Odwera

REF:

FinTech Data Protection and Privacy: Principles for Digital Threats (crosscountry-consulting.com)

https://www.bakermckenzie.com/en/insight/publications/guides/africa-data-security-and-privacy-guide

https://techcabal.com/2022/05/06/africa-cybercrime-cyber-africa-forum/

https://www.mayerbrown.com/en/perspectives-events/publications/2022/08/africas-innovation-july-developments-signal-attention-must-be-paid-to-data-privacy-developments-in-africa#:~:text=In%20addition%20to%20the%20above,data%20and%20cross%2Dborder%20transfer
