Why Fintechs Should Shrink Their Attack Surface—Not Just Get Certified

Security certifications like SOC 2 & PCI DSS aren’t enough to prevent breaches. Fintechs must shrink their attack surface by self-hosting tools. Learn how GrowthBook’s secure, self-hosted solutions protect sensitive customer data.


TL;DR

When I got an email from my bank saying “nothing to worry about,” my gut told me otherwise.

The message referenced a data breach at Evolve Bank & Trust—one of the infrastructure providers behind fintech platforms like Mercury, Affirm, and Wise. The attackers reportedly accessed 33 terabytes of data—a staggering amount, possibly encompassing most of Evolve’s Azure Cloud storage.

What’s unsettling is that Evolve wasn’t negligent by traditional standards. They held all the right security certifications: SOC 2 Type II, HIPAA, HITRUST CSF, PCI DSS. And yet, their defenses were breached.

We don’t yet know exactly how—but this much is clear:
Compliance alone doesn’t keep customer data safe.

What Does Keep Data Safe? A Smaller Attack Surface.

Security professionals often talk about “attack surface”—the set of points at which a system can be reached, accessed, or exploited by an attacker. The more entry points, the greater the risk.

In fintech, where trust and regulation are paramount, minimizing your attack surface is non-negotiable.

In 2022, the financial sector suffered 566 data breaches, exposing over 254 million records.

SaaS tools that run in the public cloud often expand your attack surface—regardless of their certifications. This is especially dangerous in highly regulated industries like banking, healthcare, and insurance.

Why Self-Hosting Is the Best Way to Reduce Risk

The safest data is data that is never exposed to the internet. When you self-host, you keep tools and infrastructure inside your private network or behind your firewall, so a compromise of a vendor’s shared cloud does not reach your data. That reduction in risk holds only as long as the self-hosted deployment itself stays off the public internet and is patched and monitored like the rest of your infrastructure.

Self-hosting doesn’t have to slow you down. Most modern platforms, including GrowthBook, offer full-featured self-hostable versions of their services. You get the innovation you need without opening new doors for attackers.

GrowthBook provides:

The Bottom Line

If you work in fintech, healthtech, or any industry handling sensitive data, it’s time to move beyond compliance checkboxes.

Self-hosting your experimentation stack is one of the most effective ways to keep your customers safe while still shipping fast.

Learn more about GrowthBook’s self-hosted solutions for secure A/B testing and feature flagging.

Learn more about how GrowthBook supports self-hosting for enterprise-grade security.

Want to give GrowthBook a try?

In under two minutes, GrowthBook can be set up and ready for feature flagging and A/B testing, whether you use our cloud or self-host.