Digital / Online Payment Systems Risk

This blog was authored by my colleague Sundeep Bablani, IT & Cybersecurity Director

There are several payment systems available today to enhance the ease and convenience of making financial transactions. Payment systems continue to be developed and offered by both financial and non-financial institutions, requiring just a few clicks to authenticate the user and transmit funds. The users of these newly introduced applications depend on the respective vendors to ensure that all required controls have been implemented to protect data at rest as well as in transit. Regulatory bodies have also addressed these risks through additional compliance requirements, and established frameworks continue to raise industry standards to further guide organizations in reducing risk to an acceptable level.

The use of these applications has increased overall risk, which in turn has increased the need for data encryption and authentication mechanisms that are in line with industry best practices. The responsibilities of the application user are outlined in lengthy terms and conditions that are acknowledged but not always adhered to, particularly the obligation to ensure that user credentials have not been compromised. Security awareness also continues to be a challenge for both customers and the financial institutions' own users.

Financial institutions are responsible for ensuring that all threats have been taken into consideration during the planning and deployment stages of the payment systems. However, new threats are constantly being introduced into the environment, taking advantage of potential gaps. It is the responsibility of financial institutions to continually re-evaluate the threat environment in light of known threats. Fraudulent transactions have always been a risk, but added logging and monitoring controls give management the ability to add a further layer of security. In addition, multifactor authentication has become a requirement to comply with cyber-liability insurance requirements.

Vendors offering these products are required to provide additional documentation as part of the organization's due diligence efforts, to demonstrate that their IT environment has been evaluated and is regularly tested against identified vulnerabilities. Additional collaboration is recommended to ensure that all users of these systems have the required checks and balances in place, not only to identify significant events but also to develop an incident response plan for handling them. It is critical that institutions implementing or adopting payment system products understand how data flows through and integrates with existing systems. Any flaws identified as part of this review should be addressed through mitigating controls. The tug of war over responsibility has been a driving factor in introducing these controls, as the various institutions, being the ultimate users of these applications, take on the reputation risk. Payment systems are both an asset and a liability to the organization, which creates additional challenges.

Payment systems continue to introduce conveniences for both retail and commercial clients of the respective financial institutions, so the impact of a lack of controls could be significant. The risk consequently falls on all parties involved and requires additional collaboration to protect against cyber threats. Management has to introduce creative ways to continuously educate application users beyond the initial training and acknowledgement of terms and conditions. Existing security layers require constant enhancement to meet industry regulatory standards and best practices, all in an effort to make it difficult for attackers to take advantage of security gaps. As a result, organizations have to make an intentional effort to evaluate operational, security, credit, and reputation risk as decisions are made to implement these services.

How can CLA help?

If your financial institution has not performed procedures to address these risks, we can help you. Our team of experienced professionals can assess cybersecurity programs and help in various other capacities.

  • 410-308-8153

Brittany has more than twelve years of experience specializing in providing audit and accounting services to financial institutions. In addition to planning, managing, and performing financial statement audits for institutions ranging in total assets from $10 million to $50 billion, she has performed engagements designed to test the adequacy of loan documentation and reserves, adherence to internal control policies, outsourced internal audit, and consulting engagements for various compliance requirements.