How security professionals can approach risks to the financial team

While the acceleration of digital adoption across global organizations has greatly improved operational efficiency, one of the unintended consequences has been the vulnerability to cyber risks. CISOs and CSOs are no longer the only organizational roles worrying about hacks, breaches and other cyber concerns - now, we are seeing these worries trickle down to other disciplines.

Finance teams in particular are increasingly worried about cyber issues, given the significant responsibility they have to secure and protect funds both inside and outside of their organizations. In a recent independent survey commissioned by Flywire of 300 CFOs, VPs of Finance, Controllers and other executive-level finance professionals, respondents indicated they were just as worried about cybersecurity issues as they were with accounting issues. In the survey, 90% of respondents cited fraud, 88% cited concerns about being hacked, and 85% mentioned money laundering as their biggest cybersecurity concerns.

There is more data supporting those trends. In a January 2021 research report published by PYMNTS.com, U.S. tech companies doing business internationally reported challenges with payment fraud and the ability to manage inbound international payments. Other industries report similar challenges.

As a security expert who has worked in financial services for most of my career, and closely with finance teams, I have had the opportunity to help address some of the unique security risks that emerge with teams who are responsible for accounting, payments, audit, and everything in between.

Below you will find some of the key lessons I have learned throughout my career, which can prove helpful as you bolster the security throughout your finance teams:

Assess the risk: How can someone steal money from us?

This is the first question I always ask the finance team. What are all the possibilities? This is not the only security concern facing the finance organization, but it should be your starting point in any security conversation. From there, each organization’s needs will be a little different, and require different tactics, but there are four best practices we can all consider with our finance teams.

Segregate duties for money in and out

Any process that involves money coming in or going out of the organization should always have multiple people involved. This acts as a check and balance for any bad actors inside the organization. Steps should also be taken to provide oversight for two or more people that could scheme together. Of course, this all needs to be done without slowing the business down. The more this can be automated to flag irregular activity and create more real-time visibility, the better your chances of preventing problems.

Ensure compliance for managing client funds and data

Different industries have different compliance requirements for managing client funds and data. These are just a few:

Know Your Customer (KYC) – laws to prevent money laundering. This is a common challenge with international payments. The compliance team likely oversees this but there are software tools you can apply in your finance system to flag suspicious payments. Any payment vendor you use should also have this capability.

Utilize External Auditors to test controls:

Service Organization Control (SOC) 1 - Assess a company's internal control over financial reporting. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a company's accounting and financial controls. It is the metric of how well a company manages their books of accounts.
Service Organization Control (SOC) II Type 2 - A review of an organization’s internal controls to ensure data remains secure and confidential. An external auditor also evaluates the cyber security program to confirm the program has implemented both preventive and detective controls to avoid unauthorized access and disclosure of information. This review is great to assess your internal controls, but is equally important to determine who has a SOC II (your provider or their vendors) and what is covered in their SOC audit (security, availability, confidentiality, processing integrity, and privacy).
The Payment Card Industry Data Security Standard (PCI DSS) – A set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. This ensures a vendor’s systems are secure and helps prevent payment card fraud. There are four levels of PCI compliance depending on the number of transactions processed annually, and the scope of the audit varies by level - the lower the level, the more detailed the evaluation. Level 1 compliance is the highest standard, and with this in place, you can be sure your customers’ sensitive payment card information is safeguarded.
Privacy Standards - From General Data Protection Regulation (GDPR) to Personal Information Protection & Electronic Data Act (PIPEDA), data privacy regulations can be complex, and they vary worldwide. Check to see if your payment providers have a Privacy Officer dedicated to maintaining privacy standards and find out how they stay on top of these regulations. Failure to comply may put you and your customers at risk and can prove very costly, especially if you are doing business internationally.

Eliminate indirect refunds

A lot of financial fraud can be prevented by adherence to the standards outlined above, but one problem area is the issue of refunds. Bad actors that get access to someone’s payment information often make large purchases and then request refunds to a different account. Refunds should always be made directly to the account from which the payment was made. International payments can sometimes make that difficult because they often involve intermediary banks. Be sure to work with a payment provider that can take responsibility for delivering refunds back to the original payment account. It can be a very difficult and manual process for finance teams to do on their own.

Consider Insurance

The cost of a data breach, non-compliance or fraud today can be staggering – both in real dollars and in damage to a company’s brand reputation. Whether it’s a denial of service, data leakage or unauthorized access to customer information, the risks are very high. Cybersecurity insurance can provide protection just in case. And the cost will be based on the strength of your security profile, so you have some control over it.

Of course, risk can come from anywhere - not just in the process of sending and receiving money. Equally important to the points listed above are establishing best practices that can shore up security across your entire organization. Some of the key processes I recommend include:

Hiring an experience risk and information security team
Establishing internal controls and consistently reviewing them
Putting in place comprehensive vendor review processes
Regularly conducting breach and attack simulation exercises
Yearly penetration testing
Employee security awareness training

Finally, it is important to continue to evolve your tools, systems and practices to keep pace with the rapid innovation we’re seeing from bad actors. Establishing the right habits up front and educating your teams can help organizations stay ahead when it comes to risk management.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?