
How security professionals can approach risks to the financial team

By Barbara Cousins
August 19, 2021

While the acceleration of digital adoption across global organizations has greatly improved operational efficiency, one of the unintended consequences has been the vulnerability to cyber risks. CISOs and CSOs are no longer the only organizational roles worrying about hacks, breaches and other cyber concerns - now, we are seeing these worries trickle down to other disciplines.

Finance teams in particular are increasingly worried about cyber issues, given the significant responsibility they have to secure and protect funds both inside and outside of their organizations. In a recent independent survey commissioned by Flywire of 300 CFOs, VPs of Finance, Controllers and other executive-level finance professionals, respondents indicated they were just as worried about cybersecurity issues as they were with accounting issues. In the survey, 90% of respondents cited fraud, 88% cited concerns about being hacked, and 85% mentioned money laundering as their biggest cybersecurity concerns.

There is more data supporting those trends. In a January 2021 research report published by PYMNTS.com, U.S. tech companies doing business internationally reported challenges with payment fraud and the ability to manage inbound international payments. Other industries report similar challenges.

As a security expert who has worked in financial services for most of my career, and closely with finance teams, I have had the opportunity to help address some of the unique security risks that emerge with teams who are responsible for accounting, payments, audit, and everything in between.

Below you will find some of the key lessons I have learned throughout my career, which can prove helpful as you bolster the security throughout your finance teams:

Assess the risk: How can someone steal money from us?

This is the first question I always ask the finance team. What are all the possibilities? This is not the only security concern facing the finance organization, but it should be your starting point in any security conversation. From there, each organization’s needs will be a little different, and require different tactics, but there are four best practices we can all consider with our finance teams.

  1. Segregate duties for money in and out

Any process that involves money coming in or going out of the organization should always have multiple people involved. This acts as a check and balance against any bad actors inside the organization. Steps should also be taken to provide oversight for two or more people who could scheme together. Of course, this all needs to be done without slowing the business down. The more this can be automated to flag irregular activity and create more real-time visibility, the better your chances of preventing problems.

  2. Ensure compliance for managing client funds and data

Different industries have different compliance requirements for managing client funds and data. These are just a few:

  • Know Your Customer (KYC) – laws to prevent money laundering. This is a common challenge with international payments. The compliance team likely oversees this but there are software tools you can apply in your finance system to flag suspicious payments. Any payment vendor you use should also have this capability.

Utilize External Auditors to test controls:

  • Service Organization Control (SOC) 1 - Assesses a company's internal control over financial reporting. By its very definition, as mandated by SSAE 18, SOC 1 is the audit of a company's accounting and financial controls. It is the metric of how well a company manages its books of accounts.
  • Service Organization Control (SOC) II Type 2 - A review of an organization’s internal controls to ensure data remains secure and confidential. An external auditor also evaluates the cyber security program to confirm the program has implemented both preventive and detective controls to avoid unauthorized access and disclosure of information. This review is great to assess your internal controls, but is equally important to determine who has a SOC II (your provider or their vendors) and what is covered in their SOC audit (security, availability, confidentiality, processing integrity, and privacy).
  • The Payment Card Industry Data Security Standard (PCI DSS) – A set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. This ensures a vendor’s systems are secure and helps prevent payment card fraud. There are four levels of PCI compliance depending on the number of transactions processed annually, and the scope of the audit varies by level - the lower the level, the more detailed the evaluation. Level 1 compliance is the highest standard, and with this in place, you can be sure your customers’ sensitive payment card information is safeguarded.
  • Privacy Standards - From General Data Protection Regulation (GDPR) to Personal Information Protection & Electronic Data Act (PIPEDA), data privacy regulations can be complex, and they vary worldwide. Check to see if your payment providers have a Privacy Officer dedicated to maintaining privacy standards and find out how they stay on top of these regulations. Failure to comply may put you and your customers at risk and can prove very costly, especially if you are doing business internationally.

  3. Eliminate indirect refunds

A lot of financial fraud can be prevented by adherence to the standards outlined above, but one problem area is the issue of refunds. Bad actors that get access to someone’s payment information often make large purchases and then request refunds to a different account. Refunds should always be made directly to the account from which the payment was made. International payments can sometimes make that difficult because they often involve intermediary banks. Be sure to work with a payment provider that can take responsibility for delivering refunds back to the original payment account. It can be a very difficult and manual process for finance teams to do on their own.

  4. Consider Insurance

The cost of a data breach, non-compliance or fraud today can be staggering – both in real dollars and in damage to a company’s brand reputation. Whether it’s a denial of service, data leakage or unauthorized access to customer information, the risks are very high. Cybersecurity insurance can provide protection just in case. And the cost will be based on the strength of your security profile, so you have some control over it.

Of course, risk can come from anywhere - not just in the process of sending and receiving money. Equally important to the points listed above are establishing best practices that can shore up security across your entire organization. Some of the key processes I recommend include:

  • Hiring an experienced risk and information security team
  • Establishing internal controls and consistently reviewing them
  • Putting in place comprehensive vendor review processes
  • Regularly conducting breach and attack simulation exercises
  • Yearly penetration testing
  • Employee security awareness training

Finally, it is important to continue to evolve your tools, systems and practices to keep pace with the rapid innovation we’re seeing from bad actors. Establishing the right habits up front and educating your teams can help organizations stay ahead when it comes to risk management.


Barbara Cousins is Chief Information Security Officer (CISO) at Flywire.
