Cyber defense in payments – how to cut “the cost of doing business”

The following post is written by Gisselle Micheo, Vice President – Business Solutions Group Americas for BAE Systems Applied Intelligence.

Counterfeiting, check-kiting, credit card fraud, bank robberies – they all seem so quaint compared to the increasing cyber-threats to today’s online and mobile payments systems.

Online payments have revolutionized the world of commerce, retailing and banking, with tremendous economic benefits to all stakeholders. But merchants and bankers, who have long factored fraud into the “cost of doing business,” are increasingly facing new threats in this fast-changing online payments world.

Risks come not just from sophisticated cyber criminals but from regulators, who are stepping up enforcement of banking compliance requirements in the areas of cyber security, BSA/AML requirements and fraud risk management. Mobile banking providers, for instance, have regulatory responsibilities that include adherence to guidelines for strong authentication and provisioning.

Weak controls invite nefarious activities such as cyber-attacks, money laundering and fraud or, worse, the funding of terrorist activities. Data breaches can be very costly – not only monetarily but in terms of corporate and individual reputational damage.

Many new entrants in the payments business have had great ideas with obvious economic benefits. The gap lies in true due diligence as it relates to understanding the payment rules, risk factors, regulation and threat vectors. Big established companies can afford high-level risk officers and compliance staff, but are they organized internally to execute an effective end-to-end cyber defense plan?

In contrast, startups and smaller companies may be technically savvy about cyber defense but may lack the financial backing to stay up to speed with the security and defense landscape. Thus, it’s important for every payment provider to understand that cyber defense is an essential part of doing business in today’s world. Each financial institution has its own characteristics to consider while building its defense programs.

There is no one-size-fits-all approach to a strong defense program, but there is guidance that can be applied. It is increasingly important for every organization to have a validation program for its people, processes and systems – with a heavy emphasis on efficiency and effectiveness – to ensure cyber defense and regulatory compliance.

Compliance with regulations must never be seen as a burden. Regulations and regulatory enforcement are critical to sound economies, infrastructure, and quality of life globally. Adhering to strict principles and guidance helps keep the proceeds of ill-gotten gains from making their way into the hands of individuals and organizations whose only purpose is crime, corruption, and self-gain.

Managing to regulatory standards takes effort. It takes money and investment, which is the cost of doing business. It can be seen as the entry and ongoing maintenance fee. It is table stakes, and is not an option.

The choice of technologies and services deployed must come from sound thought and selection criteria as “defense” is a journey and there should be no shortcuts. Only the standards established and enforced can dictate success.

A primary best practice is to revisit risk and governance programs more frequently. Understanding tolerance levels across the organization is also critical. If an institution understands business impact, it is able to optimize its programs by becoming more effective and efficient.

Ensuring that defense programs are demonstrable and interpretable is also key, both internally and from a regulator’s standpoint. Being agile in your approach is increasingly important as well, given the changing environment.

This includes cyber security, threat intelligence programs, AML and fraud programs. Knowing the intersections across all of the defense programs is a must. For instance, some companies conduct annual reviews; some do it semi-annually or quarterly.

But are the results an unbiased opinion? Switching up the review process with outside vendors can provide a new set of eyes, and this in and of itself provides many benefits.

Let’s put this into practice. An average data breach can take up to six months; if an organization conducts two annual reviews on a staggered basis, two outside vendors can mathematically cut its residual risk of data breaches in half.

The financial industry as a whole has a vested interest in promoting best cyber defense practices in the payments system. Sharing ideas on effective defense programs as the industry continues to evolve will benefit all who want to mitigate all forms of risk and stay in business.

Gisselle Micheo joined BAE Systems in 2015 as the vice president of the Business Solutions Group (BSG) for the Americas. With more than 20 years of experience in the financial and technology sectors, Gisselle plays a key role in the development of industry thought leadership efforts in the areas of financial crime, cyber crime, managed security services and managed application services.