Payment Systems & Cybersecurity

  • Financial services
  • 2/11/2022

This blog was authored by my colleague David Fanson, CISA, Manager, IT Consulting & Cybersecurity, Financial Institutions.

In an effort to push more capabilities and flexibility to members and customers, financial institutions have embraced automated payment platforms such as FedLine and SWIFT. These services make it easy to exchange funds between individuals and businesses across the country and across borders. Naturally, with the expanded use of these technologies, the cybersecurity risks that correspond to them increase as well. The risks not only threaten the institutions that use these services, they threaten the organizations that provide them.

In the cases of FedLine and SWIFT, user institutions have always been expected to have strong information technology and cybersecurity controls in place to guard their implementations. Until recently, institutions were on the honor system. With the threat of cybercrime targeting payment systems on the rise, the honor system is no longer sufficient. Beginning in 2021, financial institutions that use FedLine and SWIFT were required to annually attest to their compliance with these IT security control requirements.

Long-time users of these systems scrambled to get assessments performed and attestations submitted on time, which for these platforms meant by December 31, 2021. Some were able to perform self-assessments, while others had to hire independent third parties to perform the assessments for them. The control expectations include the usual domains of user authorization and authentication, network security, data encryption, contingency planning, incident response, etc. However, there is a twist.

In early 2021, financial institutions began inquiring if we could perform the IT controls assessments for them in support of their attestation requirements. And, since they all have general computing control reviews performed already, they asked if those reviews could be relied upon to cover the payment system assessment.

Upon careful inspection of the required controls, we noted many of the required IT controls must be applied directly to the payment system implementation, and not just applied to the general IT environment. Examples include:

  1. Specific system hardening standards must be in place on PCs and servers that support the payment systems.
  2. Business continuity and disaster recovery plans must cover the payment systems and include them in testing procedures.
  3. Specific authentication controls, including complex passwords and multi-factor authentication, must be in place on the specific infrastructure supporting the payment system implementation.

The control requirements also include specific operational procedures around physical security, documentation management, training, and personnel administration that may not be covered in a typical general control review. Since the typical general controls review does not scope in payment system implementations, some of these required controls would not be reviewed.

As we look back on the FedLine and SWIFT assessments we have performed over the last year, we have noted a few themes.

  1. Many of the basic technical controls, such as firewalls, data encryption, strong password controls, etc., are built into our clients’ IT security programs.
  2. Business Continuity plans didn’t always include the payment system in the testing scenarios.
  3. Incident response plans didn’t cover the payment systems at all.
  4. While MFA was typically in place for remote users, it wasn’t always in place internally at the PC level for payment system users.
  5. Security awareness training didn’t always specifically cover the payment system implementations.

As you are planning your assessment activities in the coming year, be aware that your IT security program may not cover your payment system infrastructure and operational procedures by default. It’s worth taking a closer look at the policies, procedures, standards, and controls that support your cybersecurity program to ensure they cover your FedLine or SWIFT implementation. It’s also a good idea to have an experienced team perform the assessment.

As the cyber threats against financial systems continue to grow, we would not be surprised if more providers of transaction platforms begin requiring their users to attest to compliance with internal security controls, to not only protect the institutional users, but to protect the platform provider. This is where a thorough information security risk assessment can be useful and more focused control assessments can help you prepare for changing requirements from providers. 

How Can CLA Help

If you believe your financial institution may use such systems, we are here to help you determine what requirements you are subject to and how we can help. Our team of experienced professionals can assess cybersecurity programs and help in various other capacities.

This blog contains general information and does not constitute the rendering of legal, accounting, investment, tax, or other professional services. Consult with your advisors regarding the applicability of this content to your specific circumstances.
