The heightened threat of cyber attacks is fueling payment losses — how should your business respond? April 2018

How has the payment landscape changed?

Why is the risk of a cyber attack — and the associated losses — on payments greater than ever before?

Losses from cyber attacks on payment systems, both financial and reputational, are growing more costly, occurring more frequently and drawing more scrutiny from customers, regulators, investors and the media.

Share prices of impacted companies dropped an average of 5% after a cyber event was disclosed, and over 30% of customers impacted by a breach ended their relationship with the organization; a weak security posture is no longer acceptable.¹

Cyber attacks are more sophisticated and now target the entire payments life cycle. Silos that exist between lines of business, payment operations (across payment types, business functions and geographies), cybersecurity, risk, compliance, technology, treasury and business continuity hamper the closely coordinated response needed to prevent, detect and respond to attacks.

In response to the business risks from cyber attackers who seek to harm or disrupt the payments system, perpetrate fraud and/or gather intelligence, regulators, industry groups and payments utilities have issued enhanced cybersecurity standards. Issuers include the Federal Financial Institutions Examination Council (FFIEC), the National Institute of Standards and Technology (NIST), SWIFT (the Society for Worldwide Interbank Financial Telecommunication, through its Customer Security Programme), the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC).

Evolving requirements and the fast pace of technological change necessitate a coordinated, proactive industry response to identifying emerging risks. Industry initiatives, such as the Financial Systemic Analysis & Resilience Center (FSARC) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) Cyber-Attack Against Payment Systems (CAPS) exercises, have laid the groundwork for the coordination needed between firms in the payments space and for enhanced resilience within each firm.

What are the key takeaways?

• Rapid change in the payments space, including the emergence of Venmo, Apple Pay, blockchain payments and Zelle, as well as the ongoing development of real-time payments, has disrupted the model of traditional providers and forced them to offer new, innovative services, creating many new avenues for attackers

• Breaking down silos, starting with a robust operating model that includes governance, early-warning capability and escalation protocols, is key to preventing, detecting and responding to cyber attacks

• A holistic, end-to-end view of the payments system must be taken, considering key interactions, functional roles, data flows, business strategy, business logic and threat management

86%: Organizations that experienced a cyber incident in 2017²

$1.77b: Losses related to fraudulent SWIFT transactions at India's Punjab National Bank, reported in February 2018³

65%: Bank executives surveyed in 2017 who rated cybersecurity as their number one concern in payments (ahead of regulation or market evolution)⁶

726b: Volume of global digital payment transactions by 2020⁶

1 “After a data breach is disclosed, stock prices fall an average of 5%,” Help Net Security website, https://www.helpnetsecurity.com/2017/05/16/data-breach-stock-price/, accessed 18 April 2018.

2 “2017 AFP Payments Fraud and Control Survey Report of Survey Results,” J.P. Morgan website, https://commercial.jpmorganchase.com/jpmpdf/1320732417358.pdf, accessed 18 April 2018.

3 “INSIGHT-Billion dollar diamond fraud case puts India’s state banks in focus,” Reuters website, https://www.reuters.com/article/punjab-natl-bank-fraud/insight-billion-dollar-diamond-fraud-case-puts-indias-state-banks-in-focus-idUSL4N1Q807J, accessed 18 April 2018.

4 “Bangladesh Bank governor quits over $101mn theft from NY Fed account,” Nikkei Asian Review website, https://asia.nikkei.com/Politics-Economy/Policy-Politics/Bangladesh-Bank-governor-quits-over-101mn-theft-from-NY-Fed-account.

5 “Swiss fintech and financial services are partnering up,” Switzerland Global Enterprise website, https://www.s-ge.com/en/article/news/swiss-fintech-and-financial-services-are-partnering, accessed 18 April 2018.

6 “World Payments Report 2017,” World Payments Report website, https://www.worldpaymentsreport.com/, accessed 18 April 2018.

• Do you have an operating model and functional roles defined across the payments process and support functions?

• Do you have an up-to-date, robust and well-understood policies and procedures framework?

• Is the payment technology ecosystem security tested via attack/penetration testing or red teaming?

• Do you have end-to-end payment system fraud monitoring and cyber event logging and monitoring?

• Have you considered using a fusion center to support fraud and cyber event monitoring?

• Do you have sufficient fraud, cybersecurity and risk capability to appropriately monitor and investigate issues?

• Have you mapped end-to-end data flows?

• Have you considered cross-system, cross-subprocess functional role segregation of duties?

• Are intra- and intersystem layer controls (e.g., interface, application, operating system, database) tested?

What does your organization need to consider across the payments life cycle?

A firm grasp of the payments life cycle, including points of failure, areas prone to attack, and key payment risks and controls, is critical to preventing a cyber attack or, when an attack is detected, to identifying impacts and contact points across business, technology, operations, cybersecurity, resiliency and risk.

The payments life cycle: 1) Onboarding 2) Origination 3) Validation 4) Processing 5) Clearing/settlement 6) Confirmation

• Is there a cyber incident response plan in place that covers cyber attacks on the payments system?

• Have you completed an end-to-end risk and resiliency assessment?

• Have you performed an exercise to test your resiliency plans and procedures?

• Are anti-money laundering/know-your-customer controls embedded consistently across channels and payment types?

• Is there a framework to define, categorize and risk assess payment types?

• Is there a defined payments strategy that covers cyber?

• To what extent is validation automated?

• Has a risk assessment been performed to identify the validation necessary for different payment types?

• How secure is the business logic used to process payments?

• How frequently is this business logic revalidated and/or modified?

• Have you considered how upstream controls impact compensating clearing/settlement controls?

• When do you consider a payment to be “complete” and no longer a risk?
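As an added worked example (not EY's code and not part of the original brochure), the following Python sketches what an automated validation stage with cross-role segregation of duties and an event feed for fraud monitoring can look like: each instruction is checked for maker/checker separation, unknown beneficiaries, cumulative daily limits, out-of-hours origination and per-user velocity, and every finding is emitted as a structured event that a fusion center or fraud team can consume. The accounts, users, limits, business hours and instruction data are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Instruction:
    """One payment instruction as it leaves origination (constructed schema)."""
    ref: str
    maker: str               # user who keyed the instruction
    checker: str             # user who approved its release
    debit_account: str
    beneficiary: str         # beneficiary account identifier
    amount: float
    currency: str
    created: datetime


@dataclass
class Decision:
    ref: str
    status: str              # RELEASE, HOLD or REJECT
    findings: List[str] = field(default_factory=list)


# Hypothetical reference data standing in for the bank's own master data.
KNOWN_BENEFICIARIES: Dict[str, Set[str]] = {"ACC-001": {"BENE-100", "BENE-101"}}
DAILY_LIMIT: Dict[str, float] = {"ACC-001": 5_000_000.0}
BUSINESS_HOURS = (8, 18)          # local hours in which release is routine
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX = 3                  # releases per maker per window before we flag

# Findings that stop a payment outright; any other finding parks it for review.
REJECT_RULES = {"UNKNOWN_DEBIT_ACCOUNT", "SOD_VIOLATION", "DAILY_LIMIT_EXCEEDED"}


def validate(instr: Instruction, released: List[Instruction]) -> Decision:
    """Run the automated validation rules for one instruction against the
    instructions already released, and classify the outcome."""
    findings: List[str] = []
    if instr.debit_account not in DAILY_LIMIT:
        findings.append("UNKNOWN_DEBIT_ACCOUNT")
    # Segregation of duties: the maker may never be the checker.
    if instr.maker == instr.checker:
        findings.append("SOD_VIOLATION")
    # Beneficiary never paid from this account before.
    if instr.beneficiary not in KNOWN_BENEFICIARIES.get(instr.debit_account, set()):
        findings.append("NEW_BENEFICIARY")
    # Cumulative limit over the trailing 24 hours, counting only what was released.
    since = instr.created - timedelta(hours=24)
    sent = sum(r.amount for r in released
               if r.debit_account == instr.debit_account and r.created >= since)
    if sent + instr.amount > DAILY_LIMIT.get(instr.debit_account, 0.0):
        findings.append("DAILY_LIMIT_EXCEEDED")
    # Instructions keyed outside business hours are held for a human look.
    if not BUSINESS_HOURS[0] <= instr.created.hour < BUSINESS_HOURS[1]:
        findings.append("OUT_OF_HOURS")
    # Velocity: many releases by one maker in a short window.
    recent = [r for r in released
              if r.maker == instr.maker and instr.created - r.created <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        findings.append("HIGH_VELOCITY")

    if any(f in REJECT_RULES for f in findings):
        status = "REJECT"
    elif findings:
        status = "HOLD"
    else:
        status = "RELEASE"
    return Decision(instr.ref, status, findings)


def run_batch(instrs: List[Instruction]) -> Tuple[List[Decision], List[dict]]:
    """Validate a batch in creation order so the cumulative and velocity rules
    see earlier releases. Every finding also becomes one structured event for
    the fraud / cyber monitoring feed, whatever the final status."""
    released: List[Instruction] = []
    decisions: List[Decision] = []
    events: List[dict] = []
    for instr in sorted(instrs, key=lambda i: i.created):
        d = validate(instr, released)
        decisions.append(d)
        for f in d.findings:
            events.append({"ts": instr.created.isoformat(), "ref": instr.ref, "rule": f,
                           "status": d.status, "maker": instr.maker, "checker": instr.checker,
                           "debit_account": instr.debit_account, "amount": instr.amount})
        if d.status == "RELEASE":
            released.append(instr)
    return decisions, events


def sample_batch() -> List[Instruction]:
    """Constructed instructions for one day: a routine payment, a self-approved
    one, one to an unknown beneficiary keyed at 02:00, and one that breaches
    the daily limit once the routine payment is counted."""
    day = datetime(2018, 4, 18)
    return [
        Instruction("PAY-1", "alice", "bob", "ACC-001", "BENE-100", 1_200_000.0, "USD", day.replace(hour=9)),
        Instruction("PAY-2", "alice", "alice", "ACC-001", "BENE-101", 300_000.0, "USD", day.replace(hour=10)),
        Instruction("PAY-3", "carol", "bob", "ACC-001", "BENE-999", 950_000.0, "USD", day.replace(hour=2)),
        Instruction("PAY-4", "alice", "dave", "ACC-001", "BENE-101", 4_000_000.0, "USD", day.replace(hour=11)),
    ]


if __name__ == "__main__":
    decisions, events = run_batch(sample_batch())
    for d in decisions:
        print(d.ref, d.status, ",".join(d.findings) or "-")
    print(len(events), "monitoring events emitted")
```

Two design points matter more than the individual rules. First, the limit and velocity checks are computed from what was actually released, not from what was submitted, so a rejected instruction cannot consume limit headroom; this is the kind of cross-subprocess logic that a per-system control would miss. Second, findings are logged even when the instruction is rejected or held, because the attempted self-approval or the unknown beneficiary is itself the signal the fraud team needs, not just the payments that got through.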

$101m: Fraudulently withdrawn from Bangladesh Bank's account at the Federal Reserve Bank of New York via the SWIFT network⁴

72%: Organizations that have concerns around the security of their mobile payment platforms²

10.9%: Estimated compound annual growth rate of non-cash transaction value (2015–2020E)⁶

$40b: Cumulative investment in payments FinTech startups, 2013–2017⁵


What next?

1. Consider whether there is an end-to-end view of payments at your firm and, more importantly, whether the end-to-end business risks surrounding it have been appropriately identified and assessed

2. Investigate the extent to which there is a resiliency and/or continuity plan in place in the event key payment system(s) are attacked

3. Identify whether fraud monitoring appropriately covers business logic and key data flows in and out of your firm

4. Determine whether your payments processes and systems have been appropriately tested, including the networks, applications, infrastructure, access and business processes that span the payments system

5. Develop payments-related simulations and tabletop tests to identify governance, risk, control, ownership, decision-making and operational gaps

Key contacts

Jb Rambaud, Principal, +1 212 773 [email protected]

Sean Viergutz, Executive Director, +1 404 817 [email protected]

Lorry Prentis, Executive Director, +1 212 773 [email protected]

Bringing it all together

1. Security and fraud monitoring: Increased need for certified fraud investigators and cybersecurity personnel to monitor authentication measures, 3-D Secure, tokenization, biometrics, payment system logs, business logic and cyber threats

2. Risk and resiliency: To confirm that payments risk and resiliency are appropriately managed, an end-to-end assessment should cover user access, IT security, IT process, business process and business continuity-related controls

3. Transformation: Payment processing transformation is an essential requirement for payment firms to build a scalable infrastructure that supports next-generation payment methods

4. System attack, penetration and red teaming: Payment-specific red-team, attack/penetration, malware, network, application and social engineering testing techniques can identify gaps in an end-to-end process when combined with other IT and business process control testing

5. Fusion center: Many organizations are not effectively leveraging established cyber fusion centers because their reporting and metrics do not always provide value to areas outside cybersecurity. Reporting and metrics for the broader business can be pulled from the fusion center by connecting the broader business (e.g., fraud management) into it

6. Data analytics: Payment service providers are looking at ways to leverage data analytics and predictive modeling to drive their value-added offerings for retail and corporate customers

7. SWIFT Customer Security Programme: Member-based organizations that act as critical utilities, such as SWIFT, are increasingly issuing cybersecurity requirements their members must adhere to

8. Increased transparency and integrity: Regulators, and customers, are forcing organizations to be more transparent in disclosing cyber incidents, including their impacts, any data stolen or exposed and how the issue has been addressed

9. Talent: Increased need for a dynamic organizational talent pool capable of responding to threats to its payments systems within the context of a three lines of defense model

10. Regulatory: Regulators are increasingly turning their attention to facilitating innovative schemes and to creating a level playing field for banks and nonbanks alike

11. Wholesale vs. retail payments: The impacts of a large-scale attack or disruption to the wholesale payments system are driven by the dollar amount being moved. Retail, on the other hand, is high volume and impacts large numbers of consumers; therefore, equal focus is required given the potential reputational, client and systemic impacts of both

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2018 EYGM Limited. All Rights Reserved.

EYG no. 02546-181Gbl 1804-2665321

ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com