Payments 20 (P20), a leading voice of the global payments industry, has collaborated with some of the largest payment firms and law enforcement organisations to develop a standard approach that will help firms defend themselves against the growing, global cyber threat.

The advocacy group, alongside organisations including American Express, Elavon, Hogan Lovells, J.P. Morgan Chase, the UK National Cyber Security Centre and New York State Department of Financial Services, has created a new report entitled ‘20 Best Practice Recommendations for Improved Cyber Security Protection’.

Aimed at non-cyber professionals, the report emphasizes the urgency of implementing more efficient and comprehensive cyber security frameworks in response to the increasing capabilities of cybercriminals, scammers and other nefarious actors since the onset of the COVID-19 pandemic. 

The uncertainty and disruption caused by the COVID-19 pandemic have presented cybercriminals with a wealth of opportunities to attack. Since March 2020 cybercrime has rocketed with 74% of banks experiencing a rise in cyber-attacks and three out of four financial institutions worrying about the historic rise in criminal activity and what will happen going forward.

Duncan Sandys, Chief Executive Officer at P20, said: "As businesses across the globe embraced remote working and shifted operations online, the state-sponsored and professional criminal gangs exploited the weaknesses of security apparatus and the fears of individuals. At P20, we believe everyone has a part to play in protecting their organisation and its reputation against this threat. This is why we joined forces with leading financial institutions, cyber security experts and government officials to compile standardised, easy to implement actions for non-cyber experts which will go a long way in strengthening their organisations’ defences and protecting their customers.”

Global threat

The cyber security problem now represents a serious systemic threat to the global financial system, a sentiment echoed by Chairman of the Federal Reserve Jerome Powell, who in April 2021 said he worried that a cyber-attack may result in the next great financial crisis. This highlights the need for a collective global, standardised approach towards counteracting the threat.

Key players’ Best Practices

P20 invited twenty cyber security experts from fintechs, banks, consultancies, payment systems, etc. to give their personal recommendations.  Their best practice recommendations cover five vital areas:

• Network security:
  • Assess, scan, and identify everything that’s connected to your network
  • Keep software and devices updated and back up all your data to a separate location
  • Identify critical assets and assess how they are being protected
  • Ensure work from home users have updated routers with no default passwords
  • Develop an understanding of the risks associated with your supply chain network
  • Determine your ability to detect attacks and respond to them 
• Data handling:
  • Identify what data is important to protect, target and develop a protection plan
  • Develop procedures for handling data
  • Understand your digital identity, what that means to bad actors and how this information might be used by them
• Employee awareness:
  • Create an organizational culture where everyone understands that cyber security is a business risk and cyber defence is everyone’s responsibility
  • Ensure cyber security is a C-suite and board priority and appropriate investment is made
  • Develop an annual cybersecurity training and education program (including practical exercise) to ensure the entire organization including the supply chains understands the risk
  • Build a multi-disciplinary crisis management team across the business and technical departments and encourage relationship building
  • Develop crisis management and business resilience/disaster recovery plans, processes and procedures and test them in tabletop exercises
  • Ensure all employees understand that any email, link or attachment could be an attack source
• Actions before a cyber-attack occurs:
  • Engage a law firm and forensic incident response firm, and place their contact names and numbers in your mobile phone
• Actions immediately after a cyber-attack occurs:
  • After confirming that it really is a cyber-attack, assess the initial severity of the attack, including the scope, apparent impact to the organization’s IT infrastructure, sensitive data potentially affected and unknown variables
  • Convene your incident response team and implement the processes documented in the incident response plan. Consider internal escalation protocols, including C-suite and board notifications; alerting: your legal counsel, your forensic response firm, law enforcement;  and reporting the incident, as required, to: regulators, other governmental authorities and impacted individuals
  • Prepare communications to various stakeholders, including employees, customers, regulators, business partners, insurers, media and law enforcement.

---

CTMfile take: This Best Practices list for combating cyber fraud is, quite simply, the best yet. AND should be a Must Read Guide for any size of company and all corporate treasury departments. The report is worth studying too and attendance at the P20 Global Payment Conference, on 28-29 September 2021 could also be useful.