COVID-19 has forced businesses to adopt new ways of working to meet new patterns of demand. And criminals have adapted their tactics to exploit those changes. Are your fraud and cyber controls able to meet the challenge?
The shifts in your organization's business model will likely challenge your fraud and cyber controls as organized crime groups look for new ways to target your organization.
While the overall volume of phishing scams may have remained constant, criminal groups have adapted their campaigns to exploit COVID-19 themes.
Your customers and staff alike are becoming more susceptible to scams and coercion as they face personal financial hardships and health challenges. Your standard processes and tooling for managing fraud, cyber and financial crime risk may need to be updated to reflect this changing environment.
We’ve put together a set of questions to help you assess your readiness to manage cyber and fraud risk.
How are you governing cyber and fraud risk?
- Do you have a view of the top fraud and financial crime risks you need to focus on in the short term for assurance purposes?
- What steps have you taken to ensure senior management’s visibility of fraud and financial crime risks? Have changes to controls been tracked and risks re-assessed?
- How are you tracking and reporting gaps in fraud controls that have emerged due to the pandemic? Where are you documenting temporary workarounds?
- Are regular meetings and reporting lines still functioning effectively during remote working?
- How are you communicating about shared pressures, and how are you promoting an open, transparent and supportive environment?
- Are you working closely with your information security team, and sharing their cyber threat intelligence feeds and their view of criminal infrastructure?
- Are you reviewing controls deemed temporary for their continued necessity as working conditions and government guidance change?
- What expectations will regulators have over your ability to evidence assurance, compliance and due diligence activities during this period?
- Are you involved in industry discussions to keep track of emerging trends?
Does your team have capacity?
- Are you keeping track of your team members’ health — are they ill or under shielding? Are they looking after an ill dependent?
- Do you have back up personnel for key roles and reporting lines if staff are unable to work?
- Do employees have family who need looking after during the day and how is it affecting their working hours? How can you support them?
- Are regular call quality checks and related coaching activities still taking place while the team is diverted onto extended crisis management work?
- Is the business leaning on you? Are your fraud teams being diverted from normal working to support in-demand business processes?
- Is there increased pressure on front line colleagues due to shortage of staff and threats of redundancy?
- Has there been a recruitment freeze — are you able to fill long-term capacity and skillset gaps in the team? What workarounds do you have?
How are customers and other teams coping?
- Do you understand how potential additional fraud and security/privacy controls are impacting your customers’ ability to manage their finances, especially for vulnerable customers?
- Are product development teams able to keep up with the pace of change? Are fraud and security controls being deprioritized without consultation? Is there a way to modify the review/approval process to help them meet deadlines?
- What pressures are your procurement teams under? Are they under pressure to acquire technology at short notice? How do you ensure that speedy on-boarding of new suppliers doesn’t increase the risk of fraud or collusion?
- Are expedited processes for on-boarding new staff effectively mitigating insider threat risk, especially when dealing with access on finance systems?
Are your staff able to do their part?
- Do your fraud team members have the privacy in their own homes to discuss sensitive matters of financial crime or fraud?
- What short-term controls have been put in place to ensure front line staff are adhering to policy, particularly if they are advising customers?
- Have security risks of working from home been assessed? Has fraud and security training been provided or re-iterated?
- Have monitoring arrangements been put in place to minimize and deter employee fraud?
- Has the staff turnover been high? How are you managing joiners, movers and leavers controls, especially for third party contractors?
- Are whistleblowing and internal investigation capabilities still available and effective?
Are your controls calibrated for this environment?
- Has the effectiveness of fraud controls and transaction monitoring been reviewed against the drastic changes in payment volumes?
- Are tactical changes to fraud detection and transaction monitoring rule sets being adequately tested prior to go-live to avoid unintended consequences?
- What security detection and monitoring capabilities are in place to deal with the volume of new phishing and ransomware attacks? Have you linked in your security team to share intelligence?
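The two questions above about recalibrating controls and testing rule changes before go-live are easiest to answer with a champion/challenger backtest: replay the same labelled sample of transactions through the current rule and the proposed rule, then compare alert volume, precision, recall and, crucially, which transactions change status. The script below is an added example, not code from the original page; the transaction sample, the two rules, their thresholds and the go-live limits are all hypothetical.

```python
"""Champion/challenger backtest for a fraud-rule change before go-live.

Added example (not from the original page). Replays a constructed, labelled
transaction sample through the current rule (champion) and the proposed rule
(challenger) and reports alert volume, precision, recall and which
transactions are newly alerted or silently dropped. All data and thresholds
are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: float
    channel: str      # "cnp" (card-not-present) or "cp" (card-present)
    avg_30d: float    # customer's own 30-day average transaction amount
    is_fraud: bool    # confirmed outcome from the labelled sample


Rule = Callable[[Txn], bool]

# Constructed sample: a lockdown-style shift towards larger online payments.
SAMPLE: List[Txn] = [
    Txn("T01", 1200, "cnp", 400, False),   # genuine large online purchase
    Txn("T02", 1500, "cnp", 300, True),
    Txn("T03", 800, "cnp", 200, True),     # below the old flat threshold
    Txn("T04", 700, "cnp", 650, False),
    Txn("T05", 2500, "cp", 800, False),    # in-store, out of scope for both rules
    Txn("T06", 1100, "cnp", 1000, False),  # normal for this customer
    Txn("T07", 600, "cnp", 100, True),
    Txn("T08", 300, "cnp", 100, False),
    Txn("T09", 1300, "cnp", 350, False),   # false positive under both rules
    Txn("T10", 900, "cnp", 900, False),
]


def champion(t: Txn) -> bool:
    """Current rule: flat amount threshold on card-not-present payments."""
    return t.channel == "cnp" and t.amount > 1000


def challenger(t: Txn) -> bool:
    """Proposed rule: lower floor, but relative to the customer's own baseline."""
    return t.channel == "cnp" and t.amount > 500 and t.amount > 3 * t.avg_30d


def backtest(rule: Rule, txns: List[Txn]) -> Dict[str, object]:
    """Run one rule over the sample and return alert set and basic metrics."""
    alerted = {t.txn_id for t in txns if rule(t)}
    fraud_ids = {t.txn_id for t in txns if t.is_fraud}
    true_positives = len(alerted & fraud_ids)
    return {
        "alerts": alerted,
        "alert_rate": len(alerted) / len(txns),
        "precision": true_positives / len(alerted) if alerted else 0.0,
        "recall": true_positives / len(fraud_ids) if fraud_ids else 0.0,
    }


def compare(old: Rule, new: Rule, txns: List[Txn],
            max_alert_growth: float = 0.5) -> Dict[str, object]:
    """Compare two rules and decide whether the change is safe to promote.

    A change is blocked if recall regresses (fraud the old rule caught is now
    missed) or if alert volume grows by more than max_alert_growth, since the
    investigations team has to be able to work the extra alerts.
    """
    old_r, new_r = backtest(old, txns), backtest(new, txns)
    blockers = []
    if new_r["recall"] < old_r["recall"]:
        blockers.append("recall regression")
    if len(new_r["alerts"]) > (1 + max_alert_growth) * len(old_r["alerts"]):
        blockers.append("alert volume growth exceeds limit")
    return {
        "old": old_r,
        "new": new_r,
        "newly_alerted": sorted(new_r["alerts"] - old_r["alerts"]),
        "no_longer_alerted": sorted(old_r["alerts"] - new_r["alerts"]),
        "blockers": blockers,
        "go_live_ok": not blockers,
    }


if __name__ == "__main__":
    result = compare(champion, challenger, SAMPLE)
    for label in ("old", "new"):
        m = result[label]
        print(f"{label}: alerts={len(m['alerts'])} rate={m['alert_rate']:.2f} "
              f"precision={m['precision']:.2f} recall={m['recall']:.2f}")
    print("newly alerted:", result["newly_alerted"])
    print("no longer alerted:", result["no_longer_alerted"])
    print("go-live ok:", result["go_live_ok"], result["blockers"])
```

The list of transactions that are no longer alerted is the part worth reading before any sign-off: a rule that looks better on aggregate precision can still quietly drop a category of alerts that another control or a regulator expects to see. In practice the sample would be a recent window of real, labelled transactions rather than the ten constructed rows here.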
Are you tracking your dependencies?
- Are your organization’s three lines of defense overly reliant on on-site activities and physical monitoring?
- How much reliance is placed on third parties to provide financial crime controls? Have SLAs been affected?
- Have contingency plans for any single points of failure or significant dependencies in fraud and financial crime systems been considered?
- Are changes to due diligence processes (e.g., acceptance of scanned documentation) adequately mitigating money laundering and impersonation fraud risks?
- How can you gain assurance over third parties without physical site visits? Can remote options replace site visits?
- Are fraud and financial crime detection systems included in cyber business continuity and disaster recovery plans?
- Do you have a clear plan to revert to business-as-usual (BAU) processes, with agreed triggers and arrangements for carrying out the reversion work?
What lessons learned are you taking forward?
- How are you documenting the lessons learned? Which good practices did the pandemic reveal were missing, and which of these can you now implement?
- What new controls, processes and governance strategies can you retain permanently?
If you have any questions or would like additional advice, please contact us.