
How To Get Started With Financial Application Security And Testing


Security is an essential requirement for all online financial applications. Data privacy, customer trust, and long-term growth all depend on financial application security. Financial organizations and their auditors should strive to invest in the very best financial application security, since these applications are accessed through various channels and from multiple devices.

Background

To date, cybersecurity's association with financial statements has fixated on fraud activity that could negatively impact an organization's bottom line. Yet, as data breaches and the theft of personally identifiable information continue to rise, security experts have begun noticing that auditors are not giving adequate consideration to the inherent risks created by such attacks. As a result, moving forward, board members, executives and audit teams will need to start integrating cybersecurity into how they view compliance for Sarbanes-Oxley (SOX) and privacy-related mandates like the General Data Protection Regulation (GDPR) and Canada's own Personal Information Protection and Electronic Documents Act (PIPEDA). It is expected that governing boards will eventually produce new guidance initiatives, but businesses should not wait to act. Financial application security is critical to any organization's short and long-term success.

Cybersecurity, Financial Applications and Internal Control Audit

Financial applications include any application completing financial transactions, such as online banking portals or online insurance applications, all of which hold security as a primary concern. Many e-commerce and retail apps regularly handle payment transactions, so financial application security is an important feature of these applications as well. Online finance applications contend with a host of threats, including identity theft, session hijacking, password cracking and injection attacks, all of which have long-term ramifications for revenue and user trust.

The aforementioned rise in cyberattacks poses a significant threat to financial applications and the legitimacy of the reports they generate. This is especially clear as threat actors continue to target financial applications that house immense amounts of company, employee and customer financial data. Financial applications generate financial reports that are relied on by banks, stockholders, shareholders and other investors; they are also a requirement to fulfill compliance criteria like SOX. Still, when it comes to cybersecurity and financial statements, authoritative boards and companies have historically focused only on fraudulent activity. For example, if someone successfully phished an organization and stole funds, the focus was on how the theft impacted the organization's bottom line as opposed to overall financial application security.

Some of the key aspects of financial application security include secure authentication, authorization, data encryption and role-based access. Last year, after reviewing audit files from organizations that had been breached in 2019, the Public Company Accounting Oversight Board (PCAOB) published a report finding that, while most auditors tried to quantify a financial impact after a breach, they failed to expand their investigations to determine whether there were any risks of material misstatement. Similarly, the PCAOB declared that auditors did not go far enough to assess financial application security and the various vulnerabilities related to financial reporting.

Leading Progress – Getting Started

When it comes to financial application security, a good place to lead is with access control and change management, application security testing and a secure code review.

  • Access control focuses on making sure the right people have suitable access and roles in financial applications based on the principle of least privilege. Auditors often fail to consider these risks, which include vulnerabilities, misconfigurations and admin abuse. In order to mitigate these vulnerabilities, auditors are required to engage cybersecurity experts, such as Packetlabs, to supplement their assessment.

  • Change management, on the other hand, focuses on ensuring changes to applications are complete and authorized. The greatest threats to change management arise from custom code. During any given change request, an organization may risk deploying detrimental code from a compromised supply chain vendor (e.g., SolarWinds).

  • Penetration testing is an authorized simulation of a real cyberattack on an application, performed to evaluate the security of the system or application. Secure code review is an activity in which security professionals review an application's source code, typically prior to release, annually, or after any significant changes. Both of these activities are among our core services at Packetlabs.

Summary and Conclusion

Every organization, financial or otherwise, must make it their due diligence to attend to financial application security. Going forward, the significance of cybersecurity, compliance, regulations and financial statements will only intensify. Taking a proactive cybersecurity position to stay ahead of threat actors will help ensure your business remains active and profitable.

If you would like to learn more about Penetration Testing, Source Code Review or any of Packetlabs services, please contact us today to find out how we can help!