March 29, 2021 by Adam Malik
While many are eager to see the imminent arrival of a new system that promises to make day-to-day financial transactions quicker, cyber risk experts are warning that such a system may elevate the risk exposure to cybercrime, potentially opening the door to a flood of claims.
Canada is preparing to remove the waiting period between when payment funds are sent and when they’re released. Instead of taking five days, the process could take just five minutes. This shortened window could increase risk, says Lindsey Nelson, cyber development leader at CFC Underwriting.
The move to a quicker payments system is good for banks and business transactions in general, Nelson told Canadian Underwriter in a recent interview. But everyone needs to be extra-vigilant now.
The process is called real-time rail, or RTR. Backed by Payments Canada, it’s expected to be introduced in 2022. Earlier this month, Interac Corp. was announced as the exchange solution provider for the quickened payments system.
Canada has generally been on top of financial technology, allowing companies to go about their business with an easy swipe or click, Nelson observed. But that’s not the case when it comes to payments.
“From our perspective, Canada actually falls woefully behind existing faster payment solutions elsewhere in the world,” she told Canadian Underwriter.
Money is often held for five days before it’s released to the recipient. RTR would change this to minutes. This allows businesses to complete transactions faster, manage cash flow better, and banks are able to add more value to their commercial and personal clients.
“So it’s good news for businesses, because that widespread adoption of the new technology ultimately means they can transact their business a lot better,” Nelson said in an interview.
But there’s a catch. “It also means that there are newer vulnerabilities,” she said. “When it comes to inadvertently diverting funds to a cybercriminal through a social engineering incident, that now becomes the primary exposure for Canadian businesses once you have something like RTR in place.”
Under the current five-day waiting system, a business could potentially realize in that time that the money was sent erroneously to a cybercriminal. It could contact the bank and stop the transaction. This acts as almost a type of security blanket.
That bears out in the statistics. According to Nelson, Canadians were five times less likely to experience a social engineering fraud than people in the United Kingdom, where an RTR type of system is already in place. Nelson said incidents occuring in RTR-style environments “disproportionately make up the majority of cyber events that [clients] experience. And, of course, a Canadian business is just as likely to fall victim to a scam as a U.K. business.”
The U.K.’s Faster Payment Service is their equivalent of RTR. “It made transferring funds incredibly simple with immediate effect, and with funds being siphoned off into other accounts before victims are even aware that they’ve been the victim of fraud,” Nelson said.
Brokers need to drive the message home to their clients about the value of a cyber insurance product, she added. A quicker payment process may just be another incentive for a company to invest in such a product as human error accounts. Having a strong, robust IT system — one reason why clients think they don’t need to buy a cyber product — can’t protect against human error, Nelson emphasized.
“I think recognizing that issues like these [arise because of] employee and human error is the first step,” she said.
Feature image by iStock.com/fatido