Cybersecurity and Legacy Payments Systems: Q&A with Matthew Charette

For the financial services industry, modernization of payment systems and processes is often the focus. But in an era where cybersecurity threats are the norm and constantly evolving, financial institutions face real threats to their existing but often antiquated systems. These legacy structures can be an attractive haven for threat actors.

We spoke with cybersecurity expert Matthew Charette on this vital topic. Matt is the current Interim CISO and Director of Cybersecurity at Payments Canada, and he recently sat on a panel discussion on cybersecurity and legacy systems alongside PPJV’s Artem Seagall and Adam MacGillivray from Interac. Matt offers some compelling insights into the challenges of, and some potential approaches to, dealing with cybersecurity within legacy payments systems.

Matthew Charette of Payments Canada notes there are challenges to keeping legacy systems cyber secure but also key approaches FIs can use to mitigate vulnerabilities.

Q: What are the most pressing vulnerabilities financial institutions (FIs) face in terms of cyber threats against legacy systems? What are some best-practice cybersecurity features you’ve found tend to be typically absent or deficient in legacy systems?

Financial institutions’ legacy systems are vulnerable to cyber threats due to several key factors. These systems often lack security patches and updates, are often incompatible with modern security solutions, and usually run on outdated operating systems. They may also have insufficient encryption and limited monitoring capabilities. The complexity and interconnectedness of these systems, combined with challenges in integrating them with newer applications, further exacerbate security risks. Additionally, the shrinking pool of knowledgeable IT personnel adds to the risk.

To mitigate these vulnerabilities, financial institutions should conduct risk assessments, prioritize updating or replacing critical systems, implement compensatory controls, and ensure they have robust incident response plans in place.

Q: I think for many of us who don’t live this issue the way you do, we might say just write a patch or layer on some technology to fix the problem. What are some of the challenges with this idea?

Updating legacy systems is challenging due to their complexity and deep integration with other systems, leading to compatibility issues and unforeseen impacts. These systems often lack vendor support, requiring custom solutions that demand significant financial and human resources. Concerns about business continuity, data migration challenges, and the need to maintain regulatory compliance add to the difficulty.

Another key factor is downtime. Legacy systems typically don’t have a lot of redundancy built into them, so taking them down to maintain them can be difficult, especially if the system has to have a high availability rate.

Q: I would think another challenge with legacy systems is maintaining compliance with evolving regulatory requirements, including those in relation to fraud prevention and privacy and security. What are some of the pain points when it comes to Canadian regulatory standards and legacy systems architecture?

At a high level, most regulators require that your organization implement a modernized security program that is based off of some common framework (e.g., NIST CSF or ISO 27001). These frameworks typically require you to have strong technical controls in place to remain compliant (i.e., modernized authentication and access controls, data-loss prevention (DLP) controls, patching and vulnerability management). Implementing these controls on legacy systems can be very difficult, if not impossible, making it a strain to remain compliant with regulatory requirements.

Compliance with privacy laws like PIPEDA, regulatory requirements from OSFI or the Bank of Canada, and stringent reporting and documentation mandates is often difficult due to outdated security features and limited reporting capabilities. Ensuring operational resilience and managing third-party risks are also problematic, as legacy systems may not support modern strategies and tools, such as being compatible with modern endpoint protection solutions. Addressing these issues necessitates strategic modernization of legacy systems and robust cybersecurity protection and response measures to ensure you continue to meet regulatory compliance requirements throughout a modernization journey.

Q: I think a challenge for a lot of people in our audience is that on the one hand, we tell them they need to invest in modernizing technologies. But on the other hand, we’re also telling them that they need to divert resources and dollars to protecting their legacy systems, especially as we’ve seen delays to the implementation of modernized systems and standards. Do you have any advice on threading the needle of balancing investing in the future versus what is needed today?

Balancing investments in future systems with immediate needs requires a strategic approach. Financial institutions should start with a comprehensive assessment to identify critical vulnerabilities and compliance gaps, followed by developing a detailed roadmap that includes both short-term fixes and long-term modernization plans. Prioritizing risk management, adopting incremental modernization, and leveraging scalable cloud and hybrid solutions can help address immediate concerns while preparing for the future.

Q: What’s one thing that keeps you up at night when you think about cybersecurity and legacy financial systems in Canada?

For me, it’s probably a nation-state actor accessing a legacy system with the direct objective to disrupt or destroy the system. The fact that legacy systems are hard to replace and are typically not highly redundant makes them time-consuming and costly to remediate from an attack. Now the flip side of that is it would also probably serve as a forcing function for an organization to move to a modernized system. Unfortunately, in our business it sometimes takes a really bad day to effect change. Businesses should realize, however, that waiting for that bad day only makes that change exponentially more expensive because of the recovery costs involved.

Q: What’s one thing any FI can start doing today to update or protect their legacy architecture from fraud threats?

One of the best things you can do to help you prioritize your efforts is to invest in a good threat intelligence capability. Threat intelligence capabilities (meaning people, process and technology) really help you to understand and prioritize the threats that face your organization and your systems, and will allow you to ultimately manage risk and make risk-based decisions in a more structured way.

About Matthew Charette

As interim Chief Information Security Officer and Director, Cybersecurity, at Payments Canada, Matthew is responsible for the organization’s corporate security program, including both cyber and physical security, threat intelligence, security monitoring and incident response.
