Corporate Treasurers must tackle cyber security. Here’s how.

27 July 2016


According to PwC’s 2016 Global State of Information Security Survey, businesses saw a 38% increase in detected security incidents in 2015. Given that growing threat, business leaders worldwide have no choice but to rethink their cyber security programs. As part of this effort, the Treasurer plays a crucial role, specifically in building the capabilities needed to protect the organisation’s financial assets and its reputation as a good steward of those assets.

Unfortunately, it’s no longer a question of if, but when, your organisation will be targeted.

Recent publicly disclosed cyber security breaches of payment systems include:

  • Bangladesh’s central bank attack that reportedly lost $81m in 2016;
  • An attack on a Vietnamese Bank that reportedly attempted to transfer €1m in late 2015;
  • A reported security breach at an Ecuadorian Bank that lost $12m in early 2015; and
  • An attack on a Philippine bank in late 2015.

How does a cyber security breach impact the Treasurer?

Cyber security is a key concern for Treasurers because they are responsible for managing and controlling the group’s cash and initiating and approving large treasury and vendor payments. Many cyber attacks target Treasury’s area of responsibility directly, resulting in potential losses from fraudulent payments, disruption of operations caused by missed payment deadlines, and stolen or corrupted data. In our experience, companies with decentralised payment environments, distributed bank account structures, excessive numbers of bank accounts and complex bank connectivity models are most exposed to cyber security breaches and payment fraud. Making matters worse, attacks are growing in overall sophistication and technological complexity, and the efficacy of certain security measures is unclear.

How may cyber security breaches cause data protection issues?

The Treasury team processes treasury, vendor and employee payments that can contain significant personal data, including names, addresses and bank account details. Treasury also typically receives bank statements for many accounts around the business, which may also contain such personal data.

A cyber security breach may cause a breach of personal data and result in potential fines. For example, under proposed EU regulation, the maximum fines are huge: the text from the European Parliament proposes fines of up to 20 million Euros or 4% of global annual turnover, whichever is higher.

Who’s involved in payment and bank statement processing?

There are at least five groups of teams/service providers involved in payment processing, any of whom may be subject to a cyber security breach:

  • Corporate Treasury, vendor and employee payment teams;
  • Banks who process the payments and provide electronic banking platforms;
  • SWIFT and SWIFT bureaus who may provide bank connectivity solutions;
  • BACS, EBICS, NACHA and other ACH bureaus and third parties who may provide payment solutions; and
  • Credit card processing providers.

What should the Treasurer do?

The following five critical steps can help move your Treasury and Finance organisation towards more effective cyber security risk management:

  • Review all payment and bank statement processes and technology

The Treasurer and colleagues in finance who may have direct responsibility for payments and statements should identify critical business processes and assets that are at risk by conducting an in-depth assessment of current processes, data, systems and connection points. Once the exposures have been defined, the Treasurer should take action to reduce inherent risks stemming from process inefficiencies.

  • Test cyber controls using internal or external penetration testing

Given increased risk and several highly publicised incidents, many Treasury and finance teams are taking steps to tighten controls around cash. Standard treasury controls (e.g. segregation of duties, fraud protection) can make a substantial difference in combating cyber threats, but you must implement and enforce them consistently. Centralised payment processes and high levels of automation can further strengthen control.

  • Review legal agreements with banks and payment providers and seek cyber cover/insurance

You should review agreements with banks (including your internet banking terms), payment providers such as any SWIFT bureau, and other third parties involved in your payments or statement process, and check whether you are covered for cyber risk if they are compromised and your data or funds are lost. You should also check your own insurance policy for cyber risk and consider whether you need cyber cover.

  • Train your staff

You should develop and conduct training workshops to educate employees on how to prevent, monitor, and mitigate cyber threats. The training should include payment fraud scenarios and emphasise the diverse sources of security incidents, including current and former employees, current and former service providers and suppliers.

  • Prepare for an incident

To prepare for a cyber attack, the Treasury team, in coordination with key stakeholders (e.g. Finance, IT, Legal, CRO), should consider developing incident response procedures and protocols. They should be well documented, clearly communicated to the appropriate employees, and consistent with your overall crisis management and business continuity approach with the business.

It’s a wakeup call

Corporate networks, including payment systems, will be targeted, and the least prepared corporates with the weakest links in their payment systems will fall prey and lose money and/or data, incurring potentially huge fines. Treasurers can prepare themselves against cyber attacks by following the five steps above. If you’d like to speak to one of our subject matter specialists on the areas mentioned above, or you’d like to find out more about how your Treasury function can benefit from improved cyber security, feel free to contact us. You can also sign up to our Treasury Talk blog to make sure you receive the latest updates and articles.

Author - Eric Cohen, Partner - US Financial and Treasury Management

Author - Davide di Gennaro, Director - US Financial and Treasury Management

 Contributor - Sanjay Bibekar, Director - UK Treasury Advisory (+44 (0) 20 7804 9582)

Comments

The authors make some really valid points. At AFP, we’re seeing two additional trends:

1) The rise of business email compromise scams. Part of what makes BEC scams so dangerous is the criminals trick employees into voluntarily sending money so it’s very difficult to recover any funds. It’s important to note that BEC scams typically are not covered under cyber insurance policies.

2) Speaking of cyber insurance, we’re definitely seeing more treasurers purchase cyber insurance because traditional business insurance typically doesn’t cover cybercrime. Problem is, cyber insurance rates have tripled in recent years – that means more cash that treasurers have to spend and less for shareholders.

If you’re looking for a great resource on BEC scams may I humbly suggest AFP’s Payments Security Guide, www.afponline.org/BEC/? I know it’s a shameless plug but it really is a great resource for treasurers!
