Corporate Treasurers must tackle cyber security. Here’s how.
27 July 2016
According to PwC’s 2016 Global State of Information Security Survey, businesses saw a 38% increase in detected security incidents in 2015. Given that growing threat, business leaders worldwide have no choice but to rethink their cyber security programs. As part of this effort, the Treasurer plays a crucial role, specifically in building the capabilities needed to protect the organisation’s financial assets and its reputation as a good steward of those assets.
Unfortunately, it’s no longer a question of if, but when, your organisation will be targeted.
Recent publicly disclosed cyber security breaches of payment systems include:
- Bangladesh’s central bank attack that reportedly lost $81m in 2016;
- An attack on a Vietnamese bank that reportedly attempted to transfer €1m in late 2015;
- A reported security breach at an Ecuadorian bank that lost $12m in early 2015; and
- An attack on a Philippine bank in late 2015.
How does a cyber security breach impact the Treasurer?
Cyber security is a key concern for Treasurers because they are responsible for managing and controlling the group’s cash and initiating and approving large treasury and vendor payments. Many cyber attacks target Treasury’s area of responsibility directly, resulting in potential losses from fraudulent payments, disruption of operations caused by missed payment deadlines, and stolen or corrupted data. In our experience, companies with decentralised payment environments, distributed bank account structures, excessive numbers of bank accounts and complex bank connectivity models are most exposed to cyber security breaches and payment fraud. Making matters worse, attacks are growing in overall sophistication and technological complexity, and the efficacy of certain security measures is unclear.
How may cyber security breaches cause data protection issues?
The Treasury team processes treasury, vendor and employee payments that can contain significant personal data, including names, addresses and bank account details. Treasury also typically receives bank statements for many accounts around the business, which may also contain such personal data.
A cyber security breach may cause a breach of personal data and result in potential fines. For example, under proposed EU regulation, the maximum fines are huge: the text from the European Parliament proposes fines of up to 20 million Euros or 4% of global annual turnover, whichever is higher.
Who’s involved in payment and bank statement processing?
There are at least five groups of teams and service providers involved in payment processing, any of whom may be subject to a cyber security breach:
- Corporate Treasury, vendor and employee payment teams;
- Banks who process the payments and provide electronic banking platforms;
- SWIFT and SWIFT bureaus who may provide bank connectivity solutions;
- BACS, EBICS, NACHA and other ACH bureaus and third parties who may provide payment solutions; and
- Credit card processing providers.
What should the Treasurer do?
The following five critical steps can help move your Treasury and Finance organisation towards more effective cyber security risk management:
- Review all payment and bank statement processes and technology
The Treasurer and colleagues in finance who may have direct responsibility for payments and statements should identify critical business processes and assets that are at risk by conducting an in-depth assessment of current processes, data, systems and connection points. Once the exposures have been defined, the Treasurer should take action to reduce inherent risks stemming from process inefficiencies.
- Test cyber controls using internal or external penetration testing
Given increased risk and several highly publicised incidents, many Treasury and finance teams are taking steps to tighten controls around cash. Standard treasury controls (e.g. segregation of duties, fraud protection) can make a substantial difference in combating cyber threats, but you must implement and enforce them consistently. Centralised payment processes and high levels of automation can further strengthen control.
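To make the "standard treasury controls" in the paragraph above concrete, the following is an added example (not code from the article or from PwC) that models a payment release gate: the initiator may not approve their own payment, only users holding the approver role may approve, payments at or above a threshold need two distinct approvers, and the beneficiary account must match a vendor master. All user names, role assignments, the threshold, the vendor master and the sample payments are constructed assumptions.

```python
"""Segregation-of-duties checks for an outgoing payment run (added illustration).

Models the controls the article names (segregation of duties, dual approval of
large payments, beneficiary validation) as a release gate that a payment must
pass before it reaches the bank channel. Every name, threshold and sample
payment below is a constructed assumption, not data from the article.
"""
from dataclasses import dataclass, field

# Assumed policy values (constructed for this example).
DUAL_APPROVAL_THRESHOLD = 50_000          # payments at/above this need two approvers
APPROVED_BENEFICIARIES = {                # vendor master: beneficiary -> expected account id
    "ACME Supplies Ltd": "GB00XXXX1111",
    "Globex Logistics": "DE00XXXX2222",
}
ROLES = {                                 # user -> role, maintained outside the payment team
    "alice": "initiator",
    "bob": "approver",
    "carol": "approver",
    "dave": "initiator",
}


@dataclass
class Payment:
    ref: str
    beneficiary: str
    account: str
    amount: float
    initiator: str
    approvers: list = field(default_factory=list)


def release_checks(p: Payment) -> list:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures = []
    # Control 1: the person who keyed the payment must not approve it.
    if p.initiator in p.approvers:
        failures.append("initiator approved own payment")
    # Control 2: every approver must actually hold the approver role.
    for a in p.approvers:
        if ROLES.get(a) != "approver":
            failures.append(f"{a} lacks approver role")
    # Control 3: large payments need two distinct approvers (four-eyes principle).
    distinct = set(p.approvers)
    needed = 2 if p.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(distinct) < needed:
        failures.append(f"needs {needed} approver(s), has {len(distinct)}")
    # Control 4: beneficiary and account must match the vendor master, so a changed
    # account number on an invoice is caught before funds leave.
    expected = APPROVED_BENEFICIARIES.get(p.beneficiary)
    if expected is None:
        failures.append("beneficiary not in vendor master")
    elif expected != p.account:
        failures.append("account does not match vendor master")
    return failures


def run_payment_batch(payments):
    """Split a batch into releasable payment refs and held refs with their reasons."""
    released, held = [], {}
    for p in payments:
        f = release_checks(p)
        if f:
            held[p.ref] = f
        else:
            released.append(p.ref)
    return released, held


# Constructed sample batch: one clean payment and three that trip a control each.
SAMPLE_BATCH = [
    Payment("P1", "ACME Supplies Ltd", "GB00XXXX1111", 12_000, "alice", ["bob"]),
    Payment("P2", "ACME Supplies Ltd", "GB00XXXX1111", 120_000, "alice", ["bob"]),
    Payment("P3", "Globex Logistics", "DE00XXXX2222", 8_000, "dave", ["dave"]),
    Payment("P4", "Globex Logistics", "DE00XXXX9999", 75_000, "alice", ["bob", "carol"]),
]

if __name__ == "__main__":
    ok, bad = run_payment_batch(SAMPLE_BATCH)
    print("released:", ok)
    for ref, reasons in bad.items():
        print("held", ref, "->", "; ".join(reasons))
```

The point of keeping the checks in one function is that the control is enforced consistently for every payment in every batch, which is what the paragraph above asks for; a held payment carries its reasons so the review queue shows why it stopped rather than silently dropping it.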
- Review legal agreements with banks and payment providers and seek cyber cover/insurance
You should review your agreements with banks (including your internet banking terms), with payment providers such as any SWIFT bureau, and with other third parties involved in your payment or statement processes, and check whether you are covered for cyber risk if they are compromised and your data or funds are lost. You should also check your own insurance policy for cyber risk and consider whether you need cyber cover.
- Train your staff
You should develop and conduct training workshops to educate employees on how to prevent, monitor, and mitigate cyber threats. The training should include payment fraud scenarios and emphasise the diverse sources of security incidents, including current and former employees, and current and former service providers and suppliers.
- Prepare for an incident
To prepare for a cyber attack, the Treasury team, in coordination with key stakeholders (e.g. Finance, IT, Legal, CRO), should consider developing incident response procedures and protocols. They should be well documented, clearly communicated to the appropriate employees, and consistent with the business's overall crisis management and business continuity approach.
It’s a wake-up call
Corporate networks, including payment systems, will be targeted, and the least prepared corporates with the weakest links in their payment systems will fall prey, losing money and/or data and incurring potentially huge fines. Treasurers can prepare themselves against cyber attacks by following the five steps above. If you’d like to speak to one of our subject matter specialists on the areas mentioned above, or you’d like to find out more about how your Treasury function can benefit from improved cyber security, feel free to contact us. You can also sign up to our Treasury Talk blog to make sure you receive the latest updates and articles.