Cyber risk is a growing concern for businesses. But how can a treasurer help to manage this risk? In this article, we examine the nature of the threat faced by companies today and the practical steps that can be taken to prevent a data breach and minimise the damage if one occurs.
Cyber security is a growing source of anxiety for businesses. Several studies published this year indicate the growing attention cyber related risks are now being afforded by organisations. For example, a PwC study, published in conjunction with the Department for Business Innovation and Skills (BIS), reported that budgets dedicated to cyber security at UK businesses have increased by 2% over the past year, with an average of 10% now being reserved for cyber-crime prevention and mitigation. And it appears to be a similar story in the financial sector. In the Bank of England’s (BoE) twice-yearly systemic risk poll, more respondents cited cyber-crime as the main threat to the stability of their bank.
Whether this growing concern about cyber security reflects an actual increase in the frequency and severity of cyber-attacks is difficult to substantiate – cyber-crime, after all, is not something companies like to talk about, at least publicly. But John Salter, Head of Cash and Payments at Lloyds TSB, argues that it would still be reasonable to assume that the threat is a growing one. The ever-growing quantity of data and assets stored in the virtual world means that the incentives for criminals to steal money or information through corporate networks have never been greater.
“You wouldn’t risk breaking into a vault when there is only £50 inside, but you might do if there is £50m,” says Salter. “The virtual world has become a much more interesting place to exploit now through criminal activity because it is easier to do on a large scale – and the payback can be much bigger.”
Consequently, organisations have found themselves under almost constant siege from criminals in the cyber world. “They knock on the door almost on a permanent basis,” he adds. “I would use German blitzkrieg tactics as an analogy – criminals will probe for weak spots and when they find one they steam their whole division through it.”
In order to keep up with this evolving threat, companies are being forced to rethink how they approach cyber security. Salter, who recently spoke on the subject of cyber-related crime at the Association of Corporate Treasurers (ACT) conference in Liverpool, believes many companies still have a way to go.
Most banks will have a dedicated group function to manage this specialist type of criminal activity, he says. When he asked treasurers at the ACT conference how their businesses were managing the threat, it quickly became clear to him that non-financial companies have not been addressing it in the same way as banks have been. “In a room of maybe 100 people, only 20% responded positively to that question,” he says. “So I’m not sure that companies fully understand the nature of the threat they face today and are responding as well as they could or should be.”
However, some businesses are beginning to recognise that defending their networks is no longer just about having the right firewalls and anti-virus programmes in place. To protect against some of the more sophisticated types of attacks being perpetrated today, experts unanimously agree that a more holistic approach is required.
The growing use of analytics technology provided by companies such as SAS could be one example of a new level of realisation. “I think if you look at cyber security as an IT problem alone, you are always going to be ten steps behind,” says Joanne Taylor, Director of Public Security at SAS. “What we offer is the next stage in the evolution.” A large company will, she says, accumulate masses of information that serves to inform them of different types of attacks originating from different areas of the business. SAS’ solution gathers this data together and uses an analytics platform to scan for suspicious activity.
This is perfect for identifying the “low and slow attacks” referred to by Salter, and evidence shows such technology can help to reduce the cost of a security incident (see Chart 1). By linking cyber-activities to business events – the opening of an account, for example – analytics software is able to pick up on potentially suspicious events that a firewall or anti-virus would almost certainly have considered innocuous. “They are constantly hitting an organisation over a long period of time,” Taylor explains. “But because the organisation is not connecting the dots, they are often unaware they are being probed for weak points.”
Chris Pickles, BT’s Head of Industry Initiatives for the Financial Sector, agrees. “Pattern recognition is an important development.” Yet a basic anti-virus package is simply inadequate for the needs of some companies today, he says. The types of attacks that companies are experiencing have become so advanced, and the consequences for those that fall victim so severe, that companies need to change their tactics. “It is the difference between putting a bolt on your door and installing a managed alarm – the alarm not only monitors your surveillance systems throughout the day, but also looks for patterns.”
Despite these advancements, companies realise that the risk of a breach cannot be eliminated fully. Businesses whose operations make their potential losses from a cyber-breach very substantial – for example, companies that aggregate a considerable amount of personally identifiable data – should begin looking into hedging that risk by taking out cover with a cyber-insurance provider.
Although Europe’s cyber insurance industry is still in its infancy, Kevin Kalinich, Global Practice Leader for Cyber Insurance at Aon One, believes that might be about to change. An increasing number of EU companies are taking out first party cyber liability policies to cover business interruption and the costs associated with sending out notices to aggrieved customers if personal data is compromised.
It is no surprise, he says, that this increased interest in cyber insurance has coincided with recent proposed amendments to the EU Privacy Data Directive that will require mandatory disclosure of all data breaches. “In the US and Asia, there wasn’t a big growth in cyber insurance until there was a data breach disclosure law. After that, there was an almost linear increase in litigation, which was followed by a linear increase in cyber insurance.”
Building a cyber-savvy treasury
Treasurers are not known to be the most tech-savvy individuals, and in today’s challenging economic environment one might argue that they have enough on their plate managing financial risks without having to contemplate escalating cyber threats.
However, there are areas where the treasurer can make a noticeable difference. Earlier this year, the Ponemon Institute published a study that examined the impact of a data breach on company balance sheets. The research found that the companies most successful in minimising the cost of a data breach tended to be the ones that had adopted a strong security posture. One example is organisations that had centralised the management of data protection by appointing a C-level information security professional, a chief information security officer (CISO), who works with treasury and other company departments to lead a more co-ordinated response.
“It is usually the job of the CISO to make sure that there is effective security in place,” says SAS’ Taylor. A treasurer’s role when it comes to cyber security, as with every other employee’s, should instead focus on understanding that the information they handle has a value, she says. “Taking responsibility has got to be the starting point for individuals in a company.”
This is particularly important when applied to the security of information stored on mobiles, laptops or USB memory sticks – among the leading factors cited by the Ponemon Institute as driving up the cost of a data breach when it resulted in the loss or theft of a device. This, Taylor thinks, should make treasurers, and indeed all individuals within a company, consider carefully how they handle information. “The trend towards bring-your-own-device does open up massive security problems for organisations. At the individual level we all need to change our behaviours. Whatever job we are in, our information is an asset which means we don’t share it and we must think about how we are protecting it.”
Kalinich agrees. “A treasurer should be looking at the information assets within his department,” he says. If these are increasing then the issue clearly demands more scrutiny. Although he says it would be wrong to expect the treasurer to be an expert on the finer details of cyber security, Kalinich believes a basic awareness of the issues is required in every senior area of corporate management if losses are to be minimised.
“Treasurers should have some involvement in the procurement process when it comes to hiring the services of third-party vendors – be it for mobile, big data or cloud computing – and ensuring that those providers will be maintaining the highest level of security.” The CISO can then dig down into the technical detail to answer this question, Kalinich adds, but it is important for treasurers to know where within an organisation they can go to get help on cyber security-related questions affecting their department.
In this space, there is clearly an area of internal policy compliance for treasurers to think about, says BT’s Pickles. “Corporate treasurers will see a lot of cash management processes can be carried out with the help of smart phones now. But obviously there are security challenges relating to this type of technology, and maybe that is why it has not yet progressed, in terms of adoption, as quickly as some might have hoped.” That doesn’t mean the technology should be regarded as off limits, he is at pains to emphasise, just that “implementation needs to be done in a proper, controlled manner”.
Treasurers should also be considering what contingency plans the department has in place in the event that one of their banking counterparties is hit by an attack, Pickles adds. In the autumn of last year, a number of large financial institutions, including Bank of America Merrill Lynch (BofA Merrill) and J.P. Morgan (JPM), were victims of this type of attack. Although the disruption was short-lived and mostly limited to retail, rather than corporate, clients, the fact that the attacks happened at all should emphasise to treasurers the need to look again at their contingency plans for this type of scenario. “There is a perception that banks know about security,” says Pickles. “But when you look at the security breaches they’ve had over the past few years – whether that is banks, credit card companies or other financial institutions – it is clear that companies shouldn’t be blindly relying on them.”