With high-profile cyber-attacks continuing to make headlines, treasurers cannot afford to ignore the importance of cyber-security. But should this area be viewed as a straightforward necessity, or can it be approached as a business enabler?
The risk of cyber-attacks was a major theme in 2016, with high-profile incidents including the theft of $81m from Bangladesh Bank. From data breaches to distributed denial-of-service (DDoS) attacks, businesses may be at risk from many different types of cyber threat.
Where corporate treasury is concerned, the most significant concern is the risk that a fraudulent payment will be made. This is a very real risk for companies around the world. The 2016 AFP Fraud report found that 73% of American companies were targeted by payments fraud in 2015 – up from 62% in 2014.
The strategies used by criminals continue to evolve. Andrew Bateman, Head of Corporate Liquidity and Bank Treasury at FIS, notes that “social engineering attacks through phishing and/or spear-phishing attacks as a vector for installing malware, or other advanced persistent threat (APT) components, remains a significantly high component of the threat.” Bateman adds, “We are seeing more targeted attacks on financial systems and finance employees.”
Making cyber-security a business enabler
With so many threats to consider, is cyber-security a straightforward necessity, or can it be viewed as a business enabler? For third-party vendors, such as treasury management system vendors, SWIFT bureaus or third-party payment providers, it is clear that cyber-security falls into the latter category. “If you are a third-party provider, you can turn this to your advantage by spelling out your investment in security and how often you test your controls and have them validated independently,” explains David Stebbings, Director, Head of Treasury Advisory at PwC. “So they can certainly turn it to a competitive advantage.”
For corporate treasurers, the situation is less clear-cut. David Blair, an independent treasury consultant based in Singapore, says that in Asia this topic is “more of a survival requirement”, adding that it is “hard to see security intrinsically bringing better products and services to customers”. On the other hand, he notes that a lack of security can hurt customer satisfaction.
However, Mike Lamberg, Chief Information Security Officer at OpenLink, and the former VP of Information Security at the NYSE, comments that cyber-security is definitely a necessity, and that making it a business enabler “would require a company’s senior leadership and board to view cyber-security as a strategic asset that is partnered with the business itself”. Until that happens, Lamberg says, “it will be viewed as a quasi-tax or insurance”.
How can cyber-security deliver business improvements? Aside from avoiding financial loss, the most obvious improvements lie in increasing efficiency and managing risks more effectively. Marcus Hughes, Head of Strategic Business Development at Bottomline Technologies, points out that implementing increased controls “not only helps a treasurer to remain compliant and fight financial crime, but it also makes a business more efficient by reducing errors and cutting the risk of losing money.”
In practice, treasurers can take a number of actions to avoid falling victim to a cyber-attack. These include securing devices, practising good password hygiene and ensuring systems are on the latest versions. It may also be beneficial to use screening systems and anomaly detection systems, as well as tracking employees’ use of mission critical applications.
In conclusion, cyber-security is a topic that no treasurer can afford to ignore. Whether this area is regarded as a necessary evil or a business enabler may vary from company to company – but what is clear is that this topic will only become more crucial as the threats continue to evolve.