Cyber-fraud policy and automated future-proofed technology landscape at Ferguson
Ferguson has always placed security of its systems and IT infrastructure as one of its top priorities. “In fact, one of the four key drivers for our treasury technology is security,” explains Royston Da Costa, Assistant Group Treasurer at Ferguson Group Services Limited.
Ferguson hosted its treasury systems on its internal servers, which required a significant amount of time and cost to maintain. Typically, this involved regular testing of the business continuity process (BCP) and disaster recovery (DR) procedures. In addition, the third-party vendor required the company to upgrade at least every two years, incurring further costs and time.
Its objective has been to automate and streamline manual processes wherever possible.
The cloud-based treasury management system (TMS) solution installed back in 2015 has been pivotal to driving automation and has laid the groundwork for the wider group to take advantage. An internal audit has endorsed the new architecture, and other areas such as know your customer (KYC) and General Data Protection Regulation (GDPR) have also been accommodated.
Ferguson’s treasury set clear rules guiding best practice and procedures within treasury for the group. The roles and responsibilities of individual employees – particularly relating to payments – are clearly defined. Regular third-party payments are locked down, requiring a rigorous vetting process before any changes to payment templates can be made. Stringent guidelines exist for the processing of ad-hoc or one-off manual payments.
There are internal and external controls in place to ensure full compliance. A regular review of user profiles in all financial systems including the TMS is conducted. A list of all bank accounts held by a company is also reviewed regularly.
Best practice and innovation
Implemented a comprehensive treasury policy.
Bank statements reconciled in a timely manner.
Treasury controls enacted.
Passwords safeguarded with maximum security.
Fortified IT systems for cyber fraud protection:
Ferguson has security systems in place for a cyber-fraud attack and is prepared for an incident in which systems may not be available or data has been destroyed by hackers, as is the case in a ransomware attack. These plans will consider how often systems are backed up and what would happen in the event of a disaster or hacking attack. It is also vital to understand how long systems could be offline, the potential for a loss of data and the recovery priorities of the IT systems.
“We have a comprehensive business continuity plan in place that governs mission critical IT systems and our business continuity plan has comprehensive procedures in place for how different departments will continue operations after a disaster,” explains Da Costa.
If a cyber-fraud takes place, Ferguson’s treasury department would immediately contact its relationship banks. If, for example, a payment fraud has been identified, the bank may be able to hold the payment until it is validated. Ferguson’s crisis team would also be immediately notified.
The specialist crisis support team is enlisted to handle all communication to the public, customers, employees and business partners. A rapid response approach regarding expert outreach limits financial losses and helps to protect their reputation.
Two-factor authentication on all payments approved using a smartphone is a huge improvement.
100% visibility of all the group’s bank accounts.
Whitelisting of IP addresses – the ability to control users accessing the system.
Email alerts sent to various stakeholders informing them of any actions conducted in the system (authorised or unauthorised).