Instances of cyber-attacks have been well reported in recent years. Four million UK customers’ banking details and personal information could have been accessed as a result of TalkTalk’s website being breached in October 2015 and the release of private internal correspondence from Sony Pictures by politically motivated hackers resulted in the company setting aside $15m to investigate and remediate the damage, to name just two.

According to Allianz’s annual Risk Barometer – which surveys 500 risk managers and corporate insurance experts from more than 40 countries – cybercrime, IT failures, espionage and data breaches was 2015’s highest climbing category and ranked fifth overall.

While cyber-risk featured on the risk registers of almost 75% of firms from a similar report (Marsh’s UK 2015 Cyber-risk Survey Report), senior-level engagement was worryingly low. Corporate directors were primarily responsible for cyber-risks in less than one fifth (19.4%) of the organisations surveyed, while IT departments oversaw management of the risk in more than half (55.5%). But cyber-risk doesn’t just threaten IT. For instance, in May 2015, cyber-crooks allegedly used sophisticated ‘Dyre Wolf’ malware to insert fraudulent requests in Ryanair’s payments system and made off with a six figure sum. They were targeting corporate bank accounts and the end result must surely be every treasurer’s worst nightmare.

Recent research from market analysts Juniper Research estimates that the cost of cyber-attacks will rise to approximately $2trn by 2019, a four time increase on the cost of breaches in 2015. And another recent survey, conducted by the Association of Corporate Treasurers (ACT) and Kyriba, found the risk of fraud, including cyber-fraud, continues to increase. The survey reports a 20% increase in 2016 from the previous year in the number of companies having been the target of attempted fraud.

The vast financial risk implications, the loss of intellectual property and competitive advantage, reputational damage, loss of trust and, for some individuals, loss of employment: the true cost of cybercrime is enormous. It’s time to get all departments involved.

Whilst a company has no control over the capabilities or motivations of cyber-criminals, the point is that employees can make defence of the company harder. Recent years have demonstrated the sheer number of different cyber-threats to be aware of – and secure against. A good starting point is understanding the distinctions. Here are a few threats to ponder:

• Malware. A variety of hostile or intrusive software – spyware, trojan horses and computer viruses, for example.
• Phishing. Sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website. These attacks are becoming increasingly personalised and targeted, which is called spear-phishing.
• Waterholing. Setting up a fake website or compromising a legitimate one in order to exploit visiting users.
• Stealing of confidential data/information. Obtaining access credentials and dispatching a virus.
• Distributed denial of service (DDoS) attacks. Flooding a server or connection with information requests using all capacity, leaving none for the intended use.
• Ransomware. A form of malware that encrypts all files it can access, making them inaccessible until decrypted. Functionality is returned to normal only after a ransom (monetary or political action) is paid.
• Cyber-subverting the supply chain. Attacking equipment of software being delivered to the organisation.
• Advanced persistent threats. Multi-layered and multi-stage cyber-attacks that can stay in a system for years without being detected.

Every organisation is a potential victim. Attackers often randomly target as many devices, services or users as they possibly can; after all, when the stakes are so high, even a very low percentage success rate can cause significant damage. Alternatively, they may choose to single an organisation out. In these cases, they could spend months doing the groundwork to tailor attacks to that company’s systems and processes, exploiting specific vulnerabilities.

Of course, as a general guide to maintaining treasury operations under emergency conditions, a BCP – which should also include a disaster recovery (DR) plan – is an essential tool for any business. This should be clearly documented, easily accessible and regularly tested. A BCP should cover likely emergency scenarios and provide the broad means of keeping critical business functions running following such an event. It will include input from multiple functions and cover the direction of people, locations and technology. The role of DR is that of a subset of BCP and is typically an IT-driven set of procedures that focus on the recovery of software, hardware and data.

A number of key BCP elements are noted by Michael Baum, Senior Manager, KPMG, in his December 2015 Insight piece in KPMG’s Corporate Treasury News. There are two determining factors that are the guiding principles for the generation of a treasury-specific BCP, he writes: availability and efficiency. The key enquiry when devising an approach to availability is to pinpoint the maximum tolerated period that any given process can be forgone.

Importantly, identifying critical processes must primarily be the responsibility of treasury: all other steps – in particular IT technical steps – must be based on the outcome of this analysis. “Issues of possible threats, risk mitigation and security needs, particularly for time-sensitive treasury processes, logically lead to greater investment needs to protect availability,” suggests Baum. “This is where the second guiding factor comes into play: the efficiency of requirements needs to be ascertained to achieve the best possible balance between investment and risk tolerance.” In short, he contends that an exercise in prioritisation is essential not just for operational needs but in terms of economic effectiveness too.

Consider the cloud

Cloud solutions are one such cost-effective offering. Cloud services require no up-front capital expenditure and their business models are typically based on the highest levels of security.

Before cloud-based solutions were available, corporates wanting to protect their systems against disaster typically had to maintain a secondary recovery centre of their own, or contract an external provider to make a physical recovery centre available. The cloud allows companies to keep their backed-up data in several different locations and offers the benefits of both reduced cost and reduced recovery time compared with some traditional solutions.

A certain amount of corporate wariness is to be expected though and selecting a trusted provider is important. Treasurers should ask providers how they back up their own data, so that if the company and the provider are both hit by a disaster, the recovery solutions are still available. Choosing a provider with secondary locations supporting its primary cloud data centre is key here.

According to DisasterRecovery.org, an independent organisation that provides guidance and information on disaster recovery, a plan must include the following stages:

• A policy statement, stating the goal of the plan, the reasons for it and the resources required.
• A risk assessment will identify the situations that are most likely to occur.
• A business impact analysis, describing how a catastrophic event may impact the business practically, financially and in other ways. It should also try to identify any preventive steps that can be taken.
• Recovery strategies must explain how and what needs to be recovered and with what priority/speed.
• The plan development stage will require documentation of the plan and implementation of elements as required.
• Plan buy-in and testing is essential to ensure everyone knows and understands what the BC/DR plan is, what to do and when.
• Plan maintenance and testing is important to ensure it is relevant and that it works.

Whilst third-party system vendors should be included in any BC/DR planning process to ensure they have the capacity to deliver when they are needed most, they should not be seen as a ‘get out of jail free’ card. Asking the right questions of them is an essential part of taking responsibility for DR/BC planning. Key points to raise (and include in any Service Level Agreement) would include: how long will it take to recover operations following an event (referred to as the Recovery Time Objective), how much data could potentially be lost (Recovery Point Objective) and the reliability (proven up-time) of the platform.