Unbounded by geography, cyber-risk is a concern for companies across the globe. But raising awareness isn’t necessarily the most pressing issue, as numerous reports have shown that corporates understand the threat. Now the priority is pushing forward the development of effective partnerships and frameworks to anticipate and respond to cyber-threats. Treasury Today looks at the treasurer’s role in arming against the risks, and provides advice from experts around the world.
Business continuity and disaster recovery in a digital world
Instances of cyber-attacks have been well reported in recent years. To name just two: four million UK customers’ banking details and personal information could have been accessed when TalkTalk’s website was breached in October 2015, and the release of private internal correspondence from Sony Pictures by politically motivated hackers led the company to set aside $15m to investigate and remediate the damage.
According to Allianz’s annual Risk Barometer – which surveys 500 risk managers and corporate insurance experts from more than 40 countries – cybercrime, IT failures, espionage and data breaches was 2015’s highest climbing category and ranked fifth overall.
While cyber-risk featured on the risk registers of almost 75% of firms from a similar report (Marsh’s UK 2015 Cyber-risk Survey Report), senior-level engagement was worryingly low. Corporate directors were primarily responsible for cyber-risks in less than one fifth (19.4%) of the organisations surveyed, while IT departments oversaw management of the risk in more than half (55.5%). But cyber-risk doesn’t just threaten IT. For instance, in May 2015, cyber-crooks allegedly used sophisticated ‘Dyre Wolf’ malware to insert fraudulent requests in Ryanair’s payments system and made off with a six figure sum. They were targeting corporate bank accounts and the end result must surely be every treasurer’s worst nightmare.
Recent research from market analysts Juniper Research estimates that the cost of cyber-attacks will rise to approximately $2trn by 2019, a fourfold increase on the estimated cost of breaches in 2015. And another recent survey, conducted by the Association of Corporate Treasurers (ACT) and Kyriba, found the risk of fraud, including cyber-fraud, continues to increase. The survey reports a 20% increase in 2016 from the previous year in the number of companies having been the target of attempted fraud.
The vast financial risk implications, the loss of intellectual property and competitive advantage, reputational damage, loss of trust and, for some individuals, loss of employment: the true cost of cybercrime is enormous. It’s time to get all departments involved.
There are weak points in any organisation which increase the risk of a successful cyber-attack – flaws in software functionality and user error, for instance. Employees are a common source of weakness: weak or reused passwords, laptops left unattended, being tricked into disclosing a password or installing malware. Even a department with the most advanced controls and well-secured data can be exposed if an employee takes an unmanaged device home or talks openly about those controls in public.
Whilst a company has no control over the capabilities or motivations of cyber-criminals, the point is that employees can make defence of the company harder. Recent years have demonstrated the sheer number of different cyber-threats to be aware of – and secure against. A good starting point is understanding the distinctions. Here are a few threats to ponder:
Malware. A variety of hostile or intrusive software – spyware, trojan horses and computer viruses, for example.
Phishing. Sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website. These attacks are becoming increasingly personalised and targeted, which is called spear-phishing.
Waterholing. Setting up a fake website or compromising a legitimate one in order to exploit visiting users.
Stealing of confidential data/information. Obtaining access credentials, or planting malware, in order to reach and exfiltrate sensitive data.
Distributed denial of service (DDoS) attacks. Flooding a server or connection with requests until all capacity is consumed, leaving none for legitimate use.
Ransomware. A form of malware that encrypts all files it can access, making them inaccessible until decrypted. Functionality is returned to normal only after a ransom (monetary or political action) is paid, and even then recovery is not guaranteed, which is why tested offline backups are the primary defence.
Cyber-subverting the supply chain. Attacking equipment or software before it is delivered to the organisation.
Advanced persistent threats. Multi-layered and multi-stage cyber-attacks that can stay in a system for years without being detected.
Every organisation is a potential victim. Attackers often randomly target as many devices, services or users as they possibly can; after all, when the stakes are so high, even a very low percentage success rate can cause significant damage. Alternatively, they may choose to single an organisation out. In these cases, they could spend months doing the groundwork to tailor attacks to that company’s systems and processes, exploiting specific vulnerabilities.
In order to align treasury procedures with effective security standards, check that the following fundamental procedures are in place:
Do you have a security programme in place, either with treasury’s own IT department or a provider?
Are they working to ensure the correct security frameworks are in place for defining policies, procedures and controls?
Have you engaged with all relevant security teams (your company’s and any providers)?
Are they proactively minimising threats posed by cyber-criminality?
Are regular audits and tests being carried out?
Is the department aware of the latest security technologies and continually updating security procedures to maintain effectiveness?
When changing legacy technologies, are security measures being adapted to integrate new solutions (mobile devices, for example)?
Should the worst happen do you have a business continuity plan in place?
According to a 2015 whitepaper produced by the UK government, titled ‘Common cyber-attacks: reducing the impact’, the main groups of potential attackers are:
Cyber-criminals interested in making money through fraud or from the sale of valuable information.
Industrial competitors and foreign intelligence services, interested in gaining an economic advantage for their companies or countries.
Hackers who find interfering with computer systems an enjoyable challenge.
Hacktivists who wish to attack companies for political or ideological motives.
Employees, or those who have legitimate access, either by accidental or deliberate misuse.
Against this backdrop, CESG, the National Technical Authority for Information Assurance within the UK (since absorbed into the National Cyber Security Centre), recommends frequent reviewing of your organisation’s overall cyber-security strategy, and the following nine specific areas, in order to protect your business:
User education and awareness. Companies should provide user security policies covering the acceptable and secure use of all systems. Part of maintaining user awareness is establishing a staff training programme. Security relies heavily on staff vigilance; by ensuring employees use systems, websites and apps responsibly, and can spot the signs of malicious attachments or links, the business can mitigate risks somewhat.
Home and mobile working. Similarly, a policy for mobile working is needed to protect data in transit and at rest outside the office. A user’s entitlements on a mobile device should be governed by the same policy as access from a desktop, not relaxed for convenience, and for sensitive functions such as payment approval may reasonably be tighter.
Managing user privileges. Processes for managing all user accounts should be established, with access granted on a least-privilege basis. CESG advises that the number and use of privileged accounts should be limited and their activity monitored.
Secure configuration. A hardened baseline build should be defined for all IT systems and maintained, with security patches applied promptly so that the configuration stays secure over time.
Removable media controls. Companies may use various types of removable media (CDs and USB drives, for example) and whilst these should be limited, a policy is necessary to control the remaining access. CESG also advises scanning all media for malware before importing it onto company systems.
Incident management. Incident response and disaster recovery capability needs to be established. Please see disaster recovery section below for more advice.
Monitoring. A strategy, and the capability, for monitoring all systems and networks is necessary: log activity continuously and analyse it for anything unusual that could indicate an attack in progress.
Malware protection. Relevant policies and anti-malware defences should be established that are applicable for all business areas.
Network security. Managing the company’s network perimeter helps protect against internal and external attacks, as unauthorised access attempts and malicious content can be filtered out. It is important that security controls are frequently tested.
The above points provide a solid foundation, but treasury has some specific concerns. Payments, for instance, should be treated with extra care – especially when made on-the-go using mobile devices. For some professionals, the payment approval process on mobile should be limited to low-value general office expenses. Others are more open to the convenience and flexibility that using mobile devices to approve or make payments remotely offers – provided the security is there. And rightly so. Corporates are dealing with transactions of significant value so a lot of reassurances with respect to security are required. The result: developments aimed at corporates are inevitably, albeit appropriately, slower.
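As an added illustration of the payment controls discussed above (this is example code written for this page, not Treasury Today’s or any bank’s or vendor’s system), the script below applies a release policy to a batch of payments: mobile approval is restricted to low-value general office expenses, large payments need two distinct approvers, and every beneficiary’s bank details are compared against a record vetted out-of-band, which is the check that catches a fraudulent request inserted into the payments workflow. The thresholds, categories, beneficiary master data and sample payments are all constructed assumptions.

```python
# Added example, not Treasury Today's or any bank's code. Thresholds, categories,
# beneficiary master data and the sample batch below are constructed assumptions.
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy: mobile approval only for low-value general office expenses,
# and two distinct approvers ("four eyes") above a value threshold.
MOBILE_LIMIT = Decimal("500")
DUAL_APPROVAL_FROM = Decimal("10000")
OFFICE_EXPENSE_CATEGORIES = {"office_supplies", "travel", "subscriptions"}

# Constructed master data: beneficiary -> account verified out-of-band
# (e.g. by call-back to a known phone number). Comparing every payment
# against this record is what catches altered bank details.
VETTED_BENEFICIARIES = {
    "Acme Stationery Ltd": "GB00TEST00000000000001",
    "Northwind Logistics": "GB00TEST00000000000002",
}


@dataclass(frozen=True)
class Payment:
    ref: str
    amount: Decimal
    category: str
    channel: str                 # "desktop" or "mobile"
    beneficiary: str
    account: str
    approvers: tuple[str, ...]   # user IDs who approved the payment


def check_payment(p: Payment) -> list[str]:
    """Return the list of policy violations; an empty list means the payment may be released."""
    findings = []

    vetted = VETTED_BENEFICIARIES.get(p.beneficiary)
    if vetted is None:
        findings.append("unknown beneficiary: verify bank details by call-back before release")
    elif vetted != p.account:
        findings.append("account differs from vetted record: possible fraudulent payment request")

    if p.channel == "mobile":
        if p.category not in OFFICE_EXPENSE_CATEGORIES:
            findings.append("mobile approval restricted to general office expenses")
        if p.amount > MOBILE_LIMIT:
            findings.append(f"mobile approval limit of {MOBILE_LIMIT} exceeded")

    # set() collapses the same approver appearing twice, so self-approval twice over does not count
    if p.amount >= DUAL_APPROVAL_FROM and len(set(p.approvers)) < 2:
        findings.append("two distinct approvers required above the four-eyes threshold")

    return findings


def release_decisions(payments) -> dict[str, str]:
    """Map each payment reference to 'release' or 'hold'."""
    return {p.ref: ("hold" if check_payment(p) else "release") for p in payments}


# Constructed sample batch: one clean payment, one mobile approval over the limit,
# one with altered bank details, and one large payment approved by a single person.
SAMPLE_BATCH = [
    Payment("P1", Decimal("120"), "office_supplies", "mobile", "Acme Stationery Ltd",
            "GB00TEST00000000000001", ("alice",)),
    Payment("P2", Decimal("4800"), "office_supplies", "mobile", "Acme Stationery Ltd",
            "GB00TEST00000000000001", ("alice",)),
    Payment("P3", Decimal("250000"), "supplier_invoice", "desktop", "Northwind Logistics",
            "GB00TEST00000000000099", ("alice", "bob")),
    Payment("P4", Decimal("15000"), "supplier_invoice", "desktop", "Northwind Logistics",
            "GB00TEST00000000000002", ("alice", "alice")),
]

if __name__ == "__main__":
    for ref, decision in release_decisions(SAMPLE_BATCH).items():
        print(ref, decision, check_payment(next(p for p in SAMPLE_BATCH if p.ref == ref)))
```

The decision is deliberately "hold" rather than "reject": a held payment goes back to a human who verifies the beneficiary by an independent channel, which is the step an attacker who has inserted a request into the workflow cannot influence.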
Persuading treasurers to become avid mobile users could take a while but as technology matures, processing power increases, and data integration deepens (and as the so-called ‘digital native’ generations – those who have been brought up with this technology – assume control), the value for corporates will increase. The true added-value, however, will always come from the skilled corporate treasurer. Ultimately, it is up to them to decide whether and how mobile channels will influence their strategic decision-making going forward.
As cyber-security has become an ever-pressing issue for corporate treasurers over the years, Treasury Today has spoken to numerous industry experts. Here are some of the key things they have had to say:
“It is important to identify that cyber-security isn’t about having an inward-looking approach and believing you are safe. The most effective departments are those who understand that it is a collective responsibility. The most ineffective are those who believe that it is just an IT issue and their responsibility to clean up. The key therefore is to be able to harmonise people, processes and technology and if this can be achieved there is a much greater chance of protecting the treasury department and the organisation.”
“Cyber-criminals do not discriminate by company size, location or industry sector, as long as a profit can be made. Cyber-criminals will attack the weakest in the herd, so ignorance of threats actually makes you increasingly likely to be attacked.
Cybercrime is also becoming increasingly professional and globalised, and the scope and sophistication of attacks should not be underestimated. Treasury departments should therefore be aware that an attack may stem from any corner of the world and in many cases may be disguised as legitimate business dealings. Furthermore, overseas associates may not have adequate controls in place, which can leave your company exposed to attacks.”
John Salter, Managing Director, Global Corporate and Financial Institutions, Client Coverage/Origination, GTB, Lloyds
“Clearly, there is a place for spending on specialist technical security advice and software. However, one must not see that technical element as a panacea. Instead, and perhaps somewhat counterintuitively, it is the human element that is crucial. Again, a cross-functional approach is required.”
“For treasurers, it is important to keep up-to-date with trends in the cyber-attack landscape to know what to look out for – in particular the various social engineering techniques that may be used to trick someone into allowing a cyber-attack to propagate. This can be achieved by attending cyber-security training or information sharing events/groups. It is also important to identify the most critical or sensitive information/data/processes under one’s control and relay this information to IT departments so that cyber-security efforts can be prioritised. Lastly, treasurers should understand or encourage the development of internal cyber-security policies in their firm, for example clear reporting lines in the case of a cyber-attack.”
With the cybercrime wave reaching tsunami-like proportions, more treasurers are turning to banking partners for help. And, for the banks, security is increasingly the selling factor for the products they offer. One of the key findings from a recent survey published by BNP Paribas (BNPP) and the Boston Consulting Group, is that what is important for corporate treasurers today is not product enhancements but solutions that are dependable and, above all, secure in the face of a growing cyber-threat.
With transactional banking products becoming ever more commoditised, cyber-security may begin to evolve into a new area of competitive focus. Noting the mounting costs of cyber-attacks, banks like BNPP say clients will need all the help they can get in the coming years.
“This is definitely an area in which banks have an opportunity to develop a true commercial offering,” Jacques Levet, Head of Transaction Banking for Europe, Middle-East & Africa at BNPP told Treasury Today. “But they need to develop solutions that will deliver real added-value for their clients and that could help them differentiate from competition.”
Levet believes banks could help in several different ways. “What corporates suggested in the survey is that banks could for instance provide some form of external certification on the robustness of a treasury’s internal control procedures and IT infrastructure,” he says. “Because of their recognised expertise in this field, banks are indeed seen as potentially preferred providers of such security services as transaction and network traffic monitoring mechanisms as well as staff training.”
BNPP’s survey notes that treasurers see their banking providers as the ‘gold standard’ in IT security, given the requirements they must adhere to in their own operations. Such is the level of regard that many of those surveyed signalled they would look favourably on banks that proactively share their expertise and internal best practices. Some of the surveyed treasurers are quoted as saying they would be more than happy to pay for such services too.
Of course, it’s not just cyber-attacks that corporate systems and processes face – there are innumerable threats to the status quo. These must be managed as far as possible to avoid turning a threat into a disaster. Risk mitigation in this context is no mean feat.
You may believe that you have the most secure and dependable technology known to treasury-kind but the fact is, there are no infallible systems on the market. Should the worst happen, those who are prepared will obviously fare the best. For treasurers, the key questions that should be asked are: ‘are you aware of the risks, and will you be ready to deal with the outcome?’
There will be a number of immediate concerns to tackle and the absolute prerequisite is “to avoid, under every circumstance, panic and uncontrolled action”, warns Thomas Stahr, Managing Partner of Stahr Treasury Consulting and a senior treasurer of many years’ experience. This is where robust planning comes into force. In practical terms, the first task is to convene an emergency meeting with the most senior responsible personnel. “Designate an immediate task-force, ensure clear definition of tasks and responsibilities and enlarge it where appropriate and necessary,” he advises. This and all subsequent direction should form part of the business continuity plan (BCP).
Of course, as a general guide to maintaining treasury operations under emergency conditions, a BCP – which should also include a disaster recovery (DR) plan – is an essential tool for any business. This should be clearly documented, easily accessible and regularly tested. A BCP should cover likely emergency scenarios and provide the broad means of keeping critical business functions running following such an event. It will include input from multiple functions and cover the direction of people, locations and technology. The role of DR is that of a subset of BCP and is typically an IT-driven set of procedures that focus on the recovery of software, hardware and data.
A number of key BCP elements are noted by Michael Baum, Senior Manager, KPMG, in his December 2015 Insight piece in KPMG’s Corporate Treasury News. There are two determining factors that are the guiding principles for the generation of a treasury-specific BCP, he writes: availability and efficiency. The key enquiry when devising an approach to availability is to pinpoint the maximum tolerable period of disruption, that is, how long any given process can be forgone.
Importantly, identifying critical processes must primarily be the responsibility of treasury: all other steps – in particular IT technical steps – must be based on the outcome of this analysis. “Issues of possible threats, risk mitigation and security needs, particularly for time-sensitive treasury processes, logically lead to greater investment needs to protect availability,” suggests Baum. “This is where the second guiding factor comes into play: the efficiency of requirements needs to be ascertained to achieve the best possible balance between investment and risk tolerance.” In short, he contends that an exercise in prioritisation is essential not just for operational needs but in terms of economic effectiveness too.
Cloud solutions are one such cost-effective offering. Cloud services require no up-front capital expenditure, and their providers typically invest in security at a level few corporates could match on their own. Security in the cloud is a shared responsibility, though: the provider secures the platform, but configuring who can access the corporate’s data, and how, remains the customer’s job.
Before cloud-based solutions were available, corporates wanting to protect their systems against disaster typically had to maintain a secondary recovery centre of their own, or contract an external provider to make a physical recovery centre available. The cloud allows companies to keep their backed-up data in several different locations and offers the benefits of both reduced cost and reduced recovery time compared with some traditional solutions.
A certain amount of corporate wariness is to be expected though and selecting a trusted provider is important. Treasurers should ask providers how they back up their own data, so that if the company and the provider are both hit by a disaster, the recovery solutions are still available. Choosing a provider with secondary locations supporting its primary cloud data centre is key here.
According to DisasterRecovery.org, an independent organisation that provides guidance and information on disaster recovery, a plan must include the following stages:
A policy statement, stating the goal of the plan, the reasons for it and the resources required.
A risk assessment, identifying the situations that are most likely to occur.
A business impact analysis, describing how a catastrophic event may impact the business practically, financially and in other ways. It should also try to identify any preventive steps that can be taken.
Recovery strategies, explaining what needs to be recovered, how, and with what priority and speed.
The plan development stage, documenting the plan and implementing its elements as required.
Plan buy-in and testing, essential to ensure everyone knows and understands what the BC/DR plan is, what to do and when.
Plan maintenance, with periodic re-testing, to ensure the plan remains relevant and still works as the business and its systems change.
Whilst third-party system vendors should be included in any BC/DR planning process to ensure they have the capacity to deliver when they are needed most, they should not be seen as a ‘get out of jail free’ card. Asking the right questions of them is an essential part of taking responsibility for DR/BC planning. Key points to raise (and include in any Service Level Agreement) include: how long it will take to recover operations following an event (the Recovery Time Objective), how much data could potentially be lost (the Recovery Point Objective) and the reliability (proven up-time) of the platform. For cloud providers specifically, the following questions should also be put:
What type of availability/isolation can the user expect within the cloud pre- and post-migration?
Where will the business data be located – and how easily can it be accessed?
How is the corporate’s information protected from user abuse?
How is the security of this data managed – and by whom?
In what way, and to what extent, are activities within the cloud monitored and audited?
How will the cloud provider ensure that no one has tampered with the corporate’s data?
How is the entire cloud platform protected from hacking threats?
What are the provider’s disaster recovery capabilities?
What type of certification or assurances can the cloud provider show?
The defenders: cyber-security and disaster recovery