Treasurers may not always see cyber risk as a key focus – but new rules recently proposed in the UK, which bear some similarities to the US Sarbanes-Oxley regime, could lead to a step change in the way controls are designed, implemented and embedded.

Cyber risk continues to be a major concern for organisations, not least because criminal activity has increased during the pandemic. A report by INTERPOL in August 2020 noted that cybercriminals were shifting their targets from individuals and small businesses to major corporations, governments and critical infrastructure – and with the rise of remote working, “criminals are taking advantage of the increased security vulnerabilities arising from remote working to steal data, generate profits and cause disruption.” But where corporate treasurers are concerned, it is not always clear who within the organisation is responsible for managing cyber risk. And this, in turn, can mean that it is not always seen as a top priority.

David Stebbings, Director, Head of Treasury Advisory at PwC, says the firm’s 2021 Global Treasury Benchmark report will show that whilst cyber risk is a concern in general for treasury respondents, CEOs and CFOs regard cyber risk as a much more pressing issue. “That’s probably because they’re looking at slightly different things,” he says. “Whereas CEOs are concerned about broader risks including risks to customer data, treasurers are specifically looking at payments”.

He adds: “In addition, I think the challenge is that for many treasurers, it isn’t clear where responsibility for fraudulent payments actually lies. Commercial payments may not be the day-to-day responsibility of the treasurer, although high value payments almost certainly will be – and what is the role of the internal IT team who manage the underlying systems? Additionally, many treasury technology tools are now hosted by vendors and the treasurer may feel they have passed on certain responsibilities to the third party, although in practice it is doubtful as to how much risk they actually accept.”

Another issue, says Stebbings, is that cybercrime may only move to a top priority when there are fresh memories of a recent high profile fraud attack – such as the 2016 Bank of Bangladesh incident, in which hackers stole US$81m and came close to obtaining US$1bn. “Some people perhaps do not focus on this risk until something happens,” Stebbings adds.

Attesting to controls

Moving forward, however, the prospect of new regulation could mean that treasurers need to become more focused on cyber risk and their control environment more generally. The recent BEIS consultation on corporate governance and audit reform sets out the need for a strengthened internal controls regime in the UK, and it is looking likely that the directors will be required to make an explicit public statement on the effectiveness of their organisation’s Internal Control over Financial Reporting (ICFR) from 2024.

Although at this stage the exact requirements are uncertain, it is possible the UK regime will bear some similarities to the US Sarbanes-Oxley (SOX) regime. The proposed new rules could therefore mean a step change in the way controls are designed, implemented and embedded around treasury in general and payments in particular. “So it’s all about access to and management of systems and the interfaces between them, segregation of duties, having appropriately defined processes and controls and a recognition of the level of operational risk,” says Stebbings.

As such, he argues that the proposals, if adopted, “could change the way in which treasurers in the UK approach this topic in future.”