Cyber risks have been exacerbated by the pandemic, while criminals continue to become more sophisticated. But it’s not always clear what role treasurers should play in managing this type of risk. So what should treasurers be doing to protect their organisations from cybercrime?
There’s no question that cyber risk remains a major threat to organisations. And it’s also clear that the disruption brought by the COVID-19 crisis has exacerbated the risks: 81% of executives polled in the EY Global Information Security Survey said that the pandemic had forced their organisations to bypass cyber-security processes.
As cyber-criminals become increasingly sophisticated, the cyber threat continues to grow. However, it is not always clear what responsibility treasurers have for managing this type of risk. So what are the most significant cyber threats companies are facing today – and what measures can treasurers take to protect their organisations effectively?
Cybercriminals continue to be adept at evolving rapidly and exploiting new vulnerabilities when they arise, so it’s important to understand the latest threats. Here are some of the latest threats and trends.
While ransomware continues to be a problem, the threat has been exacerbated by criminals who are combining it with extortion, explains Joseph Krull, a Senior Analyst at Aite-Novarica Group who specialises in cybersecurity, privacy and IT risk. “What they’ll do is steal data – and then they’ll lock the computers and threaten the company that if they don’t pay the ransom, they will make public the data they have stolen,” he says. In addition, he says, ransomware organisations have become increasingly sophisticated: “Instead of doing the attacks themselves, they’ve licensed their tools to others through an affiliate programme – and then they take a share of the ransoms as payment.”
As Bank of America’s Cyber Security Journal notes, “There’s a very simple reason that ransomware is proliferating so fast: it often works, because victims face a ticking clock and severe impacts on business operations. For businesses of all sizes, the integrity of and access to data is crucial to operations, and many fear the negative impacts on brand and reputation should a data breach become public.”
What’s more, says Krull, when cyber-criminals break into an organisation, they will look for key data, such as whether the company has cyber insurance, and how much the payoff would be in the event of a breach. “So when they ask for a ransom, they already know what a company can afford.” In addition, he says, insurance providers are increasingly taking on the role of negotiating ransom on behalf of their clients in order to reduce the size of the pay out.
However, paying the ransom has the potential to create a different set of problems. “The US Treasury Department has said that if they can prove you have made payments to anyone that’s on the economic sanctions list, you can be subject to penalties,” says Krull. “So the Treasury is now examining who people are paying ransoms to, and if companies are paying someone on that list they are going to face additional sanctions, or even hold the executives responsible.”
Also of concern is the risk of a supply chain attack – such as the high-profile SolarWinds attack, in which malicious code was added to the company’s network management product. Consequently, 18,000 of the company’s clients became vulnerable to attack after installing software updates, with victims including the Pentagon, Microsoft and the US Treasury Department.
More recently, IT solutions developer Kaseya was the victim of a supply chain ransomware attack, in which managed service providers (MSPs) using the software were targeted, together with their clients. In total, as many as 1,500 organisations around the world were affected by the attack. As Krull notes, “What we learned was that the supply chain is still going to be under attack, and will be used as a way to find the path of least resistance into an organisation.”
As the pandemic escalated in 2020, fraudsters quickly began exploiting the crisis with new scams – including malicious domains exploiting people searching for information about the pandemic. Other examples included PPE-related scams, as well as instances of criminals posing as contact tracers and asking victims for their identity information and credit card details.
More recently, Krull says there has been a move away from COVID-related scams. “Frankly, people are becoming much more suspicious about these things. But there have been some really clever campaigns – such as using well-crafted messages that look like a DocuSign message to get people to download malware.”
Another impact of the pandemic is the rise of remote working – and, more recently, hybrid working arrangements. “There are people coming into the office, and those that either refuse to come into the office or have got used to working remotely and have asked their employers for an exception for returning to the office,” says Krull. “So now organisations have to provide defences for both onsite and remote workers, which becomes a bit complicated.”
Where treasury is concerned, many companies have adapted smoothly to the different working conditions adopted in response to the pandemic. Paul Bramwell, Principal & Founder at Treasury Tech Advisory, notes that the move to working from home has worked remarkably well, with the vast majority of companies having technology in place to facilitate remote working. “Effectively, companies enacted their business continuity plan, which became more of a BAU operating model,” he observes. “Companies have evolved to the new normal by ensuring they have strengthened their IT and data security configurations to ensure remote workers only use a firm’s own VPN, that all multi-factor options are enabled, and increased use of IP whitelisting.”
As Bramwell points out, companies that had already moved to a modern treasury and payment platform ahead of the pandemic were better placed than those that hadn’t, “and were already in a great place to have staff working from home.”
“From my perspective, COVID has simply acted to shine a light on the importance of good treasury processes, underpinned by good treasury systems,” adds Carl Sharman, Head of Treasury Technology Advisory at Deloitte. “When it comes to security, there should be no difference between logging on and making transactions from your office, your home, or anywhere else on the planet.”
As the threats continue to evolve, another notable development in the world of cybersecurity is the increasing focus on the concept of zero trust. “More and more organisations have embraced cloud computing,” explains Krull. “The idea is that instead of having to go through a firewall or a VPN, they’ll go straight to the data and authenticate themselves to every data source, application or asset that they want to interact with. It’s a much simpler way of doing it – but it’s a real challenge for a Chief Information Security Officer to build that kind of infrastructure.”
So what should companies be doing to protect themselves from the cyber threat in today’s landscape? “If I were a Chief Information Security Officer right now, I would probably go back to basics and review how many of the tools I’m currently paying maintenance fees for are still effective,” says Krull. “For any that aren’t, I would get rid of them and replace them with something more modern.
“I would probably look for additional automation, so that I don’t need a lot of people to do things manually. I would look at reducing the number of third parties that can come into the network. And if I bought custom software, I would check it extensively before allowing it to be on the network.”
He adds that while these measures aren’t enough to prevent a company from being breached, they can make it that much harder for an attacker to get in. “As others have said, the organisation has to be right 100% of the time – but the attacker only needs to be right once to be able to breach the organisation. It’s all about resilience today: how can I limit the impact? And how quickly can I restore business operations?”
For treasurers, Bramwell highlights the importance of having a clearly understood and documented manual that is regularly updated and tested. “This should be done alongside internal (and even external) auditors to make sure any potential risks from fraud or cyber threat are effectively stymied,” he says. “Compensating controls can be put in place in the event of system deficiencies, but it is paramount that everything is thoroughly tested.”
In addition, he points out treasurers may face challenges when it comes to making sure staff do not circumvent internal policies and procedures – for example, by writing passwords in ‘hidden’ places, such as the bottom of the laptop. “Security controls such as dual factor and tokens (both virtual and physical) also seem burdensome, and appear to make operations clunky,” he adds. “A treasurer needs to make sure all staff are aware of why such controls exist, and why they absolutely cannot be circumvented.”
It’s also important to understand the implications of cyber threats for the treasury’s technology infrastructure. As Bramwell explains, “Technology vendors are acutely aware of the threats and risks, and routinely test their environments and software for vulnerabilities that could be exploited by groups with nefarious intentions. Threats are often controllable within the treasurer’s team, but oftentimes remain under the control of the organisation’s technology team and the vendor.”
Where vendors are concerned, Bramwell notes that treasurers are increasingly outsourcing a significant component of potential cyber issues to their vendors. “The best vendors will produce regular documentation, unqualified and timely, demonstrating the security of their systems, process and hosting environments,” he says. “These are performed by third parties specialising in cyber security, processes and controls, and provide a significant level of comfort that moving to SaaS/cloud does not expose your company to undue levels of risk.’’
As such, Bramwell says treasurers need to ensure their solution vendors go through regular testing for their own controls. “These morphed over the years from SAS70 to SSAE audit resulting in SOC certifications. This cannot be overstated – any qualifications to SOC reports should be taken very seriously,” he says.
Deloitte’s Sharman argues that treasury should be employed as part of an end-to-end process, as a facilitator for good practice, rather than as a solution itself. “However, treasurers should determine how their organisation needs to operate before selecting the technology that is the best fit and adopting its capabilities – there will still be design elements and rules of the road for employee engagement,” he says. “Security, user experience and quality of output – not cost – should be the core decision drivers.”
A further obstacle when it comes to managing cyber risk is that the responsibilities of the treasury are not always straightforward. “I think the challenge is that for many treasurers, it isn’t clear where responsibility for fraudulent payments actually lies,” says David Stebbings, Director, Head of Treasury Advisory at PwC.
Corporate attitudes towards responsibility for cybersecurity could change in the future, however. In the UK, measures set out in a consultation by the Department for Business, Energy and Industrial Strategy (BEIS) earlier this year could result in directors having to attest to the effectiveness of their controls. The proposed measures, which have been compared to the US Sarbanes-Oxley Act, could change the way in which treasures think about operational risk in the future.
Cyber-criminals are nothing if not opportunistic. It’s essential that companies continuously work to protect themselves from cyber-attacks – and, just as importantly, have a plan in place to recover from any attacks that do take place. And while cyber-security is not always seen as a core responsibility for the treasurer, this could change in the future – so treasurers should make sure they are prepared.
George Dessing, SVP Treasury & Risk at Wolters Kluwer, says cyber-security “is top of mind for our customers, who rely on us to deliver our platforms and services safely and reliably, while safeguarding their data. We are committed to cyber-security and resilience, with our customers’ success at the centre of everything we do.”
Dessing adds that treasurers have an important role to play when it comes to managing cyber-security risks and maintaining related resiliency. “Hackers and other criminals are taking advantage of the current worldwide volatile situation, and their fraud schemes are increasingly more sophisticated,” he says. “We remind all employees on a regular basis who are involved in any type of financial transactions, that we need to remain extra vigilant with communications received during this time of crisis – whether by text, phone or email.”
Dessing adds that fraudsters that carry out ‘engineering’ of the company can put together names and titles, and are able to make requests look genuine. “So, we ask everybody – ‘be vigilant, develop sharp reflexes and use common sense’.”
In addition, he says wolters kluwer has adopted the national institute of standards and technology cyber security framework (nist-csf) “to expand the maturity-based model of our cybersecurity programme into a risk-based model.”
Identification – such as guiding risk management strategy and participating in related governance structures internally.
Protection – eg holding regular training and anti-fraud ‘lunch and learn’ sessions to encourage shared stories about the latest attempts, and ask whether home offices are cyber secure. “As a result, we implemented a mobile device management solution to protect our mobile devices, and are actively implementing multi factor authentication,” says dessing.
Detection – examples include technical and human controls including segregation of duties, as well as common sense checks such as call-back procedures to detect potential fraud early. Risk-based internal audits and fraud assessment activities are also used to mitigate risk.
Response – “irrespective of incident type, it is important to carefully assess, track, recover and improve from financial impacts, not if but when incidents occur,” says dessing. “Employees (and our vendors) are encouraged to ‘pause for cause’ and report suspected activities including fraud via appropriate channels.”
Dessing says forward-thinking treasurers have a part to play in weaving anti-fraud protections into vendor management, payment card and banking practices. “To guard against fraud and cyber risks, it is not enough to have procedures, tools and controls,” he adds. “It is very important to keep your employees informed and trained so they can detect and counter fraud attempts and cyberattacks. As we know, in almost all cases fraudsters take advantage of human weakness.”