Risk Management

Cyber risk: how board buy-in and understanding key dependencies can beat the criminals

Published: Mar 2025

Security experts warn that cyberattacks are set to quadruple off the back of GenAI. Corporates can hit back against the criminals by collaborating with others, ensuring board ownership of the problem and thinking like their adversaries. Meanwhile, although most companies hit by ransomware pay up, payment rarely brings a full recovery.


Corporates should expect more cyberattacks from nation states leveraging AI to craft smarter scams, automate attacks and find security gaps. And because easy-to-use technology like GenAI has been democratised, more nation states will deploy cyberattacks, as will the criminal enterprises that seek to profit from cybercrime.

“Between 25-40 nation states currently leverage cyber as part of their national security operation. We expect to see this triple or quadruple, making cybercrime more complex and more sophisticated,” warns Sean Joyce, PwC’s Global & US Leader on Cybersecurity, Privacy and Regulatory Risk, who has advised on some of the most prolific cyber breaches and previously served as Deputy Director of the FBI. “These tools are available for everyone, and very ineffective guardrails exist right now,” he tells Treasury Today.

It’s a similar message from Rusty Clark, Head of Cybersecurity Intelligence at J.P. Morgan Chase & Co. “Gone are the days of poorly worded phishing emails. AI has significantly raised the bar for threat actors in general, enabling even relatively unsophisticated bad actors to craft convincing content that can be difficult to detect, even by well-trained eyes.”

It’s a salutary warning for firms already alert to ransomware that can paralyse computer systems unless a payment is made, to deepfake scams and to the constantly changing nature of cyber risk. In Asia, breakneck digitisation combined with often poorly defended banks and companies means the region is experiencing the sharpest increase in cyberattacks in the world. It is also where cyber criminals experiment with their latest ransomware before targeting richer countries with more sophisticated defences.

What should companies do?

The speed at which a company can recover from a cyberattack is directly linked to its knowledge of its key dependencies. Or, to put it another way, how the company makes money. From this, a firm can trace back to the software applications that support how it makes money (a website or customer service operation, for example), the data behind those applications, and where that data resides. “It is about understanding where those critical dependencies are and having the ability to back up so you can recover quickly,” says Joyce.
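The tracing exercise Joyce describes is easiest to reason about as a small dependency graph. The script below is an added illustration, not code from Treasury Today, PwC or any of the firms quoted: it walks from each revenue stream down to the applications and data stores behind it, then compares the slowest tested restore in that chain with the downtime the business says it can tolerate, flags stores whose restore has never been exercised, and lists the stores that several revenue streams share. The company, its systems, locations, revenue figures and restore times are all constructed for the example.

```python
"""Trace each revenue stream back to the applications and data stores it
depends on, then check whether the slowest tested restore in that chain
fits the downtime the business can tolerate.

Added illustration of the dependency-mapping step described in the article;
it is not code from Treasury Today, PwC or any firm quoted. The company,
its revenue streams, systems, locations and recovery figures below are
constructed for the example."""
from collections import deque

# Constructed map: revenue stream -> applications -> data stores.
REVENUE_STREAMS = {
    "online_sales": {"hourly_revenue": 50_000, "max_tolerable_downtime_h": 8,
                     "depends_on": ["web_shop", "payments"]},
    "call_centre_sales": {"hourly_revenue": 5_000, "max_tolerable_downtime_h": 24,
                          "depends_on": ["crm", "payments"]},
}
APPLICATIONS = {
    "web_shop": {"depends_on": ["catalogue_db", "order_db"]},
    "payments": {"depends_on": ["order_db", "psp_gateway"]},
    "crm": {"depends_on": ["customer_db"]},
}
# tested_restore_h is the restore time (hours) measured in the last restore
# test; None means a restore has never been exercised, so it is unknown.
DATA_STORES = {
    "catalogue_db": {"location": "eu-west-1",   "tested_restore_h": 2},
    "order_db":     {"location": "on-prem DC1", "tested_restore_h": 12},
    "customer_db":  {"location": "SaaS vendor", "tested_restore_h": None},
    "psp_gateway":  {"location": "third party", "tested_restore_h": 1},
}


def trace_dependencies(stream):
    """Breadth-first walk from a revenue stream down to its data stores."""
    apps, stores = set(), set()
    queue = deque(REVENUE_STREAMS[stream]["depends_on"])
    while queue:
        node = queue.popleft()
        if node in APPLICATIONS:
            if node not in apps:  # guard against shared apps and cycles
                apps.add(node)
                queue.extend(APPLICATIONS[node]["depends_on"])
        elif node in DATA_STORES:
            stores.add(node)
        else:
            raise KeyError(f"unknown dependency {node!r}")
    return apps, stores


def recovery_gap(stream):
    """Compare the chain's slowest tested restore with the stream's tolerance.

    Returns (effective_restore_h, gap_h, untested). A positive gap means the
    stream cannot be recovered within its tolerable downtime even if every
    backup restores as last tested; `untested` lists stores whose restore has
    never been exercised, so the real figure could be worse."""
    _, stores = trace_dependencies(stream)
    tested = [DATA_STORES[s]["tested_restore_h"] for s in stores
              if DATA_STORES[s]["tested_restore_h"] is not None]
    untested = sorted(s for s in stores if DATA_STORES[s]["tested_restore_h"] is None)
    effective = max(tested) if tested else None   # gated by the slowest store
    tolerance = REVENUE_STREAMS[stream]["max_tolerable_downtime_h"]
    gap = None if effective is None else effective - tolerance
    return effective, gap, untested


def shared_dependencies():
    """Data stores relied on by more than one revenue stream: the single
    points of failure whose loss disrupts several lines of business."""
    users = {}
    for stream in REVENUE_STREAMS:
        for store in trace_dependencies(stream)[1]:
            users.setdefault(store, set()).add(stream)
    return {s: sorted(u) for s, u in users.items() if len(u) > 1}


def exposure_report():
    """Rank streams by revenue lost if recovery takes as long as last tested."""
    rows = []
    for stream, meta in REVENUE_STREAMS.items():
        effective, gap, untested = recovery_gap(stream)
        revenue_at_risk = (effective or 0) * meta["hourly_revenue"]
        rows.append((stream, effective, gap, untested, revenue_at_risk))
    return sorted(rows, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for stream, eff, gap, untested, loss in exposure_report():
        print(f"{stream}: slowest tested restore {eff}h, gap {gap}h, "
              f"untested {untested}, revenue at risk ~{loss:,}")
    print("shared single points of failure:", shared_dependencies())
```

In the constructed data the on-premises order database is the store that gates recovery for both revenue streams: its 12-hour tested restore overshoots the 8-hour tolerance for online sales, and the customer database held by a SaaS vendor has never had a restore tested at all, which is the kind of third-party dependency the interviewees return to later in the piece.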

Another way to view risk is to understand which part of the market is most dependent on the goods or services the company sells. This may not align with what the organisation thinks is most important internally, warns Simon Viney, Cyber Security Critical National Infrastructure Lead at BAE Systems Digital Intelligence, whose remit covers cyber security across the UK’s critical national infrastructure, from telecoms to financial services.

“Something that is not financially material to an organisation is often fundamental to a wider supply chain or individual consumers,” he explains. “A company may be able to ‘last a week,’ but that doesn’t include the huge disruption to the market as a whole. Firms need to think outside the box and understand how they ensure they take a big picture approach if an attack happens. For example, it could mean passing some of the work to a competitor.”

Companies also need to quantify the risk of a cyberattack. Many firms still adopt a qualitative, woolly approach that labels cyber risk as high or low. Instead, they should understand the potential impact as a range of estimates, and use that range to show that the cyber budget is being spent effectively. “It can be challenging for an organisation to regularly demonstrate its value, especially when a significant part of its mission involves taking preventative measures to avert potential incidents,” says Clark.
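One way to replace a “high/low” label with a range of estimates is a simple Monte Carlo loss model: estimate how often an event happens and how much a single event is likely to cost, simulate many years, and read off the expected annual loss and the bad-year tail. The block below is an added illustration, not code from Treasury Today or from PwC, J.P. Morgan or BAE Systems. The ransomware frequency, the loss range, the effect of the control and its cost are constructed assumptions for one hypothetical scenario, not estimates for any real organisation.

```python
"""Turn a 'ransomware risk is high' label into a loss distribution.

Added illustration of the quantitative approach the article calls for; it
is not code from Treasury Today, PwC, J.P. Morgan or BAE Systems. The event
frequency, loss range and control figures are constructed assumptions for
one hypothetical scenario, not estimates for any real organisation."""
import math
import random

Z90 = 1.2816  # standard-normal z-score of the 90th percentile


def poisson(rate, rng):
    """Number of loss events in one year (Knuth's sampler) for a mean rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(p10, p90):
    """Convert an expert estimate ('80% confident a single event costs between
    p10 and p90') into the mu/sigma of a lognormal severity distribution."""
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def simulate_annual_loss(freq_per_year, loss_p10, loss_p90, years=20_000, seed=7):
    """Monte Carlo: total loss in each simulated year, sorted ascending."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(loss_p10, loss_p90)
    totals = []
    for _ in range(years):
        events = poisson(freq_per_year, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    totals.sort()
    return totals


def percentile(sorted_vals, pct):
    idx = round(pct / 100 * (len(sorted_vals) - 1))
    return sorted_vals[idx]


def summarise(losses):
    """Expected annual loss plus the tail figures a board should be shown."""
    return {"mean": sum(losses) / len(losses),
            "p50": percentile(losses, 50),
            "p90": percentile(losses, 90),
            "p99": percentile(losses, 99)}


def control_value(before, after, annual_cost):
    """Net annual benefit of a control: expected loss avoided minus its cost."""
    return (before["mean"] - after["mean"]) - annual_cost


# Constructed scenario: ransomware against the order platform at 0.3 events a
# year; today a single event costs 200k-5m (80% interval). Tested, isolated
# backups cut that range to 50k-1m (frequency unchanged) and cost 150k a year.
BEFORE = summarise(simulate_annual_loss(0.3, 200_000, 5_000_000))
AFTER = summarise(simulate_annual_loss(0.3, 50_000, 1_000_000))
NET_BENEFIT = control_value(BEFORE, AFTER, 150_000)

if __name__ == "__main__":
    for label, s in (("without control", BEFORE), ("with control", AFTER)):
        print(f"{label}: mean {s['mean']:,.0f}  p50 {s['p50']:,.0f}  "
              f"p90 {s['p90']:,.0f}  p99 {s['p99']:,.0f}")
    print(f"net annual benefit of control: {NET_BENEFIT:,.0f}")
```

Two things the numbers show that a high/low rating cannot: the median year has no loss at all (most years see no event), so the conversation with the board belongs at the 1-in-10 and 1-in-100 year figures rather than the average; and the control can be defended in the same units as its cost, because its value is the expected loss it removes, not the absence of an incident.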

Viney counsels testing security controls in a structured manner that is consistently challenging. It means adopting the mindset of a threat group, working through the company’s barriers systematically to achieve the same objective as the criminals.

“Companies should think like their adversaries. Think, we know how our systems work. If we were going to disrupt it, what would we do? Continue testing through the process so even when internal security processes manage to prevent a breach of one barrier, carry on,” he says.

It is an approach championed by the Bank of England’s CBEST scheme [Critical National Infrastructure Banking Supervision and Evaluation Testing], and it has provided such valuable insights that many banks have adopted it internally. “This approach gives real world insights that teams can take to their board. They can say, ‘we tried this, and we know this can happen; this is how easy it was. How happy are we about that?’” says Viney.

Companies require perimeter controls and walls, but they also need a fallback plan because some attacks will always get through. That means balancing as much prevention as possible against robust recovery plans and resilience to disruption. “It is about minimising both the time it takes to resolve an attack and the disruption to customers,” says Viney. “Think through which risks you are prepared to live with. Companies should set barriers according to their values and around the things they are most concerned about.”

Another element to consider is the people, adds Clark. “The most successful threat analysts tend to have two key intangibles: curiosity and a constant desire to grow. As leaders, it is our job to identify those analysts and ensure they have the right opportunities for long-term growth.”

Collaboration

Treasury Today’s interviewees call for more collaboration between companies. Sharing information can flag suspicious traffic or unusual behaviour and act as an early tip-off for others. It also helps companies tailor their approach around tools and technologies that have worked elsewhere. But it is an aspect of mitigation that many firms find challenging because they are competitors. In many jurisdictions, companies are reluctant to share threat intelligence because of legal issues, and collaboration also requires board approval. Organisations that champion and showcase the benefits of cooperation include the UK’s National Cyber Security Centre (NCSC), part of GCHQ. Elsewhere, Singapore has created a dedicated task force focused on cybersecurity that seeks to coordinate efforts, share best practices and develop comprehensive strategies to combat cybercrime effectively. But cooperation is nowhere close to where it needs to be. “We have no international norms or regulations established that we can leverage. We are still operating in a 20th Century mindset when it comes to understanding cyber risk yet in the 21st Century, digital information moves at machine speed and the threat changes very quickly,” says Joyce.

BAE Systems’ Viney is encouraged by the emergence of informal relationships between cyber teams at different companies, built on personal contacts. But he agrees wider cooperation can be poor. “It does come down to individuals,” he says. “In my experience of informal working groups, many people join, but few contribute.” It brings the conversation back to an earlier point: no company operates in a vacuum, and cyberattacks target the whole ecosystem. Large banks might be able to withstand a breach because they have the budget, but SMEs with small cyber budgets are still part of the same ecosystem. “No one operates by themselves. All companies are part of a broader ecosystem and how do we protect that ecosystem,” says Viney. “A business can have one of the best cyber defence postures and still lose essential services or have sensitive data exposed due to a third-party compromise,” says Clark.

Board involvement

Corporate boards play a central role in navigating cyber risk. A good board understands the company’s risk exposure and its risk appetite. “If a breach happens, what is the recovery time and how does the board feel about that. What is the culture around cyber risk and who owns it?” asks Joyce. Executive managers are key stakeholders and should lean in as part of the solution and initiate training, he continues. Yet his conversations with boards often begin with requests for how their cyber framework and response compares to industry peers. “This is not the best question because every company is unique,” says Joyce.

In another worrying trend, the treasury function is not always involved in cyber risk as a primary stakeholder. Yet treasury is an obvious target for thieves. For example, cyber teams should be across the social media presence of key members of the finance team (a rich hunting ground for bad actors to scrape the personal information used to fashion deepfake voices and video) and should close the gaps in training that open up when staff rotate. A recent missive from the World Economic Forum called on firms in APAC to make cyber security leadership and governance a priority by appointing qualified professionals with expertise in cybersecurity to executive positions and boards of directors to create “an intelligence led prevention first cybersecurity approach to combat the new frontier of cyber battlefields.”

Paying up?

PwC’s Joyce estimates that between 40% and 60% of corporates pay the ransom because they can’t sustain the financial loss from the business interruption and can’t re-establish normal operations quickly enough. Worryingly, even when companies do pay up, they don’t always get a full recovery. “When they get the keys back, the data doesn’t unlock cleanly because it has lots of bugs. It’s not as simple as people think,” he says.

Insurance policies can bring financial redress, but they don’t minimise disruption or the impact of diverted staff attention. And companies can’t rely on law enforcement. “It’s very difficult to find perpetrators, particularly when it is driven by nation states,” says Viney.

Joyce notes that “naming and shaming” doesn’t put the criminals off. One of the only ways they are held accountable is if they travel outside their own country, which they rarely do. “The consequences haven’t been at a level that has changed behaviour,” he says. The experience of MGM Resorts International is instructive. Following a breach in 2023 the company didn’t pay its attackers, but the incident cost it roughly $100m in lost earnings in the quarter of the attack, plus consulting, legal and technology fees. In its 2023 annual report, the casino operator said it anticipated further costs from class action lawsuits and federal investigations relating to the attack.

Can technology help?

All of Treasury Today’s interviewees agree that throwing more money at the problem is not the solution: the best way to beat the criminals is to understand those key dependencies. Nor is technology a silver bullet against cybercrime. Organisations are building AI into their cyber security, fraud and anti-financial crime operations, and AI has plenty of positives: it is being used to test models and to spot rogue behaviour patterns and deepfakes, for example. “AI is better at spotting AI than we are,” says Jessica Cath, Partner at Thistle Initiatives. But AI still requires a human to guide and oversee it. Elsewhere, new technologies like behavioural biometrics may offer more robust screening than conventional biometrics because patterns of behaviour are harder to clone, which makes it easier to identify when someone else has taken over a device. But Cath says biometrics shouldn’t replace human checks. “Have checks that are proportionate to the size and value of money moved,” she concludes.
