With high-profile cyber-attacks continuing to make headlines, treasurers cannot afford to ignore the importance of cyber-security. But should this area be viewed as a straightforward necessity, or can it be approached as a business enabler?
The risk of cyber-attacks was a major theme in 2017, with a number of high-profile incidents underlining both the breadth of attacks taking place and the scale of possible losses. In February, US$81m was stolen from Bangladesh Bank in an attack which had attempted to steal almost US$1bn. In December, Yahoo revealed that a data breach from August 2013 had affected a billion users.
Even when the figures are less staggering, the impact of a cyber-attack can still be considerable. According to Cisco’s 2017 Annual Cybersecurity Report, 29% of security professionals said that their organisations experienced a loss of revenue as a result of cyber-attacks, with 38% saying their revenue loss was 20% or higher. Twenty-two percent of organisations said they had lost customers as a result of cyber-attacks, while 23% said they had experienced a loss of business opportunity.
From data breaches to distributed denial-of-service (DDoS) attacks, businesses may be at risk from many different types of cyber threat. Linda Coven, Senior Analyst at Aite Group, points out that the threat of a cyber-attack has grown beyond the account takeover to the potential for stolen company secrets and intellectual property. She notes that these attacks can take the following forms:
- Social engineering fraud using network breaches and stolen credential information.
- Nation state-sponsored attacks, which may be politically, economically or militarily motivated.
- Continued DDoS attacks of significant volume and frequency against financial institutions, often to cover fraudulent activities.
- Extortion (ransomware) – demands for money or other ‘payments’ from a business.
- Espionage against governments and business intellectual property.
- Business Email Compromise – accessing executives’ accounts to gain credentials or spoof email to elicit a funds transfer.
It is clear that these threats are becoming more severe as cyber-criminals refine their techniques. “Are the bad guys getting more sophisticated? Absolutely,” says Mike Lamberg, Chief Information Security Officer at OpenLink, and the former VP of Information Security at the NYSE. “Social engineering, or the practice of getting someone to trust you and do things you want them to do, continues to increase and be the prevalent method of infiltrating an organisation and doing harm.” Lamberg points out that this could take the form of a legitimate-looking email or an enticing website ad – “or a simple phone call leading to a loss of confidential information, or causing an inappropriate funds transfer, for example.”
Targeting treasury
Where corporate treasury is concerned, the most significant concern is the risk that a fraudulent payment will be made. This is a very real risk for companies around the world. The 2016 AFP Fraud Report found that 73% of American companies were targeted by payments fraud in 2015 – up from 62% in 2014. While cheques were found to be the payment method most often targeted by fraudsters, the research also found that 64% of businesses were exposed to BEC scams, while 48% were exposed to wire fraud.
Increasingly, sophisticated spear-phishing attacks are being aimed specifically at finance and treasury staff. “Recent sophisticated attacks on systems and services that offered weak overall security have directly targeted the treasury and payments systems that sit at the heart of a modern corporate treasury,” says Andrew Bateman, Head of Corporate Liquidity and Bank Treasury at FIS.
The strategies used by criminals continue to evolve. Bateman notes that “social engineering attacks through phishing and/or spear-phishing attacks as a vector for installing malware, or other advanced persistent threat (APT) components, remains a significantly high component of the threat.” The nature of the APT components is changing in sophistication year on year, as is the professionalism of the most sophisticated phishing attacks. Bateman adds, “We are seeing more targeted attacks on financial systems and finance employees.”
But despite these threats, treasurers may not be doing everything possible to protect their businesses. Bateman says that treasurers are “probably not yet as concerned as they need to be”. He adds, “While we are seeing a clearly strong and growing awareness amongst treasurers of the risks that cyber-attacks place on their businesses, the active engagement that is required to address it is lagging a little.”
According to Bateman, this lag may be attributed in part to the “legacy view” that treasury remains somewhat isolated from the outside world – although the targeting of treasury staff demonstrates that the reality has changed.
Liability for fraud
If the worst happens and a company falls victim to a significant cyber-attack, is there anything companies can do to get their money back? David Stebbings, Director, Head of Treasury Advisory at PwC, says that while companies are focusing their attention on how to protect themselves from an attack, they are also keen to understand whether their banks, technology providers or SWIFT bureaus may take some liability for the loss.
“In the past, it’s always been assumed amongst the corporate community that once you sent a payment message via the bank, if something went wrong, they would pay you back for the loss,” explains Stebbings. “Obviously the challenge was proving that it was not your fault and that you had sent them valid instructions, but based on the relationship repayment was often assumed.” More recently, however, Stebbings notes that banks may be tightening up their approach such that this assumption may no longer be as true as previously.
Technology providers, meanwhile, may simply be unable to repay a large sum, whatever the circumstances. “The challenge for them is to show that they are the best in terms of minimising this risk, given their focus on cyber security measures and persuading treasurers and their IT people that this is the case,” Stebbings explains.
“Unfortunately for a treasurer or finance person, although the chance of something happening is remote, the scale of the loss if something does happen is probably career damaging. So choosing the right payment providers is very important and obviously the providers which can show they have the best security have a competitive advantage.”
In some cases, companies may wish to check for themselves that their third-party providers have sufficient security controls in place. “One of my clients wanted to go to their SWIFT bureau every year,” Stebbings explains. “The SWIFT bureau gave them a certificate of its controls which had been provided by audit firms, but the client wanted to go down to the bunker themselves and test the security controls independently.” Stebbings argues that supporting this level of scrutiny should be seen as a positive thing by third party vendors – “if you want to sell this stuff, and you want to be top of the market, it could be one of your selling points.”
Meanwhile, businesses may be reacting more robustly in some regions than in others. In Asia, for example, the risk of cyber-attacks is particularly strong. Research published last year by US internet security company Mandiant said that the median time between a breach occurring and being discovered is 520 days in APAC, compared to 146 days globally. The report noted that “APAC organisations are frequently unprepared to identify and respond to breaches”, pointing out that most breaches in APAC never become public due to a lack of effective breach disclosure laws.
But despite the scale of these risks, not all companies are focusing on cyber-attacks as a high priority for corporate treasury. David Blair, an independent treasury consultant based in Singapore, notes that where treasurers in Asia are concerned, “Asia is probably behind on this, despite at least equal risks compared to western businesses.”
Making cyber-security a business enabler
With so many threats to consider, is cyber-security a straightforward necessity, or can it be viewed as a business enabler? For third-party vendors, such as treasury management system vendors, SWIFT bureaus or third-party payment providers, it is clear that cyber-security falls into the latter category. “If you are a third-party provider, you can turn this to your advantage by spelling out your investment in security and how often you test your controls and have them validated independently,” Stebbings explains. “So they can certainly turn it to a competitive advantage.”
For corporate treasurers, the situation is less clear-cut. In Asia, for example, Blair says that this topic is “more of a survival requirement”, adding that it is “hard to see security intrinsically bringing better products and services to customers”. On the other hand, he notes that a lack of security can hurt customer satisfaction.
OpenLink’s Lamberg comments that cyber-security is definitely a necessity, and that making it a business enabler “would require a company’s senior leadership and board to view cyber-security as a strategic asset that is partnered with the business itself”. Until that happens, Lamberg says, “it will be viewed as a quasi-tax or insurance”.
However, this is also an area which is evolving rapidly, and companies are adjusting the way in which they approach cyber-security as the threats develop. Bateman argues that cyber security should – and can – be a business enabler as well as a necessity.
“Treasurers, and their organisations right through to Board oversight level, will expect security and risk management to be built into the solutions and services their organisations consume – and will expect their cloud vendors, their partners, and their service providers to focus on cyber security as a key element of an overall offering,” he explains. “Treasurers will give greater value to those offerings that have superior cyber risk protection in the same way we value any quality metric, and partners or vendors that excel in this area will be advantaged in their client relationships.”
How can cyber-security deliver business improvements? Aside from avoiding financial loss, the most obvious improvements lie in increasing efficiency and managing risks more effectively. Marcus Hughes, Head of Strategic Business Development at Bottomline Technologies, points out that implementing increased controls “not only helps a treasurer to remain compliant and fight financial crime, but it also makes a business more efficient by reducing errors and cutting the risk of losing money.”
Coven agrees that cyber-security can be seen as a business enabler, pointing out that the costs of an attack can be devastating. These may include direct damages, such as missing funds, trade secrets, damaged hardware and software and business disruption. “There are also response costs such as notifications to employees or customers and in some cases having to provide services such as credit monitoring to those affected,” she explains. “And of course there is reputational damage which can lead to loss of customers, goodwill of suppliers and diminished valuation for investors.”
As such, Coven says that companies need to take cyber-security seriously. This involves making it part of the company’s culture to manage risk at all levels, and making this area “the responsibility of everyone”.
Best practice
With so many threats to consider, what actions should treasurers be taking to protect their businesses from cyber-crime? The following actions may help treasurers avoid falling victim to a cyber-attack:
- Secure your devices. All devices on the network should be secure, with up-to-date virus protection.
- Practice good password hygiene. Strong passwords should be used and users should be required to change their passwords regularly. Different passwords should be used for different systems.
- Use the latest versions. “Ensuring systems are on the latest versions, and the systems and vendors have robust and audited security and risk management processes in place, should now be a key element of any treasury or financial professional’s role,” advises Bateman.
- Segregation of duties. Where possible, different staff should be tasked with initiating payments, approving payments and reconciling the accounts.
- Enforce network separation. Lamberg says that treasury and financial systems should be physically and logically separated from the general corporate network. “You need to minimise the chances that a rogue network user could gain access to your key financial systems,” he adds.
- Inform and educate. All too often, employees themselves are the weak spot when it comes to preventing fraud. “Proper training on how to recognise a cyber-security event, phishing email or a suspicious link on a web page will go a long way to reducing the security risk in an organisation,” says Lamberg.
- For incoming emails, ‘trust but verify’. “A basic step for any employee to make before clicking a link in an email is to press the ‘reply’ button and examine the email domain for discrepancies, since fraudsters can buy nearly identical domains,” explains Coven.
- Use screening solutions. By screening payment files against sanctions lists, Hughes says that treasurers can avoid the reputational risk of being identified by their banks as trying to make payments to black-listed organisations or individuals. “It also builds a good relationship with banking partners by reducing their payment investigations work,” he adds. Hughes points out that screening solutions can also be used to identify inappropriate payments diverted to fraudster employees, or to accounts which do not appear on the controlled list of suppliers.
- Use anomaly detection systems. Such systems can be used to identify anomalies and alert management to payment files which do not fit within normal patterns, such as payments above preconfigured limits. “This not only prevents fraud but also identifies operational errors, such as failure to submit a payment file by a certain deadline,” explains Hughes.
- Track employees’ use of mission critical applications. Tracking how employees use certain applications can reveal anomalies and suspicious behaviour. Hughes notes, “this non-intrusive way of monitoring user activity enables management to capture and replay such behaviour, rather like a CCTV, not only recording any information, such as amount or account number, which has been tampered with, but also tracking all screens which have been viewed by employees.”
- Carry out simulations. Blair advises that treasurers should “accept you will be hacked and be prepared to deal with it”, adding that this should include carrying out regular simulations like fire drills, designing systems and processes on the assumption that hacking will occur.
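Coven’s ‘press reply and examine the domain’ advice, as an added example that is not code from the article or from any vendor named in it: the check below extracts the domain a reply would actually go to, compares it with the sender domain and with a trusted list, and uses edit distance to catch the near-identical domains she mentions. The trusted domains and the three sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed list of domains the treasury team legitimately corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com"}

def _levenshtein(a, b):
    """Edit distance, used to spot near-identical domains (one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain(header_value):
    """Registrable part after '@' of the first address in a header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def reply_domain_check(raw_message):
    """Return (reply_domain, verdict) for a raw RFC 822 message.

    Mirrors the 'press reply' step: the address a reply would go to is the
    Reply-To header when present, otherwise the From address."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To") or msg.get("From", ""))
    if reply_domain in TRUSTED_DOMAINS and reply_domain == from_domain:
        return reply_domain, "ok"
    if reply_domain != from_domain:
        return reply_domain, "reply-to differs from sender domain"
    for trusted in TRUSTED_DOMAINS:
        if 0 < _levenshtein(reply_domain, trusted) <= 2:
            return reply_domain, "look-alike of trusted domain %s" % trusted
    return reply_domain, "unknown domain"

# Constructed sample messages: genuine, a look-alike sender domain (capital I
# for l), and a genuine-looking From with a Reply-To pointing elsewhere.
LEGIT = "From: Payments <ap@acme-supplier.com>\nSubject: Invoice 42\n\nAttached.\n"
LOOKALIKE = "From: Payments <ap@acme-suppIier.com>\nSubject: Invoice 42\n\nNew bank details.\n"
REPLY_SWAP = ("From: CFO <cfo@example-bank.com>\nReply-To: cfo@example-bank-secure.net\n"
              "Subject: Urgent\n\nWire today.\n")
```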
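The screening and anomaly-detection controls Hughes describes above, as an added example that is not the article’s or Bottomline’s code: a constructed payment file is checked against a controlled supplier list, a small sanctions list and per-supplier limits, and duplicate references are flagged. All account numbers, names and limits are constructed sample data.

```python
from collections import namedtuple

# Constructed reference data (not from any real system): the controlled supplier
# list keyed by account with a per-supplier limit, and a tiny sanctions list.
APPROVED_SUPPLIERS = {
    "GB29NWBK60161331926819": ("Acme Ltd", 50_000.00),
    "DE89370400440532013000": ("Bauteile GmbH", 20_000.00),
}
SANCTIONED_NAMES = {"blocked trading co"}
Payment = namedtuple("Payment", "ref beneficiary account amount")

def screen_payment(p):
    """Return findings for one payment; an empty list means it passes."""
    findings = []
    name = p.beneficiary.strip().lower()
    if name in SANCTIONED_NAMES:
        findings.append("sanctions-list hit")
    entry = APPROVED_SUPPLIERS.get(p.account)
    if entry is None:
        # A known supplier name on an unknown account is the classic diverted payment.
        findings.append("account not on controlled supplier list")
    else:
        supplier, limit = entry
        if supplier.lower() != name:
            findings.append("beneficiary name does not match supplier record")
        if p.amount > limit:
            findings.append("amount exceeds preconfigured limit %.2f" % limit)
    return findings

def screen_file(payments):
    """Screen a whole file; also flags duplicate references (re-submitted payments)."""
    report, seen = {}, set()
    for p in payments:
        findings = screen_payment(p)
        if p.ref in seen:
            findings.append("duplicate payment reference")
        seen.add(p.ref)
        if findings:
            report.setdefault(p.ref, []).extend(findings)
    return report

# Constructed sample file: P1 clean, P2 diverted to an unknown account,
# P3 over its limit, and a sanctioned beneficiary re-using P1's reference.
SAMPLE_FILE = [
    Payment("P1", "Acme Ltd", "GB29NWBK60161331926819", 12_500.00),
    Payment("P2", "Acme Ltd", "FR7630006000011234567890189", 12_500.00),
    Payment("P3", "Bauteile GmbH", "DE89370400440532013000", 25_000.00),
    Payment("P1", "Blocked Trading Co", "GB29NWBK60161331926819", 100.00),
]
```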
Direction of travel
By necessity, cyber-security is an area which continues to develop rapidly. As Lamberg points out, “the bad guys are getting smarter with new technology and techniques, forcing all of us to get smarter and implement newer technology to anticipate and defend against them.”
In terms of future developments, Blair says he hopes that software will increasingly be built for security, much as it is now tested for bugs. “I expect more human-friendly security arrangements to progress beyond the current multiplicity of impossible-to-memorise passwords (face, blood vessels, etc),” he says, adding that the advent of voice, as heralded by developments such as Echo and Siri, will open a “whole new can of worms”. Blair also comments that people will increasingly have to accept that some convenience will need to be sacrificed in order to maintain security, with companies increasingly locking down work computers and restricting BYO devices.
Bateman, meanwhile, says that “there needs to be greater partnership between governments, NGOs and corporate entities in information sharing and threat prevention.” He adds that this should involve moving to a real-time threat information sharing model, allowing all partners to move quickly and efficiently and to benefit from each other’s experiences.
In conclusion, cyber-security is a topic that no treasurer can afford to ignore. Whether this area is regarded as a necessary evil or a business enabler may vary from company to company – but what is clear is that this topic will only become more crucial as the threats continue to evolve.