Boosting Treasury’s Role in Cyber Risk Reduction

May 30, 2019

Steps to keep finance focused and compliant in the battle against cyberfraud.  

The explosion of cybercrime in the digital era has forced corporate finance departments to up their game in the unending effort to protect the data and financial assets of the company and its customers. NeuGroup members have shared tactics to buttress treasury’s defenses and prepare for inevitable attacks, including “attacking” their own employees to raise awareness of phishing and other ploys used by bad actors to obtain confidential information.

Beyond tactics, though, treasury benefits from having a seat at the table where practices and policies on cyber risk are set. That was among the takeaways at the spring meeting of the Assistant Treasurers’ Group of Thirty, where one assistant treasurer described the role of treasury in his organization’s cybersecurity strategy as well as the department’s attention to a growing number of cyber-related compliance issues. 

Secure a seat on the risk committee. Treasury at the presenter’s company plays an active role on a corporate risk committee that’s facilitated by the enterprise risk management (ERM) team and provides a forum for identifying, communicating and escalating risks, including cyberthreats. The committee uses a score sheet to grade how “owners of risk” are protecting the company. The committee is involved in decisions on funding risk reduction projects.

Hire a compliance officer. To evaluate cybersecurity and other practices of the company, treasury hired a compliance manager who reports to the assistant treasurer. The manager’s purview includes non-regulatory payment industry compliance, Sarbanes-Oxley, policies and procedures and audits. Among the issues examined for best practices are positive pay vs. payee positive pay, bank account validation for vendor banking changes, bank account validation software and services, and focused cybersecurity training. No other companies attending the meeting have a dedicated compliance person.

Coping with regulation inflation. The financial industry’s focus on cybersecurity is leading to what the member company describes as a “noticeable increase in non-governmental cybersecurity and data security compliance regulations.” The presenter described these areas where the company needed to take additional steps: 

  1. Payment card industry data security standards (PCI-DSS). These standards apply to all entities that store, process or transmit cardholder data. Treasury at the presenting company, along with IT and ERM, implemented an action plan that among other steps tokenized all customer credit card data, developed PCI-DSS web training and hired a qualified security assessor to evaluate global compliance. The presenter said his company’s APAC business is decentralized and some areas said their country standards were sufficient, making it hard to convince them they had to be PCI compliant.
  2. SWIFT customer security program. SWIFT members must attest to mandatory controls on an annual basis. This includes a security baseline that must be implemented on locally-hosted SWIFT infrastructure, something another member said is “onerous.” The member’s company implemented an action plan with treasury collaborating with IT and ERM. It includes a new SWIFT transmission server in a firewall environment in a data center and multifactor authentication security controls on payment platforms.
  3. National Automated Clearing House Association (NACHA) security rule. Third-party senders must soon protect beneficiary account numbers by rendering them unreadable when stored electronically. NACHA is neutral about the methodology, e.g., encryption, truncation, tokenization. The presenter said the possibility of needing to attest to being noncompliant made his company realize it had to take action.

What’s your role? Another concept that surfaced at the meeting, and one that will serve treasury’s efforts to prevent the theft or misuse of data, is role-based access control (RBAC). This limits what digital information an employee can access based on the person’s role within the company. The presenting member endorsed it as a way to prevent people from “moving within the company with data they don’t need.”
