High profile companies including Target, J.P. Morgan Chase, and most recently Home Depot have all reported significant data breaches potentially affecting millions of customers, but corporate treasury departments, making what they presume to be highly secure payments, are also at risk.
That was the message conveyed by Treasury Strategies in a mid-September technology briefing. Cathy Gregg, a partner at the consultancy, said securing the company’s payment information and processes is, of course, key. But treasury executives need to be prepared for less direct impact from cyber attacks, such as the company’s bank experiencing a denial of service attack, making its services unavailable to commercial customers.
“You want to avoid having to explain to your boss and the board why your data got away from you, or why you couldn’t get payments out,” Ms. Gregg said.
Companies must methodically assess potential cyber impact on their organizations, to understand the risks and exposures, and then take steps to deal with them.
Jeff Diorio, a principal at the consultancy, said hackers have shown a proclivity for credit card and student loan data, as well as protected health information. Treasury executives often don’t recognize the extent of sensitive information they hold, Mr. Diorio said, but the advent of Foreign Banks and Financial Accounts (FBAR), the Fair and Accurate Credit Transaction Act (FACTA) and other rules require companies to maintain sensitive data, in addition to clearly important bank account data.
Fraud and financial malfeasance is where a majority of treasury controls are focused today, but too often they concentrate on securing payment streams, Mr. Diorio said, adding purchase-card and supply-chain programs can also be targets.
Ms. Gregg added that it is helpful to consider “data at risk,” resting in a database somewhere, as well as “data in flight,” or being transmitted to another party. The first type can rest on the company’s servers as well as those of its banks or service bureaus. In all three cases, treasury executives should review controls preventing hackers from accessing payment information and changing it.
“Is it secure from internal and external compromise, do we have good administrative controls, and do our banks and service bureaus also have those controls?” Mr. Diorio said, adding that the question applies to the historical data companies are required to store as well as their disaster recovery sites.
In terms of transmitting data, the trend is toward greater ease of use and mobility. The former typically means a single point of communication, such as what SWIFT offers corporates to communicate with their banks, that also concentrates risk if that connection is compromised. Mobility enables executives to complete transactions from their mobile devices, wherever they may be, but it increases the risk messages can be intercepted. “The easier something is to use, probably the less secure it is,” Ms. Gregg said.
The straight through process (STP) is something of a misnomer, Mr. Diorio said, given such processes typically have several components, each with potential weaknesses. When initiating payments, for example, data moves from the company to an internal server, a host server or a cloud provider, then to a SWIFT bureau, and finally to the bank. For each of those steps, treasury executives should ascertain who has access to the data, who can initiate data transmissions, and what are the physical security controls. Then are any transmissions encrypted, are communications unreadable and unalterable, and is connectivity robust.
“And finally, how does the bank authenticate it’s the proper sender and that the message hasn’t been altered,” Mr. Diorio said, adding some companies now interrupt the STP by requiring their banks to post information transmitted them so it can be verified by company executives. “So they’re willing to give up STP for that extra confirmation of security.”
Once weakness are identified, companies most strengthen their preventive measures in those areas. They then must develop a response plan, Mr. Diorio said, noting that Target knew its data was being compromised but didn’t have a strategy and tactical response plan, which could have lessened the breach.
Mr. Diorio added that cyber insurance is also available to corporate treasuries. “An interesting aspect of [insurance] is that your cyber insurer will have policies and procedures to help you,” he said. “If they’re going to insure you, they’re going to try to make sure you have a really good grasp of what’s going on and the proper protections in place, so they don’t have to pay out on claims.”