Preparing for the Inevitable Cyber-Event

November 14, 2015

By Ursula Conterno

What is the role of treasury in preventing and responding to cyberattacks? 

Cyberattacks are on the rise. In the last year alone, many companies have made headlines by becoming unfortunate targets of cybercriminals. However, these attacks are likely happening more often than commonly believed or reported.

As per the second-half results of a survey recently conducted by The NeuGroup, 83 percent of responding members said their treasury organization had been subject to a security breach in the last five years.

Get engaged

That significantly large number speaks to the need for treasuries to get more involved in preventing security breaches and to have a plan to respond in a timely and effective manner when one occurs. While most of the threats treasurers report involve third parties seeking to convince treasury to make unauthorized transfers or payments, cybersecurity experts caution that in cases of actual system breaches, companies fall largely into two categories: those that have been breached and detected it and those that have been breached and don’t know it yet.

Given the low number of treasury and banking system breaches reported, where unauthorized users have gotten access without the witting or unwitting cooperation of treasury or IT staff, treasurers still should probably assume some exposure to the latter category. In response to both types of cyber-risks, treasurers should also step up awareness-raising education and training, as well as contingency plans to guide action when a threat is detected.

Cyber-risk has evolved

The days of feeling protected behind a firewall are over. As discussed by various experts during the latest NeuGroup meeting cycle, nowadays cybercriminals look for any weak point that allows them to reach inside an organization, including its staff or its supply chain. These attacks range from criminals trying to steal financial data, intellectual property or actual money to creating serious business disruption.

As pointed out by HSBC’s security expert during the latest NeuGroup Global Cash and Banking Group (GCBG) meeting, attackers’ tools and techniques in many ways outpace innovative detective and preventive security controls. Their tactics range from using malicious code and social engineering to taking advantage of physical/proximal access. In fact, according to NeuGroup Peer Research, two of the top three security breaches experienced by treasury organizations in the last five years were social engineering-type attempts.

However, the bigger game-changer in the cybersecurity space is that the attackers are no longer just individual hackers, but entire criminal organizations or, in some cases, countries. As HSBC’s expert pointed out, when cyberattacks are financed by criminal organizations or countries, a bank or company alone might not be in the best position to defend itself. That is why it is important for industry-wide groups to discuss cybersecurity challenges in partnership with government institutions, like the FBI or the Secret Service.

The corporate response has to evolve too

It is no secret that cyber-risk has morphed over the last year or two into an enterprise-level risk issue, since attacks can result in lost funds as well as lost client trust. In this context, cyber-risk is no longer just an IT problem.

As discussed during a recent NeuGroup Treasurers’ Group of Thirty (T30) meeting, cross-functional teams are emerging to deal with cybersecurity, including representatives from internal audit, business units, IT and finance, with CFOs and general counsels now taking active roles, too. Also, corporate executives increasingly see that the risk is not restricted just to their organization but also extends to the company’s broader ecosystem—from supply-chain vendors down to end-customers. Still, according to NeuGroup Peer Research, the role of treasury remains somehow undefined in how it should support company-wide cyber-risk efforts.

In general, the main cybersecurity concerns for treasurers are (1) unauthorized access to bank accounts or online banking portals; (2) a data breach resulting in significant financial impact; (3) an attack on a major cash management partner resulting in operational issues; and (4) having enough insurance coverage.

In response to the current circumstances, and in hopes of preventing cyberattacks or minimizing their possible effects, treasury organizations have implemented additional company-wide training to raise employees’ cyber-risk awareness (72 percent); increased review/risk audit of treasury/banking systems and network connection points (48 percent); initiated or increased the amount of cyber insurance (42 percent); and increased review of treasury policies and procedures to identify possible areas where cyber-risk exists (34 percent).

Forming a partnership with IT is key to the success of some of these initiatives. IT can be a great partner to find best practices to manage access to treasury systems, like providing tools and guidelines to manage passwords or bank tokens securely, to complement the fraud prevention policies already in place. Also, IT can provide the training to increase cyber-risk awareness to minimize the success of socially engineered attacks.

Furthermore, IT can support treasury by actively monitoring any vendors that house treasury data as a way to identify weak spots that can be subject to attack. As discussed during the T30 meeting, cybersecurity concerns have gone from a reason not to outsource treasury systems or select SaaS solutions to a reason to do so. Asked if SaaS solutions were secure, a recent panel of cybersecurity experts from Marsh, PwC and Deutsche Bank said that the security deployed by top-tier vendors was likely to be higher than that of most corporates. Still, companies must scrutinize just what kind of expertise SaaS providers employ, their business continuity plans, how they protect customers, their crisis leadership team and response plan, and their insurance coverage.

Cyber-coverage can become an emerging indicator for counterparty cyber-risk in that counterparties that have cyber coverage can be deemed to have satisfied the basic due diligence questions and risk-mitigation requirements of their underwriter. However, digging into the nature of coverage could also be wise. Cyber policies tend to cover liabilities stemming from lawsuits as well as out-of-pocket expenses, such as legal counsel or forensic services, as well as the cost of notifying customers or suppliers, setting up call centers, crisis management and public relations firms and other necessary outlays. There is no cyber-specific coverage yet for brand reputation or theft of intellectual property.

However, none of these solutions addresses how to react in the case of total business disruption caused by a cyberattack. After the recent attack on Sony, the company had to shut down its data center for 45 days. This fact highlighted the need to include cyberattacks in each company’s business recovery plan. Companies can find best practices by participating in cyberattack table-top exercises to evaluate and challenge their contingency risk preparedness and operational readiness for a major cyberattack. In turn, demonstrating the company’s response plan and a thorough audit of vendors’ cyber defenses can help in securing insurance to partially cover business interruption stemming from a breached third-party provider.

Proper Prep

Cybercrime has become more organized and has more funding. In this context, cyberattacks will continue to rise and to become more widespread. In response, companies also need to step up their response and preparedness. Cybersecurity can no longer be just an IT responsibility but must be a concerted effort on every front.

Finally, companies must have contingency plans to guide action when a threat is detected, so it can be stopped and the damage minimized.
