Cyber risks are escalating as the price tag attached to cybercrime explodes. While many of the incidents recently in the headlines involved data breaches and ransomware, the risks that face corporate treasuries in particular have been brought home by the mounting costs of business email compromise scams and cyberthefts that involve the SWIFT financial messaging system.
Most notably, hackers stole $81 million from Bangladesh’s central bank last year by penetrating the system the bank used to access SWIFT and sending fraudulent payment instructions.
In May, the FBI estimated that business email compromises—scams in which cybercriminals trigger unauthorized payments, often wire transfers, by sending emails that appear to come from a company executive—caused $5.3 billion of losses globally from 2013 to 2016, and U.S. losses of $1.6 billion over that same time frame. “There’s definitely a raised awareness and concern,” said Craig Jeffery, managing director at Atlanta-based consultancy Strategic Treasurer.
The hit that a single company potentially could suffer is no longer the $1,500 average for check frauds or even the $130,000 average for a business email compromise, Jeffery said. Losses “are getting larger; they’re getting significantly larger.
“People need to understand the scope of the losses that everyone’s experiencing,” he added. “This absolutely requires a much more aggressive posture, a stronger, more muscular approach to defeating that. The calculus changes. It becomes too expensive.”
Business email compromise (BEC) scams are also notable for their prevalence. Seventy-nine percent of companies said they had experienced business email compromise attempts over the past two years, according to a survey conducted earlier this year by Strategic Treasurer, Bank of America Merrill Lynch, and Bottomline Technologies. Twelve percent of overall respondents, and 15% of those who had experienced a BEC attempt, had suffered a loss.
“These are organizations that are patient,” Jeffery said of the hackers. “They’ll surveil organizations through social media, they’ll compromise credentials, they’ll sit and monitor how things are done over time, and they’ll use that knowledge to violate whatever the policy is.”
People need to understand the scope
of the losses that everyone’s experiencing.
This absolutely requires a much more
aggressive posture, a stronger, more
—Craig Jeffery, Strategic Treasurer
While treasurers are concerned about cyberthreats, Jeffery said they may not be concerned enough.
“There’s always a bit of a lag when something happens,” he said, and cited the example of the SWIFT Customer Security Program, under which users of the messaging network now have to attest each year to their compliance with a set of security standards, with the first deadline Dec. 31. “Too often, we’ve heard companies saying, ‘What if I don’t attest? Is that a problem? I have a lot of other things to do,’” Jeffery said.
Jeffery noted that corporate treasuries are planning to spend significantly more on technology in response to the risk. Strategic Treasurer’s 2017 survey showed 61% of companies said security concerns had a strong or very strong influence on their plans for technology spending.
Jerald Seti, vice president of product management at Openlink, a trading, treasury, and risk management solution provider, said he was seeing particular concern around payments given the thefts involving SWIFT.
“That’s definitely raised the attention of treasury in terms of locking down their payments mechanisms,” Seti said, and added that a fraudulent payment can have an immediate impact on a company’s finances. “One payment can go out, add a couple of extra zeros, and a firm can be bankrupt overnight,” he said.
The Strategic Treasurer survey showed 46% of companies surveyed had higher or significantly higher payment security concerns in 2017 compared with 2016, while just 2% had lower concerns.
Seti said cybercrimes involving corporate payments have increased corporates’ interest in encrypting payment files. “Treasurers that are looking at new systems are definitely requiring encryption as a way to handle that risk,” he said.
If hackers can get into the message files that contain payment instructions, they have access to bank account numbers and amounts of payments. The SWIFT network is fortified, Seti said, so “it’s when a file is dropped, produced by a system and waiting to be picked up by a delivery mechanism, that it should be encrypted. Or if you’re sending the file to a service bureau, you probably want to encrypt it as well.
“By encrypting it, either by totally obfuscating the data inside that file or adding a key that would validate that no single byte in that file has changed, you can mitigate the risk that someone has actually touched that file,” he said.
Spreadsheets are the Wild West—
you have no control over who’s viewing
the data, or who sent the data to whom.
—Jerald Seti, Openlink
Sayantan Chakraborty, head of product management for Global Treasury Management at U.S. Bank, also noted corporate treasuries’ use of encryption, both to secure connections and encrypt the data being transmitted.
Treasuries also want to be notified if anything odd happens in a bank account, Chakraborty said, and want to know whether bank platforms have that capability, including a workflow that sends information to the correct person, who can then take action. “They’re trying to get information in a faster and proactive fashion, so if something appears out of the ordinary, they can take action around it,” he said.
The U.S. is moving toward faster payments, he noted. “As the velocity of payments increases, it becomes even more important to ensure [users] are monitoring them in near real-time.”
SWIFT’s Customer Security Program, or CSP, sets out 27 security controls, 16 of which are mandatory, and requires customers to comply with all of the mandatory controls and attest to their compliance each year.
Strategic Treasurer’s Jeffery predicted other payments networks will roll out security standards for companies that use their solution to make payments. “We think that’s going to become the norm,” he said.
Chakraborty argued that adopting industry-standard protocols, such as encryption standards, file formats, and transmission standards, is a step in the right direction when it comes to treasury cybersecurity.
Such standard applications make change management easy. “When you have an update to a standard, it’s much easier to deploy it across the board,” he said, and since standard applications are usually backed by consortiums or large institutions, “there’s a shared interest in keeping them updated.”
He cited the ISO XML standard for financial messages as a good example. While corporate customers traditionally communicated with their banks using proprietary file formats, “there’s a concerted move we see toward ISO XML formats,” Chakraborty said. Other examples include secure FTP for file transfers and application programming interfaces, or APIs, to connect with service providers, he said.
Spreadsheets a Weakness
Seti argued that treasury departments’ “most glaring” weakness when it comes to cybersecurity is their continued reliance on an older form of technology: spreadsheets.
The use of spreadsheets “just creates a whole bunch of vulnerabilities on many different levels,” he said.
For starters, employees usually send spreadsheets back and forth in emails, and emails can contain viruses, he noted. And the fact that spreadsheets can be emailed means a loss of control from a security perspective.
“If you’re a security officer and you’re trying to impose compliance rules, you can permission certain screens,” Seti said. “Spreadsheets are the Wild West—you have no control over who’s viewing the data, or who sent the data to whom.”
He pointed to the macros inside spreadsheets, which can be infiltrated by a virus or contain typos, whether intentional or unintentional, as another source of risk. There’s also the danger of having a laptop stolen that contains spreadsheets with confidential information, such as Social Security numbers.
Spreadsheets are “still pervasive; they probably won’t go away—but it’s wrong,” Seti summed up.
Cloud or Not
More and more corporate treasury teams are shifting to technology that’s hosted in the cloud, which allows for quicker and easier implementations and updates, and may lower costs. Some argue that cloud solutions are also a plus when it comes to guarding against cyberthreats because cloud providers are likely to employ better cybersecurity measures than an individual corporate would use for its on-premises software.
“Those environments are fortified as a common way of business,” Seti said. “That’s the point of them: to have every security precaution taken care of.”
Cloud vendors enjoy economies of scale that benefit their security measures, said Thomas Hunt, director of treasury services at the Association for Financial Professionals. “They’ve probably got a higher echelon of security than a corporate on its own could adopt,” he said. “It wouldn’t be cost-effective.”
But Drew Del Matto, CFO of Fortinet, which provides cybersecurity software and services, said cloud solutions can still entail challenges when it comes to cybersecurity, although their challenges are different than those related to installed software.
“Many organizations have multiple security-vendor products in their infrastructure, with different operating systems and solutions for the cloud,” Del Matto wrote in an email. “This can create a visibility, control, and management challenge for cloud-based applications and workloads.”
Education is a key first step. Phishing
attacks, triggered by employees clicking
on malicious links, are still
one of the greatest cyberthreats.
—Drew Del Matto, Fortinet
Del Matto said that “if the right type of security architecture is in place, cloud-based solutions can actually provide the same level, if not better, security.”
With software-as-a-service offerings, “it can actually be easier to apply controls such as data loss prevention, two-factor authentication, etc.,” he said. “Also, cloud-based applications can deliver great auditing, reporting, monitoring, and email security solutions for treasury departments looking to offload some enterprise workloads to the cloud.”
David Watson, global head of digital cash products for Deutsche Bank, noted that not all cloud solutions are the same. “Cloud A does not necessarily have the same level of security as Cloud B,” he said, so companies still need to assess how secure the environment is when they’re selecting a vendor.
Jenny P. Menna, a senior vice president and cybersecurity partnership executive at U.S. Bank, said the cloud “can be extremely secure.” But she cited a list of factors that treasuries should be sure to consider when shopping for a cloud solution, including how the cloud provider handles incident response, what the contract says about who has access to the company’s data, and, if the cloud is shared, what barriers exist between the company’s data and that of other tenants.
Another issue to consider is where the data will be housed. “Depending on which legal jurisdiction data is housed in, that may create some unique situations for the company if something goes wrong,” said U.S. Bank’s Chakraborty. Treasury should be sure the company’s lawyers look at where the data to be stored in the cloud will be located and what issues might arise in that jurisdiction.
Centralization, or the lack thereof, is another element that can affect a treasury’s cybersecurity.
In larger organizations that have many affiliates spread out around the world, a single type of treasury work may be performed by many different parts of the organization. Openlink’s Seti cited the example of a company with 10 different groups that make their own payments. In that situation, “I kind of lose control over the whole process if I’m the global treasurer
“The name of the game here is to centralize all these processes,” he argued.
“We took an insurer with 1,500 bank accounts around the globe, making thousands and thousands of payments on a daily basis from six or seven payment centers, and moved them all into one payment center,” Seti said. “That gives you much better control, not only of the operational aspect but the forecasting aspect, and enables you to see anomalies that might be happening.
Strategic Treasurer’s Jeffery said cloud services can serve as the path to such centralization.
“Let’s say you have a payments hub, and now you’re routing everything from multiple payment areas through the hub,” he said. That move not only increases efficiency and improves forecasting, “you can be sure you’re looking in one key location where all the money is moving through.”
Centralizing the payments also decreases risk, he said, since “you’re moving information from 50 locations, each of which can be penetrated, to a single location.”
Similarly, centralizing certain activities in a shared service center “means there should be more expertise,” Jeffery said. “Someone who’s handling these types of payments all the time, they’re not going to be as readily fooled” as a staffer who’s doing 20 different tasks in the course of the day.
He noted that while approaches like shared service centers or centers of excellence should provide more security, they have to be properly implemented.
As the velocity of payments increases,
it becomes even more important to ensure
[users] are monitoring them in near real-time.
— Sayantan Chakraborty, U.S. Bank
Treasurers should use a framework that looks at the four elements of IT security: the company’s IT perimeter, its interior security, the transport function, and its third-party providers, Jeffery said.
“Even though the perimeter might be largely IT’s domain, treasury needs to know about that,” he said. Treasury should regularly review what they’re doing and how each of those elements is being assessed, Jeffery said, and suggested that some of those reviews should be by an external party, rather than internal audit.
But to what extent does treasury have the authority to oversee IT security outside its domain, or the resources to do so? Few treasuries have dedicated IT resources; most have to request the help they need from the IT and information security departments, which report up to other parts of the organization.
Jeffery said treasury should be “the superintendent of security.
“That doesn’t mean they’re in charge of who locks the door or selects which antivirus software or what exact tools are used to protect the perimeter,” he said. “But as superintendent, they are responsible for protecting the corporate assets.
“To me, they should be asking IT and the information security people: ‘What are we doing to protect the perimeter, how is that changing, what are the attempts we’re getting hit with?’” Jeffery said. “They should be getting that information, and they should be understanding it to a certain extent and taking the view that they are the superintendent of it.”
Others see the process as a partnership.
“It’s critical that treasury be actively involved in thinking about the issues and partnering with the IT department, because they’re the ones who have to make IT understand, ‘This is what’s important to us,’” said U.S. Bank’s Chakraborty.
Treasury executives should be “proactive, rather than reactive,” said Fortinet’s Del Matto, and work with executives in IT and information security “to ensure that the company’s security architecture can rapidly detect, isolate, and mitigate any breach.”
Deutsche Bank’s Watson said while corporate treasurers are highly aware of cyberthreats at this point, their views on what they can do about those threats vary.
Some understand that their role managing the company’s funds means they should take the lead on “ensuring the right controls are in place on payments and money,” Watson said. “At the other end, many treasurers see this as the role of IT or their corporate security office and haven’t woken up to the fact that as the owners of the funds, they need to be in the driver’s seat with their CISO [chief information security officer] and IT departments.”
He rejected the notion that treasurers lack the power to influence the company’s cybersecurity efforts.
“Is a corporate treasurer able to find out who their CISO is and go and challenge them on security tools?” Watson asked. “When the treasurer drives an RFP with banks, are they empowered to include the CISO in that process to define what questions to ask their banks, or include the CISO in their regular reviews regarding controls banks have in place?”
Treasurers “need to stand up and put themselves in the driving seat,” he added. “They won’t be asked to get into it.”
He added that while having dedicated IT resources lets treasuries position themselves at the cutting edge of industry movements such as XML and state-of-the-art treasury management systems, developers who work on treasury issues aren’t necessarily experts on cybersecurity.
Even a treasury with dedicated IT resources will “still need to work closely with a CISO team and understand what they should be doing when it comes to cybersecurity,” Watson said.
The Human Touch
While improving security around treasury systems and processes is important, a large part of protecting treasury against cyberthreats has to do with ensuring that treasury employees are on guard against hackers.
Certainly in the case of business email compromise scams, it’s employees who are clicking on links in emails or taking at face value a message purportedly from an executive such as the CFO.
“Education is a key first step,” said Fortinet’s Del Matto. “Phishing attacks, triggered by employees clicking on malicious links, are still one of the greatest cyberthreats.
“Continual education and in-house testing of employees through mock phishing exercises to ensure that they follow proper policies and procedures can go a long way to mitigating threats,” he said.
U.S. Bank’s Menna said user training should include educating staffers about “the latest scams and schemes, and why they shouldn’t click on things.”
Companies should also have a plan in place so that employees know what to do if some sort of cyber incident does occur, she said. “How would your organization address that? How would you communicate with your customers?”
Erika Baumann, senior wholesale banking analyst at Aite Group, said she’s spoken to companies that brought in bank officials to brief their executives.
“It’s all around increased education, understanding that the bad guys are always one step ahead, and taking advantage of the information resources that are out there from the industry security experts to know what steps can be taken to better protect themselves,” Baumann said.
Given hackers’ efforts in business email compromise scams to send emails that could plausibly have come from a company executive, employees should also be “reasonably discreet” on social media, said Strategic Treasurer’s Jeffery. “You don’t need to say, ‘Here’s my boss, here’s everybody who works for me,’ so people can build the proverbial org chart,” he said.
Jeffery noted that SWIFT CSP mandates annual training for employees, and said that security is an issue for everyone. “You can’t just trust an email,” he said.