Information security for treasury has become a top priority as organizations struggle to defend themselves against internal and external fraud.

The numbers are frightening: According to the 2017 AFP Payments Fraud and Control Survey, 74 percent of participating companies were targets of payments-fraud attacks in 2016. Worse, 47 percent of those fraud attempts were successful, meaning that more than a third of all companies surveyed lost money last year due to fraud.

Treasury is a leading target for cybercriminals because of the sensitive information that the function protects, as well as the possibility of an immediate payoff if unauthorized payments succeed. It is no surprise that information security is garnering so much attention within treasury functions.

Still, in many organizations, treasury maintains its own set of security policies that are neither aligned with, nor managed by, IT. This creates risk for the organization, as the treasury team may not be following the best practices employed by the company's chief information security officer (CISO). This disconnect may create exploitable opportunities for internal and external compromise of payments and other treasury data.

To minimize their function's risk, treasurers should leverage the growing fears of cybercrime and payments fraud as an opportunity to align treasury with the corporate security requirements established by the CISO or other IT security executive. An effective treasury information security policy must support the company's overall objectives in four areas: application security, data security, payment controls, and payment screening.

1. Application Security

Application security is about protecting access to treasury and payment systems, including managing the credentials that are needed to log into these platforms. Fortunately, treasury teams widely agree that relying on a simple user ID and password is insufficient to protect access to treasury systems, since passwords can be stolen, phished, reused from another breached site, or cracked by automated guessing.

The minimum standard for treasury application security is typically two-factor authentication, in which user ID and password are complemented by a one-time code derived from a secret key that an attacker who has only the password does not hold. There are different ways to deploy two-factor authentication, including a hard token (a dedicated physical device), a soft token (an authenticator app on a mobile phone), or a code delivered by SMS. SMS is the weakest of these: codes can be diverted by SIM-swap fraud or phished together with the password, and NIST SP 800-63B classifies SMS one-time codes as a restricted authenticator, so app- or hardware-based tokens are the better choice for payment systems. Most banks use this approach for access to their portals, which is why treasury professionals should be very familiar with, and comfortable employing, two-factor authentication for access to their treasury systems.
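To make concrete what a soft token actually does, here is an added example (not code from the article, from Kyriba, or from any treasury product) of the RFC 6238 time-based one-time password algorithm that most authenticator apps implement, together with the server-side check. The shared secret is provisioned once at enrolment; afterwards the phone and the server each compute the same six-digit code for the current 30-second window without any message passing between them. The time step, digit count, and drift window are the RFC defaults and are assumptions here; the test secret is the one published in RFC 6238.

```python
"""RFC 6238 TOTP soft token and verifier (added example, Python standard library only)."""
from typing import Optional
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30   # seconds per code window (RFC 6238 default, assumed here)
DIGITS = 6       # code length most authenticator apps display
WINDOW = 1       # accept one step of clock drift on either side

# Secret from the RFC 6238 test vectors (ASCII "12345678901234567890"), base32-encoded.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def provision_secret(nbytes: int = 20) -> str:
    """Generate the shared secret once, at enrolment, base32-encoded for QR/app entry."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """What the token displays: HOTP with the counter set to the current time window."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[float] = None,
                last_used_counter: int = -1):
    """Server-side check of a submitted code.

    Accepts the current window plus WINDOW steps either side, compares in constant
    time, and refuses any counter <= last_used_counter so that a code captured by a
    phishing page cannot be replayed inside its window. Returns (ok, counter);
    the caller must persist the returned counter after a successful login.
    """
    t = int(time.time() if at is None else at)
    base = t // TIME_STEP
    for drift in range(-WINDOW, WINDOW + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    secret = provision_secret()
    print("enrol this secret in the app:", secret)
    print("current code:", totp(secret))
    print("verify:", verify_totp(secret, totp(secret)))
```

The replay guard is the part most home-grown verifiers omit: without it, a code phished a few seconds earlier is still valid, which is exactly how real-time phishing kits defeat one-time codes.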

In addition to two-factor authentication, treasury teams can employ safeguards such as IP filtering and single sign-on. With IP filtering, the system accepts logins only from known network addresses (the corporate offices or the corporate VPN, for example); a login attempt from any other address is either rejected outright or must pass an additional challenge, such as security questions or another authentication factor. With single sign-on, IT manages all logins to the treasury system: users authenticate once to a single corporate identity, such as their Windows domain account, and that session drives access to corporate systems, including treasury. This puts IT in control of the treasury system's security, which is often viewed as a positive because IT staff can ensure that application security and user entitlements are centrally managed for all corporate employees. It also concentrates risk: the corporate identity now unlocks payments, so it must be protected with multi-factor authentication at least as strong as the treasury system would have required on its own.

Whatever combination of application security protocols is implemented, multiple layers are always better than a single line of defense. And achieving consistency between treasury's controls and the rest of the organization is always a best practice, to ensure that treasury is not the weakest link in the organization's cybersecurity armor.

2. Data Security

Cloud-based treasury software has become extremely popular, from corporate treasury management systems to trading portals to bank software. Yet moving treasury information to the cloud also necessitates encryption of all corporate data at rest on the provider's servers, so that if the hosting provider's storage is ever compromised, the data is unusable to whoever obtains it. Note the limit of this control: a running application must decrypt data for authorized sessions, so encryption at rest does nothing against a stolen user credential or a compromised application. The IT team's due diligence on a new treasury cloud provider should therefore include evaluating whether all data at rest is encrypted, who holds and can access the encryption keys, and whether key fields (beneficiary bank account numbers, for example) can be further encrypted at the application level.

In addition, any evaluation of a cloud provider should confirm that a reputable information security vendor regularly conducts penetration testing on the cloud-based systems and provides written attestations to the results of the penetration testing program; ask for the scope, date, and remediation status of the findings, not just a pass/fail letter. These tests should include both unauthenticated ("blind") and authenticated modes. Blind testing occurs when the security firm attempts to break into the system without credentials, looking for weaknesses exposed to external attackers. Authenticated testing occurs when the tester holds a valid, low-privilege account and looks for ways to reach data or functions that account is not entitled to, which is the position of a malicious insider or of an attacker who has phished one user's credentials.

3. Payment Controls

A company's payment controls need to be aligned to its global payment policies and consistently applied for all payment types, across all users, and in all geographies. Any exception creates risk, whether the exception is granted because the CEO asks for an urgent wire transfer or because the regional CFO is 12 time zones away.

Most treasury organizations do a good job of creating policies that balance who can initiate and approve payments, especially for firms where treasury is a global operation. Problems are more likely to arise in the execution of those policies, as treasury, accounting, and finance may use different systems for payments. Each system offers its own features for limits and approvals, so a companywide global payment policy may be difficult to implement.

For this reason, increasing numbers of CFOs are favoring payment factories and shared service centers. These centralized structures better align payment policies with a single set of payment controls. They also offer greater visibility into outgoing payments for treasury, which supports more efficient cash management and enables simpler reconciliation between the company's record of expected payments and the acknowledgement messages that are returned from the bank. Most treasury management systems can handle this reconciliation process so that any discrepancies can be flagged for immediate investigation.

Whatever degree of payment centralization exists, payment platforms should have a checklist of controls that documents who has privileges to create and approve a payment, along with scenarios in which those privileges are suspended, for example when the payment approver has modified a payment instruction (the edit makes the approver the author of the new instruction, and the earlier approval no longer covers what would actually be sent). These safeguards, alongside an additional requirement for two-factor authentication at the point of payment approval, help ensure that only approved payments are sent from internal systems.
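The checklist above can be expressed as a small maker-checker model. The following is an added example, not code from the article, from Kyriba, or from any treasury management system; the user names, entitlement table, and payment fields are constructed for illustration. The point it shows is that an approval should be bound to a hash of the exact instruction approved: an edit after approval changes the hash, the stale approval stops counting at release time, and the editor is barred from approving their own change.

```python
"""Maker-checker release control with approval bound to the instruction (added example)."""
import hashlib
import json

# Constructed entitlement table: who may create and who may approve.
ENTITLEMENTS = {
    "alice": {"create"},
    "bob": {"approve"},
    "carol": {"approve"},
}
INSTRUCTION_FIELDS = ("beneficiary", "account", "amount", "currency")


def instruction_digest(payment: dict) -> str:
    """Hash of the fields that define where the money goes; every approval binds to it."""
    fields = {k: payment[k] for k in INSTRUCTION_FIELDS}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def create_payment(user, beneficiary, account, amount, currency):
    if "create" not in ENTITLEMENTS.get(user, set()):
        return None, f"{user} is not entitled to create payments"
    payment = {"beneficiary": beneficiary, "account": account, "amount": amount,
               "currency": currency, "last_modified_by": user, "approvals": []}
    return payment, "created"


def modify_payment(payment, user, **changes):
    """Any edit counts as authorship: the editor becomes the author of the new
    instruction and cannot approve it. Earlier approvals are kept for the audit
    trail but no longer match the digest, so releasable() ignores them."""
    if not set(changes) <= set(INSTRUCTION_FIELDS):
        return False, "only instruction fields may be changed"
    payment.update(changes)
    payment["last_modified_by"] = user
    return True, "modified; prior approvals no longer cover this instruction"


def approve_payment(payment, user, mfa_verified: bool):
    if "approve" not in ENTITLEMENTS.get(user, set()):
        return False, f"{user} is not entitled to approve payments"
    if user == payment["last_modified_by"]:
        return False, "segregation of duties: the last editor of an instruction cannot approve it"
    if not mfa_verified:                      # second factor at the point of approval
        return False, "second factor required at approval"
    payment["approvals"].append({"user": user, "digest": instruction_digest(payment)})
    return True, "approved"


def releasable(payment, required_approvals: int = 1):
    """Release only if enough distinct approvers signed exactly this instruction."""
    digest = instruction_digest(payment)
    approvers = {a["user"] for a in payment["approvals"] if a["digest"] == digest}
    if len(approvers) < required_approvals:
        return False, f"{len(approvers)} valid approval(s), {required_approvals} required"
    return True, "approved instruction matches the instruction being sent"


def demo() -> dict:
    """Walk the scenario from the text: approver edits the instruction after approving."""
    p, _ = create_payment("alice", "ACME GmbH", "DE89370400440532013000", 50_000, "EUR")
    self_approve, _ = approve_payment(p, "alice", mfa_verified=True)
    no_mfa, _ = approve_payment(p, "bob", mfa_verified=False)
    bob_approves, _ = approve_payment(p, "bob", mfa_verified=True)
    release_1 = releasable(p)[0]
    modify_payment(p, "bob", account="DE02120300000000202051")   # bob edits after approving
    release_after_edit = releasable(p)[0]
    bob_again, _ = approve_payment(p, "bob", mfa_verified=True)   # suspended: he is now the author
    carol_approves, _ = approve_payment(p, "carol", mfa_verified=True)
    release_2 = releasable(p)[0]
    return {"self_approve": self_approve, "no_mfa": no_mfa, "bob_approves": bob_approves,
            "release_1": release_1, "release_after_edit": release_after_edit,
            "bob_again": bob_again, "carol_approves": carol_approves, "release_2": release_2}


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>20}: {outcome}")
```

Binding the approval to a digest rather than to a payment identifier is what makes the "approver modified the instruction" scenario enforceable by the system rather than by policy alone.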

4. Payment Screening

Payment screening is the last line of defense against fraud. Treasury teams are familiar with the fact that their banks screen payments against sanction lists, such as OFAC in the United States and similar government-managed databases from the E.U. and U.N. Treasurers are usually notified by their banks if payments run afoul of such watch lists, yet that notification may occur a day or more after the payments were transmitted to the bank.

Fortunately, treasury management systems are beginning to incorporate external sanction-list screening within their payment workflows, so that treasury teams see the same screening results as their banks do and receive notification of issues much sooner than if they waited for the bank. In some cases, the company may be able to identify offending payments before they are ever sent to the bank, which is yet another fraud control.

Treasury should not rely on external payment watch-list screening as the sole indicator of suspicious payment activity. Payments must also be screened against internally designed rules that are built around scenarios treasury wants to protect the company against, such as payments being sent to a recently updated bank account; transactions being modified after import from the ERP system; payments being transmitted to a beneficiary in a country where the organization does not have any suppliers; or a combination of payments that, in aggregate, exceed soft or hard payment limits.

These are only a few of the many scenarios that a company's systems should automatically screen payments against in real time, so that treasury and/or internal audit can be alerted to suspicious payments before they are transmitted to the bank. Depending on the number of third-party payments that treasury and finance must analyze, data visualization may help direct attention to the most serious pending issues through the use of different fonts, colors, and custom scoring.
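The internal rules listed above (recently changed bank account, instruction modified after ERP import, beneficiary country with no suppliers, aggregate over a soft or hard limit) and the custom scoring can be run over pending payments before release. Below is an added example, not code from the article, from Kyriba, or from any treasury management system; the vendor master data, payments, limits, and the 14-day "recent change" window are constructed for illustration, and it adds two checks that follow naturally from the same data but are not in the text (beneficiary account differing from the vendor master, and a vendor absent from the master altogether). Sanctions-list screening is out of scope for this block.

```python
"""Scenario-based pre-release payment screening with severity scoring (added example)."""
from collections import defaultdict
from datetime import date
import hashlib
import json

RECENT_DAYS = 14                              # "recently updated" account window (assumed)
SOFT_LIMIT, HARD_LIMIT = 100_000, 250_000     # per beneficiary per value date (assumed)
ERP_FIELDS = ("vendor", "account", "amount", "currency", "country")

# Constructed vendor master data: settlement account, country, date of last account change.
VENDOR_MASTER = {
    "V100": {"account": "DE89370400440532013000", "country": "DE", "account_changed": date(2017, 3, 1)},
    "V200": {"account": "GB29NWBK60161331926819", "country": "GB", "account_changed": date(2017, 6, 10)},
}
SUPPLIER_COUNTRIES = {v["country"] for v in VENDOR_MASTER.values()}


def erp_digest(p: dict) -> str:
    """Fingerprint of the instruction exactly as it came out of the ERP."""
    return hashlib.sha256(json.dumps({k: p[k] for k in ERP_FIELDS}, sort_keys=True).encode()).hexdigest()


def import_from_erp(p: dict) -> dict:
    """Stamp the digest at import so later edits in the payment system are detectable."""
    p = dict(p)
    p["erp_digest"] = erp_digest(p)
    return p


def screen(payments, today: date) -> dict:
    """Return {payment id: [(rule, severity), ...]} for every payment that needs review."""
    totals = defaultdict(float)               # aggregate per (vendor, value date)
    for p in payments:
        totals[(p["vendor"], p["value_date"])] += p["amount"]
    alerts = {}
    for p in payments:
        hits = []
        master = VENDOR_MASTER.get(p["vendor"])
        if master and (today - master["account_changed"]).days <= RECENT_DAYS:
            hits.append((f"beneficiary bank account changed within {RECENT_DAYS} days", 3))
        if master and p["account"] != master["account"]:
            hits.append(("account differs from vendor master", 3))
        if master is None:
            hits.append(("vendor not in master data", 2))
        if p["country"] not in SUPPLIER_COUNTRIES:
            hits.append(("beneficiary country has no suppliers", 2))
        if erp_digest(p) != p["erp_digest"]:
            hits.append(("instruction modified after ERP import", 3))
        total = totals[(p["vendor"], p["value_date"])]
        if total > HARD_LIMIT:
            hits.append((f"aggregate {total:,.0f} exceeds hard limit", 3))
        elif total > SOFT_LIMIT:
            hits.append((f"aggregate {total:,.0f} exceeds soft limit", 1))
        if hits:
            alerts[p["id"]] = hits
    return alerts


def prioritize(alerts: dict) -> list:
    """Order flagged payments by total severity so reviewers see the worst first."""
    return sorted(alerts, key=lambda pid: sum(s for _, s in alerts[pid]), reverse=True)


# Constructed pending payments, imported from the ERP on 2017-06-15.
TODAY = date(2017, 6, 15)
SAMPLE = [import_from_erp(p) for p in (
    {"id": "P1", "vendor": "V100", "account": "DE89370400440532013000", "amount": 40_000.0,
     "currency": "EUR", "country": "DE", "value_date": date(2017, 6, 16)},
    {"id": "P2", "vendor": "V200", "account": "GB29NWBK60161331926819", "amount": 60_000.0,
     "currency": "GBP", "country": "GB", "value_date": date(2017, 6, 16)},
    {"id": "P3", "vendor": "V200", "account": "GB29NWBK60161331926819", "amount": 200_000.0,
     "currency": "GBP", "country": "GB", "value_date": date(2017, 6, 16)},
    {"id": "P4", "vendor": "V300", "account": "KY12345678901234567890", "amount": 5_000.0,
     "currency": "USD", "country": "KY", "value_date": date(2017, 6, 16)},
)]
SAMPLE[0]["amount"] = 140_000.0   # P1 was edited in the payment system after import


def run_screening() -> dict:
    return screen(SAMPLE, TODAY)


if __name__ == "__main__":
    result = run_screening()
    for pid in prioritize(result):
        print(pid, result[pid])
```

Two design points carry over to a real system: aggregate limits must be computed across every payment system feeding the bank, not per system, or the "two payments of 60 percent each" evasion works; and the ERP digest has to be captured at the trust boundary (import), not recomputed from the payment system's own copy.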

Top 5 Ways to Align to the CISO

Combating payments fraud is difficult because, in many cases, companies lack the technology and personnel to properly implement global payment policies across all their systems. By working with the CISO or an equivalent companywide leader to secure their systems, treasurers can help minimize the organization's risk of falling victim to payments fraud.

Here are 5 first steps for initiating this mutually beneficial relationship:

  1. Request a list of security best practices, or the company's security policy, from your CISO. It's an easy ask and will enable treasury staff to identify any areas where treasury security policies differ from corporate policies in significant ways.
  2. Acquire a list of data-security best practices and policies from the vendor of your treasury management system, and present this list to your CISO. Your vendor should have this information readily available. The treasury team's ability to adhere to policies and establish workflows that effectively protect corporate data will be useful in company compliance audits.
  3. Establish security KPIs with your team. Effectively monitoring access to the corporate treasury management system (who logged in, from where, and which entitlements changed) will impress the CISO. Request a simple report on security access from your treasury management system vendor.
  4. Request training on securing your treasury management solutions. As part of today's ongoing education for treasury certifications, many webinars and conference training sessions offer tips and best practices that reinforce the importance of secure passwords and multi-factor authentication. It's a good idea to ask your team to provide a list of the security training they've undergone, and to include that information in reports on the treasury function's security practices.
  5. Treasury systems via VPN: New, best-in-class cloud solutions run in data centers and utilize data security services that most CISOs prefer to see. Nevertheless, there are options for enhancing security for companies that run their treasury management systems on-premises. One key security measure is ensuring that employees working from remote locations can access treasury data only via a locked-down VPN that itself requires multi-factor authentication.

Protecting systems from unauthorized users, always keeping data encrypted, and implementing a standard set of payment controls will significantly reduce the risk of fraud. The final line of defense should be scenario-based payments screening to detect, in real time, any suspicious payments that need another look before being released.

As the era of non-bank payments, distributed ledgers, and real-time payments looms closer, the importance of strong fraud prevention increases drastically.

———————————

Bob Stark is the vice president of strategy for Kyriba. In this role, he is responsible for that company's global product strategy and market development. Stark is a 19-year veteran of the treasury technology industry, having served in multiple roles at Wall Street Systems, Thomson Reuters, and Selkirk Financial Technologies. He is a regular speaker at treasury conferences, including AFP National, EuroFinance, and regional AFP events.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.