Cyberattacks are estimated to be draining more than US$400 billion a year from the global economy, and that figure is predicted to rise to US$2.1 trillion by 2019. The Bangladesh Bank heist of 2016, which saw US$81 million taken from the central bank's account, stands as a telling example of the damage that can be wrought.

Corporate treasury teams are at significant risk of succumbing to a similarly disastrous incident. Access to large sums of money and a wealth of sensitive client data have placed the function at the top of many cybercriminals' hit lists. Businesses are certainly not ignorant of this threat, nor have they stood idly by. Most treasuries have taken measures to address their technological vulnerabilities, many investing in solutions such as two-factor authentication and penetration testing.

Still, all signs suggest that more needs to be done. The Economist Intelligence Unit's recent study “Third-Party Risks: The Cyber Dimension,” sponsored by Deutsche Bank, highlights third parties as a chink in the armor of many a treasury department. Oversight of internal employees is another ongoing concern. These two factors go some way toward explaining how cybercriminals have been succeeding in siphoning so much money from international businesses.

Secure Partners Are Essential

The case for shoring up third-party weaknesses is clear. Every large company relies on external suppliers, and while these partnerships are essential, the corporate must take steps to ensure that its supply chain doesn't represent a weak spot cybercriminals can exploit. This is an area in which global businesses have much work to do.

As part of its report, the Economist Intelligence Unit (EIU) surveyed more than 300 corporate treasury executives on their existing cybersecurity defense mechanisms. This research indicates that 19 percent of companies do not check whether their suppliers use the same methods for identity authentication as they do. They have not, for example, asked whether suppliers have secure email systems to protect confidential information, or whether they offer the ability to check the IP addresses of log-ins to match them with preassigned, or “white-listed,” addresses.

While 92 percent of corporates in the EIU survey vet their own internal systems with penetration testing—a specific cybersecurity technique in which experts are hired to attack systems to reveal weakness—the survey also reveals that only 33 percent of corporates apply penetration testing to their external agencies, and only 38 percent require it of their partners.

There is also room for neglect farther down the supply chain: Fourteen percent of surveyed treasurers demand that their suppliers meet specific requirements for information security but do not require those suppliers' subcontractors to conform to the same policies and procedures.

These gaps leave the door open for what are known as business email compromise, impostor fraud, or “man in the middle” attacks, in which hackers attempt to manipulate payment instructions, either by posing as a supplier and sending fraudulent invoices or by altering the payment instructions of legitimate invoices in order to redirect funds to a different account.

Avoiding falling victim to such incidents is a matter of working with supply chain partners to jointly tighten security protocols. Basic steps include ensuring third parties use a secure email system to protect confidential communications, including two-factor authentication (or equivalent) to verify that employees of the supplier are who they say they are. In addition, companies should check whether their suppliers track the IP addresses of those entering their treasury management or email systems. Are they able to match the IP addresses of those logging in against a set of white-listed addresses? Can they block access to anyone who is not specifically white-listed? Finally, companies need to check that their third parties are trained to look for unusual patterns of behavior in customer accounts.
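The allow-list check described above, written out as an added example (not code from the article or from Deutsche Bank): a default-deny match of login source addresses against pre-approved hosts and ranges, with the allow-list entries, user names and sample log-ins all constructed.

```python
# Added example: default-deny IP allow-listing for a treasury or email portal.
# ALLOW_LIST, SAMPLE_LOGINS and the user names are constructed for illustration.
import ipaddress

# Constructed allow list: single hosts and CIDR ranges, IPv4 and IPv6.
ALLOW_LIST = [
    "203.0.113.10",        # constructed: treasury office egress address
    "198.51.100.0/28",     # constructed: supplier VPN range (.0 to .15)
    "2001:db8:abcd::/48",  # constructed: supplier IPv6 range
]


def parse_allow_list(entries):
    # A malformed entry raises here, at load time, rather than silently
    # widening or narrowing the list; strict=False tolerates host bits set.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(source_ip, networks):
    # Default deny: only an address inside a listed network passes.
    # An unparseable value (e.g. garbage in a forwarded header) is treated
    # as not allowed instead of raising inside the login path.
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def review_logins(events, networks):
    # Split (user, ip) events into allowed and blocked lists for the audit log.
    allowed, blocked = [], []
    for user, ip in events:
        (allowed if is_allowed(ip, networks) else blocked).append((user, ip))
    return allowed, blocked


# Constructed sample of one day's portal log-ins.
SAMPLE_LOGINS = [
    ("alice", "203.0.113.10"),       # listed host
    ("bob", "198.51.100.7"),         # inside the /28
    ("carol", "198.51.100.40"),      # outside the /28: blocked
    ("dave", "2001:db8:abcd:1::5"),  # inside the IPv6 range
    ("eve", "not-an-ip"),            # garbage: blocked, no crash
]

if __name__ == "__main__":
    ok, denied = review_logins(SAMPLE_LOGINS, parse_allow_list(ALLOW_LIST))
    for user, ip in denied:
        print(f"BLOCK {user} from {ip}: not on allow list")
```

In production the source address must come from the connection or a trusted proxy header, never from a client-supplied value, or the check can be bypassed.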

Where partners do not comply with these requirements—and refuse to upgrade their security accordingly—treasurers must begin to look elsewhere for support.

To Err Is Human

Internal employees are often overlooked as a source of vulnerability within corporate treasuries. Cybercriminals frequently look to gain entry by hijacking an employee's insider status. This strategy can yield quick and easy results if employees of the target company are not adequately trained to identify the signs of an attack. Fraudulent emails now populate the inboxes of almost everyone with an email account, while sophisticated phone scams are on the rise.

In the treasury space, a common scam is the fake-CFO scam. Attackers will attempt to impersonate a senior member of staff via email or phone, requesting financial information from a junior employee. They may, for example, ask for a transaction to be initiated or for goods to be diverted in what appears to be a legitimate request.

Another common email scam relies on a company receiving a message—ostensibly from a legitimate supplier—that alerts the treasury of amended supplier bank account details. The email actually comes from a fraudster and would divert payments to his or her account. Similarly, a company might receive a falsified invoice that appears to come from a business partner, but for services that never happened.

In each of these scenarios, scammers may take advantage of time differences involved in cross-border trade to improve the likelihood of success for their con. For instance, if they contact a European business group in the middle of its day and demand that funds be transferred before close of business in Asia, the targeted employee may panic, thinking he or she has to act immediately.

Training is crucial to ensure employees are able to identify and deal with threats quickly and safely. A well-trained employee, for example, is well placed to spot a fraudster posing as a supplier in order to alter payments or pilfer sensitive data. Effective training could also help employees to spot emails infected with ransomware, which, if not dealt with appropriately, might encrypt critical data and threaten to delete it altogether unless the company pays a ransom by a certain deadline.

Even if a treasury organization can train employees to keep external threats at bay, management must still be mindful of threats born from within the organization. There is a growing awareness of the risk of “malicious insiders”—employees looking to gain access to company funds and data for their own personal gain. Given that these individuals often already have the permission required to take action, they represent a particularly potent threat.

How can the treasury team tackle this threat from within? Employees need to be alert to suspicious behavior among their colleagues. They also need to be aware of which types of behavior should raise red flags—for example, downloading large volumes of data to external drives, accessing sensitive information that bears no direct relevance to the individual's normal job duties, and emailing confidential data to a personal account. Requests for clearance or higher-level access without adequate explanation, or behavior that demonstrates sudden affluence without obvious cause, should also raise alarm bells among fellow employees.

One individual red flag is not necessarily a clear demonstration of harm, but when managers or employees note these types of activities, they should have a means for setting in motion a process of review and clarification.
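The red flags listed two paragraphs above, and the point just made that a single flag alone should not trigger action, as an added example (not from the article or Deutsche Bank): detection rules over an audit log, opening a review only when a user raises two or more distinct flags. The event format, thresholds, role entitlements and all sample events are constructed.

```python
# Added example: insider red flags as detection rules over constructed
# audit-log events. All domains, thresholds, roles and events are made up.
from collections import defaultdict

PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # constructed
EXTERNAL_COPY_THRESHOLD_BYTES = 500 * 1024 * 1024                 # constructed 500 MiB
# Constructed entitlements: the datasets each role normally touches.
ROLE_DATASETS = {
    "payments_clerk": {"payment_runs", "supplier_master"},
    "fx_dealer": {"fx_positions", "bank_balances"},
}


def flag_event(ev):
    # Return the red-flag name an event raises, or None if it looks normal.
    kind = ev["kind"]
    if kind == "copy_to_external_drive" and ev["bytes"] >= EXTERNAL_COPY_THRESHOLD_BYTES:
        return "bulk_copy_to_external_drive"
    if kind == "data_access" and ev["dataset"] not in ROLE_DATASETS.get(ev["role"], set()):
        return "access_outside_role"
    if kind == "email_sent" and ev.get("label") == "confidential":
        if ev["to"].rsplit("@", 1)[-1].lower() in PERSONAL_MAIL_DOMAINS:
            return "confidential_to_personal_mail"
    if kind == "access_request" and not ev.get("justification", "").strip():
        return "privilege_request_without_justification"
    return None


def users_for_review(events, min_distinct_flags=2):
    # Collect distinct flags per user; one flag is noted, two or more open a review.
    flags = defaultdict(set)
    for ev in events:
        f = flag_event(ev)
        if f:
            flags[ev["user"]].add(f)
    return {u: sorted(fs) for u, fs in flags.items() if len(fs) >= min_distinct_flags}


# Constructed audit-log sample.
SAMPLE_EVENTS = [
    {"user": "pat", "role": "payments_clerk", "kind": "data_access", "dataset": "payment_runs"},
    {"user": "pat", "role": "payments_clerk", "kind": "copy_to_external_drive", "bytes": 2 * 1024**3},
    {"user": "pat", "role": "payments_clerk", "kind": "email_sent", "to": "pat.home@gmail.com", "label": "confidential"},
    {"user": "sam", "role": "fx_dealer", "kind": "data_access", "dataset": "supplier_master"},
    {"user": "sam", "role": "fx_dealer", "kind": "access_request", "justification": "month-end cover for clerk"},
    {"user": "lee", "role": "fx_dealer", "kind": "copy_to_external_drive", "bytes": 10 * 1024**2},
]

if __name__ == "__main__":
    for user, reasons in users_for_review(SAMPLE_EVENTS).items():
        print(f"REVIEW {user}: {', '.join(reasons)}")
```

Only "pat" is routed for review here; "sam" raises one flag (accessing a dataset outside the fx_dealer role), which is recorded but not escalated on its own.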

Cybersecurity Lessons for Banking Relationships

The recurring lesson of cybercrime stories in the press these days is this: Make sure every link in the transaction chain is fully secure. Corporate treasury groups should be in constant dialogue not only with their third parties and employees, but also their banks—the partners that represent the final barrier in the way of the cybercriminal.

Many banks today are making cybersecurity a top priority. For example, to tackle phishing and protect information exchanges from disclosure to and manipulation by third parties, some banks use an encrypted email solution based on digital certificates with public and private key pairs. Such a system enables the bank to establish a secure channel with clients.

Banks should also be providing employees with cybersecurity and cyberfraud training. Some financial institutions offer regular (and regularly updated) training in the art of identifying irregularities in both client transactions and colleagues' behavior. They might also provide frequent updates on new security threats and best practices, and require employees to pass online training courses related to security topics. Another measure banks can initiate to reduce cyber risks is offering their employees a 24×7 cybersecurity hotline to ensure swift action is taken in response to potential threats.

Of course, these are just a few examples of measures that a bank can take. Companies need to start assessing their prospective banking partners on their ability to protect the confidentiality, integrity, and availability of customer and bank details. They need to start asking their banks security-related questions, such as:

  • What are your security policies?
  • What controls do you have in place to tackle threats?
  • Do you hold third-party IT vendors to the same standards?
  • Are your employees aware of potential threats, and do they receive rigorous training?

Armed with this information, a corporate treasurer can be confident that banking partners do not represent a weak link in the chain. As the cybersecurity landscape continues to evolve, banks must now be experts not only in financial services, but also in fighting cybercrime.

David Watson is global head of digital cash products and Americas head of cash management for Deutsche Bank's Global Transaction Banking (GTB) business. As part of the Cash Management business leadership team, he helps with defining the forward strategy and identifying disruptive opportunities in the product, technology, investment, digital, and fintech areas.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.