Much has changed since the early20th century bank robber Willie Sutton, when asked why he chose histargets, reportedly said, “Because that's where the money is.”Criminals are now using tools Sutton couldn't have dreamed of, buttheir philosophy in choosing targets remains pretty true tohis.

Many attacks are now perpetrated online, alarming growth involume and sophistication over the past two years. Equallydistressing is the range of perpetrators, from conventional hackersand disgruntled employees to well-funded nation-states, terroristorganizations, and criminal groups. Their top target in manyattacks: corporate treasury.

That's where the corporate money is. But some hackers thattarget treasury have more in their sights than direct theft ofcompany funds. Treasury systems are repositories of sensitive datathat can be stolen. Crucial financial systems also can be shutdown, either for ransom or to promote a geopolitical agenda. Asidefrom the financial costs of these disruptions, companies confrontthe risk of serious reputational damage, which may have a lingeringbusiness impact.

While many corporate treasuries have thoughtful measures inplace to ward off known forms of malware, it's tomorrow's(currently unknown) malware that gives deep pause for informationsecurity experts. Hackers and fraudsters are in the business ofinventing new types of ever-more-innovative cyberattacks, theirmethods continually evolving to achieve specific aims.

“Cybercriminals considercorporate treasury – due to its mission-critical function ofmanaging the flow of funds – to be a high-value target.”

|

– Rajesh Shenoy, Global Head of Digital Security, Treasury andTrade Solutions, Citi

In this work, corporate treasury is in the crosshairs.“Cybercriminals consider corporate treasury—due to itsmission-critical function of managing the flow of funds—to be ahigh-value target,” says Rajesh Shenoy, global head of DigitalSecurity, Treasury and Trade Solutions at Citi. “Consequently,treasuries must do all they can to make their operations less of atarget by hardening their systems, processes, and procedures to beless susceptible to a cyber event taking place.”

Payments Fraud Continues to Grow

Payments fraud is a key cyber event that treasuries need toprotect against. According to the 2018 Payments Fraud Survey ofnearly 700 treasury and finance professionals conducted by theAssociation for Financial Professionals (AFP), a record 78 percentof treasury organizations were hit with payments fraud in 2017.

“It is alarming that the rate of payments fraud has reached arecord high despite repeated warnings,” says Jim Kaitz, AFP'spresident and CEO. “In addition to being extremely vigilant,treasury and finance professionals will need to anticipate [such]scams and be prepared to deter these attacks.”

A key method of perpetrating payments fraud is business emailcompromise, whereby an attacker gains access to a corporate emailaccount and spoofs the owner's identity to defraud the company—orits employees, customers, or partners—of money.

Business email compromise scams are among the top fraud threatsto corporate treasury and finance, with both the frequency ofattempts and the total dollar amounts stolen increasing in recentmonths—dramatically in some cases. The AFP survey indicates that 77percent of organizations experienced at least one such attack in2017. More than half the scams (54 percent) targeted wire payments,followed by checks at 34 percent. A typical ruse involvespersuading an employee to send a fraudulent invoice for processingby accounts payable, which unknowingly makes the payment to a bankaccount controlled by the fraudster.

Shenoy agrees with these findings. “Increasingly, a combinationof technology and human elements looking to compromise people,manipulating them to take specific actions for what they believeare authentic business purposes,” he says. “Most people think theywould spot such charades, but the truth is they are extremely wellthought out and crafted.”

Data Breaches a Major Concern

Although business email compromises make up the bulk of paymentsfraud schemes, other treasury-focused cyberattacks are predicatedon stealing valuable data—typically including the names, addresses,bank account information, and bank statement details of vendors,partnering organizations, employees, customers, and other payersand payees. Once they've stolen personal data, cyber thieves holdit for ransom or sell it directly on the murky underground forumspopulating the dark web.

According to Dark Web News, bank accounts hold more value thanother forms of identity in that world. A $2,000

account balance, for instance, could sell for about a tenth ofits value, or $200. Multiply this figure by hundreds or thousandsof accounts, and the incentive for identity theft increasesexponentially.

Corporate treasuries that suffer a successful attack resultingin a breach of personal data can incur stiff penalties. The newGeneral Data Protection Regulation (GDPR) in the European Union,for example, imposes substantial fines on companies fornoncompliance—up to 20 million euros or 4 percent of global annualturnover, whichever is higher. All companies that do business inthe EU must comply with the regulation.

“In and organization of 25,000people you might have 10 or 15 people within treasury, narrowing ahacker's ability to perpetrate a phishing attack. At the same time,thought, this makes it easier to seek out the most vulnerabletarget.”

|

– Bob Stark, Vice President of Strategy, Kyriba

Other cyberattacks, like ransomware, involve encrypting atreasury system to curtail its service until a ransom is paid. Andpaying the money doesn't guarantee the company's desired outcome.“In Eastern Europe, many organizations paid the ransom to havetheir systems decrypted and unlocked, but in some cases theynonetheless remained locked,” says Shenoy.

He's referring to malware called NotPetya, which was blamed fordisrupting business operations at shipping ports, advertisingagencies, law firms, and retail outlets in 2017. Once inside theseorganizations' networks, the malware destroyed the infectedmachines' file systems. The goal was not financial gain; rather, itwas geopolitically motivated, designed to completely shut downcorporate networks for purely malicious reasons.

The attacks were followed by the similar Bad Rabbit malware thatinfected the networks and systems of several news mediaorganizations in Russia, Ukraine, and Turkey. Hackers demandedpayment in bitcoin to decrypt the fi les they had encrypted, thenneglected to make good on some of their promises. The malware waseventually decrypted when keys to unlock it were provided byInternet security firms.

Hacker Sophistication Requires EmployeeVigilance

How often do cyberattacks hit corporate treasuries? It depends.“For the most part, treasuries are attacked on an infrequent basis,but in some large organizations, these attempts are fairly common,as many as multiple times a day,” says Bob Stark, vice president ofstrategy at Kyriba, a provider of cloud-based treasury managementsoftware systems. “A small company, on the other hand, might beattacked once or twice a year.”

There are no current statistics on the aggregate number ofsuccessful cyberattacks against corporate treasuries or the totalcost of these crimes. For security purposes, many treasuries preferto stay tight-lipped on the subject. However, the intervieweesagree that the risk and financial impact are substantial. Based onanecdotal evidence, losses are likely in the tens of millions ofdollars, if not more.

“The potential losses are huge,” a 2017 report produced by theEconomist Intelligence Unit (EIU) states. “Hackers infiltratingindividual companies have stolen tens of millions of dollars in asingle attack. The stock price of breached companies falls, andCEOs are sacked. Data losses create reputational damage andlawsuits from inside and outside the company. Even mergers andacquisitions can be derailed or altered in value to the tune ofhundreds of millions of dollars.”

Today's cyberattackers differ from previous generations in theirmeticulous planning. Criminals undertake copious research andtrial-and-error experimentation in plotting the crimes before theyexecute. “Sophisticated cybercriminals use social engineering andinside information gleaned from lengthy reconnaissance within agiven company's systems to execute high-value thefts,” the EIUreport states.

Nevertheless, many treasurers believe their companies arewell-protected. To a certain extent they are—most organizationshave undertaken basic security procedures like installing softwaresystem updates, limiting network and data access, and incorporatingpenetration testing to spot vulnerabilities. The Achilles heel inmany cases is people. Even after small doses of cybersecuritytraining, treasury, finance, and accounts payable staff may fail torecognize (or respond effectively to) scams that use socialengineering to target the right people with the right message for asuccessful attack. Thus, business email compromise remains theprimary attack vector used to gain unauthorized access to treasurysystems.

“The biggest threat to corporate treasury cybersecurity is oftenstaff complacency,” according to a report on treasury payment fraudby research firm IDC. “Cybersecurity within the treasury departmentis as much, or perhaps even more, about the people.”

A common example of a business email compromise attack thatutilizes social engineering is the so-called “CEO fraud,” in whicha hacker, impersonating the company's CEO or other seniorexecutives, emails a specific employee asking him or her to make anurgent, confidential payment on the executive's behalf. In somecases, the hacker follows up with a phone call to the person, whohas been carefully selected as having personality traits thatsuggest he or she is unlikely to question authority.

Before an employee receives such an email, the scammer does alot of research. Typically, these scams are perpetrated by someonewith inside knowledge of the company, its business procedures, andkey people, which enables the scammer to augment the appearance oflegitimacy. These requests also emphasize the time sensitive natureof the payment, which pressures the employee to act immediately anddiscourages him or her from seeking to substantiate the requestwith another senior executive before initiating payment.

If there is a silver lining here, it is that the relativelysmall number of treasury employees limits the available pool ofpeople for scammers to target. “In an organization of 25,000 peopleyou might have 10 or 15 people within treasury, narrowing ahacker's ability to perpetrate a phishing attack,” says Stark. “Atthe same time, though this makes it easier to seek out the mostvulnerable target.”

How to Mount a Defense

Treasury organizations are extremely concerned about the risk ofpayments fraud. “This is not a question of 'Will this happen?'—it'sa question of when,” says Shenoy. “The majority of treasuryprofessionals have seen payments fraud and other types ofcyberattacks. Such attacks are increasing in number andsophistication. Regrettably, there is no silver bullet to stop allattacks at once.”

Studies back him up. An overwhelming 84 percent of corporatetreasury groups believe the threat of cyber fraud has increasedover the past year, according to a 2018 survey of more than 300treasury professionals by consultancy Strategic Treasurer. “Fraudcontinues to be at the forefront of practitioners' minds, andsecurity remains a top priority for treasury in 2018,” the reportstates. “Fraudulent techniques such as business email compromiseand ransomware have become the norm.”

Whereas only 8 percent of respondents had experienced aransomware attack in 2017, 25 percent had experienced at least onesuch event in 2018, a more than 300 percent year-over-yearincrease. Additionally, one-third of the respondents said they werenot sure of the source of the attack—whether, for example, itoriginated internally or externally, and whether it involved acriminal working solo or a group.

Despite the extraordinary increase in cyber fraud threats, onlyone-quarter of corporate treasuries in the survey indicated thatthey have increased their spending on payments fraud security andcontrols in the past three years. Those that have primarilytargeted treasury payment controls, reconciliation features,account-level controls, and fraud monitoring. The report concludedthat many practitioners had inadequate security controls,unassigned fraud management responsibilities, a piecemeal approachto security, and poor visibility into transactions.

The latter finding resonates loudly with Stark. “Organizationscontinue to rely on human eyes to enforce payment policies,” hesays. “People can make mistakes, especially as they take on moreresponsibilities and have to review more data, or match paymentsagainst more fraud scenarios.”

Building Resilience

In many corporate treasuries, the level of preparedness toidentify and respond to future payments fraud schemes isunsettling. Fortunately, several well-known best practices can helptreasury teams mount a stronger defense against cyberattacks.

The first step is to identify major vulnerabilities in thecorporate network and treasury-related systems. Through in-depthrisk assessments the company's information security team and/or anexternal cyber-risk consultant can ferret out weaknesses in thetreasury organization's critical business processes, data assets,and systems, as well as the integration points between systems.

Citi's Treasury and Trade Solutions team utilizes regularcybersecurity reviews. “It is critical to have the right subjectmatter expertise to pinpoint vulnerabilities and know how toeffectively respond,” Shenoy says. “We work hand-in-hand with teamsacross the organization to safeguard our most important data on aday-to-day basis. Our information security team also analyzesrecent cyber events as well as real-time threat intelligence toassess potential impact to the treasury system and ourprocesses.”

Based in part on these analyses, Citi recently strengthened thesecurity of its client-facing online platform. Customers using itsbanking services app can utilize a software token that generates aone-time password on their mobile device for authenticationpurposes. “We've also put in place invisible controls that the badguys are unaware of, using advanced analytics and machine learningtechnology to help identify a customer's normal patterns againstwhat appear to be anomalies,” Shenoy says.

When unusual activity occurs, such as a customer logging ontothe platform at an unusual hour or from an odd location, the systemsends up a red flag. “We're not expecting to catch 100 percent offraudulent activities, but we'll expect to catch more of them,”Shenoy says.

Stark agrees. “AI-based payment fraud detection is increasing insophistication, with complex algorithms now able to detect customfraud scenarios in real-time,” he says. “In some cases, these toolsare built into payment workflows, building a better line ofdefense.”

Another best practice is to conduct routine penetration tests touncover weaknesses in the cyber-defense methods of the treasuryorganization, suppliers, and partnering organizations. The EIUreport indicates that 92 percent of respondents to that surveyconduct internal penetration testing, but only 33 percent apply thesame testing to their suppliers.

Moreover, 19 percent of treasury departments fail to check theirsuppliers' identity authentication processes or evaluate whethersuppliers have secure email systems for protecting confidentialinformation. “Our research found serious gaps in corporate defense,including vulnerabilities hidden within third parties and theirsubcontractors,” the EIU report states.

Stark affirms that third parties are a chink in the armor. “Wefind it highly advisable for the CISO or someone in informationsecurity to require suppliers to fill out a lengthy questionnaireasking them about their IT security processes,” he says. “This way,you're able to compare each supplier against other suppliers interms of their cyber-risk defenses and response procedures. Themore vulnerable suppliers become that much clearer.”

Workflows and Controls

Another smart tactic is to standardize and document paymentapproval workfl ows and other treasury processes, and to appraisethe effectiveness of these controls on a regular basis. “There areinformation security standards like ISO 27001 and third-partyaudits like SOC 1, 2, and 3 reports that treasury technologyvendors should adhere to,” Stark explains.

Two other defensive processes are to encrypt all treasury datain transit and at rest, and to segregate duties within the treasuryorganization to reduce the possibility of internal fraud. Withregard to the latter tactic, only certain people should have accessto specific types of payment data.

“You want to separate the duties between the payment initiator,the payment approver, and the reviewer of a detected payment,” saysStark. “It's best to designate these reviewers by payment rule andspecific payment scenarios. For example, a decision might be madefor payments under $1 million to be reviewed by the treasurymanager, whereas payments over this amount would be sent to thetreasurer for review.”

Yet another best practice is to use a security incident andevent management (SIEM) system. The InfoSec Institute describesSIEM systems as offering a “real-time analysis of a security alertgenerated by operational systems, applications, network hardware,and databases.”

“If you don't have a SIEM system and you're hacked, you'relikely to be stuck wondering too long about what you need to donext,” says Stark. “The longer you wait, the worse the situationcan become. And if the attempt is successful, it is typicallyfollowed by additional attacks.” He pointed out that Kyriba'scloud-based treasury solution comes equipped with a SIEMsystem.

Help Is Here

Many companies that provide products or services to corporatetreasury functions are offering online resources that helpcustomers with cyberattack planning, management, mitigation, andresponse. For instance, both Kyriba and the Treasury and TradeSolutions group at Citi have created guides to help detect variousscams.

Corporate treasury teams will become increasingly effective atdiscerning and defending against cyberattacks as cutting-edgetechnologies become more widely available. “Later this year, weplan to roll out tools that have the potential to detect anomaliesin how users navigate applications using their computer mouse,arrow keys, and the scroll bar,” says Shenoy. “Suchbehind-the-scenes tools can tell us things we couldn't guess atbefore.”

Just in time, too. “Cyberattacks are becoming moresophisticated, but we're becoming more sophisticated, too,” saysStark. “Our capabilities are constantly improving.”

Also from the September 2018 Special Report

SPONSORED STATEMENT: TreasuryFights Back: Latest Trends in Combating CybersecurityThreats